PC enthusiasts generally take the right to install alternate operating systems as a given, but that right may be threatened by PCs designed for Windows 10. According to a new report by Ars Technica, Microsoft is relaxing its requirement that x86 PCs carrying the "Designed for Windows" logo contain an on-off switch for Secure Boot, a UEFI feature that prevents unsigned software from running during the boot process:
At its WinHEC hardware conference in Shenzhen, China, Microsoft talked about the hardware requirements for Windows 10. The precise final specs are not available yet, so all this is somewhat subject to change, but right now, Microsoft says that the switch to allow Secure Boot to be turned off is now optional. Hardware can be Designed for Windows 10 and can offer no way to opt out of the Secure Boot lock down.
The presentation is silent on whether OEMs can or should provide support for adding custom certificates.
Secure Boot prevents systems from being attacked by malware that compromises the OS before it's loaded, but there are downsides. If Secure Boot is permanently enabled by a hardware vendor, bootloaders (and by extension, operating systems) that aren't signed by a key whose certificate is stored in the system's firmware won't be able to run. This is a pain for users who want to compile and install their own operating systems.
Operating systems that are user-compiled by necessity, like Gentoo Linux, might require complex workarounds for Secure Boot, and there's no guarantee that OEMs will continue allowing end users to modify the database of approved keys in firmware. That said, common Linux distributions like Ubuntu and Fedora have worked with Microsoft to get their bootloaders signed with the company's key, and other, distribution-agnostic workarounds do exist. As a result, Linux won't necessarily be locked out on PCs with Secure Boot permanently enabled.
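On a running Linux system, the Secure Boot state discussed above can be read from the firmware's own variables. The shell script below is an added example, not part of the original article or the Ars Technica report; it assumes efivarfs is mounted at /sys/firmware/efi/efivars, and the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Secure Boot state from Linux efivarfs.
GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# An efivarfs file is a 4-byte attribute header followed by the variable data.
# Print the first data byte in decimal, or nothing if the file is unreadable.
efi_byte() {
    [ -r "$1" ] || return 0
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# Print one of: not-uefi, setup-mode, enforcing, disabled, unknown.
sb_state() {
    dir=$1
    [ -d "$dir" ] || { echo "not-uefi"; return 0; }
    sb=$(efi_byte "$dir/SecureBoot-$GUID")
    setup=$(efi_byte "$dir/SetupMode-$GUID")
    if [ "$setup" = 1 ]; then
        echo "setup-mode"   # no Platform Key enrolled: the owner can enroll keys
    elif [ "$sb" = 1 ]; then
        echo "enforcing"    # only bootloaders the firmware trusts will run
    elif [ "$sb" = 0 ]; then
        echo "disabled"
    else
        echo "unknown"
    fi
}

# Build a constructed (fake) efivarfs tree: make_sample DIR SECUREBOOT SETUPMODE
make_sample() {
    mkdir -p "$1"
    { printf '\006\000\000\000'; printf "\\00$2"; } > "$1/SecureBoot-$GUID"
    { printf '\006\000\000\000'; printf "\\00$3"; } > "$1/SetupMode-$GUID"
}

# Demo: first on constructed data, then on this machine's firmware variables.
tmp=$(mktemp -d)
make_sample "$tmp" 1 0
echo "constructed sample: $(sb_state "$tmp")"
rm -rf "$tmp"
echo "this machine: $(sb_state /sys/firmware/efi/efivars)"
```

An "enforcing" result does not reveal whether the firmware setup screen offers a way to turn Secure Boot off or to enroll additional keys; that can only be checked in the firmware itself.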
(Feature image lock icon by dAKirby309 on Webpatashala)