Windows 8 Branded PCs Could Prevent Other Operating Systems From Being Installed

James Bruce 27-10-2011

windows 8 limitations“Secure Boot” is a new Windows 8 technology that’s required of OEM computers if they are to feature the Windows 8 Compatibility Logo. It’s designed to protect against malware at the boot level by preventing ‘unauthorised’ code from launching during system boot. However it’s been revealed that it may also prevent non Windows 8 operating systems – such as Linux – from being able to install or run.


How Does It Work?

Newer PCs are increasingly using a replacement for the old BIOS called UEFI (Unified Extensible Firmware Interface). It’s a technology that’s been built into Apple Macs for years now, but basically it allows for faster boot and more efficient hardware access by the operating system. It’s also the main reason OSX is difficult to install on PCs, so if you have any hackintosh experience you’ll know about having to run an EFI emulation.

The UEFI specification contains a firmware validation method, which works by defining certificate keys for which boot code is ‘secure’ and therefore allowed to run during boot. Microsoft supplies these keys to manufacturers, who include it on their machines, and only boot code which has a corresponding secure key is allowed to boot.

windows 8 limitations

windows 8 blocks linux

Basically this prevents malware from launching at a boot level, so it’s potentially mitigated a large number of security threats. The problem with malware that runs at the boot level is that it’s very difficult for regular anti-malware to protect against or remove, as by the time the anti-malware app has loaded (after windows boot), it’s already there.


Unfortunately, with Secure Boot enabled, you’ll also be prevented from launching any boot code for which for the machine doesn’t have the appropriate certificate keys. Now, it is entirely possible for other organisations to provide secure keys to manufacturers – like a set of keys for Ubuntu for example – but manufacturers are under absolutely no obligation to incorporate these; and without them, the other OS just won’t install or boot.

So is it time to say goodbye to installing another OS?

Microsoft’s Response

In response to the concerns that this might prevent other operating systems from being installed, Microsoft has stated that secure boot is optional, and can be turned off from within the pre-boot setup screen. Here’s a screenshot from the MSDN Windows 8 blog post on the topic, clearly showing it’s optional on the Windows-8 based Samsung tablet that was offered to //BUILD/ participants where Windows 8 was first demoed What You Can Expect To See In Windows 8 No sooner had the dust settled over the bumpy transition from Windows Vista to Windows 7, than Microsoft started fueling interest around its upcoming new operating system, codenamed Windows 8, which is expected to be... Read More .

windows 8 blocks linux


So, End Of Story?

Not entirely it would seem. As Matthew Garret notes:

Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we’ve already been informed by hardware vendors that some hardware will not have this option.

That’s right – although some manufacturers may choose to make the Secure Boot setting optional and therefore able to be disabled by the user – gaining certifications for Windows 8 compatibility does not require it, and some have explicitly stated it will not be optional on their machines (though there are no details on precisely which manufacturers have stated this yet).

Microsoft has thrown the ball to the manufacturers court, and it could go either way. The PC business is incredibly competitive, so getting that Windows logo is all important, that’s a given. On the one hand, manufacturers will be keen to offer the best computing experience to the majority of their customers and if that means mitigating yet another security threat (and the inevitable support calls they need to deal with boot-level malware), then they’ll go for it. Other operating systems can still be run, if they provide certificate keys and if the manufacturers agree to include them. On the other hand, I suspect a real PR backlash will be forthcoming against any PC makers that do decide to force Secure Boot onto the user, so it may be a non-issue in the end.

What Can You Do About It?

The Free Software Foundation is running a petition encouraging computer makers to support Secure Boot in a way which ensures the user has control – specifically, the option to turn it off entirely. Be sure to head over and sign now if you’re at all interested in consumer freedoms and the right to run alternative operating systems on your own PC.


windows 8 limitations

Also, be sure to share this post with all your friends to explain the issue and why they should care, getting them to sign the petition too.

Source: Free Software Foundation

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Tyler Roemhildt
    November 18, 2011 at 2:13 am

    Makes sense to me,

    read "In response to the concerns that this might prevent other operating systems from being installed, Microsoft has stated that secure boot is optional, and can be turned off from within the pre-boot setup screen."

    This is a security feature intended for mainstream PC users. What percentage of PC users will want to install Linux vs the number of people that get infected with viruses because of the lack of a feature like that? I'm not educated on the infection rates, but I know that less than 1% of people will want to install Linux.

    Besides, anyone with the knowledge of how to install Linux could easily learn how to disable secure boot. Linux people tend to be pretty tech savvy.

    • muotechguy
      November 19, 2011 at 10:00 am

      Read again Tyler. The problem is that the option to turn off secure boot is on the OEM side, and in order to be giving the microsoft approval is doesnt HAVE TO be an option. So many OEMs *may* choose to make it non-optional, which is the whole problem here. 

  2. Klaus Fiedler
    October 29, 2011 at 5:43 pm

    Will anything be set up to prevent Windows's bootloader from chainloading another bootloader like grub or whatever? Worst case I can imagine having to create a setup where the lockdown bootloader is set to chainload a contemporary windows BL, say the one from Windows 7, which in turn chainloads the bootloader that starts the OS.

    Maybe future bootloaders will be locked down but not operating systems. If I've seen what the the open source community is capable of, I doubt even those will be able to stay locked down for very long.

    • James Bruce
      November 3, 2011 at 10:01 am

      Yes, it sounds as thought chaining bootloaders wont be possible under this system. 

      As for the open source community effectively hacking these security measures, I have no doubt they will. Is that a good thing though? Remember, the whole point of this is to protect consumers from malware. It's all well saying this will open up to installing other OSes, but it would also totally invalidate the security measures and brind a new wave of bootloading malware, surely?

  3. Rob Hindle2008
    October 29, 2011 at 10:41 am

    1.  What if you have a Win7 PC and want to upgrade to Win8, surely not disallowed and presumably PC is "old" BIOS
    2. What about those useful bootable linux "rescue" CD/DVDs, surely a bad move to block them

    • James Bruce
      October 29, 2011 at 11:13 am

      1. Of course, you will be able to install on a BIOS style PC too. UEFI Secure Boot will only be for new OEM computers. 

      2. Yes, it will block those.