More fun with Windows 8 UEFI, Secure Boot, Fedora and Ubuntu

More fun with Windows 8 UEFI, Secure Boot, Fedora and Ubuntu

Summary: I've been trying to set up multi-booting with Windows 8 and Linux - with limited success. Here's what I've learned so far.

SHARE:

Since my last blog post about the HP Pavilion dm1-4310ez, I have continue to investigate and experiment with Unified Extensible Firmware Interface (UEFI) boot, Secure Boot, and multi-booting with Windows 8 and Linux. 

The results have been mixed: I have learned a bit and been frustrated a lot. 

What I intend to present here is a summary of what I have learned so far. I know that there has been a lot of information and discussion of EFI and Secure Boot in the Linux community, but it seems to me that most of it has been speculation and opinion based on reading the public statements and information available, and very little of it has been from people who actually have such a system and have tried to set it up with Linux and/or Windows. 

So here comes some first-hand information.

1. Legacy boot

My first conclusion after extensive tinkering and testing is exactly the same as what has been mentioned in several comments to my previous post. 

The key to using Linux successfully and comfortably with UEFI/Secure Boot systems is the presence of configuration options in the BIOS. 

I cannot make any general comments here about how common that is, because this HP dm1 is the only such system that I own so far. But on this system, the presence of "Secure Boot enable/disable" and "Legacy Boot enable/disable" gives me all the control I need. I will discuss this more below, but for now the important point is that by enabling Legacy Boot (which automatically disabled Secure Boot), I can load whatever distributions I want on this system, in exactly the same way that I do on any other of my systems.

After wiping Windows 8 and installing nothing but Linux during the previous blog post, I decided to go back and see what it would be like to try to get Windows 8 and Linux to co-exist. To that end, I contacted HP support and ordered the Windows 8 recovery media for this system. 

The support person I dealt with was friendly and helpful, and I was told that the media had been ordered for me the next day. It took longer than I would have expected, but about two weeks later it actually arrived - and I was surprised to see that it was a bootable USB stick, rather than the usual collection of DVDs. Congratulations to HP for this, to begin with.

Booting the recovery media and doing a "Factory Recovery" installation of Windows 8 was reasonably easy, but of course the actual installation took much, much too long. 

Something like two or three hours just to restore the base operating system and then install the device-specific hardware drivers, and then another hour or two to play the still "Windows Update" game, with multiple sequences of "search for updates, install updates, reboot". 

The good news, anyway, is that after a half day or so the dm1 was once again running Windows 8 exactly as it had been when it came out of the box.

2. EFI Secure Boot enabled, Legacy Boot disabled

Next I tried installing Linux, with the BIOS in the factory configuration - EFI Secure Boot enabled and Legacy Boot disabled.

In this configuration I have only been able to install Ubuntu (12.10 and 13.04 pre-release), and Fedora (18 pre-release).  After mentioning in my previous post that Fedora 18 would not install in this configuration, I was contacted by Adam Williamson. 

He told me that the Fedora 18 Beta did not have the final UEFI/Secure configuration yet, which is not a surprise, and a short time later he pointed me to a newer F18 test release which did have the complete Secure Boot configuration, so that I could test it.  I was quite pleased to see that it installs and boots with no problem.

However, these installations do not result in what I would consider a normal multi-boot configuration. 

In both cases, after doing a normal Linux installation, when I rebooted the system it booted directly to Windows 8 - it did not boot Grub 2 (Linux) as I would have expected it to do on a "normal" system, and it did not present any kind of Windows multi-boot selection. 

I did find that if I pressed the "Boot Selection" hot key (F9 on HP systems), I would then get a selection list which listed "OS Boot Manager" (that booted Windows 8), and whatever Linux Secure Boot installations were present - either Fedora or Ubuntu or both. 

I could then select one of the Linux distributions from there, and it would boot normally - but of course this requires paying attention at power-on and pressing F9 before it starts to boot Windows.

I then tried to add the Linux distributions to the Windows boot loader. 

I first tried with bcdedit, using basically the same approach as I have done to add Linux to the Windows 7 boot loader, and when that failed I tried using easyBCD.  Here I made several attempts, first using the easyBCD default configuration for Linux, and then by replacing their mbr boot files with the efi boot files set up during the Fedora and Ubuntu installation. 

All failed miserably. Although it did cause the Windows 8 boot loader to go to a multi-boot selection menu (which is graphical in presentation, rather than the nasty old text-mode multi-boot of Windows 7), it never even came close to booting the Linux systems. All I ever got was a relatively unhelpful message about "required files were missing".

I did learn a few other interesting things about the EFI boot configuration. The Windows 8 installation creates a special FAT-32 partition for EFI Boot, separate from the Windows C: partition. 

When Ubuntu is installed, it will recognise this existing partition, and it will add its own boot configuration to it. However, the Fedora 18 pre-release did not use this existing partition by default, it created a new partition for its EFI boot configuration.

