Microsoft clarifies Windows 8 UEFI concerns

Microsoft published today the second of two Building Windows 8 blog posts detailing the operating system's new boot capabilities. Today's post focuses on the security aspects of supporting "secure boot" offered with Unified Extensible Firmware Interface (UEFI) computers.

The post comes on the heels of concerns raised yesterday by Red Hat developer Matthew Garrett that new Windows 8 machines - those that conform to the Windows 8 Logo program - may prevent alternate and/or older Windows operating systems from booting.

Microsoft's response, while addressing consumer concerns, is fairly similar to Garrett's conclusion of how boot security will play out: security keys are signed by the OEM and are used to prevent unauthorized access to boot code. Firmware updaters supplied by OEMs contain the manufacturer's own key. In addition, while secure boot will hopefully be enabled by OEMs, it is up to the manufacturer to allow users to disable secure boot via the UEFI firmware's configuration pane, as is shown in the Samsung Windows 8 preview tablet.

Microsoft's summary of the security-related changes in Windows 8 is as follows:

  • UEFI allows firmware to implement a security policy
  • Secured boot is a UEFI protocol not a Windows 8 feature
  • UEFI secured boot is part of Windows 8 secured boot architecture
  • If desired, Windows 8 utilizes secured boot to ensure that the pre-OS environment is secure
  • Secured boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components
  • OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
  • Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows

Image Credit: Building Windows 8


28 Comments


Microsoft showed us the conversion to beautiful Windows set-up. In the last snapshot this is not seen.

Scrinner said,
I'm surprised nobody has realized the real reason behind this move. It's to block bootloaders. Simple as that.

Not only that. Look at bullet point no. 4 in the diagram, remote attestation: this is the final piece of the DRM stack Microsoft has created starting with Vista. A system can be set up so that the entire stack (Firmware, Bootloader, OS kernel and libraries, Drivers) is digitally signed and can detect that it is so. You can bet that as the capability becomes widespread the Netflixes/Hulus/Cyberlink blu ray players of the world will refuse to run unless it is enabled and reports no abnormalities. Welcome to Palladium 2.0.

I wonder how long it'll be before Microsoft license Windows 8 to OEMs on the cheap or free IF they lock the UEFI secure boot to a Windows key?

So this is anti-malware and anti-rootkit feature. That's good.
BTW, as you can see, malware cannot flash UEFI "BIOS" because of the feature.

RealFduch said,
So this is anti-malware and anti-rootkit feature. That's good.
BTW, as you can see, malware cannot flash UEFI "BIOS" because of the feature.

I don't have any recollection of malware actually modifying the BIOS.

McCordRm said,
Speaking of UEFI... anywhere I can get an updated list of motherboards that use it?

Actually, UEFI is often a highlighted feature (where present). The list is still shorter than I'd prefer - however, it *is* growing. Two major standouts are ASRock (over half their LGA1155 motherboards support UEFI) and Biostar USA (all their LGA1155 motherboards, and all AM3+ motherboards since June 2011). Biostar's T-Series LGA1155 motherboard line (due to their top-to-bottom UEFI support, and that they are aimed at *everyday*, not enthusiast, BYOPC builders) should be of particular interest.

PGHammer said,

Actually, UEFI is often a highlighted feature (where present). The list is still shorter than I'd prefer - however, it *is* growing. Two major standouts are ASRock (over half their LGA1155 motherboards support UEFI) and Biostar USA (all their LGA1155 motherboards, and all AM3+ motherboards since June 2011). Biostar's T-Series LGA1155 motherboard line (due to their top-to-bottom UEFI support, and that they are aimed at *everyday*, not enthusiast, BYOPC builders) should be of particular interest.

ASUS and Gigabyte also support UEFI

My ASUS machine with it is an LGA1155 and the Gigabyte machine is a FM1 (AMD)

This is probably their mechanism for stopping Windows 8 loaders. However, it might cause problems with bootloader chaining? I'm not sure.

Dessimat0r said,
This is probably their mechanism for stopping Windows 8 loaders. However, it might cause problems with bootloader chaining? I'm not sure.

