James Delahunty
22 Sep 2011 9:21
Security measure could impact on Linux dual-boot options.
In order for a PC to be sold bearing a "Designed for Windows 8" logo, it must ship with secure booting (enabled by UEFI) enabled. This could pose problems for users who wish to install (an unsigned) open-source operating system.
For most users, the solution would simply be to disable the secure booting in the UEFI settings. That will not effect Windows 8 booting. However, this does mean that the hardware vendor is responsible for making it possible to disable the security feature.
Why protect the bootpath? In recent years, malware authors have resorted to attacking the bootpath to get around security features in Windows. As an example, the TDL-4 rootkit utilizes a bootkit to disable the Windows kernel mode code signing policy of the 64-bit version of Windows 7.
The only airtight way to counter the threat is to protect the bootpath by requiring that all firmware and software involved in the boot process have been signed by a CA. Google has done the same thing with its Chromebooks to avoid bootpath attacks. Google mandates that a Chromebook feature a physical switch (under the battery component) which would allow it to be disabled.
In most cases, this shouldn't be a problem for users who buy PCs and want to have a second OS boot option, but really it depends on the OEM.