Windows – the impact of Windows 8 with UEFI on normal users

I am a normal man-in-the-street computer user and so do not really understand what this is about, but I want to. Can someone please explain to me if:

  1. The Windows 8/UEFI secure boot thing will make it impossible to run normal/legacy applications in Windows 8 (as they will be unsigned)?
  2. It will turn Windows into an Apple-like system where only Microsoft-approved applications can be run?

As I say, I'm a normal user, and that is the overall impression I have from reading all the blogs, etc. about it.

If, on the other hand, all it does is make sure the system is booting a signed OS, how does this prevent malware (which is what at least two Microsoft blogs that I read seemed to be saying), given that most malware is not part of the boot process? The only way I can see this making sense is if it is ensuring that all OS components are signed. Is that it?

Like I say, I'm a mortal, so please don't get technical on me, but rather explain how it will affect me, the user.

Best Answer

It will make it possible for Microsoft, in cooperation with specific motherboard vendors, to lock specific motherboard models to only boot to operating systems signed with a Microsoft-supplied key. You will still be able to run any application you want once the operating system is installed. The only thing that is locked is the boot loader.

At present, no motherboard vendors have any plans for such locking, several have expressed a strong disinclination to ever allow it, and Microsoft has claimed they are not asking for any such locking. You're safe for at least the next decade or so.

Even if the equation changes and such locking does begin to occur, the relatively open and accessible nature of PC hardware and the operating environment in general would make cracking the required digital signature lock a relatively simple operation for hackers.

What will more likely happen is that large IT departments are asking for a way to prevent users of institution-owned equipment from installing non-sanctioned operating systems. We might see vendors offer customized locking, where they pre-set the board with a key supplied by the IT department, and Microsoft adding a feature to sysprep that allows IT to use the matching key in their installer image.

The largest side effect here is that many of these businesses also lease their equipment, and there is a significant and growing market for 3-year-old off-lease merchandise. Locked motherboards could impact the value of this equipment.