Earlier this week, Sam Varghese wrote an article in iTWire about Windows 10 and UEFI. According to the article, Windows 10 will not enable Secure Boot unless the system's graphics card carries Windows 8 logo certification, which in practice means a card that ships a UEFI Graphics Output Protocol (GOP) driver. The evidence is the firmware message quoted below, which disables the "Windows 8 feature settings" (Secure Boot among them) when such a card is not found. It also appears from the article that Microsoft was hesitant to answer further questions from the author.
“System BIOS detected a non-Windows 8 logo graphic card. There is no Graphic Output Protocol support detected in this card. Windows 8 feature settings in BIOS will be changed to disabled.”
This will likely not impact users of new systems, as OEMs will ship graphics cards that carry the Windows 8 logo certification, which here means a card with a UEFI GOP driver rather than a legacy VGA BIOS only.
This appears to imply that users upgrading to Windows 10 from Windows 8 may lose the ability to use Secure Boot, unless they buy a new video card or already have a recent one with GOP support.
It also may mean an attacker with physical access can simply swap in a GOP-less video card and have the firmware turn Secure Boot off for them. Note that Secure Boot is enforced by the UEFI firmware, not by the TPM: the TPM only records the resulting state (PCR7 holds the Secure Boot policy measurements), so a swap that disables Secure Boot would be detectable through measured boot or a BitLocker recovery prompt, not prevented. So much for tamper resistance…
It seems very strange for an OS vendor to be enabling or disabling firmware features. It is worse to see security features being disabled in the name of marketing. If Microsoft disables Secure Boot on a system, this may mean that Secure Boot is also disabled for any other OS installed on that system, such as Linux booting via the Microsoft-signed Shim: with the SecureBoot variable cleared, Shim no longer verifies the signatures of what it loads. So this Windows marketing technique likely impacts non-Windows system security. I am not sure; maybe their change only impacts their own OS, and other OSes on that system will continue to boot securely.
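One way to settle the question for a given machine from the Linux side is to read the firmware's own state rather than trust what Windows reports. The following is an added example (not from the original post, iTWire, or Microsoft's documentation); it assumes Linux with efivarfs mounted at /sys/firmware/efi/efivars and embeds constructed sample variables so the logic can be exercised offline. It also checks SetupMode, because SecureBoot=1 alone does not mean signatures are being enforced.

```python
"""Decide whether UEFI Secure Boot is actually enforcing, from efivarfs.

Added example, not the blog's or Microsoft's code. Assumes Linux with
efivarfs at /sys/firmware/efi/efivars. The SAMPLE_* tuples below are
constructed test data, not captured from a real machine.
"""
import struct
from pathlib import Path
from typing import Optional, Tuple

# EFI_GLOBAL_VARIABLE GUID; SecureBoot and SetupMode live under it.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """efivarfs layout: UINT32 attributes (little-endian) followed by the data.

    Tools that forget the 4-byte header read the attribute word as the value.
    """
    if len(raw) < 4:
        raise ValueError("efivar file shorter than attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def secure_boot_state(secureboot: Optional[bytes], setupmode: Optional[bytes]) -> str:
    """Combine SecureBoot and SetupMode into one verdict.

    'enforcing'   SecureBoot==1 and not in setup mode: Shim/bootloaders are verified.
    'disabled'    SecureBoot==0: anything loads, including on a Linux install.
    'setup-mode'  SetupMode==1: no PK enrolled, so signatures are not enforced.
    'unsupported' no SecureBoot variable at all (legacy BIOS/CSM boot).
    """
    if secureboot is None:
        return "unsupported"
    sb = parse_efivar(secureboot)[1]
    if len(sb) != 1:
        return "malformed"
    if setupmode is not None:
        sm = parse_efivar(setupmode)[1]
        if len(sm) == 1 and sm[0] == 1:
            return "setup-mode"
    return "enforcing" if sb[0] == 1 else "disabled"


def read_var(name: str, guid: str = EFI_GLOBAL_VARIABLE) -> Optional[bytes]:
    """Read a raw efivarfs file, or None if the variable does not exist."""
    path = EFIVARS / f"{name}-{guid}"
    return path.read_bytes() if path.exists() else None


# Constructed samples: attributes = BOOTSERVICE_ACCESS|RUNTIME_ACCESS (0x06),
# followed by the single data byte of each variable.
_ATTRS = bytes.fromhex("06000000")
SAMPLE_ENFORCING = (_ATTRS + b"\x01", _ATTRS + b"\x00")
SAMPLE_DISABLED = (_ATTRS + b"\x00", _ATTRS + b"\x00")
SAMPLE_SETUP = (_ATTRS + b"\x01", _ATTRS + b"\x01")

if __name__ == "__main__":
    print("live firmware state:", secure_boot_state(read_var("SecureBoot"), read_var("SetupMode")))
```

Run it on the Linux install after the firmware has made its "Windows 8 feature settings" decision; a result of "disabled" means Shim is running without signature checks regardless of what Windows believes about its own boot.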
It is also bad that this vendor is the default Certificate Authority for the UEFI Forum's Secure Boot ecosystem, since the Microsoft UEFI CA is what signs third-party pre-OS binaries such as Shim. It is also disconcerting to see Microsoft adding additional restrictions to all UEFI pre-OS applications. The UEFI Forum and Intel are letting Microsoft bully Intel-based Windows OEMs. I was reading some ARM slides recently (sorry, I don't have the URL handy for the exact quote), but they said something like "no bully in our playground telling us what to run". I wish Intel had the ability to stand up to the bully in their playground.
Ironically, Microsoft appears to have just learned to play Apple's game better. Before Microsoft was playing UEFI-based games with systems, Apple was already using EFI to keep non-Apple OSes off some of their systems. Since APPL and MSFT are OEMs as well as OS vendors, I expect their own systems would use UEFI as a form of "DRM" to keep their OS on their hardware. But Microsoft is now impacting all Windows OEMs, in addition to their own systems: each release of Windows makes more use of UEFI to restrict what OEMs and users can do and to give Microsoft more control over these systems. Chrome OEMs are looking better and better… 😦
More information:
http://www.itwire.com/opinion-and-analysis/open-sauce/68262-windows-10-no-secure-boot-unless-microsoft-tax-is-paid
https://msdn.microsoft.com/en-us/library/dn917885%28v=vs.85%29.aspx
https://msdn.microsoft.com/en-us/library/dn756793%28v=vs.85%29.aspx