Updated: February 20, 2013
Recently, at a rate of about once a day, a new article comes blaming Microsoft for being evil and using their Secure Boot thingie to monopolize the desktop and prevent Linux from taking over. On top of that, Microsoft notwithstanding, lots of people are blaming UEFI for not letting them boot various Linux distributions.
I would like to use this opportunity to dispell myths and fears and pure, simple disinformation, as most of the articles written on this topic are nothing more than FUD designed to generate controversy, traffic and revenue. So let's see what gives, and why UEFI is all right, and why there is no problem whatsoever.
The acronym stands for Unified Extensible Firmware Interface. It is a standard that defines the interface between operating systems and platform hardware. Essentially, it replaces BIOS in this function. UEFI is more modern and supports all kinds of things, like remote connectivity, mouse navigation inside its menus, and suchlike. You also get support for very large disks, and a whole lot of other services.
Another feature added in version 2.2 of UEFI is Secure Boot. This capability can be used to restrict the hardware platform to allow booting only operating systems that have a valid digital signature. In a way, this is somewhat similar to what happens when you connect to HTTPS sites, like your bank.
In the Setup mode, UEFI enumerates the hardware and writes relevant public keys, known as the Platform keys, to the firmware. In the User mode, it allows only operating systems that have a matching private key to boot. In most cases, the private key will include the enumeration of hardware devices and the kernel's digital signature. Hence the term, Secure Boot, because if the operating system gets changed in a significant way, or the hardware is tampered with, this could be an indication that something is wrong, and you might not want to boot your machine. In order to allow changes and kernel updates, additional keys can be stored, but they must be related to the platform key. Moreover, custom modes allow adding new keys for other operating systems. This is much like the digital certificate of a website. If the site gets tampered with, the signature will no longer be valid, and you might not want to proceed.
And this is where drama begins. Microsoft Windows 8 supports Secure Boot. However, this feature was instantly publicly subverted into a conspiracy that Microsoft intends to use the feature to lock out other operating system vendors, namely Linux, from behind able to boot their stuff on the same hardware.
Indeed, what's there to worry about? You simply enter your UEFI menu, change the Secure Boot configuration to either Setup or Custom modes, and make relevant tweaks. And this is where problems start.
Because of the GPL restrictions, it might be impossible to change the GRUB bootloader to use digital signatures. The exact reasons are not really important, but it has nothing to do with Microsoft. Furthermore, a generic signing key could be used for the bootloader, which would satisfy the licensing concerns, but then, how do you persuade OEM to ship this key along with the Microsoft one? Again, nothing to do with Microsoft.
Lastly, several pre-boot bootloaders are being developed, which would be used for signing, and then handing off the boot sequence control to GRUB in the normal way. These things are called shims, and there are several variants in the works. There ought to be an official bootloader out there, now, do search the Web for more info if you really care. Again, unrelated to any conspiracy theory by Microsoft.
And did I say that Secure Boot can be DISABLED completely, and that this is not a concern whatsoever? This is the one thing that seems to enrage the crowds most.
The thing is, Microsoft want platforms shipping Windows RT, which means ARM, which probably means tablets and smartphones, to have their UEFI locked down in such a way to prevent tampering with the Secure Boot mechanism. If you think about it more carefully, this is no different than what Apple or Google do with their phones, where you must load custom firmware to be able to so-call jailbreak them. However, no one clamors about that, and everyone seems to go wild when Microsoft want to do the same thing.
On the same note, Microsoft also requires OEM vendors to allow full control of the Secure Boot on x86 platforms, which stands for your desktops and laptops and such. Which brings us to OEM vendors.
Let's take a look at the market figures. Normally, you will have some uptight MBA graduate strutting up and down the stage, telling you how excited he is, and emphasizing the word penetration, in regard to markets, that is. And you may assume that Microsoft wants to fight aggressively for every square millimeter of the proverbial turf.
Indeed, Microsoft definitely want to ensure their market share. But given the restrictions and lack thereof, for Windows and Windows RT, there does not seem to be any real problem. Moreover, some simple statistics. 90% of all computers are running Microsoft Windows, one version or another. Roughly 90% of all computers come preinstalled, and their users never bother changing anything. Some 90% of people will never think about dual-booting or using any other operating system other than the usual crap that comes by default. Linux never was and never is an issue.
