How Secure Boot Works on Windows 8 and 10, and What It Means for Linux
Modern PCs ship with a feature called “Secure Boot” enabled. This is a platform feature in UEFI, which replaces the traditional PC BIOS. If a PC manufacturer wants to place a “Windows 10” or “Windows 8” logo sticker to their PC, Microsoft requires they enable Secure Boot and follow some guidelines.
Unfortunately, secure boot also prevents you from installing some Linux distributions, which can be quite a hassle.
How Secure Boot Secures Your PC’s Boot Process
Secure Boot isn’t just designed to make running Linux more difficult. There are real security advantages to having Secure Boot enabled, and even Linux users can benefit from them.
A traditional BIOS will boot any software. When you boot your PC, it checks the hardware devices according to the boot order you’ve configured, and attempts to boot from them. Typical PCs will normally find and boot the Windows boot loader, which goes on to boot the full Windows operating system. If you use Linux, the BIOS will find and boot the GRUB boot loader, which most Linux distributions use.
However, it’s possible for malware, such as a rootkit, to replace your boot loader. The rootkit could load your normal operating system with no indication anything was wrong, staying completely invisible and undetectable on your system. The BIOS doesn’t know the difference between malware and a trusted boot loader–it just boots whatever it finds.
Secure Boot is designed to stop this. Windows 8 and 10 PCs ship with Microsoft’s certificate stored in UEFI. UEFI will check the boot loader before launching it and ensure it’s signed by Microsoft. If a rootkit or another piece of malware does replace your boot loader or tamper with it, UEFI won’t allow it to boot. This prevents malware from hijacking your boot process and concealing itself from your operating system.
How Microsoft Allows Linux Distributions to Boot with Secure Boot
This feature is, in theory, just designed to protect against malware. So Microsoft offers a way to help Linux distributions boot anyway. That’s why some modern Linux distributions–like Ubuntu and Fedora–will “just work” on modern PCs, even with Secure Boot enabled. Linux distributions can pay a one-time fee of $99 to access the Microsoft Sysdev portal, where they can apply to have their boot loaders signed.
Linux distributions generally have a “shim” signed. The shim is a small boot loader that simply boots the Linux distributions main GRUB boot loader. The Microsoft-signed shim checks to ensure it’s booting a boot loader signed by the Linux distribution, and then the Linux distribution boots normally.
Ubuntu, Fedora, Red Hat Enterprise Linux, and openSUSE currently support Secure Boot, and will work without any tweaks on modern hardware. There may be others, but these are the ones we’re aware of. Some Linux distributions are philosophically opposed to applying to be signed by Microsoft.
How You Can Disable or Control Secure Boot
If that was all Secure Boot did, you wouldn’t be able to run any non-Microsoft-approved operating system on your PC. But you can likely control Secure Boot from your PC’s UEFI firmware, which is like the BIOS in older PCs.
There are two ways to control Secure Boot. The easiest method is to head to the UEFI firmware and disable it entirely. The UEFI firmware won’t check to ensure you’re running a signed boot loader, and anything will boot. You can boot any Linux distribution or even install Windows 7, which doesn’t support Secure Boot. Windows 8 and 10 will work fine, you’ll just lose the security advantages of having Secure Boot protect your boot process.
You can can also further customize Secure Boot. You can control which signing certificates Secure Boot offers. You’re free to both install new certificates and remove existing certificates. An organization that ran Linux on its PCs, for example, could choose to remove Microsoft’s certificates and install the organization’s own certificate in its place. Those PCs would then only boot boot loaders approved and signed by that specific organization.
An individual could do this, too–you could sign your own Linux boot loader and ensure your PC could only boot boot loaders you personally compiled and signed. That’s the kind of control and power Secure Boot offers.
What Microsoft Requires of PC Manufacturers
Microsoft doesn’t just require PC vendors enable Secure Boot if they want that nice “Windows 10” or “Windows 8” certification sticker on their PCs. Microsoft requires PC manufacturers implement it in a specific way.
For Windows 8 PCs, manufacturers had to give you a way to turn Secure Boot off. Microsoft required PC manufacturers to put a Secure Boot kill switch in users’ hands.
For Windows 10 PCs, this is no longer mandatory. PC manufacturers can choose to enable Secure Boot and not give users a way to turn it off. However, we’re not actually aware of any PC manufacturers that do this.
Similarly, while PC manufacturers have to include Microsoft’s main “Microsoft Windows Production PCA” key so Windows can boot, they don’t have to include the “Microsoft Corporation UEFI CA” key. This second key is only recommended. It’s the second, optional key that Microsoft uses to sign Linux boot loaders. Ubuntu’s documentation explains this.
In other words, not all PCs will necessarily boot signed Linux distributions with Secure Boot turned on. Again, in practice, we haven’t seen any PCs that did this. Perhaps no PC manufacturer wants to make the only line of laptops you can’t install Linux on.
For now, at least, mainstream Windows PCs should allow you to disable Secure Boot if you like, and they should boot Linux distributions that have been signed by Microsoft even if you don’t disable Secure Boot.
Secure Boot Couldn’t Be Disabled on Windows RT, but Windows RT is Dead
On Windows RT—the version of Windows 8 for ARM hardware, which shipped on Microsoft’s Surface RT and Surface 2, among other devices—Secure Boot couldn’t be disabled. Today, Secure Boot still can’t be disabled on Windows 10 Mobile hardware–in other words, phones that run Windows 10.
That’s because Microsoft wanted you to think of ARM-based Windows RT systems as “devices,” not PCs. As Microsoft told Mozilla, Windows RT “isn’t Windows anymore.”
However, Windows RT is now dead. There’s no version of the Windows 10 desktop operating system for ARM-hardware, so this isn’t something you have to worry about anymore. But, if Microsoft does bring back Windows RT 10 hardware, you likely won’t be able to disable Secure Boot on it.