Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230
Debian vs. UEFI Secure Boot
Debian vs. UEFI Secure Boot
While the upcoming Debian Wheezy AMD64-release allows for UEFI booting, there's a related issue that Debian policy would seem to conflict with: Secure Boot of the Debian kernel with a certificate directly or indirectly signed by another entity (read: Microsoft).
To be sure, the issue only arises when people wish to dual-boot Debian alongside another OS, which in practice means pre-installed Windows 8+ with a Microsoft platform key. In that case only Debian kernels directly or indirectly signed by Microsoft would boot. Secure Boot can be turned off, though, or a user could install his own platform key with which to sign his own kernel, except that Windows 8+ will then no longer boot.
So, what to do when you want dual-booting Windows 8+ and Linux? Well, other distributions (Ubuntu, Red Hat, SuSE) have already chosen for a pre-bootloader work-around, see Matthew Garrett's shim bootloader. There is also the pre-bootloader by the Linux Foundation. In both cases, the pre-bootloader is signed with a Microsoft certificate (one-time fee $99 paid by Garrett or LF); the pre-bootloader then in stages hands over to another bootloader and finally to GRUB.
The good news is that Debian, true to principle, wouldn't have to do anything, leaving it to the user to install one of these signed
pre-bootloaders if they want to dual-boot with Windows 8+... just another step similar to getting Windows 8+ to cede sufficient disk space, or getting hold of some proprietary driver. That's simple enough.
The bad news is that a Debian-issued live/install CD/DVD/USB/Flash image would no longer boot without the user also first installing that pre-bootloader (if it wasn't installed on the image media).
Whichever way you look at it, the advent of Secure Boot means extra effort by Linux users: either turn off Secure Boot or install one's own platform key; or, when dual-booting with Windows 8+, use a Microsoft-signed pre-bootloader, either Garrett's "shim" or the "efitools" package from the Linux Foundation. Neither is available yet in the Debian repositories, and I wonder if they ever will be.
To be sure, the issue only arises when people wish to dual-boot Debian alongside another OS, which in practice means pre-installed Windows 8+ with a Microsoft platform key. In that case only Debian kernels directly or indirectly signed by Microsoft would boot. Secure Boot can be turned off, though, or a user could install his own platform key with which to sign his own kernel, except that Windows 8+ will then no longer boot.
So, what to do when you want dual-booting Windows 8+ and Linux? Well, other distributions (Ubuntu, Red Hat, SuSE) have already chosen for a pre-bootloader work-around, see Matthew Garrett's shim bootloader. There is also the pre-bootloader by the Linux Foundation. In both cases, the pre-bootloader is signed with a Microsoft certificate (one-time fee $99 paid by Garrett or LF); the pre-bootloader then in stages hands over to another bootloader and finally to GRUB.
The good news is that Debian, true to principle, wouldn't have to do anything, leaving it to the user to install one of these signed
pre-bootloaders if they want to dual-boot with Windows 8+... just another step similar to getting Windows 8+ to cede sufficient disk space, or getting hold of some proprietary driver. That's simple enough.
The bad news is that a Debian-issued live/install CD/DVD/USB/Flash image would no longer boot without the user also first installing that pre-bootloader (if it wasn't installed on the image media).
Whichever way you look at it, the advent of Secure Boot means extra effort by Linux users: either turn off Secure Boot or install one's own platform key; or, when dual-booting with Windows 8+, use a Microsoft-signed pre-bootloader, either Garrett's "shim" or the "efitools" package from the Linux Foundation. Neither is available yet in the Debian repositories, and I wonder if they ever will be.
Real Debian users don't do chat...
Re: Debian vs. UEFI Secure Boot
Hi,
I just got a new motherboard and AMD-64 CPU.
The UBUNTU 12.04-LTS and 12-10 Install disks that I burned will not boot . UEFI problems.
(spent several days and forum posts - and gave up.)
Debian 6.06 disks boot and install just fine.
(Could not get a Debian-Ubuntu dual boot to work either.)
I'l hold my breath about the upcoming wheezy release.
Jay
I just got a new motherboard and AMD-64 CPU.
The UBUNTU 12.04-LTS and 12-10 Install disks that I burned will not boot . UEFI problems.
(spent several days and forum posts - and gave up.)
Debian 6.06 disks boot and install just fine.
(Could not get a Debian-Ubuntu dual boot to work either.)
I'l hold my breath about the upcoming wheezy release.
