Microsoft requires that Windows 8-certified machines use UEF

[Ecky]

From what I've read I thought it meant that windows 8 can utilise a secure boot scenario on uefi that requires any other os being installed to be digitally signed

Some articles seemed to be saying that it can do this and it's no doubt what ms wants, but as per what john hudson said every article I've read about it is specifying oem machines which on it's own kinda suggests it's something that won't be forced, the use of uefi maybe but not necessarily the requirement for digital signage. If it was mandatory why would all the articles be stressing oem?

If that line of thinking is correct, and I wouldn't be at all surprised to learn I read stuff without understanding it properly, then wouldn't it be up to the oem whether to implement it or not? I haven't read anything that specifically says oem's must use it only that they can

I got the impression that it exists and oems might make use of it, do I have it wrong?

[steffen13]

I got the impression that it exists and oems might make use of it, do I have it wrong?

partly yes, partly no.

If OEMs want to have a certification, aka "designed for Windows 8" or something, they need to have this secure boot activated. And in this specification, which lists the requirements which have to be fullfilled if an OEM wants to certify his hardware for Windows 8, does not say "secure boot can be switched off by the user". So to me it seems that the user cannot switch off this secure boot if he bought a certified computer.

But I think, not certified computers may have the option to switch off "secure boot". So it is up to the hardware manufacturer to implement it, but if they don´t, they don´t get the sticker "designed for Windows 8"... and maybe their copies of Windows 8 will cost more, as I think that Microsoft will give some extra discounts to the OEMs who are willing to lock-in their customers.

In general I think this is another move of Microsoft to fight and destroy Linux and other operating systems. Another move which will fail and which will again show how ridiculous these guys are.

[Wrath5000]

I believe certified OEMs can allow the user to disable secure boot as mentioned on the Windows 8 blog here; however, whether or not OEMs will include it is another matter.

I've been reading and re-reading the information available, and am still a bit unclear about all of the implications of what's proposed so far by MS in regards to secure booting. I find it a little hard to believe it will actually protect users from most viruses and trojans. I'm also curious about secure boot on tablets and phones.

I also can't help but get the sense secure boot is a stepping stone of some sort. I'm not saying "the sky is falling," but I'm keeping an eye on Windows 8's development in hopes of more solid information.

[Sonadow]

I believe certified OEMs can allow the user to disable secure boot as mentioned on the Windows 8 blog here; however, whether or not OEMs will include it is another matter.

I've been reading and re-reading the information available, and am still a bit unclear about all of the implications of what's proposed so far by MS in regards to secure booting. I find it a little hard to believe it will actually protect users from most viruses and trojans. I'm also curious about secure boot on tablets and phones.

I also can't help but get the sense secure boot is a stepping stone of some sort. I'm not saying "the sky is falling," but I'm keeping an eye on Windows 8's development in hopes of more solid information.

It protects against rootkits, which is a valid concern for Microsoft. Considering how XP was victim to countless such attacks, it makes perfect sense that Microsoft will want to prevent that with any means possible. At the very least, I don't see anything wrong with MS insisting that OEMs implement Secure Boot to ensure that the silly Average Joe doesn't nuke his OS due to user stupidity. Don't forget that something similar to this already exists on Apple's Macs, albeit in a much more watered-down form. As far as I am concerned, even if MS has got malicious intentions in stipulating such a requirement, at least 90% of the existing Windows users who purchase ready-made systems such as notebooks and workstations from OEMs and lack the knowhow to upgrade/downgrade an OS, fool around with the BIOS/UEFI menu or even appreciate computers for what they are stand to benefit the most, since they are the typical people who will stupidly disable Windows' UAC or select 'Yes' to any installation prompt that shows up, regardless of whether they even know what is being installed to begin with, thus getting themselves infected with some nasty rootkit and blaming MS for their own woes when it is a typical case of PEBKAC. At least, I am willing to cut Microsoft a huge chunk of slack here, since they have shown with Windows 7 that they still have got what it takes to deliver a solid product when given sufficient egging on from their customers.

