UEFI SecureBoot ends commodity computing

Geeky websites around the world are ablaze with Microsoft's new policy concerning the mandatory use of UEFI SecureBoot, a move that will lock millions of tinkering hacker enthusiasts out of their hobby (including the hardware they bought and paid for) and will effectively bar the way for any kind of new grass-roots operating system on the ubiquitous PC platform. The next Linux may never see the light of day. Personally, this development saddens me greatly, as Ben Franklin's words on security and privacy keep popping into my mind.

We don't need no stinkin' BIOS

Intel, Microsoft and a whole bunch of other computer companies created UEFI some time ago as a replacement for the IBM-inspired BIOS that has lived inside PCs for about 30 years. Indeed, it really is time for a replacement, as there are hardly any PCs around anymore that feature drives A: and B:, which have been reserved since the old days for a pair of floppy drives. The floppy itself all but died out sometime around the turn of the century, not to mention the dual configuration with both 3.5 and 5.25 inch models for 'compatibility'. The last time I actually paid for such a drive was 16 years ago and even that came from someone's pile of spare parts.

A more pressing problem would be addressing stuff like 64-bit CPUs with their endless seas of RAM. Sure, you can have 1MB of RAM to do your stone-age DOS Upper Memory Blocks thingy and BIOS ROM-shadowing in. I won't miss that 1MB when my OS turns the CPU into overdrive and engages 64-bit mode, making available the rest of my 8GB of RAM.

Or how about hard drives that run well into the terabytes these days? Crud like LBA helped us across the 540MB barrier, the 128GB barrier and now the 2TB barrier, but in all honesty: this sucks and it won't scale forever. GUID partitioning is more than welcome, as is some general intelligence inside the mainboard's firmware beyond what was available in 1980.

We don't need no stinking UEFI either!

UEFI solves all of the above, but there's a huge snake in the grass here called SecureBoot. This theoretically optional feature allows PC-builders to build a number of cryptographic keys into their firmware chips. These keys match the operating system on the PC's primary boot medium and check for any kind of tampering. If the firmware finds any kind of mischief, the machine simply refuses to boot. It is a feature added in the name of security and now mandated by Microsoft for PC-builders to qualify for the Windows 8 logo program. Hence the word 'theoretically' as far as this feature being optional is concerned.

Phrased a little differently, this comes down to the following. Your sparkling new BIOS replacement will have a security 'feature' embedded inside it -beyond your control- that locks the whole machine into only booting the operating systems sanctioned by the original PC manufacturer.

Surely this makes it impossible for any kind of malware to infect a system's boot loader before the OS can even do anything about it. On the face of things, that would be A Good Thing™ if it weren't so nefariously good for Microsoft and Microsoft alone.

All animals are equal

Many a time have I salvaged old hardware from the scrap heap and given it a second life. Most of the time this concerned PCs that wouldn't run the latest and greatest from Redmond anymore, which is nothing short of a requirement if you're looking for a remotely safe environment to do your web surfing in. People who do little more than just some e-mailing and surfing don't need a data-center on their desk; they just need a secure software environment.

Something like Linux, or even a nicely stripped-down FreeBSD environment would do very well in these cases. Especially the older versions are very fast, friendly enough to allow for dummy-proof web browsing and their inherent security plus obscurity keep them very safe from viruses and other threats of the modern Internet. In my direct surroundings this has saved a whole lot of space in various landfills and kept many people happily using their computers way past their economic expiration date.

Now let's see how that pans out with a machine using UEFI and SecureBoot. Linux and FreeBSD are OSes that cater to tinkerers, and slimming down an OS to revitalize some older hardware definitely qualifies as tinkering in my book. Things like building a kernel with only the bare minimum set of drivers, for instance. That saves a huge wad of RAM on older machines and makes a considerable difference in performance. Sadly though, SecureBoot will prevent you from doing this. The reason? Your custom kernel won't have the proper manufacturer-sanctioned cryptographic signature, nor will you have any reasonable means available to remedy this situation.

Let me reiterate that: you cannot *EVER* install any other OS except one for which the original manufacturer provides a key. That not only means that the days of compiling and running your own flavor of Linux are over. It also means that when Microsoft comes around to Windows 9 or 10, and your system is stuck with keys for just version 8, you'll be out of luck. No upgrade for you, at all, ever. Just buy a whole new PC and be done with it.

Sure, but you can disable SecureBoot!

A common response to this development seems to be: "Yeah, sure, but you can disable this SecureBoot feature and still use your Linux like you're used to."

While formally true -for now- it will still put grass-roots initiatives like Linux, the BSD's and Haiku OS at a huge disadvantage. A very bad vibe emanates from a message like "Sure, you can run this new and great OS but you'll have to disable SecureBoot first because it's not authorized to run on your machine." To any sort of layman this translates into "Uhh.. is this communist crap going to destroy my PC?? Like hell I'm going to turn off my secure boots! I don't want no viruses mailing my ̶s̶t̶a̶s̶h̶ ̶o̶f̶ ̶a̶m̶a̶t̶e̶u̶r̶ ̶g̶a̶y̶ ̶p̶o̶r̶n̶ private banking information onto the leaky wikis behind my back!"
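Whether SecureBoot is actually switched on for a given machine can be read from the firmware's own variables. This is an added example, not part of the original post: it assumes a Linux system with efivarfs mounted at /sys/firmware/efi/efivars, and the function names are hypothetical.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification; efivarfs names files "<Name>-<GUID>".
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumption: efivarfs is mounted here


def parse_flag(raw):
    """Decode a one-byte boolean EFI variable as exposed by efivarfs.

    efivarfs prefixes the variable data with a 4-byte little-endian attribute mask.
    """
    if len(raw) != 5:
        raise ValueError(f"expected 4 attribute bytes + 1 data byte, got {len(raw)}")
    _attrs, value = struct.unpack("<IB", raw)
    if value not in (0, 1):
        raise ValueError(f"unexpected flag value {value}")
    return bool(value)


def classify(secure_boot_raw, setup_mode_raw):
    """Map the SecureBoot and SetupMode variables to a readable state."""
    if secure_boot_raw is None:
        return "unsupported"   # legacy BIOS boot, or firmware without SecureBoot
    if setup_mode_raw is not None and parse_flag(setup_mode_raw):
        return "setup-mode"    # no Platform Key enrolled, so nothing is enforced
    return "enforcing" if parse_flag(secure_boot_raw) else "disabled"


def read_state(root=EFIVARS):
    """Read both variables below `root` and classify the machine."""
    def read(name):
        path = Path(root) / f"{name}-{EFI_GLOBAL_GUID}"
        return path.read_bytes() if path.exists() else None
    return classify(read("SecureBoot"), read("SetupMode"))


if __name__ == "__main__":
    # Constructed sample contents (attribute mask 0x06 = boot-service + runtime access).
    print(classify(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"))
    print(read_state())
```

A result of "setup-mode" means the firmware holds no Platform Key yet, which is the state in which an owner can enroll keys of their own where the firmware offers that option.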

So there you have it. SecureBoot turns your generic IBM-compatible PC hardware into a Microsoft Windows Computer, locked to a single version and fully prepared for planned obsolescence.

It's a sad day when Freedom gets exchanged for a little bit of temporary safety... if SecureBoot will even give you that, which remains to be seen.

PS: Did I mention that mandatory SecureBoot will lock out Windows XP, Vista and 7 as well? I didn't? Well, it will. This isn't just about pink-o Linux users. Thought you should know...