Modern PCs ship with a feature called “Secure Boot” enabled. It is a platform feature of UEFI, the firmware that replaces the traditional PC BIOS. If a PC manufacturer wants to put a “Windows 10” or “Windows 8” logo sticker on its PC, Microsoft requires that Secure Boot be enabled and that the manufacturer follow some guidelines.
How Secure Boot Secures Your PC’s Boot Process
Secure Boot isn’t just designed to make running Linux more difficult. There are real security advantages to having Secure Boot enabled, and even Linux users can benefit from them.
A traditional BIOS will boot any software. When you boot your PC, it checks the hardware devices according to the boot order you’ve configured, and attempts to boot from them. Typical PCs will normally find and boot the Windows boot loader, which goes on to boot the full Windows operating system. If you use Linux, the BIOS will find and boot the GRUB boot loader, which most Linux distributions use.
However, it’s possible for malware, such as a bootkit or rootkit, to replace your boot loader. The malicious boot loader can load your normal operating system with no indication anything is wrong, while it stays resident beneath the OS where nothing running inside the OS can see it. The BIOS doesn’t know the difference between malware and a trusted boot loader: it just boots whatever it finds.
Secure Boot is designed to stop this. Windows 8 and 10 PCs ship with Microsoft’s certificates stored in the UEFI firmware’s signature database (the “db” variable), alongside a forbidden-signatures database (“dbx”) of revoked certificates and hashes. Before launching a boot loader, UEFI checks that it carries a valid signature chaining to one of the certificates in db (or that its hash is listed there) and that nothing about it matches dbx. If a rootkit or another piece of malware replaces your boot loader or tampers with it, the signature no longer verifies and UEFI won’t allow it to boot. This prevents malware from hijacking your boot process and concealing itself from your operating system.
How You Can Disable or Control Secure Boot
If that was all Secure Boot did, you wouldn’t be able to run any non-Microsoft-approved operating system on your PC. But you can likely control Secure Boot from your PC’s UEFI firmware, which is like the BIOS in older PCs.
There are two ways to control Secure Boot. The easiest method is to head to the UEFI firmware settings and disable it entirely. The UEFI firmware then won’t check that you’re running a signed boot loader, and anything will boot. You can boot any Linux distribution or even install Windows 7, which doesn’t support Secure Boot. Windows 8 and 10 will work fine; you’ll just lose the security advantages of having Secure Boot protect your boot process.
You can also further customize Secure Boot. You can control which signing certificates Secure Boot trusts. You’re free to both install new certificates and remove existing ones. The trusted certificates live in the firmware’s signature database, and changes to it must be authorized by the Key Exchange Key (KEK), which is in turn authorized by the Platform Key (PK); taking full control therefore means replacing the PK with your own, which most firmware lets you do from its Secure Boot setup menu. An organization that ran Linux on its PCs, for example, could choose to remove Microsoft’s certificates and install the organization’s own certificate in their place. Those PCs would then only boot boot loaders approved and signed by that specific organization.
An individual could do this, too: you could sign your own Linux boot loader and ensure your PC could only boot boot loaders you personally compiled and signed. That’s the kind of control Secure Boot offers.
What Microsoft Requires of PC Manufacturers
Microsoft doesn’t just require that PC vendors enable Secure Boot if they want that nice “Windows 10” or “Windows 8” certification sticker on their PCs. Microsoft requires PC manufacturers to implement it in a specific way.
For Windows 8 PCs, manufacturers had to give you a way to turn Secure Boot off. Microsoft required PC manufacturers to put a Secure Boot kill switch in users’ hands.
For Windows 10 PCs, this is no longer mandatory. PC manufacturers can choose to enable Secure Boot and not give users a way to turn it off. However, we’re not actually aware of any PC manufacturers that do this.
Similarly, while PC manufacturers have to include Microsoft’s main “Microsoft Windows Production PCA 2011” certificate so Windows can boot, they don’t have to include the “Microsoft Corporation UEFI CA 2011” certificate. This second certificate is only recommended. It’s the second, optional CA that Microsoft uses to sign third-party boot loaders such as the Linux “shim”. Ubuntu’s documentation explains this.
In other words, not all PCs will necessarily boot signed Linux distributions with Secure Boot turned on. Again, in practice, we haven’t seen any PCs that did this. Perhaps no PC manufacturer wants to make the only line of laptops you can’t install Linux on.
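To make the “which certificates does my firmware trust” question concrete, the following added example (not code from the original article) parses the UEFI `EFI_SIGNATURE_LIST` format used by the db and dbx variables, and applies the firmware’s allow/deny rule to a boot image: anything matching dbx is rejected first, otherwise the image needs a match in db. The same parser lets you check whether a given certificate (for instance the DER file of the “Microsoft Corporation UEFI CA 2011”, downloaded from Microsoft) is enrolled on a machine, or whether your own certificate is. The sample database contents are constructed in the block; the “certificate” in it is a placeholder byte string standing in for a real DER certificate, and the owner GUID `11111111-…` is made up. On Linux the real databases can be read through efivarfs as shown in `read_efivar`; verifying the Authenticode signature on a PE image against a certificate is real firmware work that this example deliberately leaves out.

```python
"""Parse UEFI Secure Boot signature databases (db/dbx) and model the allow/deny decision."""
import hashlib
import struct
import uuid

# GUIDs from the UEFI specification plus the owner GUID Microsoft uses for its entries.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # vendor GUID of db/dbx

HEADER_LEN = 28  # EFI_GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize (3 x UINT32)


def parse_signature_lists(blob):
    """Return [(signature_type, owner, data), ...] for every entry in a concatenation
    of EFI_SIGNATURE_LIST structures, which is exactly how db and dbx are stored."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # GUIDs are stored mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the SignatureOwner GUID")
        body = blob[off + HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):  # each EFI_SIGNATURE_DATA: owner GUID + payload
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type, owner, payloads):
    """Encode one EFI_SIGNATURE_LIST (used here to construct sample data). All
    entries in one list must have the same size, so one list holds one kind of item."""
    sig_size = 16 + len(payloads[0])
    if any(16 + len(p) != sig_size for p in payloads):
        raise ValueError("entries in one list must be equal in size")
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body


def has_certificate(entries, der_bytes):
    """True if an X.509 entry with exactly this DER encoding is enrolled."""
    return any(t == EFI_CERT_X509_GUID and d == der_bytes for t, _o, d in entries)


def image_allowed(db, dbx, image_hash, signer_cert=None):
    """Model of the firmware's decision for one image: a dbx match wins, otherwise the
    image needs a db match by Authenticode hash or by the signer's DER certificate.
    Assumed simplification: the signature itself is taken as already verified."""
    def matches(entries):
        for sig_type, _owner, data in entries:
            if sig_type == EFI_CERT_SHA256_GUID and data == image_hash:
                return True
            if sig_type == EFI_CERT_X509_GUID and signer_cert is not None and data == signer_cert:
                return True
        return False
    if matches(dbx):
        return False
    return matches(db)


def read_efivar(name, vendor_guid=EFI_IMAGE_SECURITY_DATABASE_GUID):
    """Read a variable from Linux efivarfs; the first 4 bytes are attributes, not data."""
    with open(f"/sys/firmware/efi/efivars/{name}-{vendor_guid}", "rb") as f:
        return f.read()[4:]


# Constructed sample data (not real database contents). OWN_CERT stands in for a DER
# certificate, and the owner GUID below is made up for the example.
OWN_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
OWN_CERT = b"\x30\x82" + b"\x01" * 30
ALLOWED_HASH = hashlib.sha256(b"my-signed-grub").digest()
REVOKED_HASH = hashlib.sha256(b"old-vulnerable-shim").digest()
UNKNOWN_HASH = hashlib.sha256(b"unsigned-image").digest()
SAMPLE_DB = (build_signature_list(EFI_CERT_SHA256_GUID, MICROSOFT_OWNER_GUID, [ALLOWED_HASH, REVOKED_HASH])
             + build_signature_list(EFI_CERT_X509_GUID, OWN_OWNER_GUID, [OWN_CERT]))
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, MICROSOFT_OWNER_GUID, [REVOKED_HASH])


def sample_decisions():
    """Run the model over the sample databases; returns the four verdicts shown below."""
    db, dbx = parse_signature_lists(SAMPLE_DB), parse_signature_lists(SAMPLE_DBX)
    return {
        "allowed_hash": image_allowed(db, dbx, ALLOWED_HASH),        # True: listed in db
        "revoked_hash": image_allowed(db, dbx, REVOKED_HASH),        # False: db says yes, dbx wins
        "unknown_unsigned": image_allowed(db, dbx, UNKNOWN_HASH),    # False: nothing matches
        "unknown_own_signed": image_allowed(db, dbx, UNKNOWN_HASH, OWN_CERT),  # True: our CA
    }


if __name__ == "__main__":
    for sig_type, owner, data in parse_signature_lists(SAMPLE_DB):
        kind = "x509" if sig_type == EFI_CERT_X509_GUID else "sha256"
        print(f"{kind:6} owner={owner} {len(data)} bytes")
    print(sample_decisions())
```

On a real machine, replace the sample blobs with `read_efivar("db")` and `read_efivar("dbx")`, and compare the X.509 entries against the DER files of the Microsoft certificates to see which of the two CAs the manufacturer actually enrolled; `mokutil --sb-state` tells you whether enforcement is on at all. Signing your own boot loader for the custom-certificate setup described above is done with `sbsign` from sbsigntools (`sbsign --key own.key --cert own.crt --output grubx64.efi.signed grubx64.efi`), and the signed image will then pass the check above only once your certificate is in db.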
For now, at least, mainstream Windows PCs should allow you to disable Secure Boot if you like, and they should boot Linux distributions that have been signed by Microsoft even if you don’t disable Secure Boot.