Linux Mint 17: Hands-on with UEFI Secure Boot


Summary: The final release of Mint 17 is available. Here's how it works for me on UEFI firmware systems.


The final release of Linux Mint 17 (Qiana) was made available over the weekend. The release announcements (Cinnamon/MATE) give a brief overview of the release. Two particularly important bits of information are included in the announcement:

  • It is possible to update from a previous Linux Mint release to this new version. Clem has written a fairly lengthy How to Upgrade document, so before whinging about how 'I have to reinstall every new release', read this document.
  • If you have already installed the Mint 17 Release Candidate, all you need to do is install all Level 1 updates.

The release notes (Cinnamon/MATE) contain more technical details about the release. Here you will find one of the rare things that I take issue with in a Linux Mint release. It says:

    "If your system is using secureBoot, turn it off."

This is absolutely not necessary. Period. I have installed Mint 17 on four different systems with UEFI firmware and UEFI Secure Boot enabled, and I had absolutely no problems on any of them. 

I downloaded the ISO images, copied them directly to a USB stick (using dd), and that stick booted with Secure Boot enabled on all four of my systems. I then performed a completely normal installation, no special manipulation or consideration for UEFI or Secure Boot support, and when I was finished the installed system also booted normally, with UEFI Secure Boot still enabled.

There is also some very useful information in the release notes about booting on non-PAE systems — this is a question which has come up in comments here before.

Beyond these few notes, I don't have much more to say. I wrote in more detail about the release candidate when it came out two weeks ago. I don't see any significant changes in this final release. It is, as always, important to get the latest patches and updates after installation is complete. Also keep in mind that the default configuration of Mint Update will only install Level 1-3 updates, in the interest of stability. You can change this in the Preferences dialog:

[Image: Linux Mint Update Level Preferences]

Alternatively, this release will also show you Level 4 and 5 updates in the normal update window, so you can manually select them for installation. This can seem a bit tricky or misleading at first, because the updates are ordered by level in the window, so when there are a significant number of Level 1 to 3 updates available, you might not see the Level 4 and 5 updates (unless you scroll all the way down through the list). This is what it looks like once the Level 1 to 3 updates have been installed:

[Image: Linux Mint Level 5 Updates]

Oh, one last comment about UEFI boot to close this post. As was the case with the previous Mint 16 release, the UEFI boot directory will be named 'ubuntu', so if you want to install Mint 17 and Ubuntu both on the same UEFI boot system, you will have to be careful about that.

The most obvious solution, renaming the boot directory after the first of them is installed, doesn't work (it won't boot that one any more). The solution I have found which does work is to create a second EFI Boot partition, but neither Ubuntu nor Mint will let you specify the UEFI boot partition to use on installation, so you have to copy the boot directory to the second EFI partition after installing. This is not a big deal: if you are "advanced" enough to be installing both distributions on one system, then you should also be able to handle this.


J.A. Watson

About J.A. Watson

I started working with what we called "analog computers" in aircraft maintenance with the United States Air Force in 1970. After finishing military service and returning to university, I was introduced to microprocessors and machine language programming on Intel 4040 processors. After that I also worked on, operated and programmed Digital Equipment Corporation PDP-8, PDP-11 (/45 and /70) and VAX minicomputers. I was involved with the first wave of Unix-based microcomputers, in the early '80s. I have been working in software development, operation, installation and support since then.


Talkback

15 comments
  • Just upgraded Mint myself this weekend

    Jamie - Just as you did, I upgraded to Mint 17. For people considering doing this, I strongly suggest that you install and switch to a newer kernel ASAP. Mint 17 apparently ships with the 3.13.0-24 kernel, which for certain Realtek wireless cards simply will not maintain a connection. (This had also given me problems when I attempted to run Ubuntu 14.04 in April)

    The new kernel, 3.13.0-27, seems to be much improved in that regard. A simple way to switch is to open the Update Manager, click "View", and one of the items in the drop-down is "Kernel". An "Install" button there will allow you to install and switch to a newer version if it's available.

    I had no problems installing Mint 17 with UEFI and Secure Boot enabled, and I also installed LMDE in a dual-boot configuration - done prior to updating the kernel, in order to have some way of staying online.
    Thomas Gellhaus
  • To-do list for Mint 17 after installation

    I've written a to-do list for Mint 17 Cinnamon and Mate, so that you can round off your installation neatly.
    Cinnamon: https://sites.google.com/site/easylinuxtipsproject/mint-cinnamon-first
    Mate: https://sites.google.com/site/easylinuxtipsproject/mint-mate-first

    Part of this list is enabling security updates for level 4 and 5. Stability is fine, but safety first....

    For the rest: a fine release, which will last five years. The very best in Linux right now, if you ask me. :)

    Regards, Pjotr.
    pjotr123
  • UEFI boot, Mint, Ubuntu

    I don't know yet how to do it, but I would bet that a hack to one of the UEFI files would enable one to dual-boot Mint and Ubuntu. This is not something one would want to do in a true production environment, which might explain why the Mint folk never fixed this up... Ben Myers
    ben_myers@...
  • Not a Hack

    It doesn't actually take much of a change, it just needs to install the EFI boot files to a directory named anything other than ubuntu. The funny thing is, the Linux Mint Debian Edition distribution already does this, it installs to a directory called linuxmint. I don't know why the Mint developers choose not to do this for the Ubuntu-based distribution. In fact they did, in the very first UEFI compatible release (I think it was Mint 15), but then it went back to the ubuntu name in the next release.

    With other distributions (openSuSE and Fedora), you can partially work around this by simply renaming the directory yourself after installation, but with Ubuntu and Mint if you do this it won't boot.

    The simplest way I have found to get around this is what I mentioned in the post, create a new EFI partition and copy the directory for one of the two distributions to it. Even this would be a lot simpler if they would let you specify the EFI boot directory on installation, but that isn't possible with either Ubuntu or Mint yet, although they seem to be moving in that direction. It is already possible with openSuSE and Fedora.

    Thanks for reading and commenting.

    jw
    j.a.watson@...
  • On my laptop, I don't need this separate EFI entry for a multiple boot

    You're right that it's strange that Mint doesn't create its own entry in EFI with its own name. But in practice I don't need it, I've found: my Acer TravelMate P253 is multiple boot, with two kinds of Mint 17, two kinds of *buntu 14.04 and Windows 8.1 (the latter was pre-installed).

    Still only two entries in the EFI: ubuntu and Windows Boot Manager. But simply installing each *buntu and Mint in the normal way, sufficed. No need for me to tinker with the EFI...

    Regards, Pjotr.

    P.S. and quite off topic: do you happen to know whether the Swiss also have Eiswein, like in Austria and Germany? If so, can you recommend one?
    pjotr123
    • Traditional Boot?

      Hmmm. Unless my understanding of UEFI boot is completely wrong (very unlikely), the only way I can think of that such a configuration could work would be if you have Legacy Boot enabled. Is it possible that is the case? Otherwise I am going to have to go back and study UEFI boot configuration a lot more, because I must be missing something.

      As for Eiswein, I am not familiar with it, so I can't recommend one, sorry.

      Thanks for reading and commenting.

      jw
      j.a.watson@...
      • Should Be LEGACY Boot

        Sorry, my brain slipped out of gear while writing that.

        jw
        j.a.watson@...
      • No, it's in full UEFI mode

        My laptop is running in full UEFI mode, see this screenshot:
        https://sites.google.com/site/easylinuxtipsproject/screenshots

        My understanding is: the ubuntu entry in the EFI, is simply "taken over" by the last installed Ubuntu or Mint. The Grub menu of that last Ubuntu/Mint then takes care of the rest: it shows all available and bootable OS's.

        Nevertheless: although it has no practical disadvantage (at least in my case), it would indeed be clearer if Mint would create an EFI entry of its own, with its own name....

        About the Eiswein: never mind, it would probably be too expensive anyway.... The Swiss are unrivalled masters at the art of "legally" plundering foreigners. :-)
        pjotr123
  • Help- I hope you, or someone, are reading these comments

    1) How did you get the system to boot to the usb stick?? Did you just plug it in and it happened automatically when you booted?? Did you have to go into the boot loader and tell it to boot to the stick?

    I got a Win7 system specifically so I would not have to deal with UEFI- and the Mf**kers put UEFI on it (HP Pavilion 500-281). From what I can see it puts the Windows boot loader in charge. So I am guessing it has to stay in charge- but who knows?

    I can find almost no info at all on how to get around UEFI on a Win7 machine

    I was able to screw around with the boot loader and could get a Mint 17 DVD to boot- but I really don't know if I should let it run. I hear lots of problems related to the fact that a UEFI system will not let grub run properly.

    Any help from anyone would be greatly appreciated.
    dfolk2
    • UEFI on UP is Difficult and Uncooperative

      I'm sorry if that sounds discouraging, but it is really the bottom line of my experiences with several different UEFI systems from different manufacturers. You should be able to accomplish what you want to do, but it might be rather difficult or tedious.

      First, on an HP/Compaq system you need to press F9 during boot/POST to interrupt the auto-boot sequence and get a boot selection menu. If you have a UEFI-boot compatible USB stick or CD/DVD inserted when you do this, it will then be included in the boot list that is shown after you press F9. If your device isn't shown, then it isn't UEFI-boot compatible.

      Second, getting an HP UEFI-firmware system to default boot anything other than the Windows bootloader is really difficult. I have written about this in some detail before, so if you really want more information on it, scan back through my blog posts. But the easiest, although least satisfying, solution is to just use the F9 Boot Selection procedure every time you boot the system.

      I have also written in quite a bit of detail about the general procedures for working with and modifying UEFI boot systems. One post in particular was an overview of seven or eight different ways to get a UEFI system to boot Linux. That might be of help to you.

      Good luck,

      jw

      P.S. Yes, I read the comments and try to help when I can.
      j.a.watson@...
      • Thanks..but

        Thanks very much for replying to my comment.

        When I press F9, it will allow me to boot directly to a usb stick, or to a Mint 17 dvd- but there is no option I can find that allows me to boot to the Mint 17 install that I put in.

        Am I misunderstanding you? Is there a way to get to the install that I put in? Live disks/sticks have huge limitations. Is there a way to get to the install I put in?

        I am currently googling your name and HP uefi to find a solution. So far nothing gets me to my install.

        If I have to go through some long winded process to solve this, then I will, because I simply need Mint on this machine.

        Thanks for your response, and I would be grateful for any other ideas you have
        dfolk2
    • UEFI on HP

      Well, first, as I said (but mistyped previously), UEFI multiboot configuration on HP systems is a royal pain in the ass. It doesn't take a terribly complicated procedure to work around it, in my experience, but it can be dangerous so you have to be very careful. The crux of the matter is that the HP UEFI BIOS firmware apparently checks to see if the boot configuration list has the Windows bootloader (bootmgfw.efi) first in the list, and if it doesn't it rewrites the list to put it first - thus undoing whatever you have done (or the Linux installation has done).

      I described this, and one possible way to work around it, in this post:

      http://www.zdnet.com/my-experiments-with-multi-boot-selection-with-uefi-boot-manager-7000013627/

      BE CAREFUL. If you get this wrong, you can make your system unbootable. The specific partition numbers could be different on your system, so make sure that you understand what I am describing in that post, and that it corresponds to what you see on your system.

      One critical thing to check - after you boot the Mint Live image, mount the EFI boot partition and check that there really is a /EFI/ubuntu/ directory, and that it really does contain the necessary files (grubx64.efi and shim.efi). If it doesn't, then something has gone wrong with the Mint installation. If it does, then you should be able to use the procedure explained in my post.

      Another post with a general explanation of setting up UEFI multi-boot:

      http://www.zdnet.com/more-fun-with-windows-8-uefi-secure-boot-fedora-and-ubuntu-7000009292/

      Good luck.

      jw
      j.a.watson@...
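
A read-only pre-flight check for the two things this page relies on, given here as an added example (it is not code from the article, its author or the Mint project): that Secure Boot is reported as enabled, and that the ESP directory holds the loader files named in the comment above. The function names and the demo tree are constructed for illustration; on an installed system the variable file is /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c and the ESP is the partition mounted at /boot/efi.

```shell
#!/bin/sh
# Added example: checks to run before touching UEFI boot entries.
# Function names are hypothetical; the demo paths are constructed sample data.

# Print enabled|disabled|unknown for an efivarfs SecureBoot variable file.
# efivarfs prefixes the value with a 4-byte attribute word, so the
# one-byte SecureBoot value is the fifth byte of the file.
secure_boot_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Print each loader file missing from <esp>/EFI/<vendor>; return 1 if any is.
# usage: missing_loaders ESP_MOUNT VENDOR FILE...
missing_loaders() {
    esp=$1; vendor=$2; shift 2
    rc=0
    [ -d "$esp/EFI/$vendor" ] || { echo "EFI/$vendor"; return 1; }
    for f in "$@"; do
        # -s: a zero-length loader is as useless as a missing one
        [ -s "$esp/EFI/$vendor/$f" ] || { echo "EFI/$vendor/$f"; rc=1; }
    done
    return $rc
}

# Constructed demo tree standing in for a mounted EFI System Partition.
demo=$(mktemp -d)
mkdir -p "$demo/esp/EFI/ubuntu"
printf 'x' > "$demo/esp/EFI/ubuntu/grubx64.efi"      # shim.efi left out on purpose
printf '\006\000\000\000\001' > "$demo/SecureBoot"   # attribute word + value 1

echo "Secure Boot: $(secure_boot_state "$demo/SecureBoot")"
missing_loaders "$demo/esp" ubuntu grubx64.efi shim.efi \
    || echo "install incomplete: do not change the boot order yet"
rm -rf "$demo"
```

Pass whatever loader names your own installation uses as the trailing arguments; the ones in the demo are those quoted in the comment.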
      • Thanks!

        Thanks very very much for paying attention to the comments and helping. I will delve into your fix and see if I can make it happen
        dfolk2
  • Installing Mint17 without secureBoot and using with secureBoot?

    Trying to boot Linux Mint 17 cinnamon-64-v2 - first only from a live dvd - on my new Windows 8.1 Acer Aspire E5-771 - I failed with secure Boot enabled. I only can boot from the dvd (or from a usb-stick prepared with rufus) after turning off secureBoot. As I didn't want to install Linux Mint 17 without secureBoot, I tried to boot with kubuntu-14.04.1-desktop-amd64.iso. And this worked as expected, knowing that kubuntu has a signed EFI-boot loader. So I don't know why it doesn't work with Linux Mint 17 and secureBoot, especially as Linux Mint 17 is based on ubuntu.
    The Linux Mint 17 release notes say 'EFI support - If your system is using secureBoot, turn it off.
    Note: Linux Mint 17 places its boot files in /boot/efi/EFI/ubuntu to work around this bug.'
    So my questions are:
    1st: Do the Linux Mint 17 release notes mean that it's only necessary to turn off secureBoot before booting the Linux Mint 17 dvd and during the installation procedure? And after the installation procedure it's possible to turn on secureBoot and everything is working fine?
    2nd: If this will not work, what can I do to work with Linux Mint 17 AND secureBoot on my Windows 8.1 Acer Aspire E5-771 ?
    Thanks a lot in advance for any help!
    Chris-Ignatius