Windows 8's use of the UEFI Secure Boot

Colin Watson cjwatson at
Tue Sep 27 08:41:53 UTC 2011

On Tue, Sep 27, 2011 at 10:58:33AM +0800, Goh Lip wrote:
> On 27/09/11 02:49, Colin Watson wrote:
> >On Sun, Sep 25, 2011 at 11:47:19AM +0800, Goh Lip wrote:
> >>I have it running in BIOS msdos partitioned disk and it gets booted
> >>up by grub2. I'll bet it will run in UEFI gpt partitioned disk and
> >>be able to be booted up by grub2. (an article claimed it can only be
> >>booted on UEFI gpt partition - it may happen the 'final release'
> >>could -doubt so- but the 'developer preview' doesn't.)
> >
> >I'm pretty sure that, by the time all this reaches final deployment,
> >GRUB 2 will not be able to boot Windows 8 under UEFI.  That would be far
> >too easy a workaround ...
> "That would be far too easy a workaround ..."
> By this, do you mean that it would be easy to workaround such that
> grub2 can still boot Windows 8?
> OR
> That it will be easy for Microsoft to workaround the UEFI
> 'architecture' such that it is impossible for grub2 to boot Windows
> 8 if Microsoft choose to do so?

I mean that Microsoft consider it to be part of their security
architecture that it will only be possible to boot Windows 8 using a
bootloader signed with a key trusted by the UEFI firmware, at least once
one is using firmware with the "secure boot" capability.  It would be
far too easy a workaround if one could avoid that simply by using an
unsigned boot loader.

Of course, if the firmware doesn't require a signature, that's a
different matter.  But you won't be able to work around firmware
requirements using an unsigned boot loader.

(Do not take from this that I agree with this position; I'm just telling
you how I understand it's likely to be.)

> >>If another article claims that the security feature is a UEFI
> >>feature and not Microsoft related, note that grub2 is CA-certified
> >>and this implies grub2 can boot Windows 8. (grub-legacy is not
> >>CA-certified)
> Perhaps this would explain better...
> but granted, it may be interpreted that Microsoft uses
> CA-certification to block other boot-loaders booting it.

Nothing in that article supports the position that GRUB 2 is
CA-certified.  I can tell you with considerable confidence that it is
not at this time, and that it is not at all clear what we would need to
do in order to do so - would GRUB have to be modified to only boot
signed kernels if we were to avoid our key being immediately revoked?
That wouldn't be pretty.

(Anyway, Matthew Garrett has responded to Microsoft's response ...)

> Still, it is inconceivable that Microsoft would want to 'lock
> itself' out of the substantive and lucrative upgrade market.

It may well be that it behaves differently on prior firmware versions,
but as Matthew Garrett has pointed out, any new system that wants to get
Windows 8 certification must ship with "secure boot" enabled and is not
required to provide an option to disable it.

Colin Watson                                       [cjwatson at]

More information about the ubuntu-users mailing list