Microsoft chose to directly respond to confusion surrounding its Windows 8 Secure Boot feature on Thursday.
Microsoft’s Windows chief, Steven Sinofsky, admitted there had been some comments recently that “synthesize scenarios that are not the case” around Microsoft’s work with UEFI. Red Hat employee Matthew Garrett speculated that OEM machines that ship with copies of Windows 8 may lock out support for Linux installations. Garrett highlighted Microsoft’s new Secure Boot OEM requirements for Windows 8 systems. Sinofsky rejected the claims in a blog post on Thursday and stated that Microsoft is simply taking advantage of new technologies to improve the security of Windows. “We are introducing capabilities that provide a no-compromise approach to security to customers that seek this out while at the same time full and complete control over the PC continues to be available,” said Sinofsky.
Tony Mangefeste on Microsoft’s Ecosystem team revealed that Microsoft is working closely with its OEM partners to improve the security experience of Windows. “Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secured boot,” says Mangefeste. “We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems.” Mangefeste believes the customer is ultimately in control of their PC. “Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility.”
Microsoft chose to highlight the flexible approach by reminding people that the Samsung tablet, with Windows 8 Developer Preview, handed out at BUILD contains the ability to disable the firmware Secure Boot feature. “OEMs are free to choose how to enable this support,” says Mangefeste. “Windows merely did work to provide great OS support for a scenario we believe many will find valuable across consumers and enterprise customers.” Microsoft summarized its work with UEFI:
* UEFI allows firmware to implement a security policy
* Secured boot is a UEFI protocol not a Windows 8 feature
* UEFI secured boot is part of Windows 8 secured boot architecture
* If desired, Windows 8 utilizes secured boot to ensure that the pre-OS environment is secure
* Secured boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components
* OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
* Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows