Microsoft’s Take on UEFI May Impede Linux (and that’s being polite)
Recent revelations about the way that Windows 8 will make use of UEFI, the next generation PC BIOS, have caused speculation that this may cause problems for people wanting to install Linux. Potentially, this could cause the PC to switch away from its historic position as the standard bearer for open platforms.
The next version of Windows, Windows 8, may only run on a PC that features the UEFI BIOS. The snag is that it will probably make use of the “secure booting” feature of UEFI which prevents unsigned operating systems from booting on the hardware. The maker of the computer can install a certificate into the firmware on the motherboard, and consequently, only signed boot loaders (and possibly kernels and drivers and even applications) can then run on the machine. Software vendors such as Microsoft must send their code away to the manufacture of the computer to be signed so that it will run.
In other words, the PC will undergo a historic change, from the consummate open platform to a closed one. This also means that Linux wont boot on future PCs unless the motherboard manufacturer takes the time to certify each version of the boot loader and possibly each distro or even every kernel. It also seems that compliance with this system may be incompatible with licenses such as GPL 3.
To digress for a moment, it’s worth considering a software environment that may voluntarily go down this path, Mac OS X, as its users could be willing to accept a change in the balance between freedom for security. It’s quite possible that a future version of Mac OS will only allow software installation via the app store, and furthermore, it might become impossible to run a binary that has not been signed and approved by Apple itself. Apple itself would probably not be too bothered that its hardware would be inaccessible to other operating systems.
By contrast, Linux is a broad church. Part of what makes Linux so great is that you can do anything you like with it. You can install it where you like and modify it so that it meets your needs. What we’re facing is a potential future in which ex-corporate PCs, for example, may well be tied to a specific version of Windows and absolutely nothing else will run.
Unsurprisingly, Microsoft employees have attempted to play down the undesirable ramifications of what may happen. In a post entitled “Protecting the pre-OS environment with UEFI”, Microsoft blogger Steven Sinofsky says:
“The most important thing to understand is that we are introducing capabilities that provide a no-compromise approach to security to customers that seek this out while at the same time full and complete control over the PC continues to be available.”
Over the course of the post, he summarizes some of the advantages offered by the new system, namely increased security and faster booting, while also downplaying the barrier to alternative OS installation. In defense of the new policy, he claims that end-users will be able to disable secure booting on a UEFI equipped PC. This may be true, to an extent. However, it will be up to the hardware vendor to decide whether or not leave this option intact. I for one have often encountered PCs that exhibit a curtailed set of BIOS start up options. How long before it becomes a element of standard corporate IT policy that secure boot must be enabled?
Workarounds in the form of altering a jumper on the motherboard, selecting an option in the BIOS or even running an exploit to jail-break the machine are all barriers to Linux adoption.
There has also been some speculation on the subject of who will provide resistance to the adoption of the secure boot environment that Windows 8 will rely on.
How about techs? It’s worth remembering that a lot of technically minded people who work for large companies are fans of Linux. Yet, the Linux intrusion onto company desktops remains nascent, years after it reached sufficient maturity to take on Windows in that role. In the server room, the techs will be allowed to disable secure booting and will probably specify Linux compatible hardware if they run Linux, side stepping the problem. Overall, it’s doubtful that the “nerds in jumpers” will be a sufficient force to prevent Microsoft (let’s be honest here) doing a number on the computer industry.
It’s also possible that the hardware manufacturers will revolt against Microsoft’s plan to “accidentally” lock out alternatives to their product. However, one has to wonder how persuasive the wishes of less than 5% the potential user base will prove. Also, bear in mind that the manufacturers have an incentive to go along with secure boot as it has the potential to turn hardware that is no longer supported by Microsoft into a doorstop, thus encouraging sales of new hardware.
Activists in the fields of poverty alleviation and recycling ought to be on our side, but it’s not clear that many of them will understand the technical issues to a sufficient extent. In the future, Microsoft may well create a version of Windows that only runs for 12 months, unless the customer is willing to pay a new subscription fee. That’s a lot of land-fill and a lot of potential users deprived of a cheap or free computer setup.
So, in summary, whatever level of extra security is foisted onto the computer industry by Microsoft’s latest decision, it looks like it will fly in the face of the freedom that makes alternative operating systems like Linux as great as they are.
Jake Edge pointed out a lot of these problems earlier in the year in this excellent LWN.net post.