How to enable Secure Boot without issue?

boot uefi security bios secure-boot
14,103

Solution 1

Boot loaders are written for the computer's firmware. This is analogous to software, which is written for a particular OS. Thus, you don't "convert... the bootloader to UEFI"; that would be like "converting the mail client to Windows" or "converting the photo editor to Linux." Instead, you install a new program for the desired environment. In some cases, the new program may have the same name as the old one (as in Thunderbird or GIMP, which are available for both Windows and Linux; or GRUB 2, which is available for both BIOS and EFI). In other cases, there are OS- or firmware-specific programs, such as efibootmgr (a Linux-specific tool) or rEFInd (an EFI-specific boot manager).

If your computer is currently booting in BIOS/CSM/legacy mode, then to boot in EFI mode, you must do several things:

  • Convert the disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT). This step may not be strictly required, but some EFIs can be fussy, and using MBR may require installing your boot loader to the fallback filename (EFI/BOOT/bootx64.efi), which most tools won't do by default. Thus, an MBR-to-GPT conversion is desirable. This can be done fairly painlessly with my gdisk program (which is installed in Ubuntu by default), as described here.
  • Create an EFI System Partition (ESP). This is a partition where EFI boot loaders reside. It has no exact equivalent in BIOS. You'll probably have to use GParted to resize at least one partition to make room for the ESP. I recommend making it 550MiB in size. Although an ESP is usually the first or second partition on a disk, the realities of partition resizing mean that it may work better to make it the last partition on the disk if you're converting from BIOS/MBR to EFI/GPT.
  • Install an EFI boot loader. GRUB 2 is the traditional boot loader, and it can be installed fairly automatically by booting an Ubuntu live CD in EFI mode and running Boot Repair. Boot Repair should also set things up to work with Secure Boot. Most other boot loaders will require jumping through some extra hoops to work with Secure Boot, although sometimes this isn't too bad -- if it detects Shim (the most common Linux tool for supporting Secure Boot), my own rEFInd will set itself up to use Secure Boot.
  • Reboot and hope it all works. Any number of things can go wrong with all this. If you have problems, your best bet is to search here and elsewhere for a solution, and if you don't find one, post a new question here or on some other forum.

Note that in a Linux installation, the only truly critical software difference between a BIOS-mode and an EFI-mode installation is the boot loader. Thus, switching from BIOS-mode to EFI-mode booting doesn't require additional software changes. (In practice, installing an EFI-mode GRUB is likely to pull in some other related packages, like efibootmgr. These are indeed helpful, but not critical for booting.) There are no changes to the kernel, C libraries, shells, GUI, or other core tools required under EFI compared to BIOS. As I've written above, partitioning will need to be adjusted, but that doesn't require any software changes. Secure Boot requires Shim, PreLoader, or special custom setups; and depending on the boot loader, a signed kernel may be required.

As you might gather from this, Ubuntu should work fine with Secure Boot. (There are occasional exceptions because of finicky EFIs, though. Also, using Secure Boot makes it easier to misconfigure something so that it breaks.) When doing a fresh install with Secure Boot active, it should all be pretty transparent. When you do a conversion from an existing BIOS-mode installation, you're more likely to run into problems, since conversion tools don't really exist (unless you count Boot Repair, which does only part of the job). Thus, you'll end up doing more manually, which means there's more room to miss a step or make a mistake.

For more information on Linux and Secure Boot, read my main Web page on the subject, which covers basic principles and typical configurations. If you want to go really hard-core with a custom Secure Boot configuration, read my page on taking complete control of Secure Boot. This describes how to configure the system to boot with Secure Boot active but without Shim or PreLoader, and in a way that enables you to lock Microsoft tools out, if you so desire.

Solution 2

Secure Boot is a useful feature to lock down a computer to only run certified software. This helps to prevent booting hardware with malicious or uncertified code.

From Microsoft Technet:

Secure Boot helps to make sure that your PC boots using only firmware that is trusted by the manufacturer.

This means the Ubuntu firmware needs to be certified to be able to boot on a Secure Boot enabled UEFI system. If we do not want this we need to disable this "feature":

You may need to disable Secure Boot to run some PC graphics cards, hardware, or operating systems such as Linux or previous version of Windows.