This is not a big deal, and obviously the boot loader is able to recognise this since Fedora is showing up in the F9 boot select menu, but I am a bit fanatical about not using extra partitions, so I found that if you set up the partitions manually during Fedora installation, you can actually point it specifically to this partition for its /boot/efi setup, and it will then not create its own partition.

Another thing that I found was that when I selected one of the Linux installations to boot, it then came up with Grub 2 (which is of course what I would expect). The Grub 2 configuration was capable of finding and listing the other operating systems installed on the disk, so if I ran update-grub (Ubuntu) or grub2-mkconfig (Fedora), they would both list each other and Windows in the boot list. 

However, it would only actually work with Ubuntu.  That means I could select Ubuntu from the F9 boot selection list, but then when the Grub list came up I could select Fedora, and it would boot.  But if I tried to do the same from the Fedora list, and boot Ubuntu, it would fail. This might well be a pre-release bug, so we will have to wait until the final release (hopefully next week) to see if this has been fixed.

3. Secure Boot disabled but Legacy Boot not enabled

The next step was to disable Secure Boot (but still not enable Legacy Boot).  In this case the results were essentially the same as before, but there is more promise for future compatibility and ease of setup here. 

There is a clear and important distinction between EFI booting and Secure booting - that means, a computer and an operating system can support EFI booting without having the required signed certificate to enable secure booting; that means that any Linux distribution could include EFI boot support without having to add Secure Boot support.  This is a good thing, and as long as the system BIOS includes a switch to disable Secure Boot, it could make life easier in the future.

Finally, as mentioned above, if I turn on Legacy Boot support, the boot loader includes a "shim" which supports boot-sector files in the way that all previous Windows distributions have done. 

Doing this means that you could then load any Linux distribution that was possible on any previous system, without worrying about the issued discussed above.  My only comment on this is that it would be nice to be able to find out if such a BIOS configuration option is available before purchasing a system, but my experience so far indicates that this is not likely to be possible. 

I have a difficult time even finding out from the pre-sales technical information if a system has EFI boot or not, much less whether it is configurable or not.

Next steps

I plan to continue testing and experimenting with this system. The next interesting event is going to be the final release of Fedora 18. 

As soon as that happens I will give it a try, and I plan to report on its installation, configuration, compatibility with secure boot, and cooperation with Windows and other Linux installations. Let's hope that happens next week!

Topics: Linux, Hardware, Open Source, Windows 8

J.A. Watson

About J.A. Watson

I started working with what we called "analog computers" in aircraft maintenance with the United States Air Force in 1970. After finishing military service and returning to university, I was introduced to microprocessors and machine language programming on Intel 4040 processors. After that I also worked on, operated and programmed Digital Equipment Corporation PDP-8, PDP-11 (/45 and /70) and VAX minicomputers. I was involved with the first wave of Unix-based microcomputers, in the early '80s. I have been working in software development, operation, installation and support since then.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

75 comments
Log in or register to join the discussion
  • And that's all there is to it.

    "I will discuss this more below, but for now the important point is that by enabling Legacy Boot (which automatically disabled Secure Boot), I can load whatever distributions I want on this system, in exactly the same way that I do on any other of my systems."

    The Windows guys have been telling the Linux guys, especially SJVN, this is all they need to do to avoid the "problem". Yet they continue to accept it.
    ye
    • One experiment J.A. hasn't run yet is....

      Keep Windows 8 with SecureBoot disabled and then install a UEFI-unaware Linux distro. Blowing away Windows 8, installing Linux, and then restoring Windows 8 sound like a major hassle to me.

      So tell me again why my (or anyone else's) next Linux machine should be a Windows 8 preload.
      John L. Ries
      • It shouldn't.

        If you don't want Windows preloaded then buy a system that doesn't have it preloaded. It's as simple as that.
        ye
        • Glad to have extracted...

          ...that concession from you. You argued against that very point a couple of days ago. I still think it's lot more sensible than "just turn off UEFI".
          John L. Ries
          • I did? Where?

            Reference please.
            ye
          • Excuse me

            You argued against my reasons, which amounted to the same thing.

            Going back to SJVN's article "2013: Installing Linux on Windows 8 PC is still a pain" (http://www.zdnet.com/2013-installing-linux-on-windows-8-pc-is-still-a-pain-7000009237/), we have a post from you entitled:

            "Yes, people do it all the time. " (to the question of whether people are obligated to buy what they have no intention of using)

            You did claim that the whole question of UEFI requirements was relevant only to people that actually want to run Windows 8 (like nobody ever replaces Windows preloads with Linux, not even me). On rereading your responses, you're technically correct that you never said that Linux users should buy Windows 8 preloads, but you argued with my posts that said those who don't intend to use Windows 8 shouldn't buy such machines, nevertheless.

            Buying is voting, so it's important to vote as accurately as one reasonably can.

