How I installed Fedora 18 with UEFI Secure Boot
Summary: Here's my experience of installing Fedora 18 with UEFI Secure Boot - and why the much-maligned anaconda installer is not as bad as a lot of people think.

The Fedora Live Gnome 3 Desktop
Following up on my previous post showing openSuSE 12.3 installation with Secure Boot, this time I will walk through the same installation with Fedora 18.
What I hope to show here is, first, that in my experience Fedora 18 installs and runs just fine with UEFI Secure Boot, and second, that the much-maligned anaconda installer is not as bad as a lot of people have made it out to be.
I will skip the first couple of steps that were described and illustrated in the previous post, which use either the Windows Disk Management or one of the Linux disk/partition managers to free up sufficient space on the disk for the installation.
When booting the Fedora Live media, I am prompted to log in as "Live User" (no password).
I am then given a choice between going directly to the installation (anaconda), or going to the Live desktop, which you can use as a normal Linux system.
One useful thing to do at the live desktop is to confirm that all the hardware is recognized and working correctly before actually installing Fedora. Also, if you have a non-U.S. keyboard layout it can be convenient to set that here, so that your keyboard will be read properly during installation.
The screen shot above shows the Fedora 18 Gnome Live desktop; to start the installation, I clicked the icon at the bottom of the favorites list.
Talkback
How I installed Fedora 18 with UEFI Secure Boot
Does this mean that Fedora is also using the "shim"?
Does the installer also allow you to "nuke" any existing installations and install Fedora 18 as the sole Secure-Boot-enabled OS that has been signed with your own keys?
Shim Yes, Nuke Maybe
The installer will allow you to wipe the disk clean and install only Fedora, with Secure Boot enabled, so the basic answer to your question is yes - in fact, the very first time I installed F18 on one of my UEFI/Secure Boot systems, it did exactly that. If I understand what you are trying to get at here, is it possible to install and use Secure Boot without any of the Microsoft underpinning, I believe the answer is yes. I have had Fedora running on my HP Pavilion dm1-4310 as the one and only operating system, with Secure Boot enabled.
Thanks for reading and commenting.
jw
"is it possible to install and use Secure Boot without any of the
There's another interpretation of "Microsoft underpinning" beyond whether or not Windows 8 is installed. In this case, a Microsoft-signed key could be considered as "Microsoft underpinning".
According to Fedora, it is or, perhaps, more appropriately, will be, possible for users to generate their own keys via "custom mode". More here:
https://fedoraproject.org/wiki/Features/SecureBoot
""custom mode"
"In this scenario, an administrator who requires a local root of trust may generate their own keys using openssl, on an administrative machine, with instructions that will be provided. The administrator then builds a custom version of shim and signs it with the pesign tool, and optionally builds and signs their own versions of grub and the kernel. The administrator then sets the system into what UEFI defines as "setup mode" and installs the OS, and then uses the sbsetup tool provided by pesign to enrol their keys in the firmware."
It is
Yes, it is. And the same one Ubuntu uses, and many other distros. The shim lives at:
https://github.com/mjg59/shim
It was written by Matthew Garrett mostly during his time at Red Hat, but he doesn't work here any more. SUSE made some significant contributions to it. Fedora, Ubuntu and OpenSUSE all use this same 'shim'. Quick proof - http://lists.opensuse.org/opensuse-commit/2013-02/msg00835.html , note the Source URL there.
Thanks Adam
Secure Boot Behavior
My UEFI systems are both installed with the openSuSE Grub2 bootloader as the default, rather than the Windows bootloader - I'm going to write a post detailing how to do this soon, it's actually not that difficult, just tricky to figure out the first time. I then use the openSuSE Grub to boot whatever other systems are installed, currently Fedora 18, Ubuntu 13.04 Beta 2, Linux Mint 14 and Windows 8. I already knew that I had to disable Secure Boot to do all of that, but I hadn't bothered to figure out in detail which ones really required that. So I just went through it again, and found that with Secure Boot enabled and openSuSE Grub2 as the bootloader, openSuSE boots (duh), Windows 8 boots (duh), those two I expected, because it recognizes its own certificate for openSuSE and the factory Microsoft certificate for Windows 8. Fedora and Ubuntu will not boot from the openSuSE bootloader, even though they will boot if I hit F9 (boot select) and choose them from the firmware bootloader. Again, this is expected because they have their own shims, and their own certificates which are recognized by those shims but not by openSuSE. But the one which surprised me was that Linux Mint will boot from the openSuSE Grub2, even with Secure Boot enabled. Now, Linux Mint itself doesn't support Secure Boot, and it is not being booted from an EFI file as the others are; openSuSE Grub has recognized the Linux Mint kernels and added "normal" linux/initrd lines to the grub config file for them. So they are working because they are being started by Grub2 without going through another firmware boot sequence - I suppose.
That makes sense, but it took me by surprise because it doesn't work this way from the Fedora 18 Grub2, which I had tried before.
jw
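Added example (not part of the original post or its comments): the comments above turn on two firmware states, UEFI "setup mode" and Secure Boot being enabled or disabled. On Linux both can be confirmed by decoding the `SetupMode` and `SecureBoot` variables exposed through efivarfs. The function names and the sample bytes are this example's own; the sample is constructed.

```python
import struct
from pathlib import Path

# GUID of the EFI global variable namespace that holds SecureBoot and SetupMode.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032c8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point


def decode_flag(raw: bytes) -> int:
    """efivarfs file layout: 4-byte little-endian attribute mask, then the data.
    SecureBoot and SetupMode each carry exactly one data byte, 0 or 1."""
    if len(raw) != 5:
        raise ValueError(f"expected 5 bytes (attributes + flag), got {len(raw)}")
    _attributes, value = struct.unpack("<IB", raw)
    if value not in (0, 1):
        raise ValueError(f"flag byte must be 0 or 1, got {value}")
    return value


def describe(secure_boot: int, setup_mode: int) -> str:
    """Map the two flags onto the states the comments talk about."""
    if setup_mode == 1 and secure_boot == 1:
        return "inconsistent: firmware reports enforcement without a Platform Key"
    if setup_mode == 1:
        return "setup mode: no Platform Key enrolled, keys can be installed"
    if secure_boot == 1:
        return "user mode: Secure Boot enabled, only loaders the firmware trusts start"
    return "user mode: keys enrolled, but Secure Boot is disabled"


def read_state(efivars: Path = EFIVARS) -> str:
    """Read both variables; a missing directory means a legacy (non-UEFI) boot."""
    if not efivars.is_dir():
        return "not booted via UEFI (no efivarfs)"
    flags = []
    for name in ("SecureBoot", "SetupMode"):
        path = efivars / f"{name}-{EFI_GLOBAL_GUID}"
        flags.append(decode_flag(path.read_bytes()))
    return describe(*flags)


if __name__ == "__main__":
    # Constructed sample: attributes 0x06 (boot-service + runtime access), flag 1.
    sample = bytes.fromhex("0600000001")
    print("sample SecureBoot flag:", decode_flag(sample))
    print("this machine:", read_state())
```

Running it before and after a firmware settings change shows whether the change took effect, which the boot menu alone does not reveal.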
Thanks and a couple of questions
1. Are laptop makers providing any in-box printed information about what Secure Boot and UEFI are, and how to work with them? If not, where are the best websites to find details (aside from your blog)?
2. The way I expect to use the next laptop I purchase, it makes more sense to set up Legacy Boot first thing (so installing various distros for reviewing is easier.) Are there any good reasons to leave Secure Boot in place if you don't plan to travel much with a laptop?
Information - Slim / Necessary - No
1. There was absolutely no information about UEFI, Secure Boot or GPT partitioning in the box or on the computer from either HP or Acer. Not even a mention of the necessity to set a BIOS password to be able to disable Secure Boot, so if someone hadn't mentioned that in a comment to my blog, I would have been stuck for a while. The best information I have found is on the HP support web site, but even that I can't find reliably, I just stumble into the middle of it with various web searches. I'll have another look, and I'll post here if I can find anything consistent.
2. This is a very loaded question. There is plenty of empirical evidence that says Secure Boot is a very large solution to a very small problem. You have never had it before, and over all the years and all the computers you have had, how many MBR infections have you had? But the fact is, the problem is getting worse, and the danger is increasing, and it only takes one incident to throw out the value of all the previous experience. So here is my opinion. Secure Boot in principle is a good thing. For the overwhelming majority of users, who are never going to have more than one operating system on their computer, and who are distressingly likely to do all sorts of things that put their computer in danger of picking up all sorts of malware, including MBR infections, it is no bother. But I think the current implementation of it is absolutely awful, for two major reasons - first, its reliance on keys issued by Microsoft, and second the lack of decent tools for managing it, configuring it, adding multiple operating systems and so on.
Weighing those pros and cons, and considering your situation, I would say that I don't see any good reasons for you to keep Secure Boot enabled. Especially for the situation you mentioned - multi-booting with Legacy Boot installations - trying to struggle with Secure Boot is just too much trouble today. I hope that will change, and there will be better and more flexible implementations available.
I hope that is not too long-winded, but it really isn't a simple yes/no answer, it depends on the situation.
Thanks for reading and commenting, as always.
jw
How I installed Fedora 18 with UEFI Secure Boot
Another post from the clueless loser
I'm calling you out again, post your qualifications loser, anyone who thinks you still have to spend hours compiling source code in Linux last used a computer back in 1995.
Good Advice!
I normally don't take the time to upvote blog posts
THANK YOU!
Kudos, sir. I honestly wish more of the Linux camp were like you.
PS: Wow - we have almost the same processor history. :)
Thanks
Thanks for reading and commenting.
jw
ZDNet, time to prune the blogger roll
Another great post by Jamie. This is the type of information the open source community has been asking for, and not receiving, for years. How can I tell? Just look at Zogg's post, that one says it all.
"SJVN is no longer needed now that Jamie is here."
https://wiki.freebsd.org/SecureBoot
http://www.itwire.com/business-it-news/open-source/55924-openbsds-de-raadt-slams-red-hat-canonical-over-secure-boot
I do, however, agree that J.A. Watson's articles with their mostly hands-on style are a welcome addition at ZDNet.
Thanks for the links, I took a look
"Microsoft will launch Windows 8 exactly three months from today"
Ah, this was written quite a while ago. Okay. Context.
"I sense that disaster is coming"
That is what this whole thing boils down to. 3 months before Windows 8 was released, someone sensed disaster. Yet here we are TODAY and none of that has come true.
"they are traitors to the cause"
Traitors? Cause? Are we talking operating systems or a bad spy novel? OpenBSD is a "cause" and if you aren't "with us" you are a traitor?
I think you might want to reconsider putting your support behind someone who is clearly a little unbalanced.
"I'm not sure what your point was with the first [FreeBSD] one."
OpenBSD's current leader, Theo de Raadt, is much more like GNU's Richard Stallman than Linus Torvalds. And his rant, though a bit dated as you have correctly observed, pretty much captures his spirit and predicted a backlash against Microsoft's implementation of secure boot in the EU. Which, in fact, recently happened with the HispaLinux organization.
Glad that BSD is supporting secure boot
"predicted a backlash against Microsoft's implementation of secure boot in the EU. Which, in fact, recently happened with the HispaLinux organization."
I would distinguish between a Linux group filing a complaint with the EC actually locking MS out of the market. This isn't a backlash against secure boot specifically, Linux groups are ALWAYS fighting MS. This is only 1 in a LONG line of complaints by Linux groups, 99% of which go absolutely nowhere. It would have been news if a month goes by and a Linux group DOESN'T complain about (insert MS technology here).
"De Raadt foresees issues for "secure" boot in Europe. "I expect that the Intel/Microsoft plans will face big problems in Europe," he said.
"It would be interesting to see a bunch of consumer-unfriendly laptop vendors locked out of European markets, wouldn't it?"
He hasn't predicted anything right yet. Not a single laptop vendor has been locked out of the European market. MS isn't facing any big problems that are related to secure boot in Europe or anywhere else. There has been a lot of noise made by a tiny fraction of a tiny percent of unhappy people who view OSs as a "cause" and view anyone not using their OS as a "traitor" but that's all it has been: noise by a tiny vocal minority (I'm talking specifically about secure boot - not general Windows 8 uptake or Metro where the noise has certainly been a lot louder).
Wake me when anti-trust authorities start saying something different from this:
"In a letter dated January 31, EU Competition Chief Joaquin Almunia said the Commission was "aware of the Microsoft Windows 8 security requirements," but that so far it had seen no red flags."
I've said it before, I would be shocked if MS hadn't done due diligence and discussed secure boot with anti-trust authorities in the US and EU.