More fun with Windows 8 UEFI, Secure Boot, Fedora and Ubuntu

I've been trying to set up multi-booting with Windows 8 and Linux - with limited success. Here's what I've learned so far.
Written by J.A. Watson, Contributor

Since my last blog post about the HP Pavilion dm1-4310ez, I have continued to investigate and experiment with Unified Extensible Firmware Interface (UEFI) boot, Secure Boot, and multi-booting with Windows 8 and Linux.

The results have been mixed: I have learned a bit and been frustrated a lot. 

What I intend to present here is a summary of what I have learned so far. I know that there has been a lot of information and discussion of EFI and Secure Boot in the Linux community, but it seems to me that most of it has been speculation and opinion based on reading the public statements and information available, and very little of it has been from people who actually have such a system and have tried to set it up with Linux and/or Windows. 

So here comes some first-hand information.

1. Legacy boot

My first conclusion after extensive tinkering and testing is exactly the same as what has been mentioned in several comments to my previous post. 

The key to using Linux successfully and comfortably with UEFI/Secure Boot systems is the presence of configuration options in the BIOS. 

I cannot make any general comments here about how common that is, because this HP dm1 is the only such system that I own so far. But on this system, the presence of "Secure Boot enable/disable" and "Legacy Boot enable/disable" gives me all the control I need. I will discuss this more below, but for now the important point is that by enabling Legacy Boot (which automatically disabled Secure Boot), I can load whatever distributions I want on this system, in exactly the same way that I do on any other of my systems.

After wiping Windows 8 and installing nothing but Linux during the previous blog post, I decided to go back and see what it would be like to try to get Windows 8 and Linux to co-exist. To that end, I contacted HP support and ordered the Windows 8 recovery media for this system. 

The support person I dealt with was friendly and helpful, and I was told that the media had been ordered for me the next day. It took longer than I would have expected, but about two weeks later it actually arrived - and I was surprised to see that it was a bootable USB stick, rather than the usual collection of DVDs. Congratulations to HP for this, to begin with.

Booting the recovery media and doing a "Factory Recovery" installation of Windows 8 was reasonably easy, but of course the actual installation took much, much too long. 

Something like two or three hours just to restore the base operating system and then install the device-specific hardware drivers, and then another hour or two to play the still "Windows Update" game, with multiple sequences of "search for updates, install updates, reboot". 

The good news, anyway, is that after a half day or so the dm1 was once again running Windows 8 exactly as it had been when it came out of the box.

2. EFI Secure Boot enabled, Legacy Boot disabled

Next I tried installing Linux, with the BIOS in the factory configuration - EFI Secure Boot enabled and Legacy Boot disabled.

In this configuration I have only been able to install Ubuntu (12.10 and 13.04 pre-release), and Fedora (18 pre-release).  After mentioning in my previous post that Fedora 18 would not install in this configuration, I was contacted by Adam Williamson. 

He told me that the Fedora 18 Beta did not have the final UEFI/Secure configuration yet, which is not a surprise, and a short time later he pointed me to a newer F18 test release which did have the complete Secure Boot configuration, so that I could test it.  I was quite pleased to see that it installs and boots with no problem.

However, these installations do not result in what I would consider a normal multi-boot configuration. 

In both cases, after doing a normal Linux installation, when I rebooted the system it booted directly to Windows 8 - it did not boot Grub 2 (Linux) as I would have expected it to do on a "normal" system, and it did not present any kind of Windows multi-boot selection. 

I did find that if I pressed the "Boot Selection" hot key (F9 on HP systems), I would then get a selection list which listed "OS Boot Manager" (that booted Windows 8), and whatever Linux Secure Boot installations were present - either Fedora or Ubuntu or both. 

I could then select one of the Linux distributions from there, and it would boot normally - but of course this requires paying attention at power-on and pressing F9 before it starts to boot Windows.

I then tried to add the Linux distributions to the Windows boot loader. 

I first tried with bcdedit, using basically the same approach as I have done to add Linux to the Windows 7 boot loader, and when that failed I tried using easyBCD.  Here I made several attempts, first using the easyBCD default configuration for Linux, and then by replacing their mbr boot files with the efi boot files set up during the Fedora and Ubuntu installation. 

All failed miserably. Although it did cause the Windows 8 boot loader to go to a multi-boot selection menu (which is graphical in presentation, rather than the nasty old text-mode multi-boot of Windows 7), it never even came close to booting the Linux systems. All I ever got was a relatively unhelpful message about "required files were missing".

I did learn a few other interesting things about the EFI boot configuration. The Windows 8 installation creates a special FAT-32 partition for EFI Boot, separate from the Windows C: partition. 

When Ubuntu is installed, it will recognise this existing partition, and it will add its own boot configuration to it. However, the Fedora 18 pre-release did not use this existing partition by default; it created a new partition for its EFI boot configuration.

This is not a big deal, and obviously the boot loader is able to recognise this since Fedora is showing up in the F9 boot select menu, but I am a bit fanatical about not using extra partitions, so I found that if you set up the partitions manually during Fedora installation, you can actually point it specifically to this partition for its /boot/efi setup, and it will then not create its own partition.

Another thing that I found was that when I selected one of the Linux installations to boot, it then came up with Grub 2 (which is of course what I would expect). The Grub 2 configuration was capable of finding and listing the other operating systems installed on the disk, so if I ran update-grub (Ubuntu) or grub2-mkconfig (Fedora), they would both list each other and Windows in the boot list. 

However, it would only actually work with Ubuntu.  That means I could select Ubuntu from the F9 boot selection list, but then when the Grub list came up I could select Fedora, and it would boot.  But if I tried to do the same from the Fedora list, and boot Ubuntu, it would fail. This might well be a pre-release bug, so we will have to wait until the final release (hopefully next week) to see if this has been fixed.

3. Secure Boot disabled but Legacy Boot not enabled

The next step was to disable Secure Boot (but still not enable Legacy Boot).  In this case the results were essentially the same as before, but there is more promise for future compatibility and ease of setup here. 

There is a clear and important distinction between EFI booting and Secure booting: a computer and an operating system can support EFI booting without having the required signed certificate to enable secure booting. That means that any Linux distribution could include EFI boot support without having to add Secure Boot support. This is a good thing, and as long as the system BIOS includes a switch to disable Secure Boot, it could make life easier in the future.
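The three firmware configurations described in this post can be told apart from a running Linux installation, and the entry the firmware tries first can be read from `efibootmgr` output. The script below is an added example, not part of the original article; the function names `boot_mode` and `first_boot_entry` are hypothetical, and it assumes the standard Linux `/sys/firmware/efi` layout and the `efibootmgr` output format.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the article.
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# boot_mode [EFI_SYSFS_DIR] -> legacy | uefi-secureboot-on | uefi-secureboot-off
#                              | uefi-secureboot-unknown
boot_mode() {
    efi_dir=${1:-/sys/firmware/efi}
    # The kernel creates this directory only when it was started by UEFI firmware.
    if [ ! -d "$efi_dir" ]; then
        echo "legacy"
        return 0
    fi
    var="$efi_dir/efivars/SecureBoot-$GLOBAL_GUID"
    if [ ! -r "$var" ]; then
        echo "uefi-secureboot-unknown"   # efivarfs not mounted or variable absent
        return 0
    fi
    # efivarfs files hold 4 attribute bytes, then the data; SecureBoot is 1 byte.
    val=$(od -An -tu1 -j4 -N1 "$var" 2>/dev/null | tr -d ' \n')
    case "$val" in
        1) echo "uefi-secureboot-on" ;;
        0) echo "uefi-secureboot-off" ;;
        *) echo "uefi-secureboot-unknown" ;;
    esac
}

# first_boot_entry: reads `efibootmgr` output on stdin and prints the label of
# the first entry in BootOrder (the one the firmware tries first by default).
first_boot_entry() {
    awk '
        /^BootOrder:/ { split($2, order, ","); first = "Boot" order[1] }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            name = substr($0, 11)        # skip "BootNNNN* "
            sub(/\t.*/, "", name)        # drop the device path, if printed
            label[substr($0, 1, 8)] = name
        }
        END { if (first in label) print label[first] }
    '
}

# Constructed sample in efibootmgr's output format (not from the article's machine).
printf 'BootOrder: 0000,0001\nBoot0000* Windows Boot Manager\nBoot0001* ubuntu\n' |
    first_boot_entry
boot_mode
```

On a real system, run `efibootmgr | first_boot_entry` as root to read the live boot entries.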

Finally, as mentioned above, if I turn on Legacy Boot support, the boot loader includes a "shim" which supports boot-sector files in the way that all previous Windows distributions have done. 

Doing this means that you could then load any Linux distribution that was possible on any previous system, without worrying about the issues discussed above. My only comment on this is that it would be nice to be able to find out if such a BIOS configuration option is available before purchasing a system, but my experience so far indicates that this is not likely to be possible.

I have a difficult time even finding out from the pre-sales technical information if a system has EFI boot or not, much less whether it is configurable or not.

Next steps

I plan to continue testing and experimenting with this system. The next interesting event is going to be the final release of Fedora 18. 

As soon as that happens I will give it a try, and I plan to report on its installation, configuration, compatibility with secure boot, and cooperation with Windows and other Linux installations. Let's hope that happens next week!
