How I installed Fedora 18 with UEFI Secure Boot

Summary: Here's my experience of installing Fedora 18 with UEFI Secure Boot - and why the much-maligned anaconda installer is not as bad as a lot of people think.

  • The Installation "Dispatcher"

    This is anaconda's central dispatcher. 

    After getting through the two preliminary screens, the rest of the installation is a "star" or "hub and spoke" process: from this screen you go off to the various other steps as necessary, always returning here until everything has been defined, anaconda is satisfied, and you are ready to click 'Begin Installation'.

    The screen shown above is from the Live ISO image; if you are installing from the DVD image, there will be more options in this screen, for example to select other software and desktops to install.

    Note that the current value of each option is displayed (TZ America/New York and KB English). There is a warning both beside the Storage option and at the bottom of the window, indicating that the input is mandatory and has not yet been made, and the 'Begin Installation' button is not yet active.

  • Here I have gone to Date & Time, where I can select the correct location or timezone, and manually set the system time and date or turn on NTP for network time control. You can select the location either by clicking on the map or from the drop-down lists for region and city. When I had finished with this screen, I clicked 'Done' to return to the hub.

  • Keyboard Layout Selection

    This is the keyboard selection. The default layout is English/U.S. (of course). Click "+" to add another layout, or select an existing layout and click "-" to remove it. You can leave multiple layouts selected, and change their order (precedence) with the arrow buttons. When the definition is correct, click 'Done' to return to the hub.

    A comment about keyboards - I typically use a Swiss German, German, or US keyboard. 

    Most people will know about the difference between "QWERTY" and "QWERTZ" keyboards.  But I have occasionally used French keyboards which have an "AZERTY" layout. I suspect that this is something the French are doing specifically to torment Americans, because it is guaranteed to have you pounding your head on the desk (or directly on the keyboard) within the first five minutes.  Whatever the case, you can select the specific keyboard or multiple keyboards in this screen.

Topics: Linux, Open Source, Operating Systems

J.A. Watson

About J.A. Watson

I started working with what we called "analog computers" in aircraft maintenance with the United States Air Force in 1970. After finishing military service and returning to university, I was introduced to microprocessors and machine language programming on Intel 4040 processors. After that I also worked on, operated and programmed Digital Equipment Corporation PDP-8, PDP-11 (/45 and /70) and VAX minicomputers. I was involved with the first wave of Unix-based microcomputers, in the early '80s. I have been working in software development, operation, installation and support since then.

Talkback

25 comments
  • How I installed Fedora 18 with UEFI Secure Boot

    Great article Jamie.
    daikon
  • Does this mean that Fedora is also using the "shim"?

    It makes sense, of course, for those who would want to dual-boot with Win8.

    Does the installer also allow you to "nuke" any existing installations and install Fedora 18 as the sole Secure-Boot-enabled OS that has been signed with your own keys?
    Zogg
    • Shim Yes, Nuke Maybe

      Yes, Fedora also uses a "shim". I doubt that it is the same one which openSuSE uses, but the way it is used is essentially the same.

      The installer will allow you to wipe the disk clean and install only Fedora, with Secure Boot enabled, so the basic answer to your question is yes - in fact, the very first time I installed F18 on one of my UEFI/Secure Boot systems, it did exactly that. If I understand what you are trying to get at here, is it possible to install and use Secure Boot without any of the Microsoft underpinning, I believe the answer is yes. I have had Fedora running on my HP Pavilion dm1-4310 as the one and only operating system, with Secure Boot enabled.

      Thanks for reading and commenting.

      jw
      j.a.watson@...
      • "is it possible to install and use Secure Boot without any of the

        Microsoft underpinning?"

        There's another interpretation of "Microsoft underpinning" beyond whether or not Windows 8 is installed. In this case, a Microsoft-signed key could be considered as "Microsoft underpinning".

        According to Fedora, it is or, perhaps, more appropriately, will be, possible for users to generate their own keys via "custom mode". More here:

        https://fedoraproject.org/wiki/Features/SecureBoot
        ""custom mode"
        "In this scenario, an administrator who requires a local root of trust may generate their own keys using openssl, on an administrative machine, with instructions that will be provided. The administrator then builds a custom version of shim and signs it with the pesign tool, and optionally builds and signs their own versions of grub and the kernel. The administrator then sets the system into what UEFI defines as "setup mode" and installs the OS, and then uses the sbsetup tool provided by pesign to enrol their keys in the firmware."
        Rabid Howler Monkey
      • It is

        "Yes, Fedora also uses a "shim". I doubt that it is the same one which openSuSE uses, but the way it is used is essentially the same."

        Yes, it is. And the same one Ubuntu uses, and many other distros. The shim lives at:

        https://github.com/mjg59/shim

        it was written by Matthew Garrett mostly during his time at Red Hat, but he doesn't work here any more. SUSE made some significant contributions to it. Fedora, Ubuntu and OpenSUSE all use this same 'shim'. Quick proof - http://lists.opensuse.org/opensuse-commit/2013-02/msg00835.html , note the Source URL there.
        AdamWill
        • Thanks Adam

          Whew, I was hoping you would come along and save my rear on this one. Thanks for the info.
          j.a.watson@...
    • Secure Boot Behavior

      Your questions about Secure Boot, certificates and signing have really had me thinking about this a lot more, and trying a few things to see exactly what works and what doesn't. I just got a bit surprised, so I'll share the details.

      My UEFI systems are both installed with the openSuSE Grub2 bootloader as the default, rather than the Windows bootloader - I'm going to write a post detailing how to do this soon, it's actually not that difficult, just tricky to figure out the first time. I then use the openSuSE Grub to boot whatever other systems are installed, currently Fedora 18, Ubuntu 13.04 Beta 2, Linux Mint 14 and Windows 8. I already knew that I had to disable Secure Boot to do all of that, but I hadn't bothered to figure out in detail which ones really required that. So I just went through it again, and found that with Secure Boot enabled and openSuSE Grub2 as the bootloader, openSuSE boots (duh), Windows 8 boots (duh), those two I expected, because it recognizes its own certificate for openSuSE and the factory Microsoft certificate for Windows 8. Fedora and Ubuntu will not boot from the openSuSE bootloader, even though they will boot if I hit F9 (boot select) and choose them from the firmware bootloader. Again, this is expected because they have their own shims, and their own certificates which are recognized by those shims but not by openSuSE. But the one which surprised me was that Linux Mint will boot from the openSuSE Grub2, even with Secure Boot enabled. Now, Linux Mint itself doesn't support Secure Boot, and it is not being booted from an EFI file as the others are; openSuSE Grub has recognized the Linux Mint kernels and added "normal" linux/initrd lines to the grub config file for them. So they are working because they are being started by Grub2 without going through another firmware boot sequence - I suppose.

      That makes sense, but it took me by surprise because it doesn't work this way from the Fedora 18 Grub2, which I had tried before.

      jw
      j.a.watson@...
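The comments above turn on two firmware states: whether Secure Boot is actually enforcing, and the "setup mode" named in the Fedora custom-mode quote. As an added example (not from the article, Fedora, or any commenter), this Python script decodes both from Linux efivarfs entries; the sample byte strings are constructed and the function names are this example's own.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE namespace GUID from the UEFI specification.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

# Constructed sample entries: attribute mask 0x06 (boot-service + runtime
# access) followed by the one-byte value.
SAMPLE_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_OFF = b"\x06\x00\x00\x00\x00"


def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes the variable data with a 4-byte little-endian
    attribute mask, so the value itself starts at offset 4.
    """
    if len(raw) < 4:
        raise ValueError("entry shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]


def flag(raw):
    """Decode a one-byte boolean variable (SecureBoot or SetupMode)."""
    _, data = parse_efivar(raw)
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError(f"unexpected payload {data!r}")
    return data[0] == 1


def describe(secure_boot_raw, setup_mode_raw):
    """Summarise the firmware state from the two raw efivarfs entries."""
    if flag(setup_mode_raw):
        # No Platform Key enrolled: keys can be installed, nothing is enforced.
        return "setup mode: keys can be enrolled, signatures not enforced"
    if flag(secure_boot_raw):
        return "user mode, Secure Boot enabled: boot loader signatures are verified"
    return "user mode, Secure Boot disabled: boot loader signatures are not checked"


def read_live():
    """Read the running machine's state (needs a UEFI boot with efivarfs)."""
    def read(name):
        return (EFIVARS / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()
    return describe(read("SecureBoot"), read("SetupMode"))


if __name__ == "__main__":
    try:
        print(read_live())
    except OSError:
        # Not a UEFI boot (or efivarfs not mounted): decode the samples instead.
        print(describe(SAMPLE_ON, SAMPLE_OFF))
```

Running it before and after a firmware settings change confirms which state a multi-boot test was really performed in, rather than relying on what the setup screen claimed.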
      • Thanks and a couple of questions

        Jamie, as usual, you have provided valuable information. I wish your posts could be twice as long :) Thanks again.

        1. Are laptop makers providing any in-box printed information about what Secure Boot and UEFI are, and how to work with them? If not, where are the best websites to find details (aside from your blog)?
        2. The way I expect to use the next laptop I purchase, it makes more sense to set up Legacy Boot first thing (so installing various distros for reviewing is easier.) Are there any good reasons to leave Secure Boot in place if you don't plan to travel much with a laptop?
        Thomas Gellhaus
        • Information - Slim / Necessary - No

          Hi Thomas, and before I get into this, I want to mention that I replied to your comment on a previous UEFI/GPT post, but couldn't get my comment through the filter which seemed to think that "partition" was profanity - I hope that is fixed now, or you won't see this one either...

          1. There was absolutely no information about UEFI, Secure Boot or GPT partitioning in the box or on the computer from either HP or Acer. Not even a mention of the necessity to set a BIOS password to be able to disable Secure Boot, so if someone hadn't mentioned that in a comment to my blog, I would have been stuck for a while. The best information I have found is on the HP support web site, but even that I can't find reliably, I just stumble into the middle of it with various web searches. I'll have another look, and I'll post here if I can find anything consistent.

          2. This is a very loaded question. There is plenty of empirical evidence that says Secure Boot is a very large solution to a very small problem. You have never had it before, and over all the years and all the computers you have had, how many MBR infections have you had? But the fact is, the problem is getting worse, and the danger is increasing, and it only takes one incident to throw out the value of all the previous experience. So here is my opinion. Secure Boot in principle is a good thing. For the overwhelming majority of users, who are never going to have more than one operating system on their computer, and who are distressingly likely to do all sorts of things that put their computer in danger of picking up all sorts of malware, including MBR infections, it is no bother. But I think the current implementation of it is absolutely awful, for two major reasons - first, its reliance on keys issued by Microsoft, and second the lack of decent tools for managing it, configuring it, adding multiple operating systems and so on.

          Weighing those pros and cons, and considering your situation, I would say that I don't see any good reasons for you to keep Secure Boot enabled. Especially for the situation you mentioned - multi-booting with Legacy Boot installations - trying to struggle with Secure Boot is just too much trouble today. I hope that will change, and there will be better and more flexible implementations available.

          I hope that is not too long-winded, but it really isn't a simple yes/no answer, it depends on the situation.

          Thanks for reading and commenting, as always.

          jw
          j.a.watson@...
  • How I installed Fedora 18 with UEFI Secure Boot

    But one of ZDNet's other Linux bloggers said this wasn't possible. Possible or not it's still too much hassle and all the hoops you have to jump through just to get Linux installed. After it's installed you spend hours compiling and trying to secure the telnet port. This is not what people want to do with their PCs. I'm going to stick with the OS that came with my computer.
    Loverock-Davidson
    • Good Advice!

      My Dell computer came with FreeDOS. Like Loverock: "I'm going to stick with the OS that came with my computer."
      sk43999
  • I normally don't take the time to upvote blog posts

    But I took the time to upvote this and the openSuSE post. This is very helpful and very needed for those of us who are new to UEFI.
    Michael Kelly
  • THANK YOU!

    Finally, a Linux fan who instead of turning this into an anti-Microsoft hate session, just goes out and *tries* it.

    Kudos, sir. I honestly wish more of the Linux camp were like you.

    PS: Wow - we have almost the same processor history. :)
    TheWerewolf
    • Thanks

      My objective is to produce more light than heat. I think the best way to convince others that Linux is a viable alternative is to actually show as clearly and simply as possible how to do it. Occasionally that includes talking about what doesn't work, or isn't easy, but I think that helps as well.

      Thanks for reading and commenting.

      jw
      j.a.watson@...
  • ZDNet, time to prune the blogger roll

    SJVN is no longer needed now that Jamie is here.

    Another great post by Jamie. This is the type of information the open source community has been asking for, and not receiving, for years. How can I tell? Just look at Zogg's post, that one says it all.
    toddbottom3
    • "SJVN is no longer needed now that Jamie is here."

      Understand that J.A. Watson is mostly about Linux stuff. There's much to open source beyond GNU/Linux. Since this article deals with UEFI secure boot, here's two links that provide some perspective on secure boot from the BSD world (also open source):

      https://wiki.freebsd.org/SecureBoot

      http://www.itwire.com/business-it-news/open-source/55924-openbsds-de-raadt-slams-red-hat-canonical-over-secure-boot

      I do, however, agree that J.A. Watson's articles with their mostly hands-on style are a welcome addition at ZDNet.
      Rabid Howler Monkey
      • Thanks for the links, I took a look

        I'll comment specifically on the 2nd link since I'm not sure what your point was with the first one.

        "Microsoft will launch Windows 8 exactly three months from today"

        Ah, this was written quite a while ago. Okay. Context.

        "I sense that disaster is coming"

        That is what this whole thing boils down to. 3 months before Windows 8 was released, someone sensed disaster. Yet here we are TODAY and none of that has come true.

        "they are traitors to the cause"

        Traitors? Cause? Are we talking operating systems or a bad spy novel? OpenBSD is a "cause" and if you aren't "with us" you are a traitor?

        I think you might want to reconsider putting your support behind someone who is clearly a little unbalanced.
        toddbottom3
        • "I'm not sure what your point was with the first [FreeBSD] one."

          If you take the time to read the linked document, you'll see that it details FreeBSD's current plans for supporting secure boot. It's pretty much roll with the flow which is what Red Hat/Fedora, SuSE and Canonical have done. And, relevant to this article, discusses Fedora's approach towards secure boot. At the moment, like many GNU/Linux distros, they do not support secure boot.

          OpenBSD's current leader, Theo de Raadt, is much more like GNU's Richard Stallman than Linus Torvalds. And his rant, though a bit dated as you have correctly observed, pretty much captures his spirit and predicted a backlash against Microsoft's implementation of secure boot in the EU. Which, in fact, recently happened with the HispaLinux organization.
          Rabid Howler Monkey
          • Glad that BSD is supporting secure boot

            No reason for anyone not to.

            "predicted a backlash against Microsoft's implementation of secure boot in the EU. Which, in fact, recently happened with the HispaLinux organization."

            I would distinguish between a Linux group filing a complaint with the EC actually locking MS out of the market. This isn't a backlash against secure boot specifically, Linux groups are ALWAYS fighting MS. This is only 1 in a LONG line of complaints by Linux groups, 99% of which go absolutely nowhere. It would have been news if a month goes by and a Linux group DOESN'T complain about (insert MS technology here).

            "De Raadt foresees issues for "secure" boot in Europe. "I expect that the Intel/Microsoft plans will face big problems in Europe," he said.

            "It would be interesting to see a bunch of consumer-unfriendly laptop vendors locked out of European markets, wouldn't it?"

            He hasn't predicted anything right yet. Not a single laptop vendor has been locked out of the European market. MS isn't facing any big problems that are related to secure boot in Europe or anywhere else. There has been a lot of noise made by a tiny fraction of a tiny percent of unhappy people who view OSs as a "cause" and view anyone not using their OS as a "traitor" but that's all it has been: noise by a tiny vocal minority (I'm talking specifically about secure boot - not general Windows 8 uptake or Metro where the noise has certainly been a lot louder).

            Wake me when anti-trust authorities start saying something different from this:

            "In a letter dated January 31, EU Competition Chief Joaquin Almunia said the Commission was "aware of the Microsoft Windows 8 security requirements," but that so far it had seen no red flags."

            I've said it before, I would be shocked if MS hadn't done due diligence and discussed secure boot with anti-trust authorities in the US and EU.
            toddbottom3
  • In the world of Windows

    We call the setup routine, boring.

    I install Windows 8 on my computer, I used the 7 mins it took to install to do something like get some fresh air, come back and start using my computer. Back in 2001, things like this mattered, but it shows Linux will always be a decade behind Windows.
    adacosta38