What the other 10% of the world should be (rightfully) concerned with is how OEMs are going to implement the UEFI Secure Boot feature in a way that does not shift control of a machine over from a user to the OEMs themselves. Once again, this is a non-issue on the DIY desktop front, as I am confident that just about any half-decent aftermarket mobo vendor knows that the DIY market, while adventurous and pro-Windows by nature, place a lot of importance on the degree of control they have on their system. And for such manufacturers who make advanced BIOS settings such as DRAM frequency, CPU clock speeds and multiplier settings, fan speeds and even vCore tweaks available on the factory-installed BIOS, I'm sure that adding the option to disable Secure Boot is not going to take much effort to do so. In addition, most aftermarket mobos do not ship with onboard TPMs as well, so technically it is not going to be possible for Secure Boot to run on such DIY PCs.

That just leaves notebooks as the most likely candidate to be heavily neutered when Windows 8 and Secure Boot starts becoming mainstream, as it is generally accepted that most OEMs are only interested in providing the bare minimum needed to get their notebooks certified for the Windows badge. Just take a look in any notebook BIOS today and you will realize how limited it is as opposed to what you can get from aftermarket boards. However, OEMs have the liberty of shipping notebooks without the TPM (of course, this might result in them having to pay more for the Windows licenses), and based on what I have read up somewhere, it seems that Microsoft is claiming that Secure Boot can be implemented without a TPM, although the boot protection will only be offered if the TPM is present. Therefore, it is possible to see 'Certified for Windows 8' notebooks shipping with Secure Boot enabled but without a TPM, thus meaning that there is nothing to prevent an alternative OS such as your Linuxes, BSDs and *NIXes from being installed on such a system.

And of course, the last resort is to simply shop for notebooks that have been known to feature TPMs but provide the option to disable them at the BIOS/UEFI level, much like what Lenovo, Dell and HP have been doing on some of their offerings. Of course, this means that users will have to pay more for their notebooks, as it is the business-grade notebooks that usually offer direct access to the TPM via the BIOS/UEFI menu. And if all else fails, the Macbooks ship with a TPM that exists only to prevent users from downgrading Mac OS X to a prior release, and not to block the installation of alternative OSes. So there definitely are ways to ensure that Linux plays nice with your new notebooks once Windows 8 is released and a whole bunch of 'Certified for Windows 8' notebooks start to hit the market. Chances that budget-oriented OEMs will allow users to fool around with the TPM (if it exists) is slim, but it is something worth hoping for. At the very least, speaking from my experience, my Acer notebook reportedly ships with a TPM installed (since the POST status talks about how the TPM has passed the initialization) and there are no BIOS setting to disable it at the hardware level, but I have got Mandriva Free 2009 running off it as the one and only OS on that machine without any issues/

[Sonadow]

Oh, and one last thing: to all those whining about how MS letting the OEMs make the final decision smacks of anti-competitiveness, grow up. This is the whole monopolist judgment passed against Microsoft coming to bite consumes in the ***. Microsoft is only allowed to stipulate the bare minimum needed for OEMs to ensure that their machines run Windows decently, no more, no less. Adding any additional clauses regarding Secure Boot will be overstepping its boundaries, and the courts will be on MS's tail immediately. Since the courts cannot keep their meddling hands out of the corporate world, i think it's high time MS started using the courts' judgments against them in a fair '***-for-tat' move. And lastly, the OSI, FSF and various major Linux vendors had YEARS to ensure that the Secure Boot instruction the UEFI specifications would be a win-win for all, but what where they doing all these years while Apple, Microsoft and other major players were actively working on finalizing the UEFI specifications? As a Linux users of 4 years, i hope this is the kick that the open source world needs to wake its idea up and establish a greater presence in such standards formation.