It might be impossible to install your favorite Linux distro on upcoming Windows 10 laptops…because of a sticker.
Specifically, the “Designed for Windows 10” sticker. It turns out Microsoft doesn’t send those out to just anyone: they need to be earned. And much like your 3rd grade teacher, Microsoft has a list of rules and regulations governing who does and doesn’t get stickers.
It’s these rules that might make certain Linux distros impossible to install on upcoming computers. Specifically, it’s the wording surrounding something called Secure Boot.
Confused? Infuriated? Let’s sort this out.
What Is UEFI, and Secure Boot?
Longtime computer users are no doubt familiar with the BIOS, but that technology has been outdated for years. In its place, modern systems use something called the United Extensible Firmware Interface (UEFI). We’ve explained what UEFI is, but to summarize it’s a firmware on your motherboard that allows your operating system to talk to your hardware. From the user’s perspective it’s generally much prettier than a traditional BIOS, and includes a lot more features.
When you turn your computer on, it’s the UEFI that decides which operating system to boot. One feature of UEFI, called Secure Boot, only allows operating systems signed with a digital signature. Windows 10, naturally, has a valid signature. So do some Linux distros – including Ubuntu, Fedora, and OpenSUSE.
But a number of major Linux distros don’t have a signature. Linux Mint 17, a really great Linux distro includes the following instructions in its release notes:
“If your system is using secureBoot, turn it off.“
The problem: turning Secure Boot off might not be possible on upcoming computers.
Why Are Linux Users Upset About This?
Secure boot isn’t new: Windows 8 supported it, and Linux users might recall some controversy. For Windows 8, Microsoft required Secure Boot be enabled if computer makers wanted the coveted sticker.
Open source advocates revolted, and in part because of this backlash Microsoft added a new rule: the user must be permitted to turn secure boot off. This made it annoying to install unsupported operating systems – the user needed to enter the UEFI and turn Secure Boot off before starting – but it was still possible.
That might change. In March Ars Technica reported that Microsoft is telling PC manufacturers they can remove the option to disable secure boot.
It’s worth noting that Microsoft isn’t requiring companies like Lenovo and HP to block out distros like Linux Mint. But as Ars Technica’s Peter Bright explains, the change makes it possible:
“Should this stand, we can envisage OEMs building machines that will offer no easy way to boot self-built operating systems, or indeed, any operating system that doesn’t have appropriate digital signatures.“
This could leave users of distros like Linux Mint – which currently don’t offer signatures or a workaround – locked out of such systems.
The End of Desktop Linux? Probably Not.
Don’t believe any doomsayers out there: this alone won’t kill off desktop Linux. The user base is loyal, and the developers are clever at finding workarounds. Additionally, it’s unlikely every OEM out there will decide to block other operating systems entirely: even if developers don’t find a workaround, you’ll likely be able to find a device on which Secure Boot is optional.
Having said that, Secure Boot being enabled by default, and impossible to turn off, will be yet another barrier to new users hoping to try out Linux. I’m personally concerned about what this means for my favorite live CDs (or USB keys), which are a common way for new users to try out Linux distros. These are generally run by small teams, unlikely to buy keys. Will they become next to impossible to use on some laptops?
If so this could limit Windows users in all sorts of ways, because live CDs can be very useful even if you don’t intend to install Linux. You can, for example, kill Windows viruses with an Ubuntu live CD, or manage your partitions using PartedMagic – but not if those distros refuse to boot.
In the short term, if you like using live CDs or a Linux distro that cannot handle Secure Boot, you need to read up on a given computer before buying it and ensure it’s possible to turn Secure Boot off. In the long term, workarounds might emerge, but we don’t know what those will look like yet.
I want to know what you think: should Linux users be worried bout Secure Boot? Or is this all a lot of hype over nothing? Let’s discuss the whole thing in the comments below.