Dealing with UEFI and Secure Boot on Linux

Author

Bill Giannikos

Version

Version 1.0 (2nd April 2013)

Introduction

The new UEFI specification has changed the method a computer uses to boot its operating system. This has added challenges to running Linux on a PC which uses UEFI. Most/All desktops/laptops which have been preinstalled with Windows 8 now come with UEFI so we will need to deal with this. This guide will try and assist you in getting Linux up and running.

Note

For here on out when we refer to Ubuntu 12.10 that also includes all its derivates (Kubuntu, Xubuntu, Linux Mint, etc.) The exception to this is when we talk about the Ubuntu remix edition.

When we talk about Windows 8 here we will assume it has been installed in UEFI mode, this is normally the case with a pre-installed version of Windows 8.

Warning on Samsung Laptops

A number of users have reported that making changes to a Samsung laptop's UEFI boot options has caused a complete brick of the laptop. Extreme care needs to be taken on these laptop, I would recommend not installing Linux until a proper solution is found.

Dual Booting with Windows 8 vs Standalone Installation

If you are not planning to run Windows 8 alongside your Linux installation then you will have an easier time installing Linux. Dual-Booting Windows 8 does add extra challenges. In this guide we will cover methods of installing Linux dual-booting with Windows 8 and also cover a standalone Linux installation. Windows 7 does not have the same installation challenges that Windows 8 provides and dual-boot is usually handled by the Linux installer.

Secure Boot

Secure boot is a new feature of UEFI, its purpose is to allow only signed bootloaders to boot the system. If you are not going to be running Windows 8 it is recommended, if you can, to turn off this feature in your computers UEFI settings. However we will try and deal with Secure Boot if you require it to be turned on.

At time of writing, I only know of two Linux distributions which support Secure Boot, Ubuntu 12.10 and Fedora 18. I will experiment with other distributions in the future.

Turning off Secure Boot

If you wish to use a Linux distributions which doesn't support Secure Boot then you will need to turn it off in your UEFI settings. There is no standard way of doing this so it's not possible to explain the process here, but typically there is an option for disabling it within your computers UEFI settings. Check your computers manual for details.

Intalling in UEFI vs BIOS mode

Some computers allow you to install the operating system in either UEFI or BIOS/Legacy mode. In this guide we will try and cover both methods, but keep in mind that if your computer was pre-installed with Windows 8 and plan to dual boot then you will need to install in UEFI mode.

Turning off UEFI boot

If you do not wish to use Windows 8 then you may be able to turn off UEFI booting and switch to BIOS/Legacy booting. There is no standard way of doing this so it's not possible to explain the process here, but typically there is an option to enable/disable certain types of booting from within your computers UEFI settings. Look for an option relating to booting methods. Unfortunately not all computers allow you to switch modes, some newer computers may only support UEFI booting.

Booting your Linux installation media in UEFI mode

How you boot your Linux installation media will dicate how the operating system in installed, so if you intend to use UEFI make sure you boot the installation media in UEFI mode. Depending on your UEFI implementation there are a few ways of booting from your Linux installation media. I would recommend when you are going to boot from your installation media that you should press the key which gives you the boot options menu. Unfortunately there is no standard key for this so see your computers manual for details. As a quick example, on a HP laptop it is normally F9.

If you plan to dual boot with Windows it is important to install Linux in the same mode as the Windows installation. A pre-installed Windows 8 installation will have been installed using UEFI so you need to ensure you boot your Linux installation media in that mode as well.

When you see the boot menu you should see a list of devices you can boot from. If your computer is able to boot via both UEFI and BIOS/Legacy mode you will likely see multiple options for the same device, but usually the UEFI option starts with UEFI:. For example, for your optical drive you may have two options, Toshiba Optical Drive and UEFI: Toshiba Optical Drive. Select the UEFI option to boot in UEFI mode and the non-UEFI option to boot in BIOS/Legacy mode. If your computer doesn't support booting from UEFI mode then you may not see UEFI: options, however if the drive you want to boot from is listed then it will boot with UEFI mode.

Now it's possible that while you can see UEFI: options for your hard drive there may not be one for your optical drive. In this case your computer may not be able to boot via DVD in UEFI mode or may not be able to boot via DVD at all. In this case a Live USB stick may work, see the next section.

Dealing with being unable to boot via DVD

While some computers allow you to boot in UEFI mode via a DVD I've found that some computer don't. In this case I have found that creating a Live USB to boot from give you the ability to use UEFI. The LinuxLive USB Creator works very well for this purpose so if you can't boot via DVD try this option. Just create a Live USB stick and try to boot your computer from it. Because the computer sees the USB stick as another hard drive you may have better luck in booting from that, I have found a few HP laptops that required this trick.

