The ARM Windows 8 Lockdown

A lot of people have been asking why the Linux Foundation is concentrating on making sure there’s a Linux Boot solution for Windows 8 PCs that’s compatible with the GPLv3 requirements and not really doing anything about ARM (for which the current Windows 8 hardware requirements mandate no ability either to turn off secure boot or to replace the keys).

The answer to this comes in several parts: firstly in the PC space, Microsoft has an effective headlock on the OEM and ODMs: no desktop PC ships without a Windows compatibility sticker (the situation is different in the server market, but this is specifically about desktop PCs).  Therefore in order to continue simply booting Linux on laptops and desktops, it is a huge priority to find a solution to this problem.  Secondly: in the overall mobile marketplace, which encompasses tablets and smartphones, Microsoft has a very tiny presence: somewhere between 2-5%.  Linux (Android) has the majority presence: by some counts, Android is >50% in this market space with Apple a close second.  Therefore, a Microsoft mandate in an industry where they have no dominance is simply not really threatening (unlike the PC space where they have complete dominance).

The third problem is more philosophical: all Apple phones and tablets are locked down via cryptographic or other means (it’s not exactly the same as the UEFI secure boot lockdown, but it is similar) so it seems unreasonable to attack Microsoft but not Apple for doing this.  Additionally, a lot of Android devices also come locked down out of the box, so we haven’t even got our own house in order yet.  HTC and Samsung have bought into the argument that a flourishing mod rom ecosystem aids sales of mobile devices, so a growing number of Android phones ship with the oem unlock functionality (which turns off the boot lock in exchange for voiding the warranty) and thus we’ve been making considerable headway opening up the Android mobile ecosystem to the mod roms.  In this instance, I’d like to proceed with the economic argument and use persuasion to make at least the Android ecosystem more open.  Since Apple wants to retain a tight leash on what they regard as their hardware, I can’t ever see them doing anything other than battle with their mod rom ecosystems, and Microsoft is pretty much of the same mind set.  In the long run it cuts them off from external sources of innovation and limits their horizons to what their in-house engineers can think of, so I really believe that having Microsoft and Apple employ lockdowns will actually contribute, at least in part, to the rise of Linux on mobile devices.

The final argument is pragmatic: every apple phone and tablet has been rooted within a few weeks of release, so in practical terms, using cryptographic methods to lock determined users out of their own hardware is ineffective.  It’s actually rarely the cryptographic protection that’s broken; most often the rootkits exploit bugs and problems in the actual boot sequence itself.  So if the Surface (or Windows phone) hardware is really enticing, I’ve no doubt we’ll see a Linux variant running on it in the near future regardless of UEFI secure boot.

16 thoughts on “The ARM Windows 8 Lockdown

  1. Arnd Bergmann

    Things may change in the future if we ever see large scale deployments of Windows on ARM for server-class hardware that is also capable of running Linux. Of course there is hope that such systems would be equally successful as Microsoft’s phone and table offerings on ARM hardware.

    1. jejb Post author

      The current Windows 8 Hardware Certification requirements don’t apply to servers (yet). However even assuming Microsoft tries to extend into the server space, most sensible people anticipate Linux will be the primary OS for ARM server hardware (as it is even for x86 Server Hardware), so it’s highly unlikely the ARM server manufacturers will agree to a windows only server except in limited use cases (like Microsoft pays for a specific custom run of systems).

      1. Electric Rider

        You say, ” The current Windows 8 Hardware Certification requirements don’t apply to servers (yet) ”

        I don’t know when it was updated but early in January I found this: Windows 8 Hardware Certification requirements for Client and Server Systems.

        Seems Microsoft did intend to push these same requirements into servers. A google search turns up versions of both documents and it looks like all they did was rename the document. The published versions that do not specify “servers” in the title, do indeed cover Arm systems running a Microsoft server. I just compared the two documents.

  2. ML

    The owner should always have a painless, secure means of taking over control of the system. I just got a new laptop and nuked Microsoft’s secure boot keys (but not before dumping them to a USBkey) so that I could painlessly boot Linux platforms.

    Microsoft’s mandate for ARM is simply an Apple style power grab that should be opposed at both ends (Apple as well as Microsoft,) with crap flung at Android device vendors that don’t provide a means to unlock as discovered.

    I’m sure we would have seen it on x86 as well, but even Microsoft was wise to how much trouble that would get them into. I’m sure had they not imposed the unlock mandate, my new laptop would probably never boot anything but OSes locked down with Secure Boot, putting me permanently on the outside of the security model.

    1. TXGrayCat

      Quoting ML:
      “I just got a new laptop and nuked Microsoft’s secure boot keys (but not before dumping them to a USBkey) so that I could painlessly boot Linux platforms.”

      I would really, REALLY **LOVE** to learn how to do this. Can you please point me in the right direction?

      Thank you,

      1. jejb Post author

        I already wrote a programme called KeyTool (part of the efitools repo) available here:;a=summary

        Which will do this (there’s also prebuilt rpms here)

        The RPM postinstall script will generate you a set of installable keys (PK, KEK and db). However, the difficult thing is actually putting the platform into setup mode so you can replace the keys. Every UEFI PC is supposed to have an option somewhere in the UEFI menus to do this, but apparently its proving challenging on a variety of systems. Most systems don’t have an option to go to setup mode, they have a series of complex menus where you can enable key administration. Removing the platform key (PK) automatically tips the system into Setup Mode.

