Windows 8 PC’s, Linux, and the UEFI

http://www.everything-microsoft.com/2012/06/11/windows-8-pcs-linux-uefi/

You may find this article of interest if you dual boot with Windows and are thinking about Windows 8.

I think it is just another reason to buy from a local supplier who will build you a computer and leave it up to you to install the operating system.

Laptops, now that’s another matter, but plenty of refurbs out there with no OS.

We don’t have to worry though. Red Hat has paid MS for boot keys, which will soon enough be spread around the Linux ecosystem, and Microsoft will have outdone themselves once again.

It really doesn’t worry us, and even if it did, they’re digital keys… We can make fakes!

My personal opinion is hardware manufacturers would be stupid not to allow secure boot to be disabled, as this would lock their PCs to Win8 … which in my (and a lot of others’) opinion will be a flop … so they’d be tying their hardware to an OS that may flop, with no XP downgrade path, and a lot of bitching business customers who STILL prefer XP … too big of a risk, when there’s an easy way out for them … make secure boot disableable ← is that even a word ?

But we’ll have to wait and see … it’s certainly something people need to be aware of, but as the “Designed/Certified for Windows 8” requirement (for x86 PCs) only says it has to be enabled by default, but DOES allow for it to be disableable (if the hardware manufacturer chooses to implement that) … you just have to be smarter in your buying decisions, and ask if smart boot is disableable before buying.

That does NOT apply to ARM devices, where the “Designed/Certified for Windows 8” requirement expressly forbids the disabling of secure boot.

Personally I disagree with Fedora’s decision to buy a signature … it appears to validate secure boot, and it’s yet to be proven if secure boot will make a PC more secure (even for Windows) … which I seriously doubt.

Interesting article here which suggests …

Canonical’s ‘Ubuntu BIOS/UEFI Requirements’ may lock down a ‘secure boot’ enabled system tighter than Microsoft’s ‘Windows 8 HCR’ (Hardware Certification Requirements):

http://www.muktware.com/3709/ubuntus-uefi-secure-boot-requirements-odms

as (according to the article) “there’s no indication that Canonical will be offering any kind of signing service” … and the rest is pretty much the same as Microsoft’s Windows 8 HCR as far as secure boot is concerned.

In fairness, it must be said that there’s also no indication that they won’t … and the Microsoft section on secure boot doesn’t mention a signing service either (as far as I can see).

Here’s the relevant section of the Ubuntu BIOS/UEFI Requirements PDF:

9.5. Secure boot

Section 27 of the UEFI specification [UEFI 2.3.1] defines “Secure Boot”, a mechanism for authenticating boot images loaded by UEFI firmware. Although the description of the secure boot mechanism is comprehensive, it does not define any policy for ownership of authentication information.

Canonical, in conjunction with industry partners, has released a whitepaper [UEFI-SB] detailing the issues surrounding UEFI secure boot and Linux-based operating systems.

Canonical will provide keys and signed boot images for use with secure boot functionality. The signing key will be provided as an x.509-encapsulated 2048-bit RSA public key. OEMs must embed this key in the KEK and db signature databases, as an entry of type EFI_CERT_X509_GUID. The PK is left for the OEM to define.

Any machine shipped with Ubuntu must support reconfiguration of the keys used in the secure boot process, to allow users to use secure boot with their own keys and custom boot images. The firmware interface should allow a physically-present user to enter the machine in to setup mode, or manually load KEK, db and dbx entries from disk or removable storage. This requirement is compatible with the Windows 8 Hardware Certification Requirements [WIN8HCR], § System.Fundamentals.Firmware.UEFISecureBoot, item 20.

Any machine shipped with Ubuntu must allow a physically-present user to disable and re-enable secure boot verification functionality. This requirement is compatible with the Windows 8 Hardware Certification Requirements [WIN8HCR], § System.Fundamentals.Firmware.UEFISecureBoot, item 21.

Systems shipping with secure boot enabled must not use a CSM module for legacy BIOS compatibility.

Due to the very limited availability of UEFI implementations with secure boot functionality, Canonical requires additional testing effort for any SKUs that are required to support secure boot. We require that a sample SKU be provided early in the enablement process, to allow for this additional testing.

For more information on enabling Ubuntu on a system supporting secure boot, please contact Canonical.

For those that are interested … here are links to the Ubuntu BIOS/UEFI Requirements and Windows 8 certification requirement (secure boot) PDF’s:

Ubuntu BIOS/UEFI Requirements (secure boot starts at page 26):-
http://odm.ubuntu.com/docs/ubuntu-bios-uefi-requirements.pdf

Windows 8 HCR (secure boot starts at page 119):-

or direct download:
http://download.microsoft.com/download/A/D/F/ADF5BEDE-C0FB-4CC0-A3E1-B38093F50BA1/windows8-hardware-cert-requirements-system.pdf

This validates secure boot just as much (if not more) than the Fedora solution … it still remains to be seen how Canonical/Ubuntu are planning on dealing with secure boot on non-Ubuntu-certified systems.

IMHO for the time being Linux devs should plan for (contingency), but DO NOTHING concerning secure boot … validating secure boot allows the hardware manufacturers to NOT include a secure boot disable feature … though it must be said that in the open source world keeping your contingency plans quiet would probably be impossible :)
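
For anyone who wants to check what is actually enrolled on a machine: the quoted section 9.5 says the key goes into KEK and db as an entry of type EFI_CERT_X509_GUID. The sketch below is an added example, not code from this thread or from Canonical's document. It walks the EFI_SIGNATURE_LIST structures that make up such a variable and picks out the X.509 entries; the sample data, the owner GUID and the helper names are constructed for illustration.

```python
import struct
import uuid

# Signature-type GUIDs as defined in the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size

def parse_signature_lists(blob):
    """Return [(type_guid, owner_guid, data)] for every entry in a db/KEK/dbx payload."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        start = off + HEADER.size + hdr_size
        end = off + list_size
        # Reject sizes that would run past the buffer or never advance.
        if sig_size < 16 or start > end or end > len(blob) or (end - start) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for pos in range(start, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((uuid.UUID(bytes_le=raw_type), owner,
                            blob[pos + 16:pos + sig_size]))
        off = end
    return entries

def x509_owners(blob):
    """Owner GUIDs of the EFI_CERT_X509_GUID entries, i.e. the enrolled certificates."""
    return [owner for t, owner, _ in parse_signature_lists(blob)
            if t == EFI_CERT_X509_GUID]

def make_list(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST (used here only to construct sample input)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0,
                       16 + len(payloads[0])) + body

# Constructed sample: a placeholder "certificate" (not real DER) and one SHA-256 entry.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up owner GUID
SAMPLE_DB = (make_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82" + bytes(30)])
             + make_list(EFI_CERT_SHA256_GUID, OWNER, [bytes(32)]))

if __name__ == "__main__":
    for sig_type, owner, data in parse_signature_lists(SAMPLE_DB):
        kind = "X.509" if sig_type == EFI_CERT_X509_GUID else str(sig_type)
        print(f"{kind:36} owner={owner} {len(data)} bytes")
```

On Linux the same parser can be pointed at the db file under /sys/firmware/efi/efivars/, after dropping the first 4 bytes, which efivarfs uses for the variable's attributes.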

IMO, I think “Secure Boot” will end up flopping, as I think it would slow down performance, not to mention many angry end-users that CAN’T disable it because the manufacturer hasn’t given them that option.

I honestly can’t see why Microsoft just didn’t put the time and money into actually sorting their kernel out, instead of just masking it with the time and money they put into “Secure Boot”.

MS have always tried to tie people into their products and services, possibly not what BG intended, but I think he lost control of MS many moons ago…

That’s because he isn’t the owner anymore. He sold MS years ago, although he still retains a share in it. Steve Ballmer is the new C.E.O.

I doubt if it will slow systems from booting by more than a few microseconds (whilst it checks the keys), but as UEFI on the whole is (supposed to be) faster than the BIOS it replaces, and pretty invisible to Joe Average … it may even be perceived as having speeded up the boot process.


Further to my last posting, and the article that prompted it … after re-reading the Ubuntu BIOS/UEFI Requirements (secure boot section), it doesn’t appear to say secure boot must be enabled by default like the Microsoft Windows 8 HCR.

Still can’t say I’m happy about them appearing to validate it though … but I suppose there’s little choice.