UEFI Secure Boot and Your Computer

by Rod Smith, rodsmith@rodsbooks.com

Last Web page update: 10/28/2011

On September 20, 2011, Matthew Garrett, a developer for Red Hat, made a blog post. In it, he pointed out that a new computer feature might pose the risk of limiting users' ability to install and use the OSes they choose to use on their own computers. This new feature, secure boot, is intended as a security measure: For years, some types of computer malware has inserted itself into the computer's boot process, which enables it to hide even from the OS itself. Secure boot is intended to block such nastiness by requiring that key OS files, as well as software components of plug-in cards, be digitally "signed" before the computer will run them. Malware authors would (presumably) be unable to sign their software, and so it wouldn't run. This sounds like a good feature, but there's a catch:

The way secure boot works requires keys to be stored on a chip in the computer's motherboard, and there's no centralized way to add or remove such keys. This means that computer manufacturers will have control over whose software can run on the computers that they manufacture. Microsoft, of course, will always have its keys embedded in PC makers' computers, simply because of its market dominance. What's more, Microsoft is requiring that manufacturers include the secure boot feature, and ship client computers with this feature enabled, in order to attain the right to use a Windows 8 logo on future computers. (Windows 8 is expected to be released sometime in 2012.) Thus, some have accused Microsoft of pushing secure boot as a way of stifling what little competition it has. Whether or not there's truth to this claim, the fact is that a restrictive implementation of secure boot could artificially limit what you, the owner of a PC, can do with it.

Smaller software vendors and open source OS projects such as Linux and FreeBSD don't have Microsoft's clout, and so their keys are unlikely to be included with many PCs. A locked-in secure boot is also likely to cause problems for the manufacturers of plug-in devices, such as video cards, network adapter cards, and so on. Such products often rely on firmware (software embedded in the hardware) to work, and such firmware must be signed in order for a secure boot system to use the plug-in devices. Such vendors would need to negotiate with dozens, if not hundreds, of PC manufacturers to get their keys included on shipping computers. For some, this obstacle is an impossible burden.

Of course, one possible solution is to give owners the ability to add keys to the computers they own or to turn off the feature entirely. In a second blog post on the topic, Matthew Garrett has stated that "we've already been informed by hardware vendors that some hardware will not have" the ability to disable secure boot. This is very disturbing news. Without the ability to control or disable the secure boot feature, computer owners won't really own their computers—the manufacturers and owners of existing keys (such as Microsoft) will. By denying you the ability to run the OS you choose, or to boot a data recovery tool from a CD-ROM, or to install a new video card, you're effectively denied the ability to use the computer that you purchased.

Of course, it remains to be seen just how onerous a problem this will become. If the ability to disable secure boot and/or control the keys it uses becomes a standard feature that owners can easily access, secure boot will become a minor nuisance at worst, and its promise of blocking certain avenues of malware attack will be beneficial. On the other hand, if manufacturers provide owners with few or no options to control the secure boot process, the word "owner" will become an Orwellian joke.

This issue is still months from becoming a real problem, and there's time to stop the train wreck. If you're concerned, I recommend you read more on the issue and then contact major PC manufacturers to let them know that you want to see options included on the next computer you buy to disable secure boot and to add and remove keys from the computer's database. If these features are included, you'll continue to be able to use the types of utilities, OSes, and plug-in cards you can use today. If such options are not available, you'll have paid for a computer but you won't really own it. I've already written to over a dozen PC manufacturers. I recommend you do the same. My letter, and a list of computer manufacturers and their addresses, are linked to below. Although you're welcome to use ideas in my letter, I strongly recommend that you write your own, in your own words. If you've bought a computer from a manufacturer in the past, or if you were thinking of buying one in the next year or two, emphasize that fact.

Another step you can take is to sign the Free Software Foundation's (FSF's) public statement on the issue. You can read the FSF's take on the problem here and sign the statement here.


If you have problems with or comments about this web page, please e-mail me at rodsmith@rodsbooks.com. Thanks.

Return to my main web page.