Monday, October 10, 2011

Microsoft: Linux Dual-Boot Configurations Still "Possible" on Windows 8 PCs


Microsoft: Linux Dual-Boot Configurations Still "Possible" on Windows 8 PCs

Is the whole dual-boot argument associated with Linux much ado about nothing? Even Windows 7 is not slated to have support for a dual-boot configuration with Windows 8.

Microsoft debunked claims that dual-boot configurations with Linux OSes are not possible on Windows 8. However, users must first turn off a "secure boot" security feature in the firmware, which is not recommended by the software company.

On Thursday Microsoft addressed widespread reports that Windows 8 may not allow Linux operating systems to coexist in a dual-boot configuration on PCs, based on the use of new firmware, specifically the Unified Extensible Firmware Interface (UEFI) "secure boot" protocol.

Tony Mangefeste, a member of the Microsoft Ecosystem team, explained in a Build Windows 8 blog post that dual boot with Linux OSes can be supported on Windows 8, even Linux OSes that lack trusted certificates.

Mangefeste noted that a setting exists in the Samsung tablets running Windows 8 that were released at Microsoft's Build conference earlier this month where users can make this change. However, these Windows 8 "developer preview" machines aren't necessarily reflective of final product products. Microsoft would be expected to add or remove features at will at this point, since code-named "Windows 8" is still at the prebeta stage.

The controversy was spurred, in part, by a blog post by Matthew Garrett, a Red Hat developer focused on power management and mobile Linux technologies. Garrett subsequently wrote that Mangefeste's explanations do not contradict his assertions. Garrett claims, among other points, that "Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option."

Microsoft is requiring that certified systems ship with secure boot by default. Whether it will let the user disable that feature in the final build of Windows 8 remains to be seen.

Secure Boot Not Supported on Linux
Windows 8 can run using BIOS system firmware or it can run on UEFI firmware. Microsoft's OEM firmware partners can make the choice on which to use. Possibly, firmware vendors will simply opt to meet Microsoft's requirements, shipping machines with secure boot turned on, since the vast majority of PCs run Windows, Garrett pointed out. Linux apparently has some technical issues, perhaps mostly affecting hobbyists, that might make using unsigned certificates a necessity. Garrett says that Linux doesn't support secure boot now, but he also shrugs off the limitation, saying it's "about a week's worth of effort" to add that support.

The whole dual-boot argument associated with Linux seems to be "much ado about nothing" since even Windows 7 presently is not slated to have support for a dual-boot configuration with Windows 8. That point was underscored in a panel session at Microsoft's Build conference, "Delivering a Secure and Fast Boot Experience With UEFI." Speaker Arie van der Hoeven, a Microsoft principal lead program manager, was asked directly about the dual-boot capability and secure boot protection in Windows 8.

"If you are dual booting, it depends on whether you are booting into another trusted operating system, van der Hoeven said. One discussion we are having is…[with] this first firmware OK boot manager OK handshake, you can't have a version of that that works with Windows 7. Windows 7 doesn't have the ability to check firmware. The firmware can check and make sure it is assigned a Windows 7 boot loader. Truly, right now today, if you want to have secure boot and you want to dual boot Windows 8 and Windows 7, you need to turn secure boot off in firmware. We are thinking about having a way that you can go ahead and make that work, but that's not POR [plan of record] today."

Microsoft is moving to support UEFI standards for booting the OS, while the BIOS system is seen as more of a legacy approach. However, right now, Microsoft is testing Windows 8 on machines that are about 90 percent BIOS based, van der Hoeven explained.

BIOS systems, which stem from the 1980s, only work with x86 and x64 hardware. The spec was not designed to work with Itanium hardware. UEFI arose, in part, to address that Itanium shortcoming, van der Hoeven explained. BIOS systems are further limited to a boot disk size of 2.2 TB, and UEFI expands on that size. BIOS systems still use "ugly" screen menus because they are based on VGA graphics.

Moreover, all ARM-based processors use the UEFI model, van der Hoeven said.

A little bit of UEFI already runs in the background of current BIOS systems, van der Hoeven said. However, the element that Microsoft has focused on with UEFI for Windows 8 is the ability to expose UEFI to the operating system through UEFI runtime services. This runtime allows the OS and firmware to communicate about white-listed and black-listed certificates. It can help ward off rootkits and "bootkits" that may shield the presence of malware. Van der Hoeven said that Microsoft can add untrusted certificates to a blacklist via Windows Update under this UEFI scheme. All firmware and software in the boot process must be signed by a trusted Certificate Authority, he added.

Windows 8 To Require Secure Boot
Secure boot is not Microsoft's proprietary firmware validation procedure but is specified in UEFI 2.3.1 in Chapter 27. It's optional to use according to the spec, but Microsoft is requiring secure boot in certified Windows 8 systems. Secure boot operates in the boot path to ensure that only verified loaders will boot Windows 8, and it prevents malware from switching the boot loaders. Today's PCs do not have this protection, according to Mangefeste.