Microsoft using Secureboot to lock down ARM

Thanks to a tip from a colleague - Anshu, I found out further confirmation that the Secureboot issue, that I blogged about earlier, is going to bite us badly just as we expected.

According to this post of the Software Freedom Law Center, Microsoft has recently revised it’s Windows 8 Hardware Certification requirements to lock out all alternative OSes from the ARM-based mobile devices that it ships on.

The Certification Requirements define (on page 116) a “custom” secure boot mode, in which a physically present user can add signatures for alternative operating systems to the system’s signature database, allowing the system to boot those operating systems. But for ARM devices, Custom Mode is prohibited: “On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enable.” [sic] Nor will users have the choice to simply disable secure boot, as they will on non-ARM systems: “Disabling Secure [Boot] MUST NOT be possible on ARM systems.” [sic] Between these two requirements, any ARM device that ships with Windows 8 will never run another operating system, unless it is signed with a preloaded key or a security exploit is found that enables users to circumvent secure boot.

Upcoming devices running Windows 8 mobile including the increasingly popular tablets are soon going to be Windows only - that is, for example, you will not be able to run Android on them without an exploit.

But just yesterday, Qualcomm announced plans to produce Windows 8 tablets and ultrabook-style laptops built around its ARM-based Snapdragon processors. Unless Microsoft changes its policy, these may be the first PCs ever produced that can never run anything but Windows, no matter how Qualcomm feels about limiting its customers’ choices.

While someone may very well point out that because this is only restricted to mobile devices and since most folks, even most technically savvy ones rarely change the OS on their phone, the problem is the precedent this sets. Given some time of locking down the mobile platform to only run Windows, Microsoft can very well make a case to extend Secureboot to desktops that you buy as well, by giving the mobile platform experience as a “standard technical security procedure” to justify this to get around anti-trust issues.

And to reiterate this again, this will badly hurts the hardcore Windows users as well.

Microsoft’s idea is to control the OS running on the desktop, including which of their own OS will run on new hardware. So if you were not a fan of Vista and wanted to stay with Windows XP, like in the past, you will not have a choice in a similar situation in the future. For example, even if there is some widespread concern about a new Windows version in the future, Microsoft can arm-twist the hardware manufacturers to program the new desktops in the market to only work with the new OS of theirs, forcing all of their users to upgrade.

Should you easily hand over those encryption keys to the law? Pratap Bhanu Mehta on state censorship in India