On that same note, people who use Linux are savvy, skilled and can easily enter the UEFI menu and make changes needed to allow dual and triple and whatever booting on their boxes. Most Linux users will also likely purchase generic hardware, without any operating system installations, so the notion of Secure Boot will never be raised. Much ado about nothing, but drama is more fun.
The only question you need to be asking yourself is this: On OEM hardware that supports and uses Secure Boot, and which comes preinstalled with Windows, on which you might intend to use your own operating systems of some kind, will the vendor respect the requirements and truly allow disabling or modifying the Secure Boot feature?
This is the ONLY relevant question. There's nothing wrong with UEFI and its capabilities, nor even Microsoft's desires, goals and strategies, nor requirements from the vendors. The only question is, will these vendors respect the standard or make changes to the UEFI, as to cripple the functionality and prevent specific user changes? That's the only thing that needs to worry you.
To answer that: Do NOT buy hardware - laptops mostly, that is - which come with limited or restricted UEFI interface. Do not purchase hardware that could limit your usage models. Make sure you buy machines that support: 1) Secure Boot changes 2) Legacy mode that emulates old BIOS. That's all you need to worry about right now.
I bought two desktops, one in 2011, and another in 2012, virtually identical. Both come with ASUS boards, and consequently, ASUS firmware. In both cases, the machines use UEFI, and have support for legacy boot. In both cases, I installed and ran Windows 7, as well as several Linux distributions without any problems WHATSOEVER. The Secure Boot never came up as an issue, because it is disabled or does not exist in the menu or who the hell cares. That's all. Choose your hardware carefully, and when you have full control of your assets, you can make your own modifications any which way you like.
Now, on the far end of the spectrum, you have would-be scary stories about how certain Samsung laptops got bricked after trying to boot Linux on them. This was instantly turned into another Microsoft conspiracy, until everyone figured out that Secure Boot was not an issue here. Rather, the incompatibility between the operating system and the underlying firmware, due to a BUG in firmware, caused the machines to cease living.
Naturally, people were quick to blame UEFI for being evil. The thing is, the problem manifested only in certain boot modes, and only with certain versions of Linux. Moreover, stories about bricked hardware are not new. There have been a million cases like this in the past, sometimes with select items, like DVD burners or routers, sometimes with whole machines. It happens. There are bugs, and then, they get resolved.
There's nothing wrong with UEFI, or Samsung, or Linux. In certain conditions, when you combine various components, problems can happen, and they do. The reason this surfaced is most likely because Samsung did not test Ubuntu or alike on their laptops, which ship preinstalled with Windows. The same issue might have happened in the factories while assembling these boxes, but Samsung would have contacted Microsoft and resolved this silently. Well, apparently not, because the problem manifests in Windows, too. BAM! There goes the conspiracy.
You do not want to know how many hundreds of cases like this happen all the time, with OEM vendors going back to the operating system and hardware companies, and asking for fixes in the firmware. You really do not want to know, and you do not need to care, as a customer.
People also clamoring that their systems, with the Secure Boot enabled, would not boot after making changes to their hardware. Indeed, new hardware components means a new enumeration of the devices, and then the digital signature hash no longer matches the stored key.
This might be a small problem, but it is also easily resolved. You disable the Secure Boot before making hardware changes. We go back to OEM vendors respecting the specifications and standard. Frankly, this will most likely never be an issue of desktops. And with laptops, now really, how often do you change hardware?
UEFI is no devil. It's just different from BIOS, and operating systems will have to be adapted to make use of its capabilities. Simple. Likewise, the Secure Boot functionality is nothing you should worry about too much. What you need to do is, make you purchase hardware from vendors that do not treat their customers as a toilet bowl. That's all.
If you stick by these simple rules and guidelines, your multi-boot experience on hardware with UEFI will be pleasant and hassle free. One day, Linux distributions will all natively and seamlessly support Secure Boot, so that one issue will vanish completely, too. Other than that, all the usual applies, including the slight, remote possibility that your hardware might decide to become a cinder block. But that can happen regardless of what acronym you choose for the day. Now, enough useless drama.