News

Windows 8 Dual Boot Possible If 'Secure Boot' Disabled

Microsoft addressed a claim that Windows 8 will not allow Linux operating systems to coexist in a dual-boot configuration on PCs, based on use of the Unified Extensible Firmware Interface (UEFI) standard.

The debunking of that claim was carried out by Tony Mangefeste, who works with the Microsoft ecosystem team, in a Thursday blog post. Mangefeste claimed that dual boot with Linux OSes can be supported on Windows 8, even Linux OSes that lack trusted certificates, but the user must first turn off a "secure boot" security feature in the firmware, which Microsoft doesn't recommend doing.

Mangefeste also noted that a setting exists in the Samsung tablets running Windows 8 that were released at Microsoft's Build conference last week where users can make this change. However, these Windows 8 "developer preview" machines aren't necessarily reflective of final products. Microsoft would be expected to add or remove features at will at this point, since code-named "Windows 8" is still at the prebeta stage.

The controversy was spurred, in part, by a blog post by Matthew Garrett, a Red Hat developer focused on power management and mobile Linux technologies. Garrett subsequently wrote that Mangefeste's explanations do not contradict his assertions. Garrett claims, among other points, that "Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option."

Microsoft is requiring that certified systems ship with secure boot by default. Whether it will let the user disable that feature in the final build of Windows 8 remains to be seen.

Secure Boot Not Supported on Linux
Windows 8 can run using BIOS system firmware or it can run on UEFI firmware. Microsoft's OEM firmware partners can make the choice on which to use. Possibly, firmware vendors will simply opt to meet Microsoft's requirements, shipping machines with secure boot turned on, since the vast majority of PCs run Windows, Garrett pointed out. Linux apparently has some technical issues, perhaps mostly affecting hobbyists, that might make using unsigned certificates a necessity. Garrett says that Linux doesn't support secure boot now, but he also shrugs off the limitation, saying it's "about a week's worth of effort" to add that support.  

The whole dual-boot argument associated with Linux seems to be "much ado about nothing" since even Windows 7 presently is not slated to have support for a dual-boot configuration with Windows 8. That point was underscored in a panel session at Microsoft's Build conference, "Delivering a Secure and Fast Boot Experience With UEFI." Speaker Arie van der Hoeven, a Microsoft principal lead program manager, was asked directly about the dual-boot capability and secure boot protection in Windows 8.

"If you are dual booting, it depends on whether you are booting into another trusted operating system," van der Hoeven said. "One discussion we are having is…[with] this first firmware OK boot manager OK handshake, you can't have a version of that that works with Windows 7. Windows 7 doesn't have the ability to check firmware. The firmware can check and make sure it is assigned a Windows 7 boot loader. Truly, right now today, if you want to have secure boot and you want to dual boot Windows 8 and Windows 7, you need to turn secure boot off in firmware. We are thinking about having a way that you can go ahead and make that work, but that's not POR [plan of record] today."

Microsoft is moving to support UEFI standards for booting the OS, while the BIOS system is seen as more of a legacy approach. However, right now, Microsoft is testing Windows 8 on machines that are about 90 percent BIOS based, van der Hoeven explained.

BIOS systems, which stem from the 1980s, only work with x86 and x64 hardware. The spec was not designed to work with Itanium hardware. UEFI arose, in part, to address that Itanium shortcoming, van der Hoeven explained. BIOS systems are further limited to a boot disk size of 2.2 TB, and UEFI expands on that size. BIOS systems still use "ugly" screen menus because they are based on VGA graphics.

Moreover, all ARM-based processors use the UEFI model, van der Hoeven said.

A little bit of UEFI already runs in the background of current BIOS systems, van der Hoeven said. However, the element that Microsoft has focused on with UEFI for Windows 8 is the ability to expose UEFI to the operating system through UEFI runtime services. This runtime allows the OS and firmware to communicate about white-listed and black-listed certificates. It can help ward off rootkits and "bootkits" that may shield the presence of malware. Van der Hoeven said that Microsoft can add untrusted certificates to a blacklist via Windows Update under this UEFI scheme. All firmware and software in the boot process must be signed by a trusted Certificate Authority, he added.
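
As an added illustration (not part of the original article or of Microsoft's material), the Python sketch below shows how an operating system can read the firmware's Secure Boot state through UEFI runtime variables, here via the Linux efivarfs layout. The function names and the sample byte strings are constructed for this example.

```python
import struct
from pathlib import Path

# GUID of the EFI global variable namespace defined by the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Linux exposes UEFI runtime variables as files under this efivarfs mount.
EFIVARS = Path("/sys/firmware/efi/efivars")

# Variable attribute bits from the UEFI specification.
ATTRS = {0x1: "NON_VOLATILE", 0x2: "BOOTSERVICE_ACCESS", 0x4: "RUNTIME_ACCESS"}

# Constructed sample efivarfs contents: 4-byte attribute mask + 1-byte value.
SAMPLE_ON = bytes([0x06, 0, 0, 0, 1])
SAMPLE_OFF = bytes([0x06, 0, 0, 0, 0])


def parse_efivar(raw):
    """Split an efivarfs file into (attribute names, payload bytes).

    efivarfs prefixes every variable with a 4-byte little-endian
    attribute mask; the variable's data follows it.
    """
    if len(raw) < 4:
        raise ValueError("entry shorter than the 4-byte attribute header")
    (mask,) = struct.unpack_from("<I", raw)
    names = [name for bit, name in ATTRS.items() if mask & bit]
    return names, raw[4:]


def flag(raw):
    """Decode a one-byte boolean variable; None if absent or malformed."""
    if raw is None:
        return None
    try:
        _, data = parse_efivar(raw)
    except ValueError:
        return None
    if len(data) != 1 or data[0] not in (0, 1):
        return None
    return bool(data[0])


def secure_boot_state(secure_boot_raw, setup_mode_raw):
    """Classify the platform from the SecureBoot and SetupMode variables."""
    enforcing = flag(secure_boot_raw)
    setup = flag(setup_mode_raw)
    if enforcing is None:
        return "unknown"      # legacy BIOS boot, or variable unreadable
    if enforcing:
        return "enforcing"    # firmware verifies loader signatures
    if setup:
        return "setup-mode"   # no Platform Key enrolled, nothing enforced
    return "disabled"         # keys enrolled, verification switched off


def read_var(name):
    """Read one global UEFI variable from efivarfs, or None if unavailable."""
    try:
        return (EFIVARS / f"{name}-{EFI_GLOBAL}").read_bytes()
    except OSError:
        return None


if __name__ == "__main__":
    live = secure_boot_state(read_var("SecureBoot"), read_var("SetupMode"))
    print("this machine:", live)
    print("constructed sample:", secure_boot_state(SAMPLE_ON, SAMPLE_OFF))
```

A result of "disabled" or "setup-mode" on a machine expected to enforce Secure Boot is the condition worth alerting on in a fleet audit.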

Windows 8 To Require Secure Boot
Secure boot is not Microsoft's proprietary firmware validation procedure but is specified in UEFI 2.3.1 in Chapter 27. It's optional to use according to the spec, but Microsoft is requiring secure boot in certified Windows 8 systems. Secure boot operates in the boot path to ensure that only verified loaders will boot Windows 8, and it prevents malware from switching the boot loaders. Today's PCs do not have this protection, according to Mangefeste.

"In most PCs today, the pre-operating system environment is vulnerable to attacks by redirecting the boot loader handoff to possible malicious loaders," Mangefeste wrote in the blog. "These loaders would remain undetected to operating system security measures and antimalware software."

Microsoft also plans to enable "early launch antimalware" as part of the boot path to provide better protection to Windows 8 users.

Van der Hoeven said that Microsoft is seeing a shorter POST time with UEFI. It works by creating a small hyper file during the shutdown of user applications and the user state. The hyper file is read during the next bootup, enabling a shorter startup time. Van der Hoeven said that a five- to six-second startup time will be the default experience on Windows 8. Users will also get that experience when using BIOS instead of UEFI.

UEFI in Windows 8 will also provide "native support for encrypted hard drives," which will become a "commodity item in the Windows 8 timeline," van der Hoeven said. This encryption works seamlessly with BitLocker in Windows 8. It will eliminate a data security management problem currently associated with BitLocker.

"If you are managing an enterprise, and you have a bunch of desktops that are connected with an Ethernet cable, or you have a bank of servers that you really want to have great data protection on, and you want to have that data BitLocker protected, today you have a big problem," van der Hoeven said. "Because if you try and remotely reboot all of those systems and they have BitLocker, you have to send a tech in there and hit a pin code every time you boot up. With UEFI and DHCP, you can store those pin codes in a remote server, and as long as those desktops are connected to the remote server, they will automatically reboot."

Finally, for those interested in seeing what Microsoft's new "blue screen of death" will look like for Windows 8, van der Hoeven obliged with a screen shot. It's still blue, but a little more "friendly."

Windows 8 Blue Screen
The new Windows 8 blue screen, indicating system failure.

About the Author

Kurt Mackie is online news editor for the 1105 Enterprise Computing Group.


Reader Comments:

Thu, Nov 29, 2012 Eddie Wilson United States

I take exception to the fact that Microsoft is telling me that Secure Boot is needed to keep a binary virus from loading into my system when I start up my computer. That will not happen on a properly cared for system. There has not been any danger of that since the days of using floppies to boot up your computer system. Secure Boot simply is not needed except for vendor lockout. If MS wants to lock out their own systems the same as Apple that is just fine. The rest of the OEM and hardware market place has no such right to do so and MS has no such right to ask them to do so. Secure Boot will not help or protect the consumer in any way, shape, or fashion.

Sun, May 6, 2012 Dual Boot http://dual-boot.com

I would say it's a security issue if you disable secure boot and hence not worth it.

Mon, Feb 13, 2012 Steve Sol III

Long story short: The big OEMs will provide a simple method to turn secure boot off because corporate and academic IT departments will not purchase a machine they can not maintain. And by maintain, I mean boot the system with a Linux based rescue OS to recover data from a hard drive with a hosed OS, run hardware diagnostics, and/or clone fully configured systems for mass deployment. Some of the more abusive vendors like HP might ship locked down systems to "big box" stores for ignorant consumers, because they want the systems to brick right out of warranty - it drives replacement sales. But even that is not TOO likely.

Thu, Feb 2, 2012 justauser

I don't think the problem of unsecure booting is driving this initiative. I think microsoft believes that its grip is slipping, so seeks to lock down its OS. Windows is a great OS, no argument there, but a loss of versatility will reduce its appeal. At least for me. I would suggest just leaving all the present options open and adding one: a means to reflash the UEFI. In other words, if the issue is unsecure booting, why not just provide a means to reflash the bios or tpm or uefi or pbcak or whatever the silly thing is? So if I let the barrier down and boot up a linux, and gum up my uefi, I can restart with the cd/usb/smart card and reflash the corrupted uefi/bios/tpm/ etc?. So, for Grandma, who only knows where the on/off switch is, UEFI protects her. For the kids, who think they're tekkies, there is the "EFI off" option. For dad, there is the reflash gadget to fix whatever the kids mess up. From now on, as long as I own the machine and the OS. This would have the added advantage of dealing with the inevitable uefi hack. Don't deny it, you know it will happen. Always has.

Tue, Oct 25, 2011

Microsoft, being its quick to ignore security leaks self, now closes the OPTION for people to use something other than what THEY dictate. I work, and have worked with, Windows systems from the very early days, from Windows BOB to the latest and greatest. The only reason that they have hardware support is due to financial force. I can't tell you how many drivers I've installed for their OS's, simply to have them conflict/break/crash the systems that were working properly. Now, that being said, that's due to developers finding loopholes in the libraries used, etc. If Microsoft would go back to the beginning, implementing solid testing from the most basic aspects, and fix the countless issues that get implemented with each new release, instead of providing even more bogus backdoors and bugs, then I'd back them up. Until then, my systems at home will remain predominately linux based, except for the 1 system that runs games. Linux may not have all the hardware support of the Microsoft wagon, but at least they don't try to keep someone from using the best tool for the best job, and don't try to implement more bugs than they fix. Microsoft, get your head out of the clouds, and come down to earth, where a majority of your users are.

Wed, Oct 5, 2011 god everywhere

you don't need windows if you have a life you just need buy a $200 license ________________________________________ Look toward the light windows users it will save you

Wed, Sep 28, 2011

take a puff of this man its some good sh#%___________________________________ PEACE LOVE AND OPEN SOURCE ______________________________________

Wed, Sep 28, 2011

-----------A_N_D_R_O_I_D-----------

Wed, Sep 28, 2011 god some where in the sky

_______---L---I---N---U---X---________

Wed, Sep 28, 2011

"""This security feature of w8 is all about protecting the drivers for hardware and manufacturers have historically neglected"""" ---------Sorry it is not---------------- Linux distribution will need to have certified keys from the manufacturer in-order to boot. "Now", why should hardware standards be controlled by Microsoft. """" If Linux is so great why the dual boot anyway? Still need direct x, FireWire or iTunes? Ps my captcha was km69 Keyboard mouse, grow up!""""" I don't dual boot. I don't use FireWire. I don't use Itunes and I don't use wireless keyboards. I only use Linux and Android and I want someone or anyone who wakes up from the nightmare of Windows, the choice of a truly great OS. You sad lost child.

Wed, Sep 28, 2011 Pablo

Read the article Linus. Just disable the protection and you can dual boot up novell 4.11 if you want. This is a new protection from viruses taking control of your hardware that MS has dedicated millions to thwart so you can play games and tweet better. Protection that you don't have anyways on any OS before this, so it's no loss to disable if you want to surf the net with a free windows knock off instead. Mac didn't even support dual boot until they switched to pentium chips, copying MS. Where's the linux fan boy who knows how to get Linux to run the dishwasher, and believes that machines will rise up? You think you can dual boot your ipad2 any easier. Just use virtualization, if you can afford it. Wait, its cheaper than buying a second system. This security feature of w8 is all about protecting the drivers for hardware and manufacturers have historically neglected, if not ignored security at the hardware layer and viruses are exploiting this vulnerability more and more because the OS is so secure they go after the drivers and other weak links like Flash. If Linux is so great why the dual boot anyway? Still need direct x, FireWire or iTunes? Ps my captcha was km69 Keyboard mouse, grow up!

Tue, Sep 27, 2011

find the light Microsoft slaves

Tue, Sep 27, 2011 god some where in the sky

_______---L---I---N---U---X---________

Tue, Sep 27, 2011 90's rocker

secure UEFI. Meaning a hardened boot process. This hardened boot means that "all firmware and software in the boot process must be signed by a trusted Certificate Authority (CA)," according to slides from a recent presentation on the UEFI boot process made by Arie van der Hoeven, Microsoft Principal Lead Program Manager. It's the secure booting that puts Linux on the spot, because it means in order to be bootable on one of these Windows 8-certified machines, the Linux distribution will need to have certified keys from the manufacturer. Garrett mentions: who's to say the OEMs are going to provide keys for Linux to hook into? Sure, they have to provide keys for Windows 8 if they want to be able to sell Windows 8 on their hardware, but there's no rule that says they have to provide keys for anyone else. Microsoft will argue--in fact, has argued in a rebuttal on this matter on Sept. 22--that this is a security matter for Microsoft Windows deployments, and they are in no way influencing what the hardware vendors are doing with their keys. Microsoft is not preventing other operating systems' keys from being handed out, and it's not their problem if the OEMs aren't accommodating to other operating systems. The funny thing is, they're right. In one fell swoop, Microsoft has shifted the blame from their requirements to the actions (or inactions) of the OEMs. And why should the hardware vendors feel any pressure to provide keys, as Garrett summarizes?

Tue, Sep 27, 2011 god sky

80's rock is really bad it's time for you to join us in 2011 and to all of my misguided Windows users Install Ubuntu and don't look back, if you do you will only see darkness.

Tue, Sep 27, 2011

-------80s Rocker------ I don't think you understand what is happening? This is not about Linux it's about Microsoft defining a new hardware standard. Should a software corporation have that much control over the hardware market? No. What happens when one corporation controls a market??______________________________________________________________________ """""""""" What incentive would that motherboard manufacturer have in supporting other operating systems??""""""""""""""""" If I am showing my stupidity, then I must be just another stupid Linux user.

Tue, Sep 27, 2011 jim

Perhaps Microsoft needs to make a blue screen of death for innovation. :(

Tue, Sep 27, 2011 80s Rocker

Why can't any of these blogs keep the spacing in post. What I type in is what user should see. There is no excuse for not having a better experience when posting.

Tue, Sep 27, 2011 80s Rocker

Linux users who are posting here are showing their stupidity and hatred to MS. 1) You can uninstall Windows 8 and install Linux and run it without any issues. 2) You cannot dual boot with Linux because they do not support it. That is a problem with Linux not MS. So if you want to dual boot then get the version of Linux you are running to support it. Based on comment made in article, this should not be hard to do. 3) There also seems to be a workaround doing a triple boot machine with Win7, Win8 and Linux and making Win7 the default. Also wonder if the same would work if you install Linux first and made it the default boot partition then installed Win8 and made it the secondary. So for all you lazy people who are already seeing dollar signs and an easy way to get MS money, give up now. There is no case against MS and they are actually making their OS more secure. I for one like that. Maybe you should sue Linux because it does not support secure boot.

Tue, Sep 27, 2011 jim mars

""" I don't think anyone could argue against the uefi architecture in attempting to make PCs more secure at boot-up. If Microsoft want to incorporate this process into Windows 8 then it is their choice and perfectly acceptable for them to do so. """ No. It comes down to economic manipulation, if a motherboard manufacturer needs to spend money on supporting uefi security to satisfy Microsoft's requirements; what incentive would that motherboard manufacturer have in supporting other operating systems?? """Many purchasers of Windows 8 will be grateful for this development.""" No. Most purchasers of Windows 8 will never know what uefi is, however Linux users may need to spend $150 to $300 on a non-Microsoft certified motherboard and that should be a crime.

Tue, Sep 27, 2011 LONDON

I don't think anyone could argue against the uefi architecture in attempting to make PCs more secure at boot-up. If Microsoft want to incorporate this process into Windows 8 then it is their choice and perfectly acceptable for them to do so. Many purchasers of Windows 8 will be grateful for this development. What is NOT acceptable, however, is for the customer who, after all, is buying a "machine", to be prevented from switching this facility off if they wish to take that risk. PC buyers, not necessarily confined to Linux users, must be allowed to exercise that choice at their own risk. Microsoft may wish to reflect on the reaction of the EU to their integrated browser and it may be advisable ( politically ) for Microsoft, in backing this process, to ensure that an "off switch" is made available by firmware manufacturers. Unfortunately, outside of the EU, such issues are not given sufficient thought until a multi-million Dollar fine results. Whether the fine lands on the desks of Microsoft or the firmware manufacturers is a moot point but one thing is for sure, the legal eagles will be gearing up for this new " business opportunity".

Tue, Sep 27, 2011 jim

So much anger """ Serious you Linux bigots...no one is saying you can't purge Windows 8 from your box and single boot Linux. Have at it. Oy...you people need a life. """ This new type of BIOS is not supported by Linux and if you don't have something intelligent to add please express your anger of Linux user on another site.

Mon, Sep 26, 2011 London

How would bootable recovery disks such as Norton Ghost work or will Microsoft provide such a tool instead ?

Mon, Sep 26, 2011

Serious you Linux bigots...no one is saying you can't purge Windows 8 from your box and single boot Linux. Have at it. Oy...you people need a life.

Mon, Sep 26, 2011 wrayc

I am able to triple boot between win 7 and 8 as well as linux. Simply select the windows 7 as the default bootloader from windows 8 options. Linux should have already been added to the win 7 bootloader by easy bcd etc.

Mon, Sep 26, 2011 jim no way

I think you're a troll, and I know I should not reply but there is so much misinformation about Linux. """" Why should you be allowed to install Linux on a Microsoft powered system? If you want to have Linux on a decent system, then buy it that way. Oh wait, I've yet to see a decent spec system powered by Linux. So build your own spec machine and shut the fuck up.""" ""Why should you be allowed to install Linux on a Microsoft powered system?? "" This is an interesting question. When you buy a license for some software like Photo Shop 7, you're buying a license to use that software. You are not buying the software itself. When you buy a computer you are not buying a license to use it. You are claiming ownership of the device. If you want to use your computer to power flickering Halloween lights you can-- it's your computer. """ If you want to have Linux on a decent system, then buy it that way. Oh wait, I've yet to see a decent spec system powered by Linux. So build your own spec machine and shut the fuck up. """ Ok, a lot of anger. This statement is just incorrect. If you want a good Linux hardware spec computer then go to System 76 or just do a Google search there are many online stores that sell high end linux computers and no this is NOT spam. Read about open source and please don't allow your anger to think or speak for you

Sun, Sep 25, 2011

"Why should you be allowed ...?" Because I own it. Now shut the fuck up.

Sun, Sep 25, 2011

As an antitrust lawyer I am SALIVATING over this! I gotta go because I see a good payday ahead!

Sun, Sep 25, 2011

I called Apple and they support dual boot with linux! Everybody can buy Apple instead of Micro$oft machine and life moves on. Just think Micro$oft is screwing itself and giving business to Apple! HAHAHAHAHA! Apple rules anyway! HAHAHAHA!!!!!!!!

Sun, Sep 25, 2011

It won't happen since using only one operating system would be bad for national security! The military hates Micro$oft!

Sun, Sep 25, 2011

Why not buy the machine and then sue Micro$oft! I want some of their money anyway since they have deep pockets!

Sun, Sep 25, 2011

I have already started calling all big box retailers telling about this and the majority are horrified with what this is going to do to them! They don't want to be caught in this Micro$oft screwup! One retailer said they would force Micro$oft to make changes to this or they plan to join in to an antitrust lawsuit!

Sun, Sep 25, 2011 justauser

"Why should you be allowed...?" Well, see, it is not a "windows powered system". It is a machine. I paid for it. I will choose what it runs. I will not choose an operating system that excludes all others.

Sun, Sep 25, 2011

why would anyone want to install linux. problems with hardware not working problems when you change hardware. problems with watching video out of the box. no a v chat on yahoo or msn all equal an os that is not user friendly and is about useless cause it doesn't do what is necessary. switching from windows 7 or windows 8 to linux would be the same as switching from a nice cadillac or rolls royce to a car that had just been in an accident and totaled out that you bought from a junk yard. granted windows xp was junk but windows 7 and windows 8 are awesome

Sun, Sep 25, 2011

uefi rules mbr and linux drool

Sat, Sep 24, 2011

Very simply, if I purchase a machine, it ought to belong to me, not to Microsoft.

Sat, Sep 24, 2011 Col Panek Rome, NY

This will make it a lot easier to get the Microsoft Tax rebate.

Sat, Sep 24, 2011

Why should you be allowed to install Linux on a Microsoft powered system? If you want to have Linux on a decent system, then buy it that way. Oh wait, I've yet to see a decent spec system powered by Linux. So build your own spec machine and shut the fuck up.

Fri, Sep 23, 2011 Don Ray Myrtle Beach, SC

You are so ignorant! A customer comes in my store and wants to buy a computer for specs alone and wants to uninstall Windoze 8 and put linux on it and is locked out. Customers who use linux are already pissed off about this. I have been fielding complaints about this all day long Micro$oft has pissed off the Linux community again and will face another antitrust lawsuit over this I am sure!
