安全启动在Windows 8和10上的工作方式以及对Linux的含义

Modern PCs ship with a feature called “Secure Boot” enabled. This is a platform feature in UEFI, which replaces the traditional PC BIOS. If a PC manufacturer wants to place a “Windows 10” or “Windows 8” logo sticker to their PC, Microsoft requires they enable Secure Boot and follow some guidelines.

现代PC随附启用了称为“安全启动”的功能。 这是UEFI中的一项平台功能，它取代了传统的PC BIOS 。 如果PC制造商希望在其PC上贴上“ Windows 10”或“ Windows 8”徽标，则Microsoft要求他们启用安全启动并遵守一些准则。

Unfortunately, it also prevents you from installing some Linux distributions, which can be quite a hassle.

不幸的是，这也使您无法安装某些Linux发行版，这很麻烦。

安全启动如何保护PC的启动过程 (How Secure Boot Secures Your PC’s Boot Process)

Secure Boot isn’t just designed to make running Linux more difficult. There are real security advantages to having Secure Boot enabled, and even Linux users can benefit from them.

安全启动不仅旨在使运行Linux更加困难。 启用安全启动具有真正的安全优势，甚至Linux用户也可以从中受益。

A traditional BIOS will boot any software. When you boot your PC, it checks the hardware devices according to the boot order you’ve configured, and attempts to boot from them. Typical PCs will normally find and boot the Windows boot loader, which goes on to boot the full Windows operating system. If you use Linux, the BIOS will find and boot the GRUB boot loader, which most Linux distributions use.

传统的BIOS将引导任何软件。 引导PC时，它将根据您配置的引导顺序检查硬件设备，并尝试从这些设备引导。 典型的PC通常会找到并启动Windows启动加载程序，然后继续启动完整的Windows操作系统。 如果使用Linux，BIOS将查找并引导GRUB引导加载程序，大多数Linux发行版都使用该引导加载程序。

However, it’s possible for malware, such as a rootkit, to replace your boot loader. The rootkit could load your normal operating system with no indication anything was wrong, staying completely invisible and undetectable on your system. The BIOS doesn’t know the difference between malware and a trusted boot loader–it just boots whatever it finds.

但是，恶意软件(例如rootkit)可能会替换您的引导加载程序。 Rootkit可以加载您的正常操作系统，而没有任何迹象表明有任何错误，在您的系统上完全不可见且无法检测。 BIOS不知道恶意软件和受信任的引导加载程序之间的区别，BIOS只会引导找到的任何内容。

Secure Boot is designed to stop this. Windows 8 and 10 PCs ship with Microsoft’s certificate stored in UEFI. UEFI will check the boot loader before launching it and ensure it’s signed by Microsoft. If a rootkit or another piece of malware does replace your boot loader or tamper with it, UEFI won’t allow it to boot. This prevents malware from hijacking your boot process and concealing itself from your operating system.

安全启动旨在阻止这种情况。 Windows 8和10 PC附带了存储在UEFI中的Microsoft证书。 UEFI将在启动引导加载程序之前对其进行检查，并确保它已由Microsoft签名。 如果rootkit或另一种恶意软件确实替换了您的启动加载程序或对其进行了篡改，则UEFI将不允许它启动。 这样可以防止恶意软件劫持您的引导过程并将其自身隐藏在操作系统中。

Microsoft如何允许Linux发行版通过安全启动来启动 (How Microsoft Allows Linux Distributions to Boot with Secure Boot)

This feature is, in theory, just designed to protect against malware. So Microsoft offers a way to help Linux distributions boot anyway. That’s why some modern Linux distributions–like Ubuntu and Fedora–will “just work” on modern PCs, even with Secure Boot enabled. Linux distributions can pay a one-time fee of $99 to access the Microsoft Sysdev portal, where they can apply to have their boot loaders signed.

