The Free Software Foundation says that, Microsoft’s own version of “Secure boot” is actually another word for “restricted boot”. But according to Microsoft, they’re just trying to enhance the security of their OS by using the Unified Extensible Firmware Interface (UEFI) (a framework) but the FSF and open source community in general says this is in fact a bad move!.
UEFI (based on the EFI which is supported by GNU/Linux) is basically an updated version of BIOS (not 100% accurate but in a way it’s true). And if you don’t know that BIOS is… then in simple terms, it’s the one that takes care of every thing, hardware health checking & communication, etc till that pretty little Windows logo (or whatever the OS logo that you have for that matter) arrives after you turn on your PC.
So UEFI Secure Boot is bad?
To be honest I did not read their technical specifications (I don’t think most would understand things in it unless you have a certain degree of computer related technical knowledge), except for the FAQ page which explains things in a more non-technical manner.
Anyhow, personally I’m not that impressed by it and from the bits and pieces that I put together, it’s a feature that says it’s there to “enhance” the security of your computer by disabling a user from booting into an OS that’s not “signed” or verified using a software “Key”.
So, who signs these “Keys” ?. Well, according to Matthew from RedHat who pointed it out first…
“The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows.
The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.”
So from a security point of view it could be a good thing but only as long as the users are given the ability to disable this feature thus allowing an unsigned OS to be run (say you just downloaded a GNU/Linux OS that no one ever heard of and wanted to run it :D).
But the concern is, again I’m quoting Matthew…
“There’s no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code. However, experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market…”
So as long as the firmware vendors give user the ability to disable this “feature” we’re gonna be fine but as Matthew says, what if they choose not to?.
So if you think this is a threat to you … then Free Software foundation has started a campaign against Microsoft’s secure boot. They’re basically creating a massive statement and you can include your own statement to that.
If interested, you can get more information from this FSF Secure Boot vs Restricted Boot Statement page. Enjoy! (OK… that’s a dumb thing to say ;-)).