More experiments with Linux-only UEFI Secure Boot installation

Summary: UEFI BIOS and Secure Boot work perfectly well with only Linux installed according to the experiments I have conducted on my own PC.


My recent series of posts concerning UEFI and Secure Boot technology has drawn several comments and questions about the possibility of installing only Linux on such a system. 

I have just had to completely reload my HP Pavilion dm1-4310 system (don't ask), so before reloading Windows 8, I decided to take the opportunity to do a bit of testing.  The results have been quite interesting and encouraging.

How I installed Fedora 18 with UEFI Secure Boot

Before performing these installations, in order to ensure that there would be no "relics" left on the disk, I deleted all of the existing partitions. I also ensured that UEFI Boot and Secure Boot were enabled, and Legacy Support was disabled. 

I made the installations from the standard openSuSE 12.3 and Fedora 18 ISO images, both of which are compatible with UEFI Secure Boot. I decided to do the testing in four steps - first, I installed only Fedora to the empty disk; then I wiped the disk again, and installed only openSuSE to the empty disk; then I reduced the size of the openSuSE partition to free up some space, and installed Fedora alongside openSuSE; finally, I wiped the disk again and reinstalled Windows 8 using the HP Recovery USB stick.

Step One: Fedora 18 installation

I specifically tried to let anaconda make a "default" installation; the only significant change that I made was to select "Standard Partitions" rather than LVM disk management. 

Fedora was installed with five partitions: one was a FAT partition for EFI Boot, and the others were ext4 partitions for swap, root, home and boot. When I rebooted after the installation was complete, it booted Fedora with absolutely no problem, with UEFI Secure Boot still enabled. When I checked the UEFI boot configuration with efibootmgr, I found that it had cleared out all the old entries and made a single entry to boot Fedora via the shim EFI binary.

Step Two: openSuSE 12.3 installation

Once I was convinced that the Fedora 18 installation was working properly, I once again deleted all of the existing disk partitions, and installed openSuSE to the empty disk.  The only change that I made this time was to correct the bootloader installation, from "grub2" to "grub2-efi" (the necessity for this is described in my previous post about Installing openSuSE 12.3 with UEFI).  This time the installer created four partitions (openSuSE does not create a separate /boot partition by default).

Once again the EFI boot configuration had been cleared but this time it had created two new entries, one for Secure Boot which pointed to the shim EFI binary, and the other pointed to a grub EFI binary, which could be used when Secure Boot is disabled.  When I rebooted after installation, with Secure Boot still enabled, openSuSE came up with no problem.

Step Three: Adding Fedora to the existing openSuSE installation

I reduced the size of the openSuSE home partition to make room for Fedora, then went through the normal Fedora installation.  I once again let anaconda make a default installation, changing only to Standard Partitions. Interestingly, anaconda created new partitions for both EFI boot and swap, even though there were existing partitions for both of those. If I had been doing a "normal" installation, I would have directed it to use the existing partitions for both of those. 

When I checked the EFI Boot configuration, I saw that the installer had created an entry for Fedora, but the number was higher than the existing openSuSE entries. Sure enough, when I rebooted it came up with openSuSE so it was obviously booting the lowest numbered entry.  I then deleted the openSuSE boot entries, using efibootmgr, and when I rebooted it came up with Fedora.

At this point I decided to do some experimenting with UEFI boot configuration - previously, with the standard HP Windows 8 configuration, any changes I made to the UEFI boot configuration were very unpredictable - some worked, some didn't, and some appeared to work for a while but then would suddenly be removed and it would return to the default configuration. 

As a first small step, with the configuration containing only the Fedora boot information, I added a line for openSuSE with identification number 0000, so it became the first in the list. 

Then I rebooted, and openSuSE came up.  So far so good. 

Then I removed both of the boot entries, and created them again, this time with Fedora first at number 0001, and openSuSE at number 0002.  This also worked as I expected, when I rebooted it once again came up with Fedora.  Finally, I rebooted and pressed F9 (Boot Select), and I could then select to boot either openSuSE or Fedora.

This is all very good news: it means that the erratic behavior I had previously seen, with EFI Boot configuration changes getting lost, is indeed a result of some sort of special handling set up either by HP or Microsoft. 

If I spent a lot more time experimenting and observing this I might be able to figure out specifically which one did it (or both), but I don't really care enough to fight with it any more. Suffice it to say, for those who want to know if Linux-only installation with UEFI boot is possible, the answer is yes.

Step Four: Restore the original Windows 8 from the HP recovery media 

I removed the existing disk partitions again, so it was starting with an empty disk, and then booted the USB stick that HP support had sent me. The difference in time required here was really astounding.  Installing either Fedora or openSuSE from scratch required less than 30 minutes, but the Windows 8 "recovery" has been running for over two hours now, and it is still not done.  It just finally asked me for the user name and password, so at least it is getting close.  Wow.

Finally, I got a bit more evidence that someone is "fiddling with the knobs in the back" when Windows is installed. After the Windows installation finally finished, I reduced the size of the C: partition and installed openSuSE into the free space. 

When that had finished, but before rebooting, I checked the EFI boot configuration again and as expected, I saw that it had added its usual two entries, one for Secure Boot and one for normal boot. 

Unexpectedly, though, the Windows installation had created the entry for its Boot Loader with number 0002 (no idea why it did this, there was nothing else in the list at that time), and now openSuSE had created the non-secure entry with number 0001 and the Secure Boot entry with number 0003. 

Hmmm.  If this works as I would expect it to, the system should now boot openSuSE. 

But of course it didn't: when I rebooted it came up with Windows 8.  I have no idea why - it certainly isn't because of the sequence of the numbers, and it isn't because of the BootOrder configuration, so there must be some kind of hidden priority for the Windows Boot Loader.  Sigh.
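The ordering experiments above (which entry BootOrder puts first, and which entry actually came up after the reboot) can be checked from efibootmgr output instead of by rebooting and watching. The following Python script is an added example, not code from the post: it parses constructed `efibootmgr -v` output modelled on the final Windows/openSuSE situation, resolves the entry that BootOrder says should boot, compares it with BootCurrent, and lists the entries that load shim (the ones that can start with Secure Boot enabled); the sample text, labels and GPT GUID are constructed placeholders.

```python
import re
from typing import List, Optional

# Constructed sample in the format of `efibootmgr -v`, modelled on the situation
# described in the post (Windows at 0002, openSuSE at 0001 and 0003). It is not
# output captured from the author's machine; the GPT GUID is a placeholder.
DISK = "HD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x100000)"
SAMPLE_EFIBOOTMGR = (
    "BootCurrent: 0002\n"
    "BootOrder: 0001,0003,0002\n"
    f"Boot0001* opensuse\t{DISK}/File(\\EFI\\opensuse\\grubx64.efi)\n"
    f"Boot0002* Windows Boot Manager\t{DISK}/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)\n"
    f"Boot0003* opensuse-secureboot\t{DISK}/File(\\EFI\\opensuse\\shim.efi)\n"
)

ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)$")  # BootXXXX[*] label<TAB>path
SHIM_RE = re.compile(r"\\shim\w*\.efi\)$", re.IGNORECASE)    # ...\shim.efi or ...\shimx64.efi

def parse_efibootmgr(text: str) -> dict:
    """Parse efibootmgr output into BootCurrent, BootOrder and the BootXXXX entries."""
    cfg = {"current": None, "order": [], "entries": {}}
    for line in text.splitlines():
        if line.startswith("BootCurrent:"):
            cfg["current"] = line.split(":", 1)[1].strip()
        elif line.startswith("BootOrder:"):
            cfg["order"] = [n.strip() for n in line.split(":", 1)[1].split(",") if n.strip()]
        else:
            m = ENTRY_RE.match(line)
            if m:
                num, star, rest = m.groups()
                label, _, path = rest.partition("\t")  # with -v, label and path are tab-separated
                cfg["entries"][num] = {"label": label.strip(), "active": star == "*", "path": path.strip()}
    return cfg

def expected_boot_target(cfg: dict) -> Optional[str]:
    """The entry the firmware should boot: the first *active* number listed in BootOrder.
    Entry numbers themselves carry no priority; only their position in BootOrder does."""
    for num in cfg["order"]:
        entry = cfg["entries"].get(num)
        if entry and entry["active"]:
            return num
    return None

def boot_order_honored(cfg: dict) -> bool:
    """True when BootCurrent (what actually booted) is the entry BootOrder put first."""
    return cfg["current"] is not None and cfg["current"] == expected_boot_target(cfg)

def shim_entries(cfg: dict) -> List[str]:
    """Entries whose load path is shim, i.e. the ones that can start with Secure Boot enabled."""
    return sorted(n for n, e in cfg["entries"].items() if SHIM_RE.search(e["path"]))

if __name__ == "__main__":  # on a real system, feed in the output of `efibootmgr -v` instead
    cfg = parse_efibootmgr(SAMPLE_EFIBOOTMGR)
    print("expected:", expected_boot_target(cfg), "booted:", cfg["current"],
          "honored:", boot_order_honored(cfg), "shim entries:", shim_entries(cfg))
```

On the constructed sample the check reports that 0001 (openSuSE) should have booted but 0002 (Windows Boot Manager) did, which is exactly the mismatch worth recording before changing anything with efibootmgr.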

Topics: Linux, Open Source, Operating Systems

J.A. Watson

About J.A. Watson

I started working with what we called "analog computers" in aircraft maintenance with the United States Air Force in 1970. After finishing military service and returning to university, I was introduced to microprocessors and machine language programming on Intel 4040 processors. After that I also worked on, operated and programmed Digital Equipment Corporation PDP-8, PDP-11 (/45 and /70) and VAX minicomputers. I was involved with the first wave of Unix-based microcomputers, in the early '80s. I have been working in software development, operation, installation and support since then.



  • Of course

    Are you really surprised Microsoft has a way of "rigging the game" with the boot sequence?

    The disparity of installation times is nothing new. I have never understood why I can install Linux Mint in a quarter the time it takes to install Windows.
  • Good Article, but to what end?

    I don't think you can find any Linux users that have suffered in any way because of the lack of UEFI.

    It's a good exercise, but you would not notice any real world difference, just disabling it for Linux. That would allow ease of third party maintenance if necessary, which would be a real benefit if you weren't available.

    I would easily do a Linux Mint installation without UEFI, but don't feel comfortable leaving it off on Windows when a dual boot is desired. I think Microsoft is 50/50 on using UEFI, 50% to try and increase their dismal botnet security and 50% to thwart Linux. But, recent articles have cast doubt on how effective it has been to improve Windows security, questioning if it really makes a difference.

    Why would I want to get involved with UEFI if I don't need it? I haven't used Microsoft in 12 years.
    • Dual-boot

      " I would easily do a Linux Mint installation without UEFI, but don't feel comfortable leaving it off on Windows when a dual boot is desired. "

      If I get a computer with Windows, I put Linux on it, in a dual-boot set-up (if only to make life easier when I need to "register" my Linux-powered ebook-reader, or perhaps run Turbo-Tax). If I'm introducing someone else to Linux, the dual-boot option makes a good "security blanket". But neither fiddling with the BIOS to toggle between OSs, nor skipping "Secure Boot" is acceptable.
  • Best Linux/Secure-Boot article yet on ZDNet

    "This is all very good news, it means that the erratic behavior I had previously seen, with EFI Boot configuration changes getting lost is indeed a result of some sort of special handling set up either by HP or Microsoft.

    If I spent a lot more time experimenting and observing this I might be able to figure out specifically which one did it (or both), but I don't really care enough to fight with it any more. Suffice it to say, for those who want to know if Linux-only installation with UEFI boot is possible, the answer is yes."

    I am glad to see a Linux supporter who actually tried loading Linux on a Secure-Boot enabled machine, and was successful with different flavors of Linux. You ran into some issues, which is to be expected when forcing an oval peg into a round hole, but you figured it out and were able to install your chosen operating systems - congratulations. It is a bit disappointing that you point fingers at HP and Microsoft and then admit in the next sentence that you really don't know what was causing the problems and don't care enough to figure it out. But at least you are not like the majority of Linux backers who post on ZDNet, whining that Microsoft is evil and should do the development for them and pick up all the costs.
    • Not necessarily "evil"

      I actually tried to choose my words fairly carefully in the last section of the post, that is why I used the phrase "fiddling with the knobs in the back". I think that I understand why HP and/or Microsoft do this, because the absolute worst thing that could happen, from their perspective, is that the system gets changed in some way that makes it unbootable, so when they detect that something is changed, they try to "undo" or "restore" that. I have no major objection to that, in principle, because I don't want to be the one who would have to answer all those support calls, either.

      What I really wish for is two things - first, clear documentation of what is being checked, how and why, which will trigger this "repair", and second, some reasonable way to make permanent changes to the UEFI Boot configuration so that I can get it to boot what I want. My understanding of the UEFI specification is that this could exist (and even should exist), but there is nothing of the sort on either of the UEFI systems I have so far.

      The reason that I said "I don't care enough to figure it out" is that if I can find a way to make it work, for now, and I know that the whole system is still being changed, I don't want to waste a lot of time tracking down, figuring out and learning something which is not going to be relevant in the near future.

      Thanks for reading and commenting.

      • There are lots of problems with EFI and Linux - not just secure boot

        On my Windows 7 HP machine, the Windows boot loader did all kinds of inexplicable things. For example, I installed an old disk as a secondary drive - intending to copy data to the new system this way. But with that secondary drive installed, the Windows boot loader insisted on trying to boot from it - even though the boot order, etc said not to, and even when I specifically selected the Windows 7 drive from the boot menu. I ended up having to completely repartition the old drive in order for Windows to even allow it to be there.

        On the EFI side, not all Linux distros know how to handle EFI booting at all - let alone the 'secure' variety. And it's not always possible to get a linux installation CD or flash drive to boot up in EFI mode so that the installer (even if it supports EFI) knows to install an EFI bootloader. It took me a hellish 2 weeks to get a dual boot up and running on this machine. That said EFI (not the secure kind) has potential for making dual booting easier. But the variety (and inconsistent quality) of EFI firmware, coupled with the need to support legacy mode makes for a really nasty transition.
        little noodles
  • Thanks for trying.

    I'll be one of those who will want to dual boot Windows and Linux if only to do my taxes. Hopefully I won't need a new laptop for a few years and maybe this will all get figured out by then.
    Fred Talmadge
    • doing taxes on Linux

      Fred, you don't say how complicated it is for you to do your taxes, but I have been using a SECURE online site to do my taxes for several years now, and I chose them specifically because their site worked fine in Linux. So there are some solutions.

      Also, if your laptop stays in a fairly secure place, you could consider using Legacy Boot, which I plan to do myself. Using it should make it dead simple to install both Windows and Linux, and dual-boot at will.
      Thomas Gellhaus
    • No reason to dual boot to do your taxes, use a VM

      The only reason to dual boot is if you are using some Windows program that requires direct access to some hardware device. If you are like me, a Linux user who needs to run a few Windows programs, then a VM is the way to go. I have an XP VM running on one of my systems which I access via rdesktop. I use it for Quickbooks, Quicken, to do my taxes (H&R Block at Home) and occasionally to use Office 2010 when I have some document that LibreOffice can't handle. The performance of the VM is just fine for that type of usage. What's more, a VM is a better way to run Windows because it's trivial to restore if Windows roaches itself. You also have access to the Windows programs all of the time.
      • Dual-booting works for the Windows that came on the computer

        As far as I know, installing Windows in a VM would require buying a new Windows license.

        Am I mistaken?
  • Linux-only UEFI

    Looks like Linux-only UEFI has progressed well since I last looked (about 6 months ago) but I'm not going to try it real soon. I'll wait till the dust settles and most of the issues (e.g. MS apparent preference booting) are ironed out. Thankfully I have the luxury of time, so I don't need to rush.
    As always I wonder why an open secure boot system can't be put together?
  • This article only tells 1/2 the story ...

    .... and probably not the most important 1/2 where it concerns the long term viability of Linux.

    Wiping out your new UEFI / safe boot machine and installing Linux is next to meaningless. The real issue is what UEFI / safe boot does to the dual boot Windows/Linux installation.

    Oh sure, Linux enthusiasts can indeed wipe everything away and rebuild their own system, but most people coming over to Linux will probably want to try a dual boot configuration first before they fully commit to Linux ... UEFI / safe boot has made this option just about impossible for most people, meaning that Linux is now no longer an option for Windows users to experiment with.

    When you can write an article testing the dual boot Windows/Linux capabilities of UEFI / Safe Boot machines and come back and say "everything looks fine and simple", then your assessment will be important ... in this case, you're reassuring the Linux geek that they can stay on their Linux systems, but ignoring that the current state of things is such that the growth of Linux has been cut off at the legs with this new MS backed 'virus'.
    • Look around, there is plenty more information

      I have written a LOT recently about dual-booting, multi-booting, and just about every other configuration of Linux and/or Windows with UEFI and Secure Boot. Sometimes it works, sometimes it doesn't, but as you point out it is generally not easy, especially with Secure Boot enabled. The situation continues to change, and I will continue to write about it, so keep an eye on this space for more information.

      Thanks for reading and commenting.

  • UEFI and Ubuntu 32,64 bit

    Mr. Watson,
    I wish I had seen your article 2 months ago, before I tried to install Linux on my brand new computer. I had not heard of the efi partition and thought I could just use the "legacy" boot which was in the BIOS. Although I ordered my PC without an OS, the company installed Windows 8 for testing and then deleted it again. This left the Windows partitioning intact. And this mysterious partition could not be detected by all my pre-2012 Linux CDs because something changed only in the last year. Alas, I was able to install the 32-bit Ubuntu 12.04 but not the 64-bit. Maybe in the new year I will try again using your excellent articles as a guide (sigh..backups...a week of lost work).
    Best regards,
    Rose Dlhopolsky