When you boot a new Windows 8 PC, the Secure Boot feature in the UEFI firmware checks the operating system loader and its drivers to ensure they carry a digital signature the firmware trusts.

On Windows PCs, UEFI Secure Boot generally checks that this low-level software is signed by Microsoft or by the computer's manufacturer, whose certificates the manufacturer ships in the firmware's signature database. This prevents low-level malware like rootkits and bootkits from tampering with the boot process. But the same feature that blocks rootkits will also block other software, like Linux boot loaders that aren't signed with a key the firmware trusts. And, in fact, on Windows RT devices like the original Surface and Surface 2, Secure Boot was locked down tight to only allow Windows RT to boot. The Linux community was understandably up in arms about this, and Microsoft tossed it a bone. As part of the certification process that allowed manufacturers to pre-install Windows and put little Windows logos on new PCs, Microsoft required hardware makers to give users a way to disable Secure Boot and to enroll their own signing keys on Windows 8 PCs. So you could always disable Secure Boot and still install any Linux distribution you liked. Or you could keep Secure Boot on, replace the stock keys with your own, and only allow operating systems signed with your personal signing key to boot.

Windows 10 makes the user-configuration toggle optional. On a PC, Microsoft now allows manufacturers to choose whether or not a user can disable Secure Boot. That's the information Ars Technica noticed in a slide presented at Microsoft's WinHEC conference. In other words, it's up to every manufacturer to include the toggle or not. Theoretically, this provides some choice: you can choose to buy a computer without a toggle in the UEFI firmware, locking it to only boot Windows and other approved OSes. If someone gets their hands on your PC, they can't boot into the UEFI setup screen and disable Secure Boot or enroll their own key. Bear in mind what that does and doesn't buy you: Secure Boot protects the integrity of the boot chain, not the data on the disk, so an attacker with physical access can still pull the drive and read it unless it is encrypted, and a toggle that does exist can itself be protected with a firmware setup password. And, if you want the ability to disable Secure Boot and install whatever operating system you want, you can just buy a PC with such a toggle.

In practice, this will probably end up harder than it looks, as one recent example drives home. The firmware-checking feature in Intel processors, Intel Boot Guard, lets manufacturers choose whether or not to lock a CPU down to run manufacturer-signed firmware alone: the manufacturer's key hash is burned into one-time-programmable fuses at the factory, and the processor then refuses to run firmware signed with any other key. And every single hardware maker chose to lock it up tight, until the free- and open-source-obsessed Purism recently realized that manufacturers could choose not to enable the feature. Short of having a boutique manufacturer like Purism build one, there is no way to get your hands on a PC that doesn't require proprietary firmware.
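Here is an added example of the checking described above for Secure Boot; it is not code from the original article or from any firmware vendor, but a small Python model of how a UEFI firmware decides whether to run a boot loader using the db (allowed) and dbx (forbidden) signature databases, plus how to interpret the SecureBoot and SetupMode variables that tell you whether enforcement is actually on. The EFI_SIGNATURE_LIST layout and the GUIDs are the ones in the UEFI specification; the "loader images", owner GUIDs and database contents are constructed for the example. Real firmware hashes the Authenticode regions of a PE file rather than its raw bytes and also accepts images whose signature chains to an X.509 certificate in db, but the decision order shown (a dbx match denies first, then db must allow) is the real one, and hash entries of type EFI_CERT_SHA256 are a legitimate db/dbx entry kind.

```python
import hashlib
import struct
import uuid

# GUIDs taken from the UEFI specification (real values, not assumptions).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian, 28 bytes total).
ESL_HEADER = struct.Struct("<16sIII")
SHA256_SIGNATURE_SIZE = 16 + 32  # EFI_SIGNATURE_DATA: SignatureOwner GUID + digest


def build_sha256_esl(owner, hashes):
    """Serialise one EFI_SIGNATURE_LIST holding EFI_CERT_SHA256 entries."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = ESL_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                             ESL_HEADER.size + len(body), 0, SHA256_SIGNATURE_SIZE)
    return header + body


def parse_esl(blob):
    """Walk a db/dbx blob (one or more concatenated lists) and return
    (SignatureType, SignatureData) pairs. Malformed input raises rather than
    being skipped: a parser that tolerates bad lengths is an attack surface."""
    entries = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, offset)
        end = offset + list_size
        pos = offset + ESL_HEADER.size + hdr_size
        if end > len(blob) or pos > end or sig_size < 16 or (end - pos) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        while pos < end:
            # Skip the 16-byte SignatureOwner; the rest is the digest (or cert).
            entries.append((uuid.UUID(bytes_le=sig_type), blob[pos + 16:pos + sig_size]))
            pos += sig_size
        offset = end
    return entries


def image_allowed(image, db, dbx):
    """Simplified Secure Boot decision for hash-based entries.

    Order matters and matches real firmware: any dbx hit denies the image
    before db is consulted, so revoking a loader in dbx wins even if its
    hash (or signing cert) is still present in db."""
    digest = hashlib.sha256(image).digest()  # real firmware hashes PE Authenticode regions

    def listed(esl):
        return any(t == EFI_CERT_SHA256_GUID and d == digest for t, d in parse_esl(esl))

    if listed(dbx):
        return False
    return listed(db)


def secure_boot_state(secureboot_var, setupmode_var):
    """Interpret efivarfs contents for SecureBoot and SetupMode: 4 bytes of
    attributes followed by a 1-byte value. Enforcement needs SecureBoot=1 and
    SetupMode=0; in setup mode anyone at the console can rewrite PK/KEK/db/dbx."""
    def value(raw):
        if len(raw) != 5:
            raise ValueError("expected 4 attribute bytes + 1 value byte")
        return raw[4]
    sb, setup = value(secureboot_var), value(setupmode_var)
    return {"secure_boot": sb == 1, "setup_mode": setup == 1,
            "enforcing": sb == 1 and setup == 0}


def sha(data):
    return hashlib.sha256(data).digest()


# --- Constructed sample data (not real loaders, keys or vendor GUIDs) ---
VENDOR_OWNER = uuid.UUID("00000000-0000-4000-8000-000000000001")  # placeholder
USER_OWNER = uuid.UUID("00000000-0000-4000-8000-000000000002")    # placeholder
VENDOR_LOADER = b"bootmgfw.efi (constructed stand-in for a vendor-signed loader)"
USER_LOADER = b"grubx64.efi (constructed stand-in for a loader signed by the user)"
REVOKED_LOADER = b"old-loader.efi (constructed stand-in for a revoked loader)"

# Factory db trusts the vendor loader and the now-revoked one; dbx revokes the latter.
VENDOR_DB = build_sha256_esl(VENDOR_OWNER, [sha(VENDOR_LOADER), sha(REVOKED_LOADER)])
DBX = build_sha256_esl(VENDOR_OWNER, [sha(REVOKED_LOADER)])
# What a user who "tweaks Secure Boot" ends up with after replacing db with
# their own key material: only their loader boots, the vendor's no longer does.
USER_DB = build_sha256_esl(USER_OWNER, [sha(USER_LOADER)])

if __name__ == "__main__":
    for name, img, db in [("vendor loader, factory db", VENDOR_LOADER, VENDOR_DB),
                          ("user loader, factory db", USER_LOADER, VENDOR_DB),
                          ("revoked loader, factory db", REVOKED_LOADER, VENDOR_DB),
                          ("user loader, user db", USER_LOADER, USER_DB),
                          ("vendor loader, user db", VENDOR_LOADER, USER_DB)]:
        print(f"{name}: {'boots' if image_allowed(img, db, DBX) else 'refused'}")
    print(secure_boot_state(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"))
```

On a Linux machine you can feed real data to the same functions: the contents of /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c and SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c go to secure_boot_state, and the db and dbx variables (under the EFI_IMAGE_SECURITY_DATABASE GUID d719b2cb-3d3a-4596-a3bc-dad00e67656f, again with the 4 attribute bytes stripped) can be walked with parse_esl to see which certificates and revoked hashes your firmware actually trusts.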