News

Microsoft Clarifies Windows 8 Dual-Boot Issue

• By Kurt Mackie
• September 25, 2011

Microsoft recently debunked the claim that Windows 8 will not allow Linux OSes to coexist in a dual-boot configuration on PCs, based on use of the Unified Extensible Firmware Interface (UEFI) standard.

Tony Mangefeste, who works with the Microsoft ecosystem team, wrote in a Thursday blog post that dual boot with Linux OSes -- even Linux OSes that lack trusted certificates -- can be supported on Windows 8, but the user must first turn off a "secure boot" security feature in the firmware, which Microsoft doesn't recommend doing.

Mangefeste also noted that a setting exists in the Samsung tablets running Windows 8 that were released at Microsoft's Build conference last week where users can make this change. However, these Windows 8 "developer preview" machines aren't necessarily reflective of final product products. Microsoft would be expected to add or remove features at will at this point, since code-named "Windows 8" is still at the prebeta stage.

The controversy was spurred, in part, by a blog post by Matthew Garrett, a Red Hat developer focused on power management and mobile Linux technologies. Garrett subsequently wrote that Mangefeste's explanations do not contradict his assertions. Garrett claims, among other points, that "Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option."

Microsoft is requiring that certified systems ship with secure boot by default. Whether it will let the user disable that feature in the final build of Windows 8 remains to be seen.

Secure Boot Not Supported on Linux
Windows 8 can run using BIOS system firmware or it can run on UEFI firmware. Microsoft's OEM firmware partners can make the choice on which to use. Possibly, firmware vendors will simply opt to meet Microsoft's requirements, shipping machines with secure boot turned on, since the vast majority of PCs run Windows, Garrett pointed out. Linux apparently has some technical issues, perhaps mostly affecting hobbyists, that might make using unsigned certificates a necessity. Garrett says that Linux doesn't support secure boot now, but he also shrugs off the limitation, saying it's "about a week's worth of effort" to add that support.  

The whole dual-boot argument associated with Linux seems to be "much ado about nothing" since even Windows 7 presently is not slated to have support for a dual-boot configuration with Windows 8. That point was underscored in a panel session at Microsoft's Build conference, "Delivering a Secure and Fast Boot Experience With UEFI." Speaker Arie van der Hoeven, a Microsoft principal lead program manager, was asked directly about the dual-boot capability and secure boot protection in Windows 8.

"If you are dual booting, it depends on whether you are booting into another trusted operating system, van der Hoeven said. One discussion we are having is…[with] this first firmware OK boot manager OK handshake, you can't have a version of that that works with Windows 7. Windows 7 doesn't have the ability to check firmware. The firmware can check and make sure it is assigned a Windows 7 boot loader. Truly, right now today, if you want to have secure boot and you want to dual boot Windows 8 and Windows 7, you need to turn secure boot off in firmware. We are thinking about having a way that you can go ahead and make that work, but that's not POR [plan of record] today."

Microsoft is moving to support UEFI standards for booting the OS, while the BIOS system is seen as more of a legacy approach. However, right now, Microsoft is testing Windows 8 on machines that are about 90 percent BIOS based, van der Hoeven explained.

BIOS systems, which stem from the 1980s, only work with x86 and x64 hardware. The spec was not designed to work with Itanium hardware. UEFI arose, in part, to address that Itanium shortcoming, van der Hoeven explained. BIOS systems are further limited to a boot disk size of 2.2 TB, and UEFI expands on that size. BIOS systems still use "ugly" screen menus because they are based on VGA graphics.

Moreover, all ARM-based processors use the UEFI model, van der Hoeven said.

A little bit of UEFI already runs in the background of current BIOS systems, van der Hoeven said. However, the element that Microsoft has focused on with UEFI for Windows 8 is the ability to expose UEFI to the operating system through UEFI runtime services. This runtime allows the OS and firmware to communicate about white-listed and black-listed certificates. It can help ward off rootkits and "bootkits" that may shield the presence of malware. Van der Hoeven said that Microsoft can add untrusted certificates to a blacklist via Windows Update under this UEFI scheme. All firmware and software in the boot process must be signed by a trusted Certificate Authority, he added.

Windows 8 To Require Secure Boot
Secure boot is not Microsoft's proprietary firmware validation procedure but is specified in UEFI 2.3.1 in Chapter 27. It's optional to use according to the spec, but Microsoft is requiring secure boot in certified Windows 8 systems. Secure boot operates in the boot path to ensure that only verified loaders will boot Windows 8, and it prevents malware from switching the boot loaders. Today's PCs do not have this protection, according to Mangefeste.

"In most PCs today, the pre-operating system environment is vulnerable to attacks by redirecting the boot loader handoff to possible malicious loaders," Mangefeste wrote in the blog. "These loaders would remain undetected to operating system security measures and anti-malware software."

Microsoft also plans to enable "early launch antimalware" as part of the boot path to provide better protection to Windows 8 users.

Van der Hoeven said that Microsoft is seeing a shorter POST time with UEFI. It works by creating a small hyper file during the shutdown of user applications and the user state. The hyper file is read during the next bootup, enabling a shorter startup time. Van der Hoeven said that a five- to six-second startup time will be the default experience on Windows 8. Users will also get that experience when using BIOS instead of UEFI.

UEFI in Windows 8 will also provide "native support for encrypted hard drives," which will become a "commodity item in the Windows 8 timeline," van der Hoeven said. This encryption works seamlessly with BitLocker in Windows 8. It will eliminate a data security management problem currently associated with BitLocker.

"If you are managing an enterprise, and you have a bunch of desktops that are connected with an Ethernet cable, or you have a bank of servers that you really want to have great data protection on, and you want to have that data BitLocker protected, today you have a big problem," van der Hoeven said. "Because if you try and remotely reboot all of those systems and they have BitLocker, you have to send a tech in there and hit a pin code every time you boot up. With UEFI and DHCP, you can store those pin codes in a remote server, and as long as those desktops are connected to the remote server, they will automatically reboot."

Finally, for those interested in seeing what Microsoft's new "blue screen of death" will look like for Windows 8, van der Hoeven obliged with a screen shot. It's still blue, but a little more "friendly."

[Click on image for larger view.]

The new Windows 8 blue screen, indicating system failure.