Jay
Re: Debian vs. UEFI Secure Boot
Not sure what I make of all this. If we go over to Dedoimedo we find him saying all the huffing and puffing abut UEFI is unnecessary. Go to http://www.dedoimedo.com/computers/uefi-drama.html
The Arch wiki has a number of good artices about various aspects of UEFI and might be worth investigation. I'llknow more fairly soon. I have to rebuld a WIndows machine and I will be putting either Debian or Mepis Linux on it in a dual-boot configuration. We'll see what we see.
The Arch wiki has a number of good artices about various aspects of UEFI and might be worth investigation. I'llknow more fairly soon. I have to rebuld a WIndows machine and I will be putting either Debian or Mepis Linux on it in a dual-boot configuration. We'll see what we see.
Re: Debian vs. UEFI Secure Boot
I use a laptop. I ordered a laptop with Debian already installed.
James
James
Re: Debian vs. UEFI Secure Boot
Hi,
Two weeks later and I did get my mistakes and most of my questions resolved.
I had tried a dual boot of Debian and Ubuntu with and without UEFI
There are a few matters that one needs to juggle when installing.
With two disks, I ended up using boot-Info and drawing a map. Boot-info and Boot-repair are handy tools to have.
They can be downloaded from:
http://sourceforge.net/p/boot-repair/home/Home/
I also wish to thank Darik's nuke and blast - found on the Ultimate BootCD - found within http://www.ultimatebootcd.com/
I was used that tool to be sure old boot records were deleted.
One question left: How to keep gparted from writing boot info on a disk(HDD) with a single partition?
Another disk (SDD)has a boot/efi partition, a partition for /boot, and another partition for swap.
It looks like boot info is written when creating a single partition on a disk.
Thanks,
Jay
Two weeks later and I did get my mistakes and most of my questions resolved.
I had tried a dual boot of Debian and Ubuntu with and without UEFI
There are a few matters that one needs to juggle when installing.
- GPARTED now can create a Boot/EFI partition. More planning of partitions and installing is involved.
- Multiple HDD or SDD - with corresponding entries in the BIOS device priority chain.
- Figuring out what grub does when you want a dual boot targeted to different disks - with different boot partitions
With two disks, I ended up using boot-Info and drawing a map. Boot-info and Boot-repair are handy tools to have.
They can be downloaded from:
http://sourceforge.net/p/boot-repair/home/Home/
I also wish to thank Darik's nuke and blast - found on the Ultimate BootCD - found within http://www.ultimatebootcd.com/
I was used that tool to be sure old boot records were deleted.
One question left: How to keep gparted from writing boot info on a disk(HDD) with a single partition?
Another disk (SDD)has a boot/efi partition, a partition for /boot, and another partition for swap.
It looks like boot info is written when creating a single partition on a disk.
Thanks,
Jay
Re: Debian vs. UEFI Secure Boot
Exactly what you would expect from Winzoz (zoz meaning dirty in my language).hkoster1 wrote: Whichever way you look at it, the advent of Secure Boot means extra effort by Linux users: either turn off Secure Boot or install one's own platform key; or, when dual-booting with Windows 8+, use a Microsoft-signed pre-bootloader, either Garrett's "shim" or the "efitools" package from the Linux Foundation. Neither is available yet in the Debian repositories, and I wonder if they ever will be.
They always go the extra mile to hinder/prevent the use of alternative operating systems such as Linux!
Thanks for the tips.
Re: Debian vs. UEFI Secure Boot
In "most" cases, turning off secure boot and fastboot (if it is there) should be enough for adding a linux distro using grub2 (v 1.99 or 2.0) on a uefi/gpt computer. Of course, "certification" by windows is nulled (as though that's important).
However some computers have "mix" of uefi and bios which makes this more difficult and some distros set up by default grub-legacy (still!) and complicates the job.
Hope that it is no longer necessary to use shim/gummiboot or to set up efibootmgr, not to mention using microsoft pre-signed-away-our-rights-bootloader.
However some computers have "mix" of uefi and bios which makes this more difficult and some distros set up by default grub-legacy (still!) and complicates the job.
Hope that it is no longer necessary to use shim/gummiboot or to set up efibootmgr, not to mention using microsoft pre-signed-away-our-rights-bootloader.
Re: Debian vs. UEFI Secure Boot
Add EFI support for 64-bit PCs (amd64), allowing installation in EFI mode instead of using the legacy BIOS. This does not include any support for UEFI Secure Boot — that will come later"
Our 400-051 prep course includes the latest SK0-003 braindumps that one must have to go through to pass Pass4sure exam dumps exam.For more details visit Bradley University now University of California, San Francisco best wishes.
- anastasis
- Posts: 222
- Joined: 2012-11-15 02:28
- Location: Near White Sands Missile Range
- Been thanked: 1 time
Re: Debian vs. UEFI Secure Boot
Somebody told me that Linus wasn't friends with Secure Boot.
