UEFI on ARM illustrates why we still have to watch Microsoft

UEFI is a technology that forces a computer to only load a digitally signed operating system. This has some security benefits, as it makes parts of the operating system unbootable if they become infected, since the viruses won’t be digitally signed by a reputable vendor.

Great idea, right? From a security perspective, absolutely. The more attack vectors for viruses we can eliminate, the better off we’ll be. But Microsoft’s policy on ARM systems shows how it can be abused.

There was some concern that Microsoft would use UEFI to lock anything but Windows out of PCs. As a monopoly, Microsoft can’t afford to do that. Bill Gates was willing to take chances with the Department of Justice; Steve Ballmer has been less so.

But Microsoft takes a lockout stance on ARM-based systems. Microsoft can get away with it there, because Microsoft isn’t a monopoly on ARM. And on phones, we’ve never switched operating systems. We’re used to buying an Android phone if we want Android, an Apple phone if we want iOS (the Apple variety, not Cisco), or a Windows phone if we want Windows.

But what about when 4-core ARM-based PCs come along for $200? The majority of people will be happy running Windows on those, but I can certainly understand wanting to run Linux on them. I’d think about it–the price would be right, and I don’t like watching my Linux skills atrophy.

Long-term, the solution probably is for someone to release a digitally signed Linux distribution. It’s questionable whether the GPL will allow that, but the authors of boot-critical components (like the bootloader) could relicense that code, or someone could write alternatives and license them under something more permissive. I don’t completely like that answer, because it would impede compiling custom versions of that code. The vendor-compiled code would boot, but yours wouldn’t. That’s not something casual users do, of course, but it’s part of the culture. And it certainly limits Linux’s usefulness for computer science/computer engineering students who are deeply studying operating system internals.

Personally, I’d be willing to live with those limitations, under the right conditions. But I’m not everyone.

And to me, the more interesting thing about this is that it shows Microsoft hasn’t really changed much. When the system allows them to be abusive, they’re still perfectly willing to be abusive.
