Will your computer's "Secure Boot" turn out to be "Restricted Boot"? — Free Software Foundation — Working together for free soft

Will your computer's "Secure Boot" turn out to be "Restricted Boot"? — Free Software Foundation — Working together for free software
Skip to content
or
skip to search
You
are here:
Campaigns
Secure Boot vs Restricted Boot
Info
Will your computer's "Secure Boot" turn out to be "Restricted Boot"?
by
Joshua Gay
Contributions
Published on
Oct 12, 2011 06:20 PM
To respect user freedom and truly protect user security, computer makers must either provide users a way of disabling boot restrictions, or provide a sure-fire way that allows the computer user to install a free software operating system of her choice.
Microsoft has announced that if computer makers wish to distribute machines with the Windows 8 compatibility logo, they will have to implement a measure called "Secure Boot." However, it is currently up for grabs whether this technology will live up to its name, or will instead earn the name Restricted Boot.
Please sign our statement to show your support!
When done correctly, "Secure Boot" is designed to protect against
malware by preventing computers from loading unauthorized binary
programs when booting. In practice, this means that computers
implementing it won't boot unauthorized operating systems -- including
initially authorized systems that have been modified without being
re-approved.
This could be a feature deserving of the name, as long as the
user
is able to authorize the programs she wants to use, so she can run
free software written and modified by herself or people she trusts.
However, we are concerned that Microsoft and hardware manufacturers
will implement these boot restrictions in a way that will prevent
users from booting anything other than Windows. In this case, a better
name for the technology might be Restricted Boot, since such a
requirement would be a disastrous restriction on computer users and
not a security feature at all.
The potential Restricted Boot requirement comes as part of a
specification called the
Unified Extensible Firmware Interface
(UEFI)
, which defines an interface between
computer hardware and the software it runs. It is software that allows
your computer to boot, and it is intended to replace the traditional
BIOS. Most Lenovo, HP, and Dell computers ship with UEFI, and other
manufacturers are not far behind. All Apple computers ship with EFI and
components from UEFI. When booting, this software starts a chain which,
using a public key cryptography-based authentication protocol, can check
your operating system's kernel and other components to make sure they
have not been modified in unauthorized ways. If the components fail the
check, then the computer won't boot.
The threat is not the UEFI specification itself, but in how computer
manufacturers choose to implement the boot restrictions. Depending on a
manufacturer's implementation, they could lock users out of their own
computers, preventing them from ever booting into or installing a free
software operating system.
It is essential that manufacturers get their implementation of UEFI
right. To respect user freedom and truly protect user security, they
must either provide users a way of disabling the boot restrictions, or
provide a sure-fire way that allows the computer user to install a
free software operating system of her choice. Computer users must
not be required to seek external authorization to exercise their
freedoms
. Further, he or she must be able to replace the bootloader and firmware altogether. The
coreboot
project is an example of a free software alternative to proprietary BIOS and bootloaders.
The alternative is frightening and unacceptable: users would have to
go through complicated and risky measures to circumvent the
restrictions; the popular trend of reviving old hardware with
GNU/Linux would come to an end, causing more hardware to be tossed in
landfills; and proprietary operating system companies would gain a
giant advantage over the free software movement, because of their
connections with manufacturers.
We will be monitoring developments in this area closely, and actively
campaigning to make sure this important freedom is protected. Our
first step is to demonstrate that people value this freedom, and will
not purchase or recommend computers that attempt to restrict it.
Please sign our
statement
to show your support!
Read our white paper,
Free Software Foundation recommendations for free operating system distributions considering Secure Boot
PDF
Please note this white paper will be updated in the near future to
reflect Ubuntu's decision to use GRUB2 as its bootloader
See the
winning entry
of our webcomic contest.
You can also stay up-to-date on this issue by:
Subscribing to the monthly
Free Software Supporter
Following us on
GNU Social @fsf
Reading our
blogs
or subscribing to our
RSS feeds
Learn more about Windows 8, UEFI, and boot restrictions
Resources
English Wikipedia UEFI overview
UEFI Specifications
White Paper: Secure Boot impact on GNU/Linux
, a joint publication between Red Hat & Canonical.
News and Blogs
UEFI secure booting
, by
Matthew Garrett; in addition to providing a brief overview of
Restricted Boot, this article explains specifically why
dual-booting an operating system may be difficult, or at times
virtually impossible, for systems implementing and using Restricted
Boot.
Trusted Computing 2.0
, by Ross Anderson of the Security Research, Computer Laboratory, University of Cambridge.
Protecting the pre-OS environment with UEFI
, Tony
Mangefeste of Microsoft — a response to Garrett, et al.
UEFI secure booting (part 2)
by Matthew Garrett — a follow-up to Microsoft's blog post.
ArsTechnica article
Supporting UEFI secure boot on GNU/Linux: the details
, by Matthew Garrett
On November 2, 2011, ZDNet blogger, Ed Bott,
reports
A Dell spokesperson stated that, “Dell has plans to make SecureBoot an enable/disable option in BIOS setup.”
HP has only stated that, “HP will continue to offer its customers a choice of operating systems. We are working with industry partners to evaluate the options that will best serve our customers.”
Read this page in
Spanish
Document Actions
Share on social networks
Syndicate:
News
Events
Blogs
Jobs
GNU
1PC9aZC4hNX2rmmrt7uHTfYAS3hRbph4UN
Plan a LibreLocal 2026 meetup!
You can help build the
free software
community, and it's as
simple
as organizing a
meetup
at your favorite cafe or bar.
Free software campaigns
Freedom Ladder
Fight to Repair
Free JavaScript
High Priority Free Software Projects
Secure Boot vs Restricted Boot
Surveillance
Upgrade from Windows
Working Together for Free Software
Defective by Design
End Software Patents
OpenDocument
Free BIOS
Past campaigns
News
Job opportunity: Engineering and Certification Manager at the Free Software Foundation
Mar 10, 2026
The FSF announces global call for FSF's LibreLocal 2026 meetups
Feb 24, 2026
Eko K. A. Owen joins the FSF board as the union staff pick
Dec 29, 2025
More news…
Recent blogs
RAIL: Nonfree and unethical
You cannot use the GNU (A)GPL to take software freedom away
Relicensing versus license compatibility
March GNU Spotlight with Amin Bandali featuring eighteen new GNU releases: Autoconf, PSPP, and more!
Recent blogs -
More…
Upcoming Events
Free Software Directory meeting on IRC: Friday, April 24, starting at 12:00 EDT (16:00 UTC)
Apr 24, 2026 12:00 PM - 03:00 PM
#fsf on libera.chat
LibreLocal meetup in Beijing, China
May 01, 2026 02:00 PM - 09:00 PM
META SPACE Coffee&Bar, Dong Sheng Yuan Gong Yu, Heqing St., Haidian District, Beijing
Previous events…
Upcoming events…
The FSF is a charity with a worldwide mission to advance software freedom —
learn about our history and work.
fsf.org is powered by:
Plone
Zope
Python
CiviCRM
HTML5