April 2, 2015

How to Install Linux on a Windows Machine With UEFI Secure Boot

When Windows 8 rolled up to the curb, Microsoft did its best to enforce a protocol known as Unified Extensible Firmware Interface (UEFI) Secure Boot. This was to be a modern replacement for the aging BIOS system and would help ensure boot-time malware couldn’t be injected into a system. For the most part, Linux has overcome those UEFI hurdles. However, with Windows 10, those hurdles could be returning.

This BIOS replacement, UEFI, caused some serious problems with “alternative” platforms. For some time, it was thought UEFI would render Linux uninstallable on any system certified for Windows 8 and up. Eventually Microsoft saw fit to require vendors to include a switch that allowed users to disable UEFI, so that their favorite Linux distribution could be installed. And then some Linux distributions set out to fully support Secure Boot (Red Hat, Ubuntu, SUSE, to name a few). This was accomplished by these particular companies purchasing a digital key that would then allow their bootloaders to pass the UEFI firmware check. With that, those distributions have no problems dealing with Secure Boot.

So what are you to do when you have a new system and you want to install Linux? The answer isn’t always simple. This isn’t going to serve as a definitive how-to on booting Linux with UEFI Secure Boot. Because every distribution and every piece of hardware is different, your mileage will vary. This will, however, give you enough information to start you off on the right foot with Linux and Secure Boot.

Your best bet

There is one sure-fire way around this issue and that is to simply disable certain components within your BIOS. From within the BIOS, you will want to disable the following:

  • Quickboot/Fastboot

  • Intel Smart Response Technology (ISRT)

  • FastStartUp (if you have Windows 8).

With that done, you should be able to boot your distribution without problems. If, however, you get a Secure Boot or signature error, it’s time to disable Secure Boot. If your machine has Windows 7, you can simply enter the BIOS in the standard fashion (by hitting the proper keyboard key associated with your motherboard BIOS settings) and disable Secure Boot. If, however, your machine runs Windows 8, getting to the Secure Boot toggle isn’t quite that simple. To do this you must:

  1. Boot Windows 8

  2. Press the Windows+I keys

  3. Click Change PC Settings

  4. Click General and then Advanced Startup

  5. Click Restart now

  6. Click UEFI Firmware settings.

In Windows 8.1, do the following:

  1. From the left sidebar, go to Update and recovery

  2. Click Advanced startup

  3. Click Restart now.

The machine should then reboot and enter the BIOS where you can disable Secure Boot.

NOTE: Some BIOSes are equipped to run in what is called EFI or “legacy” mode. If your BIOS does allow this mode, set it and you should have zero issues with Linux. Certain motherboard manufacturers label this as Compatibility Support Module.

With Secure Boot off, run your live disk and see if the boot issue has vanished. If so, install Linux and do your happy dance.
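To confirm from the live session whether the firmware booted in UEFI or legacy mode and whether Secure Boot is actually off, the following added example (not part of the original article) reads the standard UEFI SecureBoot and SetupMode variables. It assumes efivarfs is mounted at /sys/firmware/efi/efivars; the function names are illustrative.

```shell
#!/bin/sh
# Added example: report firmware boot mode and Secure Boot state on Linux.
# Assumption: efivarfs is mounted at /sys/firmware/efi/efivars.
# Function names (efi_var_byte, secure_boot_status) are hypothetical.

# GUID of the EFI global variable namespace (defined by the UEFI specification)
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the value of a one-byte EFI variable.
# An efivarfs file holds 4 attribute bytes followed by the variable data.
efi_var_byte() {  # $1 = efivars directory, $2 = variable name
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    b=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$b" ] && printf '%s\n' "$b"
}

# Print one of: legacy-bios, uefi-unknown, uefi-setup-mode,
# uefi-secure-boot-enabled, uefi-secure-boot-disabled
secure_boot_status() {  # $1 = firmware sysfs root (default /sys/firmware)
    fw="${1:-/sys/firmware}"
    if [ ! -d "$fw/efi" ]; then
        echo "legacy-bios"        # booted through BIOS or legacy/CSM mode
        return 0
    fi
    sb=$(efi_var_byte "$fw/efi/efivars" SecureBoot) || {
        echo "uefi-unknown"       # UEFI boot, but the variable is not readable
        return 0
    }
    # SetupMode=1 means no platform key is enrolled, so nothing is enforced
    setup=$(efi_var_byte "$fw/efi/efivars" SetupMode) || setup=0
    if [ "$setup" = "1" ]; then
        echo "uefi-setup-mode"
    elif [ "$sb" = "1" ]; then
        echo "uefi-secure-boot-enabled"
    else
        echo "uefi-secure-boot-disabled"
    fi
}

secure_boot_status
```

A result of legacy-bios means the live disk was started through the legacy/CSM path, so the Secure Boot toggle had no bearing on that boot.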

The next simple solution

If disabling Secure Boot isn’t an option for you, the next easiest route to success is to choose a Linux distribution that fully supports Secure Boot. If you’re using Ubuntu >= 12.04.2 (or any of its official “flavors”) or Linux Mint >= 16, you can rest assured these distributions support Secure Boot because both distributions (and their “flavors”) share a legitimate Intel UEFI/SecureBoot code. As well, both enterprise-ready distributions Red Hat and SUSE have paid the piper to gain access to an official key. With these particular distributions, Secure Boot should not be an issue. I’ve booted plenty of Secure Boot-enabled machines with Ubuntu and had nary an issue.

If you have a particular Linux distribution that you are fond of, and you are having trouble getting around Secure Boot, contact the developers of said distribution and see what they recommend.

Dual booting

But what about dual booting Windows and Linux? Considering Windows makes use of Secure Boot, won’t that hamper your ability to boot both platforms? Not if you’re using Windows 8 or 8.1. With these particular iterations of Windows, you can actually disable Secure Boot and still boot the OS. There is one major glitch in this approach.

Say you have Windows 8, you disable Secure Boot, and then you install your favorite flavor of Linux for dual booting purposes. One day you boot up Windows to discover the 8.1 update is available. You install it and reboot to discover Linux is no longer an option. What do you do? The easiest solution for this problem is to upgrade Windows to 8.1 before you install Linux. Once that update is complete, then install Linux as a dual booting solution and you should be good to go. If, however, you’ve already installed Linux and your Windows partition upgrades to 8.1, you’ll need to boot from your Linux live disk and run its boot repair tool. The repair should fix the issue and dual booting will return.

The Windows 10 problem

This is where it all gets a bit frustrating. Microsoft has announced that, with Windows 10, they will no longer require manufacturers to include the ability to toggle off Secure Boot. This means PC vendors will have the power to further raise the hurdles for alternative operating systems to be installed. The official decision has not been handed down yet. Even if it does take effect, this will not cause problems with older systems. And even if it does become a reality, distributions such as Ubuntu, Fedora, Red Hat, and SUSE won’t have any issues as they are already using official digital keys to meet the UEFI requirements. For smaller distributions (created by developers who cannot afford to purchase the keys), this could be a big issue.

Fortunately, it’s not totally insurmountable. How? Because there are vendors out there selling modern hardware that is specifically geared toward Linux. System76 has grown into one of the biggest vendors of Linux desktops and laptops. ZaReason is another, similar solution. Both companies not only offer outstanding hardware, they give back to the open source community and serve as a means for Linux users to always have hardware that will work with Linux. Besides, supporting companies that are geared specifically for Linux and open source software is a win-win on every level.

Also, if you happen to be a developer, working on a Linux distribution, check out this Linux Foundation publication on Making UEFI Secure Boot Work With Open Platforms.

UEFI proved not to be nearly the impossibility we thought it would be. But with Windows 10, impossibility could become a reality. How will you deal with purchasing new hardware should manufacturers start removing the ability to disable Secure Boot?
