Windows 8 on ARM Won't Dual Boot Non-Windows OSs Because Secure Boot Can't Be Disabled

Windows 8 on ARM: Secure Boot can't be disabled

Windows 8 loaded on ARM machines will be different from its x86 counterparts, both in terms of hardware and specification capabilities. Devices running ARM versions of Windows 8 "will not be able to run other operating systems" such as Linux, thanks to "UEFI Secure Boot" features unveiled back in September last year.

A version of Secure Boot is built into many mobile devices - namely phones and tablets - in order to guard against bootloader attacks on mobile devices and, obviously, to keep things locked down. Windows Phone, for example, prevents folks from installing anything into the bootloader or running off-brand software.

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled.

A system that ships with Secure Boot enabled and only OEM and Microsoft keys will not boot a generic copy of Linux unless one of the following two alternatives is in place:

  1. Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems,
  2. or alternatively each OEM to include their own key and sign the pre-installed versions of Windows. "This approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy."

Microsoft's document entitled "Windows 8 Hardware Certification Requirements," published on December 16, 2011, reads:

"On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of Pkpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services must not be possible."

For ARM devices, the document states that Secure Boot can't be disabled: "Disabling Secure must not be possible on ARM systems."

Later in the document, however, Microsoft says that you can disable Secure Boot on larger systems, noting in the design documents:

"MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of Pkpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems."

This confirms that it is indeed possible to disable Secure Boot - but only on non-ARM systems (i.e. traditional PCs). In other words, it would appear that Microsoft is still locking out GNU/Linux from installation on ARM-based Windows 8 machines.
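
Which of these states a given machine is actually in can be checked from a running Linux system. The following is an added example, not part of the original article or of Microsoft's document: it reads the standard UEFI `SecureBoot` and `SetupMode` variables through Linux's efivarfs. The function names and the constructed sample bytes are assumptions made for illustration.

```python
import struct
from pathlib import Path

# GUID of the UEFI global variable namespace (defined by the UEFI specification).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point


def read_flag(root, name):
    """Return a one-byte UEFI variable as an int, or None if it is absent.

    efivarfs prefixes every file with a 4-byte attribute word; the
    variable's data starts at offset 4.
    """
    path = Path(root) / f"{name}-{EFI_GLOBAL}"
    try:
        raw = path.read_bytes()
    except (FileNotFoundError, NotADirectoryError):
        return None
    if len(raw) < 5:
        raise ValueError(f"{path}: truncated variable ({len(raw)} bytes)")
    return raw[4]


def secure_boot_state(root=EFIVARS):
    """Classify the firmware's Secure Boot state (labels are hypothetical)."""
    secure = read_flag(root, "SecureBoot")
    setup = read_flag(root, "SetupMode")
    if secure is None:
        return "unsupported"   # legacy BIOS boot, or firmware without Secure Boot
    if secure == 1:
        return "enforcing"     # only images trusted by the enrolled keys will boot
    if setup == 1:
        return "setup-mode"    # no Platform Key enrolled; keys can still be changed
    return "disabled"          # keys enrolled, but enforcement switched off


def write_sample(root, secure, setup):
    """Write constructed variables (attributes 0x6 = boot + runtime access)."""
    for name, value in (("SecureBoot", secure), ("SetupMode", setup)):
        data = struct.pack("<IB", 0x6, value)
        (Path(root) / f"{name}-{EFI_GLOBAL}").write_bytes(data)


if __name__ == "__main__":
    print(secure_boot_state())
```

On a machine built to the ARM requirement quoted above, a check like this would be expected to report `enforcing` with no firmware option to change it.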