Yes, UEFI 'secure boot' could lock out Linux from Windows 8 PCs

To be certified as a fully-compliant, bona fide Windows 8 logo device, a prospective PC must replace its aging BIOS with the new-fangled Unified Extensible Firmware Interface (UEFI). On the outset, this is certainly a good thing — UEFI is the reason that Windows 8 can detect rootkits and malware at boot time, and it’s part of the reason that Windows 8 can start so quickly — but UEFI could also be used to block other operating systems, such as Linux, from being installed.

Dubbed “secure boot,” UEFI has the capability to prevent any unsigned executables or drivers from being loaded. In other words, a Windows 8 PC could be set up so that it only boot from files that have been signed by Microsoft or an OEM vendor; and obviously, an open-source, build-it-yourself Linux boot loader isn’t going to be signed by Microsoft. The way this works is that every UEFI firmware chip is pre-loaded with a secure key. If the OS knows this key, it can add and remove drivers and executables from a whitelist (or blacklist, in the case of known-bad drivers or malware); obviously this is good (or at least interesting) from a security standpoint.

Now, there are two scenarios: the secure key can be made available to the machine’s owner (via a sticker on the case, or something), or the key will be kept private to Microsoft and its vendors (OEMs). In the first case, installing Linux will be possible; in the second, it won’t be. Microsoft has already said (at the Build Windows conference) that it is investigating dual boot, so there’s probably no need to panic just yet — but if you’re a power user, then you should at least be worried.