What is Secure Boot and Should You Care?

In a chat room this morning, LockerGnome contributor Eddie Ringle dropped a URL accompanied by a brief comment about it having to do with something called “UEFI secure boot.” Mr. Ringle and I share many of the same interests — at least when it comes to technology — so I followed the link to discover an article posted by a Fedora Linux developer, Implementing UEFI Secure Boot in Fedora, in which the developer notes the recent release of Fedora 17 as being “the last Fedora release in the pre-UEFI secure boot era”:

Fedora 18 will be released at around the same time as Windows 8, and as previously discussed all Windows 8 hardware will be shipping with secure boot enabled by default.

Before this morning I couldn’t have explained the difference between a UEFI citing and a UFO sighting; it turns out that UEFI is an acronym for the Unified Extensible Firmware Interface, a specification intended to be the replacement for Basic Input Output System (BIOS). One UEFI-based feature that has become controversial lately is the “secure boot” feature, which will be implemented in the next generation of PCs running the soon-to-be-released Windows 8 operating system.

What is secure boot, and what does it have to do with Windows 8, Fedora, or any other operating systems? Should you care? In this article I will explain what you need to know about secure boot and what to do the next time you encounter a UEFI citing.

This morning Mr. Ringle told us that “machines with UEFI secure boot enabled are at Microsoft’s mercy when it comes to what operating systems can be booted (i.e. they can disable access to an operating system simply by pushing out an update).” This certainly rang some alarms in the Linux community when news began circulating that Microsoft’s next operating system would be implementing UEFI secure boot. Last September Microsoft addressed some of the concerns by describing UEFI and secure boot as “protecting the pre-OS environment”; to vendors and developers of competing operating systems, this same statement could be read as “keeping alternative operating systems off PCs.” In February of this year Microsoft confirmed the fears of many of its competitors by announcing that it would be locking down the ARM processors around which many Windows 8 devices would be manufactured.

After reading the article posted by the Fedora developer (the first article posted above), I basically understood the problems the Linux community would have to overcome in order to continue making the open source operating system relatively easy to install and distribute to those less tech-savvy. Linux was once notoriously difficult to install, particularly for anyone who had no experience using a command line interface. These days distributions of Linux come equipped with graphical user interface installers that are more familiar to a generation of PC users who grew up with Windows or Mac operating systems (and their installers), and are able to be installed on far more devices than either of the aforementioned OSes. For the Linux community to have to overcome a whole new hurdle in its installation process seems unfair, if not entirely unnecessary. As Mr. Ringle views it,

What Microsoft is doing with ARM devices is just like what is going on with the iPhone and locked-down Android devices. Manufacturers (and carriers, for that matter), for some reason, think that they still own the device even after they’ve sold it. Google is the only company that doesn’t pull stuff like this.

Speaking of Google, how will the developer of Chrome OS react to Microsoft’s “securing” of its OS? Will Google follow suit? As one IT writer speculates, Google may “just have machines produced that have UEFI with ChromeOS-only secure boot.” Mr. Ringle doesn’t believe Google will react to Microsoft’s UEFI moves; when I asked him if he thought Google would stick with a traditional BIOS or move toward UEFI he indicated the latter to be a possibility, as it “can ship [its] devices with secure boot disabled”:

In fact, motherboards you buy for custom builds have secure boot disabled; it’s just the OEMs that want the Windows logo on their machines — the same logo that will just fall off over time since that’s what stickers do.

I must agree with Mr. Ringle — not only are the stickers that come with a PC temporary, the operating system you find on a device years after its purchase is often an entirely different one. Even if one is still running the same version of Windows, the OS is certain to have been modified quite considerably due to service pack releases and hotfixes over the years. Windows XP with Service Pack 3 is quite a different beast altogether than the XP of 2001. Setting aside Apple hardware for the moment, the vast majority of personal computers have been traditionally designed to be modified and customized with radically different components and operating systems. This move to more “secured” hardware disrupts that trend, especially since it’s a move made in the Microsoft-dominated desktop space. It’s one thing to lock down a smart phone; it’s another to lock down hardware that’s intended to be used by many more millions of customers.

Ringle reminds me, however, that “it’s not so much a problem on x86 machines; just turn secure boot off.” He’s got a point — Microsoft is said to be doing this only with ARM-based machines, not the traditional x86 ones we’ve come to know and love. “But ARM is gaining too much traction to ignore as x86’s possible successor.”

So it’s not really a problem, then, is it? I mean, ARM is still basically in its infancy, right? As long as the x86-based computers sitting on our desktops are still able to be modified to our heart’s content, should we care if Microsoft wants to only allow Windows 8 on its Windows 8 devices? Even if, as Mr. Ringle has noted, ARM is gaining traction — we’re still years away from ARM-based systems being in the majority, right? Perhaps. But BIOS firmware has pretty much run its course, and UEFI is just starting out on its own — and UEFI’s secure boot feature wasn’t developed to simply be ignored. Microsoft may be the first significant developer to use the feature, but if successful with its implementation, we may see more devices being locked down. And a future of “secured” devices may look good on paper, but in reality we’ll be spending valuable hours hacking away at the devices in order to modify them for our own purposes.

Well, at least there will always be a need for developers. It appears that we’ll always need somebody to break apart the bonds of technology — even if those bonds are presumably intended to make our computing devices “safer.”

And the next time you encounter a UEFI, you’ll know you don’t have to call the Men in Black.

The UEFI logo is an image in the public domain, discovered at Wikipedia.org.