Linus Torvalds chimes in on Windows 8 and UEFI

Windows 8 will be released with what Microsoft is calling its Unified Extensible Firmware Interface (UEFI). The system is designed as an extra security measure, but some people have complained that UEFI also makes it harder to dual-boot another OS, such as Linux, on the same PC.

A Linux OS provider, Red Hat, announced last week that it has a solution to this issue, saying, "Microsoft will provide keys for Windows and Red Hat will provide keys for Red Hat Enterprise Linux and Fedora. Similarly other distributions can participate at a nominal cost of $99 USD - allowing them to register their own keys for distribution to system firmware vendors."

Some Linux users don't like this idea, but ZDNet.com reports that Linus Torvalds, the creator of Linux, sees this plan as a good compromise, saying, "I'm certainly not a huge UEFI fan, but at the same time I see why you might want to have signed bootup etc. And if it's only $99 to get a key for Fedora, I don't see what the huge deal is."

Having said that, Torvalds doesn't believe that UEFI will be as big a security deterrent as Microsoft seems to believe it is for Windows 8, saying, "The real problem, I feel, is that clever hackers will bypass the whole key issue either by getting a key of their own (how many of those private keys have stayed really private again? Oh, that's right, pretty much none of them) or they'll just take advantage of security bugs in signed software to bypass it without a key at all."

Source: ZDNet.com

37 Comments

Eh, I'll stick to computers which give me freedom of choice. Security lies with the user, so if a mongoloid wants to have a locked-up bootloader 'cause they download all the emoticons, spyware and trojans looking for keys for Adobe Photoshop etc., then let this be for them and not for me.

I control my computer; the computer doesn't dictate what I can do. I don't care what any company thinks is best in principle.

If you want to use alternative OSes, this is a good reason to stay away from ARM/Windows RT. On Intel tablets, users can disable UEFI/Secure Boot.

xpclient said,
If you want to use alternative OSes, this is a good reason to stay away from ARM/Windows RT. On Intel tablets, users can disable UEFI/Secure Boot.

How many people will be begging to shove a slower OS like Android on a Windows 8 RT device? Seriously?

The ones that will, won't be buying a Windows 8 RT device in the first place.

"And if it's only $99 to get a key for Fedora, I don't see what the huge deal is."
Oh maybe because Linux is supposed to be free? I get it for those companies that are paying for Red Hat and want the support. But Fedora isn't supposed to have a price attached. Or am I misunderstanding?

I have a feeling MS will detect if your BIOS supports Secure Boot. If it has the option it will stop booting until it's turned on.

UEFI != Secure Boot.

UEFI is a specification that defines a software interface between an operating system and platform firmware (intended to be a replacement to BIOS). Secure Boot is just a feature of it.

I'm getting tired of reading articles which mix both things. It wouldn't hurt to document yourself before writing an article in something that's not clear to the writer.
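The distinction drawn in the comment above (UEFI is the firmware interface, Secure Boot is one optional feature of it) can be checked on a running Linux system. This is an added example, not part of the original thread; it assumes the standard Linux efivarfs layout under `/sys/firmware/efi`, and the function names and the sample tree built by `make_sample` are constructed for illustration.

```python
import os
import struct
import tempfile

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification (SecureBoot, SetupMode).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

def read_efi_flag(efivars_dir, name):
    """Return True/False for a one-byte EFI variable, or None if it is absent."""
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_GUID}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        return None
    # efivarfs layout: 4-byte little-endian attribute mask, then the data.
    if len(raw) < 5:
        raise ValueError(f"{name}: truncated efivarfs entry ({len(raw)} bytes)")
    _attributes, value = struct.unpack_from("<IB", raw)
    return value == 1

def boot_state(efi_dir="/sys/firmware/efi"):
    """Classify a Linux system: firmware interface first, Secure Boot second."""
    if not os.path.isdir(efi_dir):
        return "legacy BIOS boot"          # no UEFI, so no Secure Boot either
    efivars = os.path.join(efi_dir, "efivars")
    secure = read_efi_flag(efivars, "SecureBoot")
    if secure is None:
        return "UEFI, SecureBoot variable absent"
    if read_efi_flag(efivars, "SetupMode"):
        return "UEFI, Secure Boot in setup mode"   # no platform key enrolled
    return "UEFI, Secure Boot enabled" if secure else "UEFI, Secure Boot disabled"

def make_sample(secure=None, setup=None):
    """Build a constructed efivarfs-style tree in a temp dir (sample data)."""
    efi = os.path.join(tempfile.mkdtemp(), "efi")
    os.makedirs(os.path.join(efi, "efivars"))
    for name, val in (("SecureBoot", secure), ("SetupMode", setup)):
        if val is not None:
            path = os.path.join(efi, "efivars", f"{name}-{EFI_GLOBAL_GUID}")
            with open(path, "wb") as fh:
                # 0x6 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS (constructed value)
                fh.write(struct.pack("<IB", 0x6, val))
    return efi

if __name__ == "__main__":
    print(boot_state())   # on a real Linux host reads /sys/firmware/efi
```

A machine that reports "UEFI, Secure Boot disabled" is the case several commenters describe: UEFI firmware booting an unsigned loader without complaint.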

You can't run anything you want on an iPhone or iPad, but that is acceptable. You buy an Android phone and they lock the bootloader and maybe release an unlocker if they feel like it - Microsoft locks it but offers a way around it to alleviate concerns. How is Microsoft's approach any worse than what 80% of phone users and 90% of tablet users are already signing up for?

Mike San said,
You can't run anything you want on an iPhone or iPad, but that is acceptable. You buy an Android phone and they lock the bootloader and maybe release an unlocker if they feel like it - Microsoft locks it but offers a way around it to alleviate concerns. How is Microsoft's approach any worse than what 80% of phone users and 90% of tablet users are already signing up for?

So you're saying I should pay to unlock the computer I've already paid for. Wow, where do I sign up?

simplezz said,

So you're saying I should pay to unlock the computer I've already paid for. Wow, where do I sign up?

This is something I really have an issue with regarding my iPhone 4. I am with Rogers in Canada and I travel quite a bit. So when I go anywhere that has a GPRS network, I would normally just purchase a local pre-paid SIM card and use that for the duration of my stay. This of course was when I had an Android phone.

With an iPhone, I can't do this any longer. Rogers has of course locked it to their network, and won't unlock it until the end of the contract (Oddly the phone was purchased separately from the contract, yet they still won't unlock it.) So I had to purchase a different phone just for my travel needs.

This has obviously ****ed me off to the point once my contract is up (7 months from now), I will not be renewing with them.

I've only been with Rogers for 9+ years...

Mike San said,
You can't run anything you want on an iPhone or iPad, but that is acceptable. You buy an Android phone and they lock the bootloader and maybe release an unlocker if they feel like it - Microsoft locks it but offers a way around it to alleviate concerns. How is Microsoft's approach any worse than what 80% of phone users and 90% of tablet users are already signing up for?

Because a smartphone is only designed to run one OS. Actual computers aren't.

SharpGreen said,

Because a smartphone is only designed to run one OS. Actual computers aren't.

Um, not really... In today's world, what you say is common 'thinking', but in reality this has not always been true and there is nothing demanding it to be.

Go back a few years, MOST computers did not allow other OSes either. PDP-11, TRS-80, Commodore 64, Apple I, Apple II, Mac, and on and on... There were always exceptions, but 99.99999% of the time, one OS.

"Windows 8 will be released with what Microsoft is calling its Unified Extensible Firmware Interface (UEFI)."

Is it me or does that read like it's implying that Microsoft created UEFI and/or named it?

Panda X said,
"Windows 8 will be released with what Microsoft is calling its Unified Extensible Firmware Interface (UEFI)."

Is it me or does that read like it's implying that Microsoft created UEFI and/or named it?

Hey, it works for Apple...

Panda X said,
"Windows 8 will be released with what Microsoft is calling its Unified Extensible Firmware Interface (UEFI)."

Is it me or does that read like it's implying that Microsoft created UEFI and/or named it?


Not just you....but look at who wrote that article.

So, for the signed UEFI to work, each mobo has to change UEFI... so, that means there could be an unlocked mobo (just like mobile phones) that could run them all?!...

zeta_immersion said,
So, for the signed UEFI to work, each mobo has to change UEFI... so, that means there could be an unlocked mobo (just like mobile phones) that could run them all?!...

Yes. If the motherboard isn't locked down, there's no problem.

zeta_immersion said,
So, for the signed UEFI to work, each mobo has to change UEFI... so, that means there could be an unlocked mobo (just like mobile phones) that could run them all?!...

Motherboards will have an option in the BIOS to simply turn off Secure Boot. Now, for complete systems bought pre-built (HP etc.) it's possible they won't include the option to turn off Secure Boot, but I don't see why, and also there's enough stink being kicked up already that they'll be easily avoided.

All MS are requiring is that secure boot is enabled by default in order to pass a 'certified for windows 8' logo scheme, they don't mind if there is the ability to turn it off, but some folks want to get all conspiracy on us all.

Drossel said,
Oh shut up, Torvalds. Go whine somewhere else.

Wow! Just wow!

Did you even bother to read the article? He says it's a "good compromise." And his concerns about its effectiveness are very valid.

MS Lose32 said,
Did you even bother to read the article?

Of course he didn't.

This is the Z generation where spastics just read the title, then draw their own conclusions and splurge whatever whiny teenage angst they have been building for the last few hours.

MS Lose32 said,
And his concerns about its effectiveness are very valid.

Not really. If we drop all the small and "not so" effective safeguards, like UEFI Secure Boot, NX, UAC, signed drivers, and all the rest, then we suddenly don't have a secure OS at all. You need all the little things to make a working wall. Remove one tiny, seemingly unimportant rock and the wall is useless.

Miuku. said,

Of course he didn't.

This is the Z generation where spastics just read the title, then draw their own conclusions and splurge whatever whiny teenage angst they have been building for the last few hours.

Yes, I did. And it's not just about this article. The guy has been whining since the rumors/news about UEFI boot came out. And I'm too old to be the Z generation. I'm actually Y gen.

HawkMan said,

Not really. If we drop all the small and "not so" effective safeguards, like UEFI Secure Boot, NX, UAC, signed drivers, and all the rest, then we suddenly don't have a secure OS at all. You need all the little things to make a working wall. Remove one tiny, seemingly unimportant rock and the wall is useless.

Sure, but he's not saying you shouldn't use it, just that it will probably not be all that effective. Going by the track record of those private keys that sooner or later leak from somewhere, it IS a valid concern.

togermano said,
My new gigabyte UEFI board booted mint fine

That's because it's not locked down. Microsoft wants to encrypt the signing key. So if you were to buy a Windows 8 computer, it runs Windows 8 until Windows 9 comes out. Period. No downgrading to 7, Linux, etc. It can also be used to lock you out of Windows releases altogether like Apple does with iOS to force you to upgrade. It's bad news...

togermano said,
My new gigabyte UEFI board booted mint fine

It's not a problem with UEFI, it's one of the options that UEFI has called Secure Boot, which is intended to prevent unsigned software from loading itself ahead of the OS.

Terracotta said,

That's because it's not locked down. Microsoft wants to encrypt the signing key. So if you were to buy a Windows 8 computer, it runs Windows 8 until Windows 9 comes out. Period. No downgrading to 7, Linux, etc. It can also be used to lock you out of Windows releases altogether like Apple does with iOS to force you to upgrade. It's bad news...

Evidence of this upgrade lockout, or just speculation?

Terracotta said,

That's because it's not locked down. Microsoft wants to encrypt the signing key. So if you were to buy a Windows 8 computer, it runs Windows 8 until Windows 9 comes out. Period. No downgrading to 7, Linux, etc. It can also be used to lock you out of Windows releases altogether like Apple does with iOS to force you to upgrade. It's bad news...

You can just go into the UEFI menu (Del, F1, etc) and just set the option "Secure Boot" to disabled. Then install Linux, 7 etc. With the exception of tablets it's completely optional (opt-out).

efjay said,
Evidence of this upgrade lockout, or just speculation?

Just somebody spreading FUD, don't pay attention to it.

Those manufacturers willing to receive certification from Microsoft (to have that "Certified for Windows X" sticker in their PCs among other things) are required to have Secure Boot enabled by default in Windows 8, that's well known I think.

But in non-ARM machines, they're required to make it possible to disable Secure Boot too (hence allowing to install any OS without problems). It's mandatory, so I don't see any problem here.

And if what you want to buy is an ARM-powered machine, there are plenty of them in the market without even shipping Windows.

Panda X said,

You can just go into the UEFI menu (Del, F1, etc) and just set the option "Secure Boot" to disabled. Then install Linux, 7 etc. With the exception of tablets it's completely optional (opt-out).


Except that there's no obligation for OEMs to provide the option. And if Microsoft have it their way, there'll never be an option.

WelshBluebird said,
I am a bit confused why it's an issue.
Macs use UEFI yet can still boot Linux (and other OSes).

Yes, but Apple isn't Microsoft. The two companies can do the exact same thing, and Apple will pretty much get praise for it from the Linux community, or be ignored. Microsoft will get condemnation. Sigh. Politics. Oh, and never mind that from the beginning people have been told that if their distro provides a key it won't be a problem. Again... sigh.

WelshBluebird said,
I am a bit confused why it's an issue.
Macs use UEFI yet can still boot Linux (and other OSes).

Macs don't use UEFI Secure Boot.

The difference is Macs don't need signed keys for the OS to boot.

But I guess the Martyr Bluebird didn't bother checking that, had to throw himself on a sword for Microsoft.

WelshBluebird said,
I am a bit confused why it's an issue.
Macs use UEFI yet can still boot Linux (and other OSes).

The main issue with hackers and pirates is this UEFI BIOS can stop Windows activation cracks and loaders.

Just hope Microsoft can give me a pro license for Rs. 3000 (~ $50).