It has been some time since I have written about installing Linux on systems with UEFI firmware, and I have recently gotten several questions about how to do this. So I think this is a good time for a brief refresher on this topic.
In my opinion, the state of UEFI firmware configuration today is still pretty chaotic - as far as I can tell every OEM has their own peculiar way of handling UEFI configuration, and the differences between them are anything but trivial.
Even worse, in some cases in my own direct experience, different systems from the same OEM have completely different UEFI configuration procedures. So if you have come here looking for simple answers and cookbook procedures, you're going to be disappointed.
The first level of UEFI configuration is the basic choice of whether you want UEFI Secure Boot enabled or not.
Secure Boot is supposed to be one of the major reasons for the existence of UEFI firmware - but in my opinion it is a ridiculously complex solution for a problem that the vast majority of PC users would never be faced with. The idea is to certify the boot image(s) on your computer, so that evil-doers can not corrupt or replace them, and thereby penetrate your system.
What this means is that if you have UEFI Secure Boot enabled, you can only boot a certified signed image - and at least in the original UEFI specification, the only signing authority was Microsoft. I will leave the debate about the wisdom of that decision to others. All I will say here is that this decision had the effect of making installing Linux on UEFI firmware systems much more difficult.
Some OEMs (and their firmware suppliers) have put considerable effort into providing an alternate means for installing keys, certificates and signed images so that their users have at least some slim hope of regaining control of their computers. But in my opinion so far these have been difficult to understand and difficult to use, at best.
On the other hand, some Linux distributions have tried to adapt to UEFI firmware with Secure Boot by including a signed image in their installation. Off the top of my head, I think openSUSE and Ubuntu do this, and I suppose there are some others. They can do it either by getting their own boot images signed by Microsoft, or by producing a complete alternate signing authority, and getting the UEFI firmware to accept that authority and its signed images.
Although this might provide an adequate solution for the few distributions which are willing and have the resources to do it, it doesn't help the vast majority of distributions who don't have the time, resources or interest to get it done.
Therefore my personal choice is to simply disable UEFI Secure Boot. Note carefully, I am saying I disable Secure Boot only - not disable UEFI boot entirely, or return to Legacy (MBR) boot. I actually like working with the implementation of UEFI boot in general; I find it to be more flexible and considerably more robust than the old MBR boot process.
So the first question that I want to address here is how to disable Secure Boot in the UEFI firmware configuration. Unfortunately, as I alluded to above, the answer to this question is neither simple nor consistent.
The first step is fairly easy, and is almost always the same on all systems. To get into UEFI firmware configuration, you press F2 (or sometimes ESC) during the boot sequence. This is the same as it has generally been for Legacy BIOS configuration.
Once you get into UEFI/BIOS configuration, you will see a menu with a number of options such as "Main Advanced Boot Security Save & Exit". Following are two examples of such menus, from systems that I have here on hand:
Other OEMs will certainly have somewhat different configuration menus, so keep an open mind when looking at these.
Within these menus, you want to find something about "Secure Boot", "Secure Boot Processing" or something similar to that. It is typically in either the Boot menu or the Security menu. When you find it, you want to select it and set it to Disabled or Off.
If you have an Acer computer, when you try to do this you will probably get your first surprise. You can't change the Secure Boot setting, at least at first -- it simply won't be possible to select it for editing. It turns out that you must have a "Supervisor Password" set in the UEFI configuration in order to change the Secure Boot mode. But it doesn't actually tell you this anywhere. Sigh. In this case, once you set a password you will then be able to change Secure Boot from Enabled to Disabled.
Once you have disabled Secure Boot, you are halfway home in getting Linux installed and working. You should now be able to boot the installation media for any Linux distribution which supports UEFI firmware (which is just about all of them now).
Although I mentioned this briefly above, I didn't explain it in much detail.
Most Linux distributions today support UEFI installation, but not Secure Boot. What that means in practical terms is that if you have a UEFI firmware system with Secure Boot enabled, and you try to boot the installation CD/DVD/USB media of a Linux distribution that does not support Secure Boot, your installation media will simply not be listed in the boot menu. Once you disable Secure Boot in the UEFI configuration, your installation media will then be listed.
Once your installation media is recognized and listed in the boot menu, you should be able to go through the installation process for whatever distribution you are using without much trouble. The next trick comes when you try to reboot to the installed system.
The problem here relates to how the boot sequence list gets modified. That list specifies what order the various boot objects should be tried, until one which meets the boot requirements is found and is successfully booted. I have seen three different situations in this area:
- The boot priority list can be modified by software, as it should be, and everything just works with no fuss. Current Linux installers assume that this is the case, and they do what is necessary to set up the installed Linux system as the primary boot object, and any other installed operating systems (such as Windows or other Linux distributions) as dual-boot / multi-boot options.
- The UEFI firmware ignores attempts at modifying the boot priority list by software. In this case, the Linux installation appears to work normally, but when you have finished and you try to reboot to the installed system, it just boots Windows again, the same as it always has. There is usually a temporary work-around for this: you can try pressing the "boot selection" key - if you can figure out which one it is. On my Acer systems it is F12; on my ASUS systems it is ESC, and I believe on the HP systems I used to have it was something like F9 or F10. Whatever. If you find the correct key, you should be presented with a list of bootable objects on your computer; if the problem is simply that Linux wasn't able to change the boot sequence, then you will see a Linux installation listed there, and you can select it in order to boot Linux.
- The boot priority list can be modified by software, so it appears that the installation works and you might even be able to boot the installed Linux system the first time you try. But at some point after that, the OEM's boot software will decide to "help you", by correcting the "mistake" that you made in changing the default boot to anything other than Windows. When this happens your computer will suddenly start booting Windows by default, for no apparent reason, and you will have to go back to point 2 above for the temporary solution to boot Linux again. I have seen HP laptops do this many, many times, and this is the main reason (almost the only reason) that I quit buying HP computers altogether.
If you have situation number 1 above, you are a happy person and the world is a wonderful place, so you can stop reading this long-winded article now. If you have situation two or three (or some other that I haven't seen yet, but which also is causing Linux installation/boot not to work), then you need a solution. Read on.
The most common solution/work-around for either case two or three is that the OEM and/or UEFI firmware supplier have provided a means in the UEFI configuration menus for you to manually specify the boot objects, priorities and/or sequence. To accomplish this, you have to get to the UEFI/BIOS configuration menu again, by pressing F2 during boot.
In the Configuration menus, look for the BOOT page, where you should find a list of boot objects something like these:
The important thing to notice in these pictures is that there is a list of boot objects, which will be tried in the order that they are listed, and that there are instructions on the right side of the screen about how to modify this list.
These two systems illustrate the most common methods I have seen so far.
On the ASUS, it lists every bootable operating system that is currently defined and present, and you can simply move items up and down the list to alter the priority, or to change which one will be booted by default.
On the Acer it only lists one "object" of each type - something to boot from the hard drive, the built-in CD/DVD, the Network, the USB ports and so on. To change the priority of different operating systems on the hard drive, you have to first select Hard Drive Priority, which will then bring up a new view that shows all of the known operating systems installed on the hard drive:
In this screen you can change the order of the operating systems, which then sets the sequence in which they will be tried until one of them boots.
The last thing I want to mention, briefly, is that there is also a Linux CLI command which should be able to set the UEFI boot sequence, called efibootmgr. First, for those who are either allergic to or terrified of the command line, I want to stress that it is not necessary to use this command; this is an optional approach.
If you have a system which matches case 1 above, meaning that the UEFI boot table and sequence can be successfully and permanently set by software, then this command can be quite useful - especially if you are setting up a dual-boot or multi-boot system. Using it, you can quickly and easily change what operating system boots by default, for example.
If you have a system which is case two or three above, you still might be able to use this command to configure your UEFI boot sequence - but I would recommend trying to do it via the UEFI configuration menu as I just described.
I can tell you from experience that it is very frustrating to spend the time getting the boot list just the way you want it with this command, and then reboot the system and find that nothing you did really had any effect anyway.
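To tell whether a change made with efibootmgr actually survived a reboot, you can compare the first entry in BootOrder with the entry you want as default. The following is an added example, not part of the original article: the helper function names and the sample output (entry numbers and labels such as "opensuse-secureboot") are constructed for illustration, and the script only prints the `efibootmgr -o` command rather than running it.

```shell
#!/bin/sh
# Constructed sample of `efibootmgr` output (not captured from a real machine).
SAMPLE='BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0003,2001
Boot0000* Windows Boot Manager
Boot0003* opensuse-secureboot
Boot2001* EFI USB Device'

# Print the four-hex-digit number of the first entry in BootOrder.
first_in_order() {
    printf '%s\n' "$1" | sed -n 's/^BootOrder: *\([0-9A-Fa-f]\{4\}\).*/\1/p'
}

# Print the number of the first entry whose label contains $2 (case-insensitive).
entry_for_label() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            label = $0; sub(/^Boot....\*? */, "", label)
            if (index(tolower(label), tolower(want))) { print substr($0, 5, 4); exit }
        }'
}

# Print the current BootOrder with entry $2 moved to the front.
order_with_first() {
    old=$(printf '%s\n' "$1" | sed -n 's/^BootOrder: *//p')
    printf '%s' "$2"
    printf '%s\n' "$old" | tr ',' '\n' | grep -v -i -x "$2" |
        while read -r n; do printf ',%s' "$n"; done
    echo
}

# Return 0 if the wanted entry boots first; otherwise print the fix and return 1.
check_default() {
    num=$(entry_for_label "$1" "$2")
    [ -n "$num" ] || { echo "no entry matching '$2'"; return 2; }
    if [ "$(first_in_order "$1")" = "$num" ]; then
        echo "ok: Boot$num is first"
    else
        echo "efibootmgr -o $(order_with_first "$1" "$num")"
        return 1
    fi
}

# On a real UEFI system (as root): check_default "$(efibootmgr)" opensuse
```

If the check reports "ok" right after you set the order but prints the `efibootmgr -o` command again after a reboot or two, the firmware is reverting your change (situation two or three above), and the UEFI configuration menu is the place to fix it.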
There is one final case that I should mention. When you are installing a Linux distribution as the only operating system on your UEFI-firmware system, in my experience it is very likely to work properly, the first time, without requiring any additional manual configuration.
So, that's a brief overview of UEFI and Linux as I deal with it today. I apologize again for it being so vague, but that is exactly the way things are on my computers today.
If you are very lucky, when you install Linux the UEFI boot sequence will just work as it should, and you won't have to worry about any of this. If you are not lucky, then the most important thing when you try to solve the problem is to keep an open mind, look carefully at the UEFI configuration options, and read the Help/Information text found at the right side of most items carefully.