Personally, I don't see any theoretical difference in Secure Boot and a boot sector virus. That's what Microsoft should call it. Secure Boot is interested in securing the boot sector. A boot sector virus is also interested in 'securing' your boot sector--securing it to the point of being unbootable.
Personally, I don't see any theoretical difference in Secure Boot and a boot sector virus. That's what Microsoft should call it. Secure Boot is interested in securing the boot sector. A boot sector virus is also interested in 'securing' your boot sector--securing it to the point of being unbootable.
"He might be a German, but he ain't no Einstein."
Re: Debian vs. UEFI Secure Boot
This gets me to wondering if Microsoft et al have properly thought through the implications of UEFI as regards backups and disaster recovery. I wouldn't mind betting that they have not, based on previous track record. Mind you, UUIDs in fstab and bootloaders already create that situation, and are IMHO a catastrophically bad idea. Sooner or later there is going to be a major corporate data loss through these ill-considered changes to tried and tested ways of working, and then the proverbial is going to well and truly hit the fan.
- A computer should never be designed such that replacing any part with an identical replacement leaves you with a broken system.
A computer should never be designed such that backing-up your data and restoring that data to a replacement disk, leaves you with a broken system.
A peripheral should never be designed such that fitting an identical replacement with identical settings, leaves you with a broken system.
Re: Debian vs. UEFI Secure Boot
What i did with my Windows 8 PC:
1. Disable Secure boot
2. Delete Windows 8
3. Install Windows 7 and Debian Jessie.
1. Disable Secure boot
2. Delete Windows 8
3. Install Windows 7 and Debian Jessie.
Lenovo Y410p: i7-4700MQ/GT 755M/8GB DDR3L/24GB SSD/1TB5400RPM/N2230/HD+ Glossy - Debian Testing/Windows 7
Re: Debian vs. UEFI Secure Boot
Why? It's less expensive to install it yourself.jsl06 wrote:I use a laptop. I ordered a laptop with Debian already installed.
James
Lenovo Y410p: i7-4700MQ/GT 755M/8GB DDR3L/24GB SSD/1TB5400RPM/N2230/HD+ Glossy - Debian Testing/Windows 7
Re: Debian vs. UEFI Secure Boot
jobine702 wrote:What i did with my Windows 8 PC:
1. Disable Secure boot
2. Delete Windows 8
3. Install Windows 7 and Debian Jessie.
i did almost the same but left windows 7 out of step 3
ThinkPad X220: i5-2520M CPU 2.5GHz - 8GB RAM 1333 MHz - SSD 860 EVO 250GB - Debian - ME_cleaned
ThinkPad X230: i5-3320M CPU 3.3GHz - 8GB RAM 1600 MHz - SSD 860 EVO 500GB - Debian - ME_cleaned
ThinkPad X230: i5-3320M CPU 3.3GHz - 8GB RAM 1600 MHz - SSD 860 EVO 500GB - Debian - ME_cleaned
Re: Debian vs. UEFI Secure Boot
I just bought some weeks back a Toshiba 17" notebook windows 8.1 with UEFI ,went on the net search found some instructions on how to install Linux mint Debian I did not try to install Debian wheezy on I all ready got it on my other PC I use mint deb on the notebook and some command instructions it work for some time the it did not it refuse to boot again on Linux mint deb so I left it until I come back from my photo-shot trip .
I got this program PARTED MAGIC is free Linux base and there many out there for free http://pcsupport.about.com/od/toolsofth ... ftware.htm .
What I found out you got to erase to zeros if you got a notebook or PC OEM , I load up Windows 7 and Linux next to it .....like I said it work for some time and then it won't let grub load up at all only windows did some search no luck after all.
It just that windows8.1 has a recovery partition in it and is a problem!! , you got to erase into zero the ssd drive before you load up 2 OS ...TURN OFF UEFI AT BIOS FIRST and then load up ...Now it boots up windows 7 and Linux and now I can go to do my photo work on site at festivals .
Got all the drivers from Toshiba and other websites .ONLY IF IT IS A NOTEBOOK OR A PC WITH OEM INSTALL ALL READY ERASE IT INTO ZEROS , IF IS YOUR OWN BUILD IS OK BUT HAVEN'T DONE THAT ONE YET.....LET YOU KNOW WHEN HAPPENS.Is the best way!! and no future problems and it works and is the best so far for me no files left behind!!!! by windows 8.1!!!!
I got this program PARTED MAGIC is free Linux base and there many out there for free http://pcsupport.about.com/od/toolsofth ... ftware.htm .