        We’re capturing the how to do this information on the LF website here as it comes in, but there’s only one system there currently.

  3. Pingback: UEFI Apologists Versus Germany’s Government Judgment on UEFI Insecurity | Techrights

  4. Pingback: Linux Foundation будет поддерживать UEFI Secure Boot только для систем x86 | — Всероссийский портал о UNIX-системах

  5. Sammy

    I was looking into buying the new Acer C7 Chrome OS laptop for $200. It has a Intel Celeron Sandybridge processor. Then I found out that Google has some sort of restricted boot, and the only way to install Linux on it, is to load custom firmwares and run special install scripts written by the community. Plus, the only install script is for Ubuntu. 🙁

    I find this new future of “locked down” hardware, very frustrating. The server people more than likely don’t have to deal with this nonsense, but it’s getting pushed on consumers hardcore.

    I’m just not going to buy any hardware that comes with restricted boot. No doubt my selection of hardware will be severely limited. Even worse, when I go to buy something online, I bet restricted boot won’t be listed in the product’s description. Horse pucky!

    I’m scared to buy anything, because I don’t know if it will run the operating system or software I want it to. I have to spend hours researching a device before I buy it, to make sure I don’t have to jump through 12 dozen hoops just to get it to do what I want.

    Sorry to rant on your blog. I appreciate everything the Linux Foundation is doing to help address the restricted boot nightmare. 🙂

  6. Peter Hannigan

    Microsoft is bribing Hardware manufacturers, so other Operating Systems (other than Windows 8) cannot be booted on computers.

    Dear James Bottomley and everybody else concerned,

    I have important information for your regarding why it is not possible to boot linux on windows 8 machines and hardware.
    Apearently Microsoft did that on purpose in collaboration with the hardware manufacturers and is paying the hardware manufacturers off (bribing them), so they would make sure that other operating-systems (besides Windows 8) cannot be installed on their hardware.
    Please check out this article here for details on this:

    I guess the only way to make progress in this area is to sue microsoft, and possibly the hardware manufacturers. Microsoft has no interest to help Linux or any other operating systems to run on Windows Computers. They especially bribed the hardware manufacturers, so nobod else can run an other OS so easily on Windows Computers. Why should Microsoft now make it easier for Linux?
    Everybody, please look into this.
    Check out this link:

  7. Christopher Price

    Bad behavior doesn’t justify bad behavior re: Apple.

    If Microsoft has a program to sign bootloaders, then Linux Foundation should submit an ARM-compiled, ARM-signed bootloader.

    Then, if Microsoft rejects it for simply being ARM, regulators can evaluate the action, and take recourse. Right now, regulators can’t intervene, because LF won’t submit.

    Microsoft has demonstrated that they are willing to take unprecedented actions to sell ARM tablets. Setting a bad precedent, allowing Microsoft to create divergent PC standards with different architectures, will taint the marketplace. Consumers will lose the ability to differentiate between ARM and x86, especially as ARM becomes more and more powerful, and more and more economical.

    I implore Linux Foundation to at least sign and submit their UEFI bootloader for ARM, and let Microsoft reject it. If and when they do, then people like me can pick up the charge to ask regulators to tell Microsoft that their anti-competitive ARM lockdown is unreasonable, especially in light of Windows’ continued dominance in the PC landscape, and Microsoft’s stated intentions to deploy Windows RT on mainstream ARM PC desktops this lifecycle.

    1. jejb Post author

      We can’t submit our bootloader for ARM: The Microsoft signing infrastructure only signs PE/Coff binaries with their OEM UEFI key. This key isn’t even present in the ARM platforms, so assuming we could get past the architecture check, we still wouldn’t end up with a loader that works on the ARM platform.

      The way to combat the ARM lockdown is simply not to buy locked down devices (and that includes many non-windows 8 ARM devices). The Linux Foundation also takes presentations around the mobile vendors explaining why lockdowns are ultimately bad for them. The reason with the most resonance at the moment is the fact they’re all having trouble recruiting android developers and that most people come to android development by playing with the mod roms.

      1. Tom S

        From a regulatory standpoint, you would make progress submitting a recompiled ARM version of the bootloader, and have Microsoft reject it at the architecture check. Even if the key is missing, MIcrosoft would then be at risk for regulators demanding Microsoft push the OEM UEFI key to devices.

        Microsoft controls issuing firmware updates for devices on Windows RT. If there was a submitted UEFI ARM bootloader, Microsoft then would be in the position to either issue RT devices the OEM UEFI key, or face potential antitrust actions/complaints wherever RT devices are sold. Microsoft’s statements to governments about the bootloader program make very unclear if ARM/RT is exempt, and I could see pressure there to enforce the protocol.

        I recognize LF is playing a balancing act here, I’m facing the reality that most consumers don’t know their ARM from their x86. Within a year or two, Microsoft has stated they will allow for RT desktops and notebooks. What then? Consumers won’t know they are locked in until after their return period, since again, most don’t know ARM from x86.

  8. anon

    On a UEFI PC with secureboot people have the option to disable the secureboot bot not for ARM why not give the ARM device more priority

  9. tobyReme

    The patent licensing agreements that Microsoft has with Samsung and many more for Android are secret agreements. It is known that they cover more than royalties. Is this not one way that Microsoft, despite a tiny share of tablet sales, could enforce a secure boot regime similar to that in the PC world?


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.