So Microsoft recommends disabling Secure Boot for Linux or other non-certified hard- or software. A manufacturer may implement disabling Secure Boot but this in no way mandatory for a Windows system.

For most PCs, you can disable Secure Boot through the PC’s firmware (BIOS) menus. For logo-certified Windows RT 8.1 and Windows RT PCs, Secure Boot is required to be configured so that it cannot be disabled.

On these systems we may not be able to disable Secure Boot.

At present we can create our own certificate to be able to boot but this may change any time in the future when the Windows 10 Device Guard Certification process becomes more restrictive.

So the implementation of disabling Secure Boot on your machine may be incomplete, or restrictive in a way that it does not accept a non-Microsoft certificate.

Share:
14,103

Related videos on Youtube

Admin
Author by

Admin

Updated on September 18, 2022

Comments

  • Admin
    Admin over 1 year

    I read here that it is essential to have Secure Boot enabled:

    enter image description here

    However I find that when I enable Secure Boot, it changes it so that systems can boot with UEFI boot, but not Legacy, it also disables CMS. However, when I then try to boot my system, I get 3 different start things that I can boot from:

    - ATAPI CD1: PLDS DVD-RW DS8A8SH
- ATA HDD0: TOSHIBA MK5065GSX
> PCI LAN
    - LAN(3C970E7102F6) -IPv4
    - LAN(3C970E7102F6) -IPv6

    But no matter which of them I choose, I just get back to that screen and cannot boot, then the only way is to go to the other tab and select Setup, go back into BIOS, and disable Secure Boot, and then say that both Legacy and UEFI are supported in the Setup options (as just disabling Secure Boot does not work).

    So I am assuming that my current and only OS, Ubuntu GNOME 15.04 (64-bit), does not support UEFI boot, and only Legacy. So is there anything that I can do about this so that I can enable Secure Boot? And why does it only support Legacy anyway? And just as a quick note, this didn't work when I had Windows 7 (a long long time ago in a galaxy far far away...) either.

    • Wilf
      Wilf over 8 years
      You may be able to convert the bootloader to use UEFI (see here) but it may be easier to do on a fresh install. You will probably need a x86_64 install though.
    • Admin
      Admin over 8 years
      @Wilf: Sorry, I am not familiar with all this, how do I do a x86_64 install? Could you perhaps post all this as an answer (including the fresh install bit and the converting of the bootloader if I prefer to do that). :)
    • oldfred
      oldfred over 8 years
      LInus does not think secure boot is required: zdnet.com/… But in future in may be. All current versions of Ubuntu will install with secure boot. Better to use newest as many updates. Also make sure your UEFI/CSM is most current from vendor as they also are making many fixes. You often have to explicitly change settings to allow boot from USB or DVD as secure boot normally does not allow other devices. help.ubuntu.com/community/UEFI
    • Wilf
      Wilf over 8 years
      Sorry x86_64 as in 64bit (the ubuntu amd64 image) - 32bit apparently won't work.
    • Admin
      Admin over 8 years
      @Wilf: That is what I am running, the 64-bit version.
  • Admin
    Admin over 8 years
    This seems very focused around also running a Windows OS... Could you also provide instructions for converting the bootloader to UEFI, and explain if this could cause any problems from what you have just explained. For instance, will enabling Secure Boot potentially mean that Ubuntu will not be allowed to boot?
  • Takkat
    Takkat over 8 years
    @ParanoidPanda: paranoid people say that MS pushed secure boot to disallow installing another OS on a given hardware. This obviously appears not to be the case at present but in theory (or future) they could lock us out by this.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

With secure boot disabled, is there long term vulnerability to malicious code (on 14.10 and 15.04/Win multiboot setups)?
How to fix Secure Boot error "Image failed to verify with *ACCESS DENIED*" on startup?
Computer doesn't POST after enabling Secure Boot
Ubuntu 16.04: Checking Media [FAIL]
Trouble booting and installing Linux - Broken BIOS suspected?
asus bios utility: the system cannot find any bootable devices
How to access BIOS settings with EFI?
Bootable device not found Ubuntu 16.04 - no option in BIOS to select an UEFI file
How do I fix broken boot after shim update?
"The VGA card is not supported by UEFI driver"