从理论上讲，此功能仅用于防御恶意软件。 因此，Microsoft提供了一种无论如何都可以帮助Linux发行版引导的方法。 这就是为什么即使启用了安全启动，某些现代Linux发行版(如Ubuntu和Fedora)也将在现代PC上“正常工作”的原因。 Linux发行版可以支付$ 99的一次性费用来访问Microsoft Sysdev门户，可以在该门户中申请对引导加载程序进行签名。

Linux distributions generally have a “shim” signed. The shim is a small boot loader that simply boots the Linux distributions main GRUB boot loader. The Microsoft-signed shim checks to ensure it’s booting a boot loader signed by the Linux distribution, and then the Linux distribution boots normally.

Linux发行版通常带有“ shim”签名。 填充程序是一个小型引导加载程序，可以简单地引导Linux发行版的主GRUB引导加载程序。 微softsign名的填充程序会检查以确保它正在引导由Linux发行版签名的引导加载程序，然后Linux发行版会正常启动。

Ubuntu, Fedora, Red Hat Enterprise Linux, and openSUSE currently support Secure Boot, and will work without any tweaks on modern hardware. There may be others, but these are the ones we’re aware of. Some Linux distributions are philosophically opposed to applying to be signed by Microsoft.

Ubuntu，Fedora，Red Hat Enterprise Linux和openSUSE当前支持安全启动，并且无需对现代硬件进行任何调整即可运行。 可能还有其他，但是我们知道这些。 从理论上讲，某些Linux发行版与申请由Microsoft签名相反。

如何禁用或控制安全启动 (How You Can Disable or Control Secure Boot)

If that was all Secure Boot did, you wouldn’t be able to run any non-Microsoft-approved operating system on your PC. But you can likely control Secure Boot from your PC’s UEFI firmware, which is like the BIOS in older PCs.

如果这是Secure Boot所做的全部工作，则您将无法在PC上运行任何未经Microsoft批准的操作系统。 但是您可能可以通过PC的UEFI固件控制安全启动，就像旧PC中的BIOS一样。

There are two ways to control Secure Boot. The easiest method is to head to the UEFI firmware and disable it entirely. The UEFI firmware won’t check to ensure you’re running a signed boot loader, and anything will boot. You can boot any Linux distribution or even install Windows 7, which doesn’t support Secure Boot. Windows 8 and 10 will work fine, you’ll just lose the security advantages of having Secure Boot protect your boot process.

有两种方法可以控制安全启动。 最简单的方法是转到UEFI固件并完全禁用它。 UEFI固件不会检查以确保您正在运行签名的引导加载程序，并且所有内容都会引导。 您可以启动任何Linux发行版，甚至可以安装不支持安全启动的Windows 7。 Windows 8和Windows 10可以正常运行，您将失去安全启动来保护启动过程的安全优势。

You can can also further customize Secure Boot. You can control which signing certificates Secure Boot offers. You’re free to both install new certificates and remove existing certificates. An organization that ran Linux on its PCs, for example, could choose to remove Microsoft’s certificates and install the organization’s own certificate in its place. Those PCs would then only boot boot loaders approved and signed by that specific organization.

您还可以进一步自定义安全启动。 您可以控制安全启动提供哪些签名证书。 您可以自由安装新证书和删除现有证书。 例如，在PC上运行Linux的组织可以选择删除Microsoft的证书，并在其位置安装组织自己的证书。 这些PC将仅引导由该特定组织批准并签名的引导加载程序。

An individual could do this, too–you could sign your own Linux boot loader and ensure your PC could only boot boot loaders you personally compiled and signed. That’s the kind of control and power Secure Boot offers.

个人也可以这样做-您可以签署自己Linux引导加载程序，并确保您的PC只能引导您亲自编译和签名的引导加载程序。 这就是安全启动提供的控制和功能。

Microsoft对PC制造商的要求 (What Microsoft Requires of PC Manufacturers)

Microsoft doesn’t just require PC vendors enable Secure Boot if they want that nice “Windows 10” or “Windows 8” certification sticker on their PCs. Microsoft requires PC manufacturers implement it in a specific way.

如果他们希望PC上带有精美的“ Windows 10”或“ Windows 8”认证标签，则Microsoft不仅要求PC供应商启用安全启动。 Microsoft要求PC制造商以特定方式实施它。

For Windows 8 PCs, manufacturers had to give you a way to turn Secure Boot off. Microsoft required PC manufacturers to put a Secure Boot kill switch in users’ hands.

