September 23, 2011, 12:59 PM — Is Microsoft using a next-generation computing boot-loading technology to lock out the use of Linux and other OSEs on certain computers? While Microsoft has denied malicious intent, one Red Hat developer maintains that this may be the case.
Microsoft is mandating the use of the UEFI (Unified Extensible Firmware Interface) secure boot-loading capability with Windows 8 in such a way that "the end user is no longer in control of their PC," charged Red Hat developer Matthew Garrett in a blog entry posted Friday.
Microsoft has claimed that this charge is based on a misunderstanding of the company's intentions. "At the end of the day, the customer is in control of their PC," said Microsoft program manager Tony Mangefeste in another blog posting from Microsoft.
The controversy took root on Tuesday, when Garrett pointed out in a blog posting that Microsoft-certified computers running Windows 8 may not be able to be loaded with copies of other OSes, such as Linux. Users could not install Linux as a second OS, or replace Windows with a copy of Linux, Garrett argued.
Windows 8 will require its host computer to use the UEFI, the low-level interface between the computer firmware and the OS. Marketed as a replacement to BIOS, UEFI provides a secure boot protocol, which requires the OS to furnish a digital key in order to be loaded by the machine. UEFI then can block the operations of any programs or drivers unless they have been signed by this key, a move that should prevent malware from infecting machines by changing the boot-loading process.
With Windows 8, Microsoft will require hardware manufacturers (those wishing to display the Windows logo on their units) to ship their machines with secure boot enabled. Each machine would then require a digital key from Microsoft, the hardware manufacturer or, if it uses another OS, a secure key for that OS.
Users who customize their own versions of Linux, or use a generic OS that does not come with a key, may not be able to run these OSes on machines requiring this secure booting process, Garrett said. Nor would there be any guarantee that OEMs (original equipment manufacturers) even provide the ability for users to add their own keys, or give users the option to run other OSes without a key.
Garrett's blog post subsequently sparked debate in the trade press and Linux user communities.
Responding to the controversy on Thursday, Microsoft has denied that the intent was to shut out Linux. Although he did not mention Linux by name, Steven Sinofsky, president of the Windows and Windows Live Division, noted in a blog post that some of those commenting have used details of the new plan to "synthesize scenarios that are not the case."
The rest of the posting, authored by Mangefeste, noted that Microsoft is concerned only that Windows 8 be protected in a secure boot loader, and that OEMs are free to build in the option of disabling secure boot for running OSes without keys. Other OS providers are responsible for providing their own keys.
"For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision," Mangefeste wrote. "However, [disabling secure boot] comes at your own risk," he added.
"Microsoft's rebuttal is entirely factually accurate. But it's also misleading," Garrett responded in a follow-up blog item, posted Friday. Under the licensing agreement, the equipment manufacturer is under no obligation to provide users with the ability to disable the secure boot capability. Beyond the use of third-party OSes, this approach might also hamper the ability of users to upgrade components such as graphics cards, because there is no requirement to provide the user with the capability of installing additional keys.
"The truth is that UEFI secure boot is a valuable and worthwhile feature that Microsoft are misusing to gain tighter control over the market," Garrett charged.
Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com
