Now that some of the information about Windows 8 is coming to light, there are some very disturbing bits being picked up and extrapolated from the announcements and information released.
First, in order to be Windows 8 Certified, new PC’s are going to have to use the new UEFI replacement for the BIOS (Basic Input Output System) firmware built into the motherboards. Why? Because UEFI has a new Secure Boot option.
Oh, that’s good, we all think…
Another aspect of that requirement is that, also in order to be Windows 8 Certified, the new PC’s have to ship with the Secure Boot option enabled.
OK, no problem. Right?
Well, not exactly. The system is designed to prevent rootkits and other malware from running as system-level software. Secure Boot is also reported to control drivers, especially drivers loaded in the early part of the boot process.
The kicker is the mechanism for making it work. The new UEFI "BIOS" will have signature codes stored in it, and any operating system software or drivers that are not signed using (one of) the signatures in the UEFI BIOS list simply won’t run.
I’m sure Microsoft’s Window 8 signature will be in the Secure Boot list. But, what about if you want to load an earlier version of Windows into the new PC. It’s not going to work, because the files weren’t signed. What about Linux? Yeah, sure.
For the average user with a Windows 8 PC from one of the big-name PC makers, that UEFI BIOS is probably going to be as locked down even more than today’s BIOS’s are from those vendors. Their interest is in you purchasing a new PC when something changes. Locking down the UEFI BIOS might make their support life easier, too.
How many of them offer new device drivers for their recent PC’s when a new version of Windows comes is released, or offer BIOS upgrades to handle a new CPU chip? Not many. It’s hard enough getting support for the existing PC while it’s still the current product.
The UEFI BIOS may have an option to disable Secure Boot. We’ll probably find that in motherboards for system builders and hobbyists that like to build their own computers.
The option to allow disabling of Secure Boot may even be an added-cost option for a vendor, when licensing the UEFI BIOS for their PC’s. Today’s PC market is highly price-competitive, so you can guess which option won’t get purchased by the big OEM’s, especially since purchasing it would go against their other interests.
By the way, Microsoft’s response is reported to be something to the effect of "we’re going to require Secure Boot to be enabled, to protect the users and Windows 8, but don’t hold us accountable if the OEM manufacturers lock down the machines blocking any changes."