Microsoft published today the second of two Building Windows 8 blog posts detailing the operating system's new boot capabilities. Today's post focuses on the security aspects of supporting "secure boot" offered with Unified Extensible Firmware Interface (UEFI) computers.
The post comes on the heels of concerns raised yesterday by Red Hat developer Matthew Garrett, where he raised concerns about new Windows 8 machines - those that conform to the Windows 8 Logo program - may prevent alternate and/or older Windows operating systems from booting.
Microsoft's response, while addressing consumer concerns is fairly similar to Garrett's conclusion of how boot security will play out: security keys are signed by the OEM and are used to prevent unauthorized access to boot code. Firmware updaters supplied by OEMs contain the manufacturer's own key. In addition, while secure boot will hopefully be enabled by OEMs, it is up to the manufacturer to allow users to disable secure boot via the UEFI firmware's configuration pane, as is shown in the Samsung Windows 8 preview tablet:
Microsoft's summary of the security-related changes in Windows 8 is as follows:
- UEFI allows firmware to implement a security policy
- Secured boot is a UEFI protocol not a Windows 8 feature
- UEFI secured boot is part of Windows 8 secured boot architecture
- If desired, Windows 8 utilizes secured boot to ensure that the pre-OS environment is secure
- Secured boot doesn’t “lock out” operating system loaders, but is is a policy that allows firmware to validate authenticity of components
- OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
- Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows
Image Credit: Building Windows 8