What I found out you got to erase to zeros if you got a notebook or PC OEM , I load up Windows 7 and Linux next to it .....like I said it work for some time and then it won't let grub load up at all only windows did some search no luck after all.
It just that windows8.1 has a recovery partition in it and is a problem!! , you got to erase into zero the ssd drive before you load up 2 OS ...TURN OFF UEFI AT BIOS FIRST and then load up ...Now it boots up windows 7 and Linux and now I can go to do my photo work on site at festivals .
Got all the drivers from Toshiba and other websites .ONLY IF IT IS A NOTEBOOK OR A PC WITH OEM INSTALL ALL READY ERASE IT INTO ZEROS , IF IS YOUR OWN BUILD IS OK BUT HAVEN'T DONE THAT ONE YET.....LET YOU KNOW WHEN HAPPENS.Is the best way!! and no future problems and it works and is the best so far for me no files left behind!!!! by windows 8.1!!!!
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Debian vs. UEFI Secure Boot
The Secure Boot settings are stored on the motherboard NVRAM rather than the hard drive so erasing the drive will have no effect on that whatsoever.julius wrote:I just bought some weeks back a Toshiba 17" notebook windows 8.1 with UEFI ,went on the net search found some instructions on how to install Linux mint Debian I did not try to install Debian wheezy on I all ready got it on my other PC I use mint deb on the notebook and some command instructions it work for some time the it did not it refuse to boot again on Linux mint deb so I left it until I come back from my photo-shot trip .
I got this program PARTED MAGIC is free Linux base and there many out there for free http://pcsupport.about.com/od/toolsofth ... ftware.htm .
What I found out you got to erase to zeros if you got a notebook or PC OEM , I load up Windows 7 and Linux next to it .....like I said it work for some time and then it won't let grub load up at all only windows did some search no luck after all.
It just that windows8.1 has a recovery partition in it and is a problem!! , you got to erase into zero the ssd drive before you load up 2 OS ...TURN OFF UEFI AT BIOS FIRST and then load up ...Now it boots up windows 7 and Linux and now I can go to do my photo work on site at festivals .
Got all the drivers from Toshiba and other websites .ONLY IF IT IS A NOTEBOOK OR A PC WITH OEM INSTALL ALL READY ERASE IT INTO ZEROS , IF IS YOUR OWN BUILD IS OK BUT HAVEN'T DONE THAT ONE YET.....LET YOU KNOW WHEN HAPPENS.Is the best way!! and no future problems and it works and is the best so far for me no files left behind!!!! by windows 8.1!!!!
The OP is somewhat dated and misleading -- the ability to disable Secure Boot is part of the UEFI specification and it is perfectly possible to create your own Secure Boot keys and signed bootloaeder & kernel image so there is no need to rely on either the shim project or Microsoft's licence fee.
http://www.rodsbooks.com/efi-bootloader ... eboot.html
deadbang
Re: Debian vs. UEFI Secure Boot
Isn't that exactly what I've been saying in my OP (2nd paragraph)? The OP is certainly dated, but misleading? Go rinse your mouth with soap...Head_on_a_Stick wrote: The OP is somewhat dated and misleading -- the ability to disable Secure Boot is part of the UEFI specification and it is perfectly possible to create your own Secure Boot keys and signed bootloaeder & kernel image so there is no need to rely on either the shim project or Microsoft's licence fee.
Real Debian users don't do chat...
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Debian vs. UEFI Secure Boot
My apologies.hkoster1 wrote:Isn't that exactly what I've been saying in my OP (2nd paragraph)? The OP is certainly dated, but misleading? Go rinse your mouth with soap...Head_on_a_Stick wrote: The OP is somewhat dated and misleading -- the ability to disable Secure Boot is part of the UEFI specification and it is perfectly possible to create your own Secure Boot keys and signed bootloaeder & kernel image so there is no need to rely on either the shim project or Microsoft's licence fee.
deadbang
Re: Debian vs. UEFI Secure Boot
No sweat. BTW, you did well to draw attention to http://www.rodsbooks.com, a fine resource for this type of topic, e.g. the rEFInd boot manager.
Real Debian users don't do chat...
Re: Debian vs. UEFI Secure Boot
Does Debian Jessie support secure boot in a way that users can install the OS like normal?
Debian Jessie
Asus Zenbook UX305FA-ASM1
Intel Core M 5Y10; Intel HD Graphics 5300
Asus Zenbook UX305FA-ASM1
Intel Core M 5Y10; Intel HD Graphics 5300
Re: Debian vs. UEFI Secure Boot
No. You must switch off Secure Boot in order for her to boot.G-Known wrote:Does Debian Jessie support secure boot in a way that users can install the OS like normal?