Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Microsoft could ban Linux installations on Windows 8 machines under its secure boot protocol according to academics.
The protocol was part of the Unified Extensible Firmware Interface (UEFI) (pdf), a more secure and efficient replacement for the BIOS.
Microsoft’s principal lead program manager Arie van der Hoeven said the secure boot protocol “reduces the likelihood of bootkits, rootkits and ransomware”.
But the secure boot protocol introduced into a draft UEFI specification release could ban Linux --which supports UEFI -- FreeBSD, and bootable applications from Windows 8 machines.
All Microsoft Windows 8 machines ship with secure boot enabled.
A ban would be enforced by a white- and blacklist system that permits or denies software execution in conjunction with Microsoft signing keys.
Only “trusted certificate authorities” and OEM vendors could sign keys for software.
An operating system with the correct Pkek keys -- which allow an operating system and firmware to communicate -- can add additional keys to the white- and blacklists.
Hardware with unsigned firmware would fail to properly execute, researchers said.
It could also prevent unsigned custom built kernels from being used according to Cambridge University PhD student and Linux blogger Matthew Garrett.
“In the near future the design of the kernel will mean [it] is part of the bootloader [which] means that kernels will also have to be signed, making it impossible for users or developers to build their own kernels. Finally, if we self-sign, it's still necessary to get our keys included by every OEM.”
Yet Microsoft said at it's Build Windows conference it was looking into dual-booting for Windows 8, although this may not help users seeking to run unsigned custom Linux boot loaders.
Ross Anderson, a professor at the university with expertise in cryptography and protocols, said UEFI was a reversion to the Trusted Computing model.
Garrett said there was “no indication” Microsoft would ban vendors from producing firmware to disable secure boot, but added “experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market”.
“It's almost certainly the case that some systems will ship with the option of disabling this. It's probably not worth panicking yet, but it is worth being concerned.”
Copyright © SC Magazine, Australia
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.