Windows 8 secure boot feature to lock out Linux

A previously unused feature of the UEFI BIOS specification, the secure boot protocol, is due to become standard as part of the roll-out of Windows 8 - and it seems set to prevent the installation of alternative operating systems.

Currently, systems provided with Windows installed under Microsoft's logo programme - which asks OEMs to adhere to certain rules and regulations in exchange for the right to stick a Windows logo on their kit - can be reformatted and a third-party operating system installed instead.

A feature of the new UEFI specification could end all that, however. A security mechanism called 'secure boot' keeps secret keys within the system, which is then used to sign code that will be executed - including operating systems.

If an operating system isn't signed with a valid key held in the UEFI key store, it won't boot. While that's great news in terms of protection from boot-level viruses - which are making a comeback - that's bad news for alternative operating systems like Linux.

Previously, secure boot has been disabled by default, but changes to the Windows logo programme will require vendors to enable the technology if they want to receive Microsoft validation. Free software enthusiasts warn that the change will prevent end-users from installing third-party operating systems - or even downgrading a Windows 8 OEM install to a previous version of Windows.

Microsoft isn't, strictly speaking, blocking anything - but by mandating the use of secure boot, it places a requirement on third-party OS vendors to create a version which is signed with a secret key. That's something which some licences, including the popular GNU General Public Licence v3, expressly forbid - and still leaves the vendors trying to convince OEMs to include their key in the UEFI key store.

Thankfully, there may be light at the end of the tunnel: while Microsoft mandates that secure boot is enabled by default, there's nothing to stop OEMs providing an option in the BIOS to disable the function. As long as all OEMs provide an off-switch for the secure boot technology, there shouldn't be a problem. If they choose not to include such a function, however, times could get tough for anyone creating desktop operating systems - other than Microsoft, of course.

"It's probably not worth panicking yet," Red Hat's Matthew Garrett explains in a thorough blog post on the matter. "But it is worth being concerned."