Doubt it, from how I understand it, this feature can be completely disabled. It can however be enabled in something like a corporate environment where they want to maximize system security. OEMs might even enable it (and make it unchangeable) so customers can't complain to them when the customer breaks the system by changing the boot loader.

For system builders that have full control over their system, this security feature doesn't do ANYTHING to stop Windows 8 loaders.

Well this should shut up the "OMG Microsoft is going to kill Linux with the Windows 8 bootloader!!" crowd that's been festering online the past few days. People quick to judge, after the fact they'll turn and be "Oh, ok, as long as <insert condition for so-called satisfaction here> is met, that's fine."

What still worries me (to a point) is this:

In addition, while secure boot will hopefully be enabled by OEMs, it is up to the manufacturer to allow users to disable secure boot via the UEFI firmware's configuration pane

Considering how restrictive many typical computer BIOSs are (especially big brands like HP, Compaq, Dell, etc), assuming that they will offer the option to turn off Secure Boot is not a sure thing. Hell, many of them didn't (and still don't) allow users to control basic options like VT support in the BIOS.

roadwarrior said,
Considering how restrictive many typical computer BIOSs are (especially big brands like HP, Compaq, Dell, etc), assuming that they will offer the option to turn off Secure Boot is not a sure thing. Hell, many of them didn't (and still don't) allow users to control basic options like VT support in the BIOS.

This is nothing new though really, OEMs usually remove useful functions from the BIOS or, in this case, UEFI. This alone is the reason why I built my own computer with a board that uses UEFI.

roadwarrior said,
What still worries me (to a point) is this:
Considering how restrictive many typical computer BIOSs are (especially big brands like HP, Compaq, Dell, etc), assuming that they will offer the option to turn off Secure Boot is not a sure thing. Hell, many of them didn't (and still don't) allow users to control basic options like VT support in the BIOS.

Then that's why you have to (always) read about the computer you are getting and about everything you are buying, to be sure that's what you want and need.

Anyway, that would be an OEM thing, not Microsoft's fault, if OEMs want to use this feature and don't let it be disabled.
So you have to check that if you are going to get a computer and you want to install Linux or something.
It's not like all people need it or care about it, since some people only want a computer and they don't even know what Linux is, so they won't install Linux anyway. But if you know about comps and you want to install Linux, you should check that.

neo158 said,

This is nothing new though really, OEMs usually remove useful functions from the BIOS or, in this case, UEFI. This alone is the reason why I build my own computer.

To get a nice sleek machine, we can't build our own laptops, or tablets for that matter. There are some DIY laptop kits but the cases tend to be near the level of desktop replacements.

roadwarrior said,
What still worries me (to a point) is this:
Considering how restrictive many typical computer BIOSs are (especially big brands like HP, Compaq, Dell, etc), assuming that they will offer the option to turn off Secure Boot is not a sure thing. Hell, many of them didn't (and still don't) allow users to control basic options like VT support in the BIOS.

Most likely only Tablets will be permanently enabled.

roadwarrior said,
What still worries me (to a point) is this:
Considering how restrictive many typical computer BIOSs are (especially big brands like HP, Compaq, Dell, etc), assuming that they will offer the option to turn off Secure Boot is not a sure thing. Hell, many of them didn't (and still don't) allow users to control basic options like VT support in the BIOS.

Actually, neither Dell nor HP are very restrictive on that front at all (both have long allowed user-installable updates to their BIOSes; same applies to their UEFI-supporting desktops and servers). While PCs in enterprises are often tightly locked down, it's usually due to the enterprise's policy - not that of the OEM.

br0adband said,
Well this should shut up the "OMG Microsoft is going to kill Linux with the Windows 8 bootloader!!" crowd that's been festering online the past few days. People quick to judge, after the fact they'll turn and be "Oh, ok, as long as <insert condition for so-called satisfaction here> is met, that's fine."

