Windows 8 Requires Secure Boot, May Hinder Other Software

With the walled garden already coming to the desktop operating system world, we're now witnessing another potential nail in the coffin of the relatively open world of desktop and laptop computing. Microsoft has revealed [.pptx] that as part of its Windows 8 logo program, OEMs must implement UEFI secure boot. This could potentially complicate the installation of other operating systems, like Windows 7, XP, and Linux.

Linux developer Matthew Garrett, who works for Red Hat, first talked about this issue on his blog today. He has done work on EFI, so he knows what he's talking about. The issue is that the secure boot technology that's part of EFI, and which is mandatory for Windows 8's logo program, requires signing keys integrated into the firmware.




It goes further than merely installing an operating system, though. One or more signing keys can be installed into the firmware; executables and drivers need to be signed by these keys, or else they won't load. On top of that, another set of keys (Pkek) takes care of the communication between operating system and firmware. The operating system can then add signing keys to a blacklist and a whitelist. Since there's no central authority which issues these keys, OEMs will have to sign stuff themselves if a key is installed.




"This impacts both software and hardware vendors," Garrett explains, "An OS vendor cannot boot their software on a system unless it's signed with a key that's included in the system firmware. A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that's included in the system firmware. If you install a new graphics card that either has unsigned drivers, or drivers that are signed with a key that's not in your system firmware, you'll get no graphics support in the firmware."
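The load decision described above can be modelled in a few lines. This is an added example, not code from the article or from any firmware: the `Firmware` class, the key names and the image contents are hypothetical, and textbook RSA over constructed toy keys stands in for the real signature format. It also assumes a blacklist entry overrides the whitelist.

```python
import hashlib

E = 65537  # public exponent shared by the constructed toy keys

def make_key(p, q):
    """Build a toy RSA key pair: (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, n, d):
    return pow(digest(image, n), d, n)

class Firmware:
    """Holds only public keys; private keys stay with whoever signs."""
    def __init__(self):
        self.whitelist = set()   # public keys allowed to sign boot code
        self.blacklist = set()   # public keys that have been revoked

    def may_load(self, image, signature, signer_n):
        if signature is None:
            return False, "unsigned"
        if signer_n in self.blacklist:   # assumption: blacklist wins
            return False, "signer blacklisted"
        if signer_n not in self.whitelist:
            return False, "signer key not in firmware"
        if pow(signature, E, signer_n) != digest(image, signer_n):
            return False, "bad signature"
        return True, "ok"

# Constructed keys built from Mersenne primes (far too small for real use).
OEM_N, OEM_D = make_key(2**61 - 1, 2**89 - 1)
GPU_N, GPU_D = make_key(2**107 - 1, 2**127 - 1)

def demo():
    fw = Firmware()
    fw.whitelist.add(OEM_N)              # key installed by the OEM
    loader, driver = b"os-loader-image", b"gpu-firmware-driver"
    good = sign(loader, OEM_N, OEM_D)
    results = {
        "signed loader": fw.may_load(loader, good, OEM_N),
        "unsigned driver": fw.may_load(driver, None, None),
        "unknown signer": fw.may_load(driver, sign(driver, GPU_N, GPU_D), GPU_N),
        "tampered loader": fw.may_load(loader + b"!", good, OEM_N),
    }
    fw.blacklist.add(OEM_N)              # the OS later blacklists that key
    results["after blacklist"] = fw.may_load(loader, good, OEM_N)
    return results

if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:16} -> {'load' if ok else 'refuse'} ({why})")
```

The "unknown signer" case is the graphics card scenario from Garrett's quote: the driver carries a valid signature, but the firmware refuses it because the signing key was never enrolled.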
