Windows 8 will implement UEFI in new ways
Back in September, Microsoft wrote voluminously about the UEFI in Windows 8. The first post, "Reengineering the Windows boot experience," talks about the basic ways Windows 8 will use the UEFI. (If your PC doesn't support a UEFI, Win8 should still work fine.)
The article shows how current text-based, boot-time options, such as system repair store and image recovery, can be made more usable with a new graphical interface. The story goes on to describe how system startup could go, in seconds, from power-on to Windows Desktop without so much as flickering the screen. It also shows how dual-boot will work with a graphical face-lift.
The changes appear to be largely cosmetic, but they're long overdue and a welcome improvement to the constrained, DOS-era recovery environments under which Windows operates.
The second article, "Protecting the pre-OS environment with UEFI," shows how the UEFI secure boot — using Public Key Infrastructure (PKI) digital certificates — validates programs, peripherals, and OS loaders before they can run. The system can go out to the Internet and check whether the UEFI is about to run an OS that has had its certificate yanked.
If it sounds a lot like Secure Sockets Layer protection — no stranger to controversy, as I detailed in my Sept. 15, 2011, Top Story — there certainly are similarities.
Microsoft states it will let the hardware manufacturers struggle with the difficult question of who controls the digital-signature keys. "Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secure boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems."
Still, Microsoft is ensuring that anyone buying a certified Windows 8 PC can rely on a certain level of protection from rogue OS loaders. "For Windows customers, Microsoft is using the Windows Certification program to ensure that systems shipping with Windows 8 have secure boot enabled by default, that firmware not allow programmatic control of secure boot (to prevent malware from disabling security policies in firmware), and that OEMs prevent unauthorized attempts at updating firmware that could compromise system integrity."