Installing Ubuntu 12.10 with UEFI

There is a special remix version of Ubuntu 12.10 called Ubuntu 12.10 Secure Remix. This is a slightly modified Ubuntu DVD/ISO which includes some extra tools to help with booting issues. While not essential, I would recommend using this version when doing a UEFI install.

If you are planning to use one of the Ubuntu derivates (KUbuntu, Linux Mint, etc.) then you wont be able to use this DVD to install, but the tools are still useful so it may be helpful to you anyway.

After Ubuntu Linux 12.10 installation still can not boot

After installing Ubuntu with UEFI you may find that your computer doesn't boot, still only boots into Windows or only boots into Linux when you were wanting a dual-boot install. In this case you can make use of the Boot-Repair program.

The Boot-Repair program comes with the Remix edition of Ubuntu 12.10 so you will need to boot with your installation media again and then run the program. If you aren't using the Remix edition then boot from your installation media again, open a terminal and enter the following two lines:

sudo add-apt-repository ppa:yannubuntu/boot-repair && sudo apt-get update
sudo apt-get install -y boot-repair && (sudo boot-repair &)

You should now have the Boot-Repair program loaded. In pretty much all cases all you need to do is press the Recommended repair option and that will take care of everything for you.

Now just reboot your machine and attempt to boot normally, hopefully it has worked properly for you.

After Fedora 18 installation still can not boot

After installing Fedora with UEFI you may find that your computer doesn't boot, still only boots into Windows or only boots into Linux when you were wanting a dual-boot install. In this case you can make use of the Boot-Repair program.

Boot-Repair is not included with Fedora 18 so needs to be obtained separately. Probably the best way of achieving this is to use the Ubuntu 12.10 Secure Remix DVD. While this is an Ubuntu DVD the Boot-Repair program includes support for Fedora 18 as well. Just boot the DVD in UEFI mode (or create a LiveUSB if your computer requires it for UEFI booting) and run the Boot-Repair program. In pretty much all cases all you need to do is press the Recommended repair option and that will take care of everything for you.

Now just reboot your machine and attempt to boot normally, hopefully it has worked properly for you.

Booting was OK but is no longer working properly

It appear some recent Windows 8 updates have caused the UEFI setting to revert, preventing Linux from booting. In this case just follow the instructions above for using the Boot-Repair program and it should get you up and running again.

openSUSE-12.3 notes on UEFI

The openSUSE-12.3 release notes provide details on some quirks wrt openSUSE-12.3 UEFI installation.

For machines in UEFI mode with secure boot enabled using openSUSE-12.3, the YaST installer does not automatically detect if the machine has secure boot enabled and will therefore install an unsigned bootloader by default. But the unsigned bootloader will not be accepted by the firmware. To have a signed bootloader installed the option “Enable Secure Boot” has to be manually enabled in the YaST installer.

For machines in UEFI mode when using the installer on the live medium, YaST installer does not detect UEFI mode and therefore installs the legacy bootloader. This results in a not bootable system. The bootloader has to be switched from grub2 to grub2-efi manually in the YaST installer.

For machines in UEFI mode the double signed shim on openSUSE 12.3 medium may be rejected by future firmwares. If the openSUSE 12.3 medium does not boot on future secure boot enabled hardware, temporarily disable secure boot, install openSUSE and apply all online updates to get an updated shim. After installing all updates secure boot can be turned on again.

For openSUSE-12.3 installations in UEFI mode, in the YaST installer partitioning proposal when checking the option to use LVM (which is required for full disk encryption) YaST does not create a separate /boot partition. That means kernel and initrd end up in the (potentially encrypted) LVM container, inaccessible to the boot loader. To get full disk encryption when using UEFI, partitioning has to be done manually.

Conclusion

UEFI is still a pain to setup properly and is complicated even more with Secure Boot. However after a bit of work you should be able to get it working with your computer.


Discussion

rodene, 2014/09/02 11:18

Your blog is perfect, and I like this article. I find the information I need.
Bone marrow transplantation in gurgaon
Heart surgery in gurgaon

aadi, 2014/08/16 11:12

I was very pleased to find this site.I wanted to thank you for this great read!! I definitely enjoying every little bit of it and I have you bookmarked to check out new stuff you post.
System Integration service providers
Mobile broadcasting in india
Mobile News Gathering Solutions

rodene lee, 2014/08/11 09:37

The idea is to focus on facts and try and define a baseline problem to share.
animal feeds

Escort and Dating Services, 2014/05/13 07:38

Most people focus on the content of their language. But by focusing on structure, <a href=“http://www.mainkinziggas.biz”>Escort and Dating Services</a> you'll be a billion times more persuasive. Or maybe even a trillion.