It was never gonna happen anyway, they'd get bitch-slapped by about everyone concerned about their dominant market position.

roadwarrior said,
What still worries me (to a point) is this:
Considering how restrictive many typical computer BIOSs are (especially big brands like HP, Compaq, Dell, etc), assuming that they will offer the option to turn off Secure Boot is not a sure thing. Hell, many of them didn't (and still don't) allow users to control basic options like VT support in the BIOS.

So buy a different brand, or since it is Windows, build your own computer...

Really, this is not MacWorld, there are more choices than we can even imagine.

By not having the option to disable secure boot, system manufacturers may lose sales (even if only a very small amount) to systems that do. Because of this, I don't see any reason whatsoever why any manufacturer would not include this option.

There were good reasons for the issue to be raised, but I think we can be pretty certain that it's not going to be a problem.

Even if for some reason some manufacturers of certain devices don't include the option, there will be plenty of alternatives that do.

br0adband said,
Well this should shut up the "OMG Microsoft is going to kill Linux with the Windows 8 bootloader!!" crowd that's been festering online the past few days. People quick to judge, after the fact they'll turn and be "Oh, ok, as long as <insert condition for so-called satisfaction here> is met, that's fine."

Microsoft did kill Linux already with Windows 7 and with the help of this idiot: http://www.engadget.com/2009/1...-windows-7-a-big-thumbs-up/

smooth_criminal1990 said,

It was never gonna happen anyway, they'd get bitch-slapped by about everyone concerned about their dominant market position.

+1 and they sure addressed that in a hurry, huh?

roadwarrior said,
What still worries me (to a point) is this:
Considering how restrictive many typical computer BIOSs are (especially big brands like HP, Compaq, Dell, etc), assuming that they will offer the option to turn off Secure Boot is not a sure thing. Hell, many of them didn't (and still don't) allow users to control basic options like VT support in the BIOS.

Let me ask you, if these options are so important to you, why do you even buy OEM computers? Why not build your own?

The vast majority of people who buy branded PCs will use what it came with; for the tech savvy, they will either not buy them or buy the one that does what they want. If PC makers don't allow the option then sucks for them. Enthusiasts typically don't buy branded computers.

So your rant is such a waste of time. If you were actually as smart as you try to pawn off, you wouldn't even be concerned about branded PCs. Companies who buy branded boxes won't care because they will use the OS that came with the PC. If they want something else they buy something else.

I don't see a problem here other than YOU.

roadwarrior said,
What still worries me (to a point) is this:
Considering how restrictive many typical computer BIOSs are (especially big brands like HP, Compaq, Dell, etc), assuming that they will offer the option to turn off Secure Boot is not a sure thing. Hell, many of them didn't (and still don't) allow users to control basic options like VT support in the BIOS.

OEMs remove access because they have people who buy PCs they don't want making changes in the BIOS. Those settings are very technical in nature. They don't want some fool blowing up their system and then trying to sue them for damages.

People who know what they are doing don't buy branded hardware. They buy boards and build their own. Your concern is without reason. It wouldn't matter if Dell or HP or anyone else locks the Secure Boot where you can't change it. I can work other means. I typically always own a single branded system and one I built myself for full 100% everything at my fingertips options. Sounds like you should do the same.

TechieXP said,

Let me ask you, if these options are so important to you, why do you even buy OEM computers? Why not build your own?

The vast majority of people who buy branded PCs will use what it came with; for the tech savvy, they will either not buy them or buy the one that does what they want. If PC makers don't allow the option then sucks for them. Enthusiasts typically don't buy branded computers.

So your rant is such a waste of time. If you were actually as smart as you try to pawn off, you wouldn't even be concerned about branded PCs. Companies who buy branded boxes won't care because they will use the OS that came with the PC. If they want something else they buy something else.

I don't see a problem here other than YOU.

Wow! You must be smart. You can rant about someone who rants. Stay in school and don't be a fool...oh too late.

If I have 35000 users and of those users 10000 dual boot Linux and Windows and my next refresh comes along and I can't dual boot due to the OEM not allowing us to disable the secure boot, can you build us those 10000 computers and give us a 3-4 year warranty?

You made two posts to tell the same guy off...did you make this account just for this? I made this account just to tell you that you're stupid. Feel better?