What is the impact of Windows 8 with UEFI on normal users?

7

1

I am a normal man-in-the-street computer user and so do not really understand what this is about, but I want to. Can someone please explain to me if:

  1. The Windows 8/UEFI secure boot thing will make it impossible to run normal/legacy applications in Windows 8 (as they will be unsigned)?
  2. It will turn Windows into an Apple-like system where only Microsoft approved applications can be run?

As I say, I'm a normal user, and that is the overall impression I have from reading all the blogs, etc. about it.

If, on the other hand, all it does is make sure the system is booting a signed OS, how does this prevent malware (which is what at least two Microsoft blogs that I read seemed to be saying), given that most malware is not part of the boot process? The only way I can see this making sense is if it is ensuring that all OS components are signed. Is that it?

Like I say, I'm a mortal, so please don't get technical on me, but rather explain how it will affect me, the user.

Sam

Posted 2011-11-29T16:40:12.633

Reputation: 71

Answers

6

It will make it possible for Microsoft, in cooperation with specific motherboard vendors, to lock specific motherboard models to only boot to operating systems signed with a Microsoft-supplied key. You will still be able to run any application you want once the operating system is installed. The only thing that is locked is the boot loader.

At present, no motherboard vendors have any plans for such locking, several have expressed a strong disinclination to ever allow it, and Microsoft has claimed they are not asking for any such locking. You're safe for at least the next decade or so.

Even if the equation changes and such locking does begin to occur, the relatively open and accessible nature of PC hardware and the operating environment in general would make cracking the required digital signature lock a relatively simple operation for hackers.

What will more likely happen is that large IT departments are asking for a way to prevent users of institution-owned equipment from installing non-sanctioned operating systems. We might see vendors offer customized locking, where they pre-set the board with a key supplied by the IT department, and Microsoft adding a feature to sysprep that allows IT to use the matching key in their installer image.

The largest side effect here is that many of these businesses also lease their equipment, and there is a significant and growing market for 3-year-old off-lease merchandise. Locked motherboards could impact the value of this equipment.

Joel Coehoorn

Posted 2011-11-29T16:40:12.633

Reputation: 26 787

1 +1: in cooperation with specific motherboard vendors. This is the big key. I have yet to talk to someone who will agree that this would be a big threat to other OSes. I think SOPA is a bigger and far greater concern. – surfasb – 2011-11-29T17:32:10.697

Secure boot has already been hacked, another worthless Microsoft endeavor... http://insanetek.com/news/1-web-and-industry-news/900-windows-8-qsecure-bootq-already-hacked – Moab – 2011-11-29T17:35:04.717

I am not a lawyer, but I believe it would be illegal to force vendors to lock motherboards to Windows as it would amount to product tying--tying motherboards to Windows would deny consumers their choice of a different operating system. – bwDraco – 2011-11-29T17:42:59.567

2

First, some definitions:

Secure Boot is a feature of UEFI, which allows the firmware to verify that the boot loader is cryptographically signed, and the certificate can be traced back to one of the root certificates stored in the firmware. This feature prevents unauthorized boot loaders on platforms where this feature is enabled. Only a very small minority of malware uses boot loaders in any way.

From Windows engineering team blog:

For Windows customers, Microsoft is using the Windows Certification program to ensure that systems shipping with Windows 8 have secure boot enabled by default, that firmware not allow programmatic control of secure boot (to prevent malware from disabling security policies in firmware), and that OEMs prevent unauthorized attempts at updating firmware that could compromise system integrity.

This means that nothing prevents OEMs (computer manufacturers) from including a "BIOS" feature that enables/disables secure boot via the user interface. (I use quotes for lack of a better name for the pre-boot environment where you configure computer settings. It is called BIOS now, but I doubt that people will call UEFI "the UEFI".) Thus, you will be able to boot Linux or use some other unsigned boot loader. How this feature will be implemented is yet to be seen, of course.

I think that this feature will be used by some OEMs to completely lock down their computers. If you cannot use any bootable media except some authorized one, you cannot really switch to another OS or even install Windows from a non-OEM-supplied disk. But for the vast majority of users nothing will change, as this feature will have very small impact on them.

haimg

Posted 2011-11-29T16:40:12.633

Reputation: 19 503
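
The signature check described in the answers runs in firmware, but the resulting state is visible to the operating system. As an added example (not part of the original answers), this Python code reads the standard UEFI `SecureBoot` and `SetupMode` variables the way Linux exposes them through efivarfs. The function names and the constructed sample bytes are assumptions made for illustration.

```python
import struct
import tempfile
from pathlib import Path

# GUID of the UEFI global variable namespace (EFI_GLOBAL_VARIABLE in the UEFI spec).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Where Linux exposes firmware variables when efivarfs is mounted.
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")

def parse_efivar(raw: bytes) -> tuple:
    """Split an efivarfs file into (attributes, data); 4-byte LE attribute mask first."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    (attributes,) = struct.unpack_from("<I", raw)
    return attributes, raw[4:]

def read_flag(directory: Path, name: str):
    """Return True/False for a one-byte boolean variable, None if unavailable."""
    path = directory / f"{name}-{EFI_GLOBAL_GUID}"
    try:
        _, data = parse_efivar(path.read_bytes())
    except (OSError, ValueError):
        return None
    return data[:1] == b"\x01" if data else None

def secure_boot_state(directory: Path = EFIVARS_DIR) -> str:
    """Summarise whether the firmware is enforcing boot loader signatures."""
    secure_boot = read_flag(directory, "SecureBoot")
    setup_mode = read_flag(directory, "SetupMode")
    if secure_boot is None:
        return "unknown (legacy BIOS boot, or efivarfs not mounted)"
    if setup_mode:
        return "setup mode (no Platform Key enrolled, signatures not enforced)"
    return "enabled" if secure_boot else "disabled"

def demo_state(secure_boot: int, setup_mode: int) -> str:
    """Run the check against constructed variable files instead of real firmware."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, value in (("SecureBoot", secure_boot), ("SetupMode", setup_mode)):
            # Constructed sample: attributes 0x6 (boot-service + runtime access), 1 data byte.
            blob = struct.pack("<IB", 0x6, value)
            (Path(tmp) / f"{name}-{EFI_GLOBAL_GUID}").write_bytes(blob)
        return secure_boot_state(Path(tmp))

if __name__ == "__main__":
    print("This machine:", secure_boot_state())
    print("Constructed sample:", demo_state(1, 0))
```

On a machine booted through legacy BIOS the variables do not exist, which is why the code reports "unknown" rather than "disabled".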