Microsoft unveiled new information about Windows 10 at its WinHEC conference in China today, and the news is deeply concerning to anyone who values the ability to run non-Microsoft operating systems on their own hardware. Like Windows 8, Windows 10 will ship with support for the UEFI Secure Boot standard — but this time, the off switch (previously mandatory) is now optional.

Let’s back up and review what Secure Boot is. As the name implies, Secure Boot is a security measure that’s meant to protect PCs from certain types of malware that are typically loaded before the OS boot process has begun. With Secure Boot active, the UEFI checks the cryptographic signature of any program that it’s told to load, including the OS bootloader.

The image above shows the conventional boot process compared with the Secure Boot process. There’s nothing intrinsically wrong with Secure Boot, and multiple Linux distros support the capability. The problem is, Microsoft mandates that Secure Boot ships enabled. This caused panic in the open source community back in 2011, since the firmware is configured with a list of signed, acceptable keys when the user receives the system. If an alternative OS bootloader isn’t signed with an appropriate key on a Secure Boot-enabled system, the UEFI will refuse to boot the drive.

Microsoft defused the situation back then by mandating that all x86 systems ship with the ability to disable Secure Boot, and by partnering with VeriSign to create a method of signing third-party binaries in exchange for a $99 fee. With Windows 10, the situation is changing.

How Windows 10 changes things

OEMs are still required to ship Secure Boot, but the previously mandatory disable switch is now optional, as Ars Technica reports. With Windows 8, MS had split the feature by CPU architecture — x86 chips had to offer a disable switch, but ARM chips didn’t. Now, the split is between desktop and mobile, where desktop users can choose to offer the option, but mobile devices must leave Secure Boot locked on.

What this means for the future of Linux and alternative OSes is unclear at best. Those who build their own desktops will retain the ability to disable Secure Boot, since Asus or MSI doesn’t know what kind of operating system you’re going to load on the board. But laptops are a different story. Some laptop vendors will undoubtedly continue to ship a “Disable” option on Secure Boot, but vendors like HP and Dell may simply decide that closing the attack vector is more important than user freedom, particularly when the margin on PCs is so low to begin with. When every support call is measured against the handful of dollars an OEM makes on each machine, eliminating the need for such interaction is extremely attractive.

It’s not clear, as of this writing, whether Linux and BSD distro developers will be able to sign their software and install to a Windows 10 system with Secure Boot enabled or not. Regardless, it’s difficult not to see this as another step along the long, slow journey of locking down PC hardware and making it more difficult for end users to control their own software. Psychological research has long confirmed the power of default settings — ship something enabled (or disabled), and the vast majority of users will never change the option. Given that Windows machines were already required to enable Secure Boot by default, where’s the security benefit in making the kill switch optional?

As far as we can tell, there isn’t one.