Hotel And Restaurant , 2014/05/08 11:52

Cheap low cost holidays in an exotic sunny land are a dream to many. <a href=“http://www.kirkwoodinn.biz”>Hotel And Restaurant</a> Some reach this dream, others just keep on spending big money on whatever the travel agencies provide them with.

Hotel And Restaurant , 2014/05/07 12:44

Cheap low cost holidays in an exotic sunny land are a dream to many. <a href=“http://www.kirkwoodinn.biz”>Hotel And Restaurant</a> Some reach this dream, others just keep on spending big money on whatever the travel agencies provide them with.

Sam, 2014/03/02 16:41

I installed ubuntu along side windows 8 on an asus laptop. The windows 8 install would not boot. I ran the boot-repair from the live CD, which ran for 22 minutes, according to top.

It then froze, I rebooted the laptop by holding the power button, and bricked… Permanently. No display at all, no bios recovery. The laptop has to be serviced with a new bios chip..

Just beware!

EDRFTGGH, 2013/11/27 09:21

For connected affidavit mentioned on top of you accept to opt for your cool atom bar in befitting with your apprenticeship goals. A fat accident diaphoresis aggregate needs beneath carbohydrates and a accumulation abacus aggregate a lot of. No aggregate your goals, you'll absorb cool atom http://www.insanityworkoutaustralia.org/ confined with BCCA Supplement affluent in curbs afore or anon already diaphoresis already your physique wants the curbs the foremost and a coffee barrier bar already you are at work.

Kathie, 2013/10/24 19:48

Hello, I am writing in an unusual case … Some time ago, I used your services, and one of your employees face was familiar to me. At dinner with my wife, it turned out that he was a burglar, who 5 years ago broke into our home!!! This is ridiculous!!! How you can hire criminals? I found at least 3 bad entries for him at website for background check!! I am sure there are more!!! Please do something about it, things like that are ridiculous!!!

Mark Harrison Jr., 2013/04/26 15:04

Does anyone know of a version of Linux that can work well the operating system for a Lenovo 4233 n500 53u? If not for the original operating system was not Windows Vista, I would not bother but I need to use this laptop. Also, I am curious as to info about system stability & security problems of Linux. Also, I am curious about the availability of a compatible driver for the wireless portion of this laptop. Another page of this site shows that this driver is not happy with Linux.

I would greatly appreciate help here.

Mark Harrison Jr.

FeRDNYC, 2013/07/09 07:37

Mark,

This is a bit belated (and entirely off-topic for this article, as the N500 isn't even a UEFI laptop), so I'm not sure if it's still of any interest to you. The only Linux distribution I can comment on is [http://www.fedoraproject.org/ Fedora], which has excellent compatibility with the N500. The Broadcom wireless module was an issue early on, yes, though my memory is that in later kernel releases those problems were largely solved thanks to a combination of updates to the kernel b43 driver that supports it, and the availability of appropriate auto-downloadable binary firmware through the associated [http://rpmfusion.org/ rpmfusion] project.

(Fedora is a pure-free Linux distribution, they don't distribute closed-source or binary-only software, nor any software with patent restrictions or a non-free license. Even MP3 support isn't present in stock Fedora. However, the rpmfusion project exists for the purpose of maintaining software packages that aren't permissible for inclusion in Fedora directly, and its collection is easily integrated alongside Fedora's.)

I don't honestly recall if the end result for me was the Broadcom card completely working, or basically working with occasional hiccups. (I know it was quite tolerable, either way.) I haven't used that card in some time (though I still use the laptop), because I ended up replacing it with an Intel 5100 wireless-N card (fully Linux-supported) which I purchased on eBay for something like US$30.

Lenovo laptops like the N500 use a “BIOS whitelist”, and will refuse to boot if a non-approved wireless card is installed, but any Lenovo-approved card will work. (The card I purchased was listed as a ThinkPad accessory, not specifically for the N500, but the seller was confident it would be compatible and offered a full refund if there were any problems. He was quite correct, the 5100's been trouble-free since I installed it.) So, there's always the option of ditching the troublesome Broadcom card for one that's better-supported and faster (if you have access to an 802.11n network) for a pretty reasonable price.

Enter your comment. Wiki syntax is allowed:
If you can't read the letters on the image, download this .wav file to get them read to you.
 
dealing_with_uefi_on_linux.txt · Last modified: 2013/04/06 05:56 by 89.14.223.133
Contact Us Sister Sites Privacy Policy Terms of Use
Copyright © 2006-2013 Linwik.com and other authors