Updated: May 15, 2015
Recently, I've come across a somewhat sensational article by Ars Technica, telling us how Windows 10 will make mandatory Secure Boot thingie a thing of reality, and in future, we may end up with devices that do not allow any custom OS installs. Normally, I tend to steer away from this kind of news, and definitely not link to them, but this one is written with reasonable enough clarity to warrant a hyperlink. However, the essence of the story definitely needs some debating.
Since I'm always 100% right, you surely want to know what I think. I've given you some rather accurate predictions in the past, on all sorts of things, technologies and devices, and I'm going to do it again. This will let you know what you need to do and how to prepare for the future. Let us.
What is this all about
In layman's terms, UEFI is the next generation of BIOS. This thing takes care of the preboot setup, initializes hardware, a few other fancy things, and then lets you run your operating systems as you please. One of the available features is Secure Boot, a method of allowing only operating systems with the "right" digital signature slash certificate to boot. Microsoft has been using this on recent Windows 8 machines, especially laptops, as a potential security measure against malware that takes over the system in the early stage of the boot process by corrupting the kernel and associated drivers. So far so good.
Moreover, for Windows 8, Microsoft required vendors, if they wanted to be certified for the Windows logo sticker, golly my my what excitement, to allow the Secure Boot function to be fully switchable in the UEFI menu for x86 platforms, and fully locked for Windows RT systems.
Now, the story tells us, the option to allow users to turn Secure Boot on/off will be up to the OEM discretion. In other words, a couple of years from now, you may buy a laptop or a desktop that does not permit Secure Boot to be toggled into another state, and you may end up with a system that can only use the preinstalled Windows and no other custom images, like your favorite Linux distro. This is where the fun begins.
Before we discuss the ramifications of the aforementioned, let's take a look at the computing market around us. 90% of systems run Windows. Fact. This means roughly nine out of ten people will not give any shit when it comes to any considerations on what they may or may not run. Alas, that's how democracy works. The rest of the worry is for the minority of system enthusiasts and Linux people.
Furthermore, the OS lockout feature has featured massively on tablets and mobile devices, but since they came about as a happy, shiny new form factor and usage novelty, no one complained and no one still complains about the restrictions in this space. Even some laptops come with serious limitations, like Chromebooks, for instance. You get a product for a certain price, and part of it includes not tampering with the OEM setup. Fair game, the world seems to think, because everyone is consuming mobiles and tablets like mad.
The BIOS lockout features have been around for a long while. Some hardware vendors do choose to present only limited subsets of hardware features and options in the BIOS menu, and recently, the UEFI menu. Their considerations vary between support, expertise, can't be arsed to code, and general suitability of their platforms to their intended market audience. Microsoft requirements only play one part in the equation.
As far as the world is concerned, there's nothing wrong with this. Again, the only folks complaining are: 1) anti-Microsoft people 2) folks who see civil liberties and freedoms being at stake through the spectacles of computing technology 3) Linux users 4) bloggers who complain for the sake of complaining, and the fear that they will not be able to do something even if they never intended to do it in the first place, such is human nature.
What now? Can we use UEFI and Secure Boot?
Again, before we discuss Microsoft's world domination plans, let's talk some more about the technology. How limiting and/or restricting it really is. Predicting the future is tricky, so we must use past experience to form our ideas and opinions. Since I don't like fearmongering, we will focus on actual, real examples.
For me, the UEFI story began in 2011, with the purchase of a couple of desktops with Asus motherboards, both equipped with UEFI plus Secure Boot. I was able to switch the latter off, as well as use the Legacy Mode for backward compatibility. No problem there.
In 2013, I bought my Asus Vivobook and did an extensive dual-boot setup there, with Ubuntu as the Linux candidate. Once again, I was able to turn Secure Boot off, but more importantly, use Ubuntu even with Secure Boot on. Indeed, Trusty did all and everything you could hope for, and it offered a smooth and seamless experience.
2014, another challenge. I bought a gaming laptop, Lenovo IdeaPad Y50-70. It came with all the wonders of modern technology, and none of these interfered with my fun and pleasure. Again, I was able to boot Ubuntu on the system without any problems.
Last but not the least, I have another machine in my possession, and it's another Lenovo platform. In fact, it's a dedicated Linux testing machine, and I've already done a fair share of games on it. This is where we start to see some rather interesting results. Netrunner cannot use this laptop, not only because of Secure Boot, but also because it won't boot in the UEFI mode. But it does work pretty well in the Legacy mode. PCLinuxOS is another distro that fails, utterly. Ubuntu works without a hitch. And so does Linux Mint, which is based on Ubuntu. Then we also had Vivid, in its Ubuntu and Kubuntu flavors, and we get mixed results, once again. Those are the tests so far. All the options are available in the UEFI menu, and you can toggle them on and off. Six systems, two hardware vendors, no limitations on the OEM side.
We do see problems with Linux already, and this is before we discuss Windows 10 and any future optional OEM lockout. Even on systems with the current set of freedom, which means no OEM restrictions for Windows 8 platforms, Linux does not run seamlessly.
We have distros that work well, and we have others that do not quite work so well. Secure Boot on its own does not present a problem; it's the fact that support for this feature has not been implemented in all distributions. Netrunner is based on Ubuntu, and yet, notice the differences. Even with Secure Boot turned off, UEFI poses a problem for some of the systems out there. So it's not just Secure Boot, and definitely not Microsoft.
Before we focus on what might happen in the future, we should focus on the present. In the current reality, there are no restrictions. My experience shows that the vendor and Microsoft side is pretty consistent. It's my favorite operating system that's not behaving.
UEFI poses a challenge for Linux, Secure Boot notwithstanding. This one might also cause issues, but so far, it's usually a combination of the two. My experience shows that distros that support the first, support the second, and I've not yet come across a case where the distro fails to boot just because of the Secure Boot feature being enabled.
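When a distro misbehaves, the first thing to establish is which of the three cases above you are actually in: Legacy boot, UEFI with Secure Boot off, or UEFI with Secure Boot enforced. The following shell sketch is an added example, not part of the original article; it assumes a Linux system with efivarfs mounted under /sys/firmware/efi/efivars, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: classify the current boot as Legacy BIOS, UEFI, or UEFI with
# Secure Boot enforced, from what the Linux kernel exposes in sysfs.

# GUID of the EFI global variable namespace (defined by the UEFI specification).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte DIR NAME: print the one-byte value of variable NAME, or "absent".
# An efivarfs file is 4 bytes of attributes followed by the variable data.
efivar_byte() {
    f="$1/efivars/$2-$EFI_GLOBAL"
    [ -r "$f" ] || { echo absent; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    echo "${v:-absent}"
}

# boot_state [DIR]: print one of
#   legacy, uefi-secureboot-on, uefi-setup-mode, uefi-secureboot-off, uefi-unknown
boot_state() {
    dir="${1:-/sys/firmware/efi}"
    # No efi directory: the kernel was started through BIOS/CSM ("Legacy mode").
    [ -d "$dir" ] || { echo legacy; return 0; }
    sb=$(efivar_byte "$dir" SecureBoot)
    setup=$(efivar_byte "$dir" SetupMode)
    if [ "$sb" = 1 ]; then
        echo uefi-secureboot-on      # firmware verified the boot chain
    elif [ "$setup" = 1 ]; then
        echo uefi-setup-mode         # no platform key enrolled, nothing enforced
    elif [ "$sb" = 0 ]; then
        echo uefi-secureboot-off     # UEFI boot, Secure Boot disabled in the menu
    else
        echo uefi-unknown            # UEFI boot, variables not readable
    fi
}

boot_state "$@"
```

Run it from a live session of the distro under test: a result of `legacy` on a machine that supports UEFI means the image fell back to the compatibility path, which is a different problem from a Secure Boot signature rejection.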
Furthermore, our past experience shows us that there have been no configuration issues with UEFI and Secure Boot. They might happen one day, but then you could also be killed by a meteor. However, if the past is our only indicator, things aren't as bad as they sound.
And now the future ...
Finally, let's discuss the what-if scenario. What might happen one day. There are two major considerations here. One, will there be any restriction of access and use for operating systems other than the ones mandated by the OEM vendors? Two, what will this restriction mean for Linux people, if and when it happens?
Now, if you were born before 2004, you will definitely remember stories from back then. Remember Vista and TPM? Well, there was a story circulating the Internet in those days about Vista shipping with TPM that prevents unsigned, unapproved software from running. It was just as bad as the UEFI story now.
A few years later, we had Windows 7 and BitLocker. Then we had Secure Boot and Windows 8, and Linux still runs just fine. Now, finally, it's Windows 10. The same stuff over and over. Every few years, there must be something to disrupt the peace and quiet of the collective mind of geekdom worldwide.
Linux folks, remember, this is only one small piece of it. There are worse things. Like systemd, Wayland versus X, Linux kernel switching version to 3.0, KDE 3.5 dying, Gnome 2 dying, and so forth. Yet, we are still here, and things still work, and probably much better than ever before.
What has this got to do with Microsoft?
Now we get to the sensational part. Microsoft is allowed to lay down terms on what vendors ought to do if they want to get approval from Microsoft. Fair game. The same way a car shop must adhere to certain rules and regulations if it wants to be listed as an official repair center by auto manufacturers and insurance companies.
Microsoft stated that the lockout will be mandatory on mobile devices, which is already true for most vendors out there, so this one is nothing special. On the desktop platform, the lockout is optional. In other words, Microsoft leaves the choice at the discretion of the OEM vendor. Here, we can only use our past experience as a weather gauge. Accurate and true? Maybe. But that's all we have.
Now, the focus shifts to hardware vendors. Will companies like Asus, Lenovo, HP, Dell, and others allow users to disable certain features in the UEFI? Maybe. Can we trust them? Maybe. Again, we can only deduce from years and decades of company strategies and general friendliness to the Linux community where the future direction is going to be.
What you need to do
Let's assume that the worst has happened. Some if not all vendors do not allow Secure Boot to be modified on desktop platforms. As a user, you now need to decide whether you want to buy hardware from such vendors. Then, if you do decide to buy, you need to ask yourselves, can your favorite Linux distro run there?
Ubuntu and Mint show us that UEFI + Secure Boot is not a problem, so at the very least, you can use some if not most of the Ubuntu family to continue using Linux. Other distros may not follow suit. But then, there's a bigger question of change. Technologies come and go. Some become so popular that they turn into standards. If you refuse to follow the standard, you may eventually become irrelevant. This is true for all aspects of life, and there's no denying the real moral dilemma.
But wait. Moral dilemma? Maybe. Are you opposed to UEFI and Secure Boot as concepts? Do you hate them on an ideological level, or is this just pure technology that needs to be implemented? For that matter, why would any Linux distro support MP3 or NTFS? Why would any distro support Flash or Samba sharing? Indeed, some do and some do not, spanning across legal, licensing and ideological reasons and considerations.
A couple of years from now, you may realize that Arch or Fedora or maybe Debian do not run on these new platforms. That's evolution in a sense. It's brutal, and I don't think we should ever witness a demise of a distro because of some silly code that's been proven to work in other distributions, but then, Linux flavors have risen and fallen over much smaller and simpler reasons.
Let's not forget that software may have an emotional side to it, but it's what we do with software that really defines our character. Perhaps the platform requires additional support to run the distro, but you can still continue using it the way you like, and for those tasks and hobbies you have.
I fully sympathize with the resentment that people might feel. Just think of Google being the arbiter of search out there. Over the years, that's what happened, that's what it's become. Is it morally right? Probably not, but it does not matter, because that's the reality. You can adapt to it, or ignore it. And luckily, you CAN ignore it.
I think with Linux, it's easier than how you interact with data on the Web. Because if you need to change the way you work and think, that's definitely limiting. But once booted, your distro is the same. There's a small, subtle difference there. If you don't like SEO, Facebook and similar crap, you have a much bigger problem, because those concepts and technologies are tightly coupled to the way you interact with information, and if you create information, your morality is challenged.
With UEFI and Secure Boot, there is no real essential change to information. For some distro developers, they will have to decide between not supporting these supposedly evil technologies and abandoning their users and their morality, and giving up on their own canon and allowing their users to continue consuming their systems in an uninterrupted manner. So it's not about Linux users. It's about Linux devs.
Will the worst happen?
But we're discussing a future that hasn't come yet. Let's aim for a saner picture. More realistic. The way I perceive it's going to be and happen. Some vendors may decide to go for the full lockout option. Others will play the saint part and allow freedom and access, making them a journalism favorite. That's important nowadays. Let's not forget EU regulations, which could also come down as mighty as Thor's hammer.
Remember Windows 8 Start Screen crap? How it was supposed to kill the desktop and shit? We all complained, installed Classic Shell, and now, Windows 10 is shipping with the menu back in place. So it's not all just bleakness and despair and doom.
Moreover, technology is easy compared to some other problems we face in other aspects of our lives. Even supposedly unhackable devices have been violated in a manner that's more spectacular than the ravishing of Rome and Constantinople combined. Playstation, Xbox, whatever. If it runs code, it can be exploited, subverted, opened. So for hardcore Linux folks, this won't really pose a challenge. In fact, we're clamoring about something that may never be, just because we want to be able to do something. We might never have done it, but this story has triggered some pretty basic instincts. Just think about all those things you never care for, and how they might change or not. You look at them, and smirk smugly. The same applies here.
At the end of the day, there's always bloody revolution, if you choose to go down that way. Just remember, it doesn't happen on Twitter or Facebook. If you want to fight for your ideals, you need to be willing to die for them. Otherwise, you're just seeking attention. BTW, I own a few Microsoft shares, so if you need a good reason to discredit this article, I've just given you free ammo.
There's quite a lot going on in this article, so I'll summarize briefly. For now, nothing bad has happened, except us nerds making noise. We did it before, and we're doing it again. UEFI and Secure Boot are not the bane of Linux. They could be if we choose to do so, or we could be sensible and fix the problem.
All that said, there probably won't be much change in this regard, because few people really care, and the OEM will not want to smear their public image by playing the police state card. In general, this will go down as another snippet of drama of the Internet, but we will continue to be able to exercise our basic human rights, and that's to download pr0n in Linux. We're done here.
P.S. The dragon crystal ball and the devil images are in the public domain.