对于Windows 8 PC，制造商必须为您提供一种关闭安全启动的方法。 微软要求PC制造商在用户手中放置一个安全启动终止开关。

For Windows 10 PCs, this is no longer mandatory. PC manufacturers can choose to enable Secure Boot and not give users a way to turn it off. However, we’re not actually aware of any PC manufacturers that do this.

对于Windows 10 PC，这不再是必需的。 PC制造商可以选择启用安全启动，而不能为用户提供关闭安全启动的方法。 但是，我们实际上并不知道有任何PC制造商这样做。

Similarly, while PC manufacturers have to include Microsoft’s main “Microsoft Windows Production PCA” key so Windows can boot, they don’t have to include the “Microsoft Corporation UEFI CA” key. This second key is only recommended. It’s the second, optional key that Microsoft uses to sign Linux boot loaders. Ubuntu’s documentation explains this.

同样，尽管PC制造商必须包括Microsoft的主“ Microsoft Windows Production PCA”键以便Windows可以启动，但他们不必包括“ Microsoft Corporation UEFI CA”键。 仅建议使用第二个键。 这是Microsoft用于签名Linux引导加载程序的第二个可选密钥。 Ubuntu的文档对此进行了解释。

In other words, not all PCs will necessarily boot signed Linux distributions with Secure Boot turned on. Again, in practice, we haven’t seen any PCs that did this. Perhaps no PC manufacturer wants to make the only line of laptops you can’t install Linux on.

换句话说，并非所有PC都必须在安全启动打开的情况下启动签名Linux发行版。 同样，在实践中，我们还没有看到任何做到这一点的PC。 也许没有PC制造商愿意制造您无法在其上安装Linux的唯一笔记本电脑系列。

For now, at least, mainstream Windows PCs should allow you to disable Secure Boot if you like, and they should boot Linux distributions that have been signed by Microsoft even if you don’t disable Secure Boot.

到目前为止，至少目前，主流Windows PC应该允许您根据需要禁用安全启动，并且即使您不禁用安全启动，它们也应启动由Microsoft签名Linux发行版。

Windows RT无法禁用安全启动，但Windows RT已死 (Secure Boot Couldn’t Be Disabled on Windows RT, but Windows RT is Dead)

All of the above is true for standard Windows 8 and 10 operating systems on the standard Intel x86 hardware. It’s different for ARM.

以上所有情况均适用于标准Intel x86硬件上的标准Windows 8和10操作系统。 对于ARM，情况有所不同。

On Windows RT—the version of Windows 8 for ARM hardware, which shipped on Microsoft’s Surface RT and Surface 2, among other devices—Secure Boot couldn’t be disabled. Today, Secure Boot still can’t be disabled on Windows 10 Mobile hardware–in other words, phones that run Windows 10.

在Windows RT( Microsoft的Surface RT和Surface 2等设备上附带的用于ARM硬件的Windows 8版本)上，无法禁用安全启动。 时至今日，仍然无法在Windows 10移动硬件(即运行Windows 10的手机)上禁用安全启动。

That’s because Microsoft wanted you to think of ARM-based Windows RT systems as “devices,” not PCs. As Microsoft told Mozilla, Windows RT “isn’t Windows anymore.”

这是因为Microsoft希望您将基于ARM的Windows RT系统视为“设备”，而不是PC。 正如微软告诉Mozilla所说的那样，Windows RT“不再是Windows。”

However, Windows RT is now dead. There’s no version of the Windows 10 desktop operating system for ARM-hardware, so this isn’t something you have to worry about anymore. But, if Microsoft does bring back Windows RT 10 hardware, you likely won’t be able to disable Secure Boot on it.

但是，Windows RT现在已死。 没有适用于ARM硬件的Windows 10桌面操作系统版本，因此您不必再为此担心。 但是，如果Microsoft确实带回Windows RT 10硬件，则可能无法在其上禁用安全启动。

Image Credit: Ambassador Base, John Bristowe

图片来源：基地大使约翰·布里斯托( John Bristowe)

翻译自: https://www.howtogeek.com/116569/htg-explains-how-windows-8s-secure-boot-feature-works-what-it-means-for-linux/