            Thus, it's much better for Linux users to not buy Windows 8 preloads in the first place, than it is to follow your repeated suggestion to "just disable UEFI". It takes revenue away from MS' loyal OEM partners, but maybe that will prompt them to put their customers' wishes ahead of MS'.
            John L. Ries
          • I totally agree with you

            "it's much better for Linux users to not buy Windows 8 preloads in the first place"

            Yes. Absolutely right, especially if you are the type of Linux user who is such a computer newbie that you are unable to figure out how to disable secure boot because if you are that much of a computer newbie, you'll never figure out how to download, burn / transfer to bootable USB stick, ensure that the computer will boot from your install media, and then go through an OS installation.

            So then the question becomes: why is SJVN harping so much on the lie that installing Linux on a Windows PC is so difficult? Ignoring the fact that this is a lie, shouldn't you be begging and pleading with him to stop with this ridiculous jihad and focus more on telling people that they should be buying Linux PCs?
            toddbottom3
          • toddbottom3 ...did you dual boot Linux on your Surface?

            Surface probably couldn't handle it anyway ................
            Over and Out
          • Customers wishes? How many would that be?

            Most companies like these make the majority of their money seeling turn-key systems. A car ready to drive, ect.

            Sure they offer you a variety of opions, but one that you can't really get is a car engine free. This is done according to their customer's wishes. If they thought
            there would be money in it, they'd do it.

            Most of these companies deal with what the majority want, not the minority. It's always been a losing proposition trying to please 100% of the people 100% of the time.
            William Farrel
          • Which is why...

            ...it behooves customers who can't find what they want to ask. If the vendor refuses to accommodate you, then make sure he knows he just lost a sale. I've heard the "devote 100% of your effort to pleasing 90% of your customers" sophistry for years (I used to see it in defence of IE-only websites), but why write off a significant number of potential customers when it doesn't take any real effort to give them what they want? Unless, of course, you're afraid your biggest supplier is going to punish you for disloyalty?

            And even it's really a market based decision, how can vendors know what you want if you won't tell them?
            John L. Ries
          • Excellent idea

            May I make a suggestion that you approach ZDNet and offer to replace SJVN? In 2 posts, you have provided more value to the Linux community than SJVN has in 2 years.
            toddbottom3
          • At least if you're a die-hard windows monomaniac.

            He says stuff you don't like about windows, so he's useless at linux, right?
            Stick to your MS fantasies and leave linux to the big boys.
            radleym
          • Big Boys?

            Considering how quickly most Linux supporters around here degenerate to childish name-calling I wouldn't be particularly inclined to think they were the big boys.
            KOL2024
          • How do you know it doesn't take any real effort to give everybody

            what they want?

            I have to agree that they can't focus on everyone, but did they lose a sale, or save some revenue? When your business is focused on selling a certain product to 90% of the market, is it cost effective to worry about that 10%? Yes, they lost a sale of a product that would make them a $25 profit, but did they save $30 doing so?

            I doubt it has anything to do with MS punishing OEM's for what you call disloyalty. That's an easy excuse to use because you're not seen as profitable to be catered to. I will bet it has everything to do with cost to profit of inventory management.

            Look at servers: OS free, Red Hat, Windows Server are your choice from OEMs. That's because of higher margins, lower sales volume, and its what customers want or need.

            That says to me that for PCs, not enough of the want or profit is there to make it worth OEM's time.
            NoMore MicrosoftEver
          • Exactly

            "When your business is focused on selling a certain product to 90% of the market, is it cost effective to worry about that 10%? Yes, they lost a sale of a product that would make them a $25 profit, but did they save $30 doing so?"

            It's all about cost - if OEM's can make a worthy profit from the sale of OF free, or Linux based systems, the they'll offer that.

            Why would MS need to punish "disloyal OEM's" if they sell Linux based systems, as the FOSS market is already doing that to OEM's - not too many people are buying the Linux systems they are selling, and probably not worth investing in too heavily.

            Remember, if it doesn't work, they're out alot of money. Most companies have to be pretty certain they'll have "X" amount of customers in "X" amount of time before they risk millions on something.

            As I've always pointed out - its easy to claim what a company like Dell or HP should invest in when it's not your money at risk.
            William Farrel
          • Why would MS need to punish disloyal OEM's if they sell Linux based systems

            Because MS doesn't want them to sell Linux based systems.
            guzz46
          • it's the 80 / 20 rule of business

            80% of your business will come from 20% of your customers, and 99.9999% of your customers in the PC, home computer game, will be perfectly happy with 100% windows installed on their 'plug and play' pc's. And they will happily use those computer's until they are out dated when they will purchase another 100% windows systems, and spend their life happily and productive.
            Aussie_Troll
          • Right!

            Thats why there's only one model of car, and why limited editions are so unpopular etc., etc, etc.
            radleym
        • If you don't want Windows preloaded then buy a system that doesn't have it

          I'm afraid it's not that simple, in my country we don't have that option, it's either buy a PC with windows preloaded or buy a mac.
          guzz46
        • Practical Tip to Disabling Secure-boot and Boot from Nix Media

          http://install-climber.blogspot.com/2013/01/windows8-howtodisablesecureboot-bootfromcddvdinstallationmedia.html
          magcig