Press "Enter" to skip to content

Secure Boot: What’s Microsoft’s Agenda?

Secure boot is the sort of security solution Microsoft loves. Back in the days when Windows was even less secure than it is now, one of their security solutions was to have software vetted and signed. Although this might have helped enterprise customers a bit, it did little to make the home user more secure, as any software would still install normally after clicking through an “are you sure” warning. If this scheme did anything, it hurt small vendors who couldn’t afford to go through the process of having their software approved by Redmond.

Secure boot is the same sort of scheme, except this time there’s no “are you sure” screen to click through. If a user is trying to install an operating system (or even run one from a live CD) on a machine with secure boot enabled, that operating system will have to have unlock keys to enable hardware devices. These keys are provided to the creator of the operating system at the whim of the hardware makers.


I can’t begin to explain the number of things wrong with this system. To begin with, for this feature to fulfill its intended purpose, the keys must be kept secret. Nobody but the hardware maker and, perhaps, the OS distributor, can have access to them – meaning they probably must be kept in binary form with no source code being made available.

This is how MS plans to protect you from malicious boot viruses. They’re requiring OEMs who want to certify their devices with the Windows logo to implement this feature – and they’re not requiring these OEMs to offer a way for the user to disable it. And, as I said, it all depends on keeping the unlock codes secret. How long do you suppose that will last?

I’ll bet you dollars to doughnuts that within weeks, if not days or hours, of Windows 8’s release the secure boot unlock codes will be broken and available on the Internet. The jailbreakers, the counterfeiters, the hackers and crackers will be able to install anything they want on any machine, whether secure boot can be disabled or not. As soon as that happens, malicious bootkits will be found in the wild that can get around secure boot as easily as a little kid can get around a childproof safety cap.

Within six months of the release of Windows 8, the only people who’ll have trouble breaking secure boot will be consumer users who want to install an OS that doesn’t natively speak secure boot on their computers – which will probably mean any OS other than Windows.

I am not a coder, nor do I fancy myself as any kind of security expert. If I can figure out that secure boot will barely be a speed bump for the bad guys, but will be a killer for the casual computer enthusiast, wouldn’t it be safe to figure that the geniuses at Microsoft understood this long before the decision was made to require the feature’s full use by OEMs who want one of those nifty “certified Windows 8” stickers on their boxes?

Is their purpose to stop Linux? I don’t think so, not entirely. The folks up in Redmond aren’t that stupid, no matter how much of Starbuck’s coffee flavored Kool-Aid they’ve been drinking. They know they’re not going to stop a determined penguinista from installing a Linux distro by just throwing a few tacks in the road. I think they’re going after the new user, the person who wants to try their first Linux install.

The other day I was thumbing through the September 19th edition of eWeek. I stopped to read a PR piece on Windows 8 by Nicholas Kolakowski, which read like an advertisement for MS. In the article there was one paragraph that got me thinking:

“Through its official ‘Building Windows 8’ blog, Microsoft has offered select glimpses into the operating system’s nuts and bolts, including USB 3.0 support, fast boot times and the ability to run multiple virtualized operating systems on the same physical machine (emphasis mine).

Maybe MS doesn’t care if tons of home users decide to give Linux a try, as long as they do it atop Windows. A virtualized Linux running in Windows still counts, market share wise, as Windows. And the new user will still have to go through Windows, which he or she knows, to get to Linux, which he or she is just learning. I imagine most would quickly ask, “What’s the use?” and just return back to “old reliable” Windows.

This also could be a defense in an anti-trust suit, if Red Hat, IBM or Google ever decides to sue over this. Microsoft could claim they’re not blocking the implementation of Linux, that folks can run Linux all they want from within Windows. They might even try to claim they’re doing Linux users a service, offering them secure boot and Windows “security protections.”

Here’s something else on which to chew: Will SUSE be the first Linux distro able to boot on a Wintel machine with secure boot enabled – using keys provided by Redmond? Just saying.

6 Comments

  1. A Concerned Citizen A Concerned Citizen October 4, 2011

    The only sane solution is to nuke Redmond. And yes, I mean literally. The computing world will not be safe until every single Microsoft employee on the planet ceases to exist. They all must die, quickly. And take their Windows plague with them.

  2. George Mitchell George Mitchell October 4, 2011

    What I am expecting in this is a hidden link between access to the key and patent royalties. Microsoft now knows that the way to collect taxes on Linux is to go after the hardware vendors. In this case I would almost bet that PC OEMs and mobo makers that offer a disable feature will be subject to a “piracy” tax from Microsot. After all, secure boot also protects MS from piracy. Of course, the term “Linux” will never appear in these contract updates. Another stroke of genius on the part of MS!

  3. Laxator2 Laxator2 October 4, 2011

    I smell that the real rat behind this is Intel, not M$. Nobody ever made money by stopping the criminals.

    And Intel’s profits depend on people upgrading their hardware, instead of continuing to use those old machines by installing Linux on them.

    Intel needs M$ bloatware to justify selling faster processors.

    M$ pushes an automatic update, the machine slows to a crawl, can’t install Linux, so buy a new machine.

  4. Amy Amy October 5, 2011

    Is this a wake-up call for all those bloggers who have said that MS have changed their ways and are willing to embrace and work with the competition? Are MS just passing the buck and making out that the manufacturers and resellers are the “bad guys”. They’ve been losing big-time in recent years whilst OSS continues to march onward (have we really considered Windows as a viable alternative to OSS OSes?). If MS’s tactics are an example of “anti-competitive” behaviour (which is illegal in my country and many others), and “monopolistic” control (also illegal- a pseudo-governance dictatorship by contractual obligation), then they’re sadly (and yet again) in for a shock. Imposing UEFI (hardware sanctioned writes to hardware) might initially prove financially rewarding (if it manages to get off the ground running), but it does nothing to deviate from the fact that Windows itself, has been a massive virus and trojan conduit.

  5. lott lott October 7, 2011

    The agenda for Ms is to stop all implementation of other OS.
    That includes other tech devices like any mobile device since that is the future.
    Home computing is changing so fast that most PC’S are going to become the entertainment centers.
    Because you will have soon your server at home, by limiting only to use windows they do not loose any market chairs.
    Anyone can make a NAS server using BSD, and entertainment center using Linux like Myth box and know that it will be secured.
    So it is not just the laptops that they are stopping, it’s all the licenses that they will sell do to limitations.
    Plus they have the logical scape goat the manufactures.
    Most electronics in your home are being geared to run on the net or in a network.
    Most corporations do not fill comfortable with the expenses that MS tolls , so a great deal of them are moving to Linux and BSD.
    So who is left out there the public, Ho those poor suckers they are thinking right.
    That is the agenda same old market but new limitations, just think out side of the box that is the answer.

  6. lott lott October 7, 2011

    ho I all most forgot.
    Lets not forget that all cash cash to certify any software, plus the that 1% of manufactures for use of UEFI keys.

Comments are closed.

Breaking News: