Debian vs. UEFI Secure Boot

User discussion about Debian Development, Debian Project News and Announcements. Not for support questions.
hkoster1
Posts: 1264
Joined: 2006-12-18 10:10

Debian vs. UEFI Secure Boot

#1 Post by hkoster1 »

While the upcoming Debian Wheezy AMD64-release allows for UEFI booting, there's a related issue that Debian policy would seem to conflict with: Secure Boot of the Debian kernel with a certificate directly or indirectly signed by another entity (read: Microsoft).

To be sure, the issue only arises when people wish to dual-boot Debian alongside another OS, which in practice means pre-installed Windows 8+ with a Microsoft platform key. In that case only Debian kernels directly or indirectly signed by Microsoft would boot. Secure Boot can be turned off, though, or a user could install his own platform key with which to sign his own kernel, except that Windows 8+ will then no longer boot.

So, what to do when you want dual-booting Windows 8+ and Linux? Well, other distributions (Ubuntu, Red Hat, SuSE) have already chosen for a pre-bootloader work-around, see Matthew Garrett's shim bootloader. There is also the pre-bootloader by the Linux Foundation. In both cases, the pre-bootloader is signed with a Microsoft certificate (one-time fee $99 paid by Garrett or LF); the pre-bootloader then in stages hands over to another bootloader and finally to GRUB.

The good news is that Debian, true to principle, wouldn't have to do anything, leaving it to the user to install one of these signed pre-bootloaders if they want to dual-boot with Windows 8+... just another step similar to getting Windows 8+ to cede sufficient disk space, or getting hold of some proprietary driver. That's simple enough.

The bad news is that a Debian-issued live/install CD/DVD/USB/Flash image would no longer boot without the user also first installing that pre-bootloader (if it wasn't installed on the image media).

Whichever way you look at it, the advent of Secure Boot means extra effort by Linux users: either turn off Secure Boot or install one's own platform key; or, when dual-booting with Windows 8+, use a Microsoft-signed pre-bootloader, either Garrett's "shim" or the "efitools" package from the Linux Foundation. Neither is available yet in the Debian repositories, and I wonder if they ever will be.
Real Debian users don't do chat...

jay_e
Posts: 39
Joined: 2009-06-04 20:03
Location: Orlando, Florida

Re: Debian vs. UEFI Secure Boot

#2 Post by jay_e »

Hi,
I just got a new motherboard and AMD-64 CPU.

The UBUNTU 12.04-LTS and 12-10 Install disks that I burned will not boot. UEFI problems.
(spent several days and forum posts - and gave up.)

Debian 6.06 disks boot and install just fine.
(Could not get a Debian-Ubuntu dual boot to work either.)

I'll hold my breath about the upcoming wheezy release.
Jay

julian516
Posts: 311
Joined: 2010-03-18 20:10
Location: Loveland, CO

Re: Debian vs. UEFI Secure Boot

#3 Post by julian516 »

Not sure what I make of all this. If we go over to Dedoimedo we find him saying all the huffing and puffing about UEFI is unnecessary. Go to http://www.dedoimedo.com/computers/uefi-drama.html

The Arch wiki has a number of good articles about various aspects of UEFI and might be worth investigation. I'll know more fairly soon. I have to rebuild a Windows machine and I will be putting either Debian or Mepis Linux on it in a dual-boot configuration. We'll see what we see.

jsl06
Posts: 3
Joined: 2012-11-08 14:07

Re: Debian vs. UEFI Secure Boot

#4 Post by jsl06 »

I use a laptop. I ordered a laptop with Debian already installed.
James

jay_e
Posts: 39
Joined: 2009-06-04 20:03
Location: Orlando, Florida

Re: Debian vs. UEFI Secure Boot

#5 Post by jay_e »

Hi,
Two weeks later and I did get my mistakes and most of my questions resolved.
I had tried a dual boot of Debian and Ubuntu with and without UEFI.
There are a few matters that one needs to juggle when installing.
  • GPARTED now can create a Boot/EFI partition. More planning of partitions and installing is involved.
  • Multiple HDD or SSD - with corresponding entries in the BIOS device priority chain.
  • Figuring out what grub does when you want a dual boot targeted to different disks - with different boot partitions
Things were a lot simpler when I built partitions for a PC with only one disk. :)
With two disks, I ended up using boot-Info and drawing a map. Boot-info and Boot-repair are handy tools to have.
They can be downloaded from:
http://sourceforge.net/p/boot-repair/home/Home/

I also wish to thank Darik's nuke and blast - found on the Ultimate BootCD - found within http://www.ultimatebootcd.com/
I used that tool to be sure old boot records were deleted.

One question left: How to keep gparted from writing boot info on a disk (HDD) with a single partition?
Another disk (SSD) has a boot/efi partition, a partition for /boot, and another partition for swap.
It looks like boot info is written when creating a single partition on a disk.
Thanks,
Jay

7rows
Posts: 1
Joined: 2013-06-05 07:43

Re: Debian vs. UEFI Secure Boot

#6 Post by 7rows »

hkoster1 wrote: Whichever way you look at it, the advent of Secure Boot means extra effort by Linux users: either turn off Secure Boot or install one's own platform key; or, when dual-booting with Windows 8+, use a Microsoft-signed pre-bootloader, either Garrett's "shim" or the "efitools" package from the Linux Foundation. Neither is available yet in the Debian repositories, and I wonder if they ever will be.
Exactly what you would expect from Winzoz (zoz meaning dirty in my language).

They always go the extra mile to hinder/prevent the use of alternative operating systems such as Linux!

Thanks for the tips.

gohlip
Posts: 20
Joined: 2013-05-11 08:43

Re: Debian vs. UEFI Secure Boot

#7 Post by gohlip »

In "most" cases, turning off secure boot and fastboot (if it is there) should be enough for adding a linux distro using grub2 (v 1.99 or 2.0) on a uefi/gpt computer. Of course, "certification" by windows is nulled (as though that's important).

However some computers have "mix" of uefi and bios which makes this more difficult and some distros set up by default grub-legacy (still!) and complicates the job.
Hope that it is no longer necessary to use shim/gummiboot or to set up efibootmgr, not to mention using microsoft pre-signed-away-our-rights-bootloader.

Liza2
Posts: 1
Joined: 2013-06-07 11:12

Re: Debian vs. UEFI Secure Boot

#8 Post by Liza2 »

"Add EFI support for 64-bit PCs (amd64), allowing installation in EFI mode instead of using the legacy BIOS. This does not include any support for UEFI Secure Boot — that will come later"

anastasis
Posts: 222
Joined: 2012-11-15 02:28
Location: Near White Sands Missile Range
Been thanked: 1 time

Re: Debian vs. UEFI Secure Boot

#9 Post by anastasis »

Somebody told me that Linus wasn't friends with Secure Boot.

Personally, I don't see any theoretical difference in Secure Boot and a boot sector virus. That's what Microsoft should call it. Secure Boot is interested in securing the boot sector. A boot sector virus is also interested in 'securing' your boot sector--securing it to the point of being unbootable.
"He might be a German, but he ain't no Einstein."

Anteaus
Posts: 279
Joined: 2007-09-06 15:34

Re: Debian vs. UEFI Secure Boot

#10 Post by Anteaus »

This gets me to wondering if Microsoft et al have properly thought through the implications of UEFI as regards backups and disaster recovery. I wouldn't mind betting that they have not, based on previous track record. Mind you, UUIDs in fstab and bootloaders already create that situation, and are IMHO a catastrophically bad idea. Sooner or later there is going to be a major corporate data loss through these ill-considered changes to tried and tested ways of working, and then the proverbial is going to well and truly hit the fan.
  • A computer should never be designed such that replacing any part with an identical replacement leaves you with a broken system.
  • A computer should never be designed such that backing-up your data and restoring that data to a replacement disk, leaves you with a broken system.
  • A peripheral should never be designed such that fitting an identical replacement with identical settings, leaves you with a broken system.
UUIDs break all of these principles. The UUIDs in known locations like fstab are one thing, it's the proliferation to UUIDs residing in unknown locations that will be the real backup-killer, because it will be virtually impossible to locate or repair these.

jobine702
Posts: 51
Joined: 2013-07-11 16:39
Location: Prince Edward Island, CA

Re: Debian vs. UEFI Secure Boot

#11 Post by jobine702 »

What I did with my Windows 8 PC:

1. Disable Secure boot
2. Delete Windows 8
3. Install Windows 7 and Debian Jessie.
Lenovo Y410p: i7-4700MQ/GT 755M/8GB DDR3L/24GB SSD/1TB5400RPM/N2230/HD+ Glossy - Debian Testing/Windows 7

jobine702
Posts: 51
Joined: 2013-07-11 16:39
Location: Prince Edward Island, CA

Re: Debian vs. UEFI Secure Boot

#12 Post by jobine702 »

jsl06 wrote:I use a laptop. I ordered a laptop with Debian already installed.
James
Why? It's less expensive to install it yourself.
Lenovo Y410p: i7-4700MQ/GT 755M/8GB DDR3L/24GB SSD/1TB5400RPM/N2230/HD+ Glossy - Debian Testing/Windows 7

esp7
Posts: 177
Joined: 2013-06-23 20:31
Has thanked: 2 times
Been thanked: 4 times

Re: Debian vs. UEFI Secure Boot

#13 Post by esp7 »

jobine702 wrote: What I did with my Windows 8 PC:

1. Disable Secure boot
2. Delete Windows 8
3. Install Windows 7 and Debian Jessie.

I did almost the same but left Windows 7 out of step 3 :D
ThinkPad X220: i5-2520M CPU 2.5GHz - 8GB RAM 1333 MHz - SSD 860 EVO 250GB - Debian - ME_cleaned
ThinkPad X230: i5-3320M CPU 3.3GHz - 8GB RAM 1600 MHz - SSD 860 EVO 500GB - Debian - ME_cleaned

julius
Posts: 2
Joined: 2012-04-03 05:50

Re: Debian vs. UEFI Secure Boot

#14 Post by julius »

Some weeks back I bought a Toshiba 17" notebook with Windows 8.1 and UEFI. I searched the net and found some instructions on how to install Linux Mint Debian. I did not try to install Debian Wheezy on it, as I already have it on my other PC. I used Mint Debian on the notebook with some command instructions. It worked for some time, then it did not: it refused to boot Linux Mint Debian again, so I left it until I came back from my photo-shoot trip.

I got this program, Parted Magic; it is free and Linux-based, and there are many out there for free: http://pcsupport.about.com/od/toolsofth ... ftware.htm

What I found out is that you have to erase the drive to zeros if you have an OEM notebook or PC. I loaded up Windows 7 and Linux next to it... like I said, it worked for some time and then it wouldn't let GRUB load up at all, only Windows. I did some searching, with no luck after all.

It is just that Windows 8.1 has a recovery partition in it, and that is a problem!! You have to erase the SSD drive to zeros before you load up two OSes... TURN OFF UEFI AT BIOS FIRST and then load up... Now it boots up Windows 7 and Linux, and now I can go and do my photo work on site at festivals.
I got all the drivers from Toshiba and other websites. ONLY IF IT IS A NOTEBOOK OR A PC WITH AN OEM INSTALL ALREADY, ERASE IT TO ZEROS; IF IT IS YOUR OWN BUILD IT IS OK, BUT I HAVEN'T DONE THAT ONE YET... I WILL LET YOU KNOW WHEN IT HAPPENS. It is the best way!! No future problems, it works, and it is the best so far for me: no files left behind by Windows 8.1!!!!

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Debian vs. UEFI Secure Boot

#15 Post by Head_on_a_Stick »

julius wrote: Some weeks back I bought a Toshiba 17" notebook with Windows 8.1 and UEFI. I searched the net and found some instructions on how to install Linux Mint Debian. I did not try to install Debian Wheezy on it, as I already have it on my other PC. I used Mint Debian on the notebook with some command instructions. It worked for some time, then it did not: it refused to boot Linux Mint Debian again, so I left it until I came back from my photo-shoot trip.

I got this program, Parted Magic; it is free and Linux-based, and there are many out there for free: http://pcsupport.about.com/od/toolsofth ... ftware.htm

What I found out is that you have to erase the drive to zeros if you have an OEM notebook or PC. I loaded up Windows 7 and Linux next to it... like I said, it worked for some time and then it wouldn't let GRUB load up at all, only Windows. I did some searching, with no luck after all.

It is just that Windows 8.1 has a recovery partition in it, and that is a problem!! You have to erase the SSD drive to zeros before you load up two OSes... TURN OFF UEFI AT BIOS FIRST and then load up... Now it boots up Windows 7 and Linux, and now I can go and do my photo work on site at festivals.
I got all the drivers from Toshiba and other websites. ONLY IF IT IS A NOTEBOOK OR A PC WITH AN OEM INSTALL ALREADY, ERASE IT TO ZEROS; IF IT IS YOUR OWN BUILD IT IS OK, BUT I HAVEN'T DONE THAT ONE YET... I WILL LET YOU KNOW WHEN IT HAPPENS. It is the best way!! No future problems, it works, and it is the best so far for me: no files left behind by Windows 8.1!!!!
The Secure Boot settings are stored on the motherboard NVRAM rather than the hard drive so erasing the drive will have no effect on that whatsoever.

The OP is somewhat dated and misleading -- the ability to disable Secure Boot is part of the UEFI specification and it is perfectly possible to create your own Secure Boot keys and signed bootloader & kernel image so there is no need to rely on either the shim project or Microsoft's licence fee.

http://www.rodsbooks.com/efi-bootloader ... eboot.html
deadbang
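
The point in post #15, that Secure Boot state is held by the firmware rather than on the disk, can be checked from a running Linux system. This is an added example and not part of any post in this thread; it assumes the kernel's efivarfs is mounted at /sys/firmware/efi/efivars, and the function names and sample bytes are constructed for illustration.

```python
import struct
from pathlib import Path

# GUID of the EFI global-variable namespace, fixed by the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Variable attribute bits defined by the UEFI specification.
ATTRS = {0x01: "NON_VOLATILE", 0x02: "BOOTSERVICE_ACCESS",
         0x04: "RUNTIME_ACCESS", 0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS"}
# Constructed sample: an efivarfs SecureBoot entry with attributes 0x6, value 1.
SAMPLE_SECUREBOOT = bytes([0x06, 0x00, 0x00, 0x00, 0x01])


def parse_efivar(raw):
    """Split an efivarfs file into (attribute names, payload bytes).

    efivarfs prepends a 4-byte little-endian attribute mask to the value.
    """
    if len(raw) < 4:
        raise ValueError("entry is shorter than the 4-byte attribute header")
    (mask,) = struct.unpack_from("<I", raw)
    return [name for bit, name in ATTRS.items() if mask & bit], raw[4:]


def read_flag(efivars_dir, name):
    """Return a one-byte global variable as an int, or None if absent."""
    path = Path(efivars_dir) / f"{name}-{EFI_GLOBAL}"
    if not path.is_file():
        return None
    _, data = parse_efivar(path.read_bytes())
    return data[0] if len(data) == 1 else None


def secure_boot_state(efivars_dir="/sys/firmware/efi/efivars"):
    """Classify the firmware state from UEFI variables, without reading any disk."""
    if not Path(efivars_dir).is_dir():
        return "not-uefi"        # booted via legacy BIOS/CSM
    if read_flag(efivars_dir, "SetupMode") == 1:
        return "setup-mode"      # no Platform Key enrolled, nothing enforced
    secure = read_flag(efivars_dir, "SecureBoot")
    return {1: "enabled", 0: "disabled"}.get(secure, "unknown")


if __name__ == "__main__":
    print(secure_boot_state())
```

Running it before and after wiping a drive returns the same state, since these variables are served by the firmware.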

hkoster1
Posts: 1264
Joined: 2006-12-18 10:10

Re: Debian vs. UEFI Secure Boot

#16 Post by hkoster1 »

Head_on_a_Stick wrote: The OP is somewhat dated and misleading -- the ability to disable Secure Boot is part of the UEFI specification and it is perfectly possible to create your own Secure Boot keys and signed bootloader & kernel image so there is no need to rely on either the shim project or Microsoft's licence fee.
Isn't that exactly what I've been saying in my OP (2nd paragraph)? The OP is certainly dated, but misleading? Go rinse your mouth with soap... :)
Real Debian users don't do chat...

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Debian vs. UEFI Secure Boot

#17 Post by Head_on_a_Stick »

hkoster1 wrote:
Head_on_a_Stick wrote: The OP is somewhat dated and misleading -- the ability to disable Secure Boot is part of the UEFI specification and it is perfectly possible to create your own Secure Boot keys and signed bootloader & kernel image so there is no need to rely on either the shim project or Microsoft's licence fee.
Isn't that exactly what I've been saying in my OP (2nd paragraph)? The OP is certainly dated, but misleading? Go rinse your mouth with soap... :)
My apologies.
:oops:
deadbang

hkoster1
Posts: 1264
Joined: 2006-12-18 10:10

Re: Debian vs. UEFI Secure Boot

#18 Post by hkoster1 »

No sweat. BTW, you did well to draw attention to http://www.rodsbooks.com, a fine resource for this type of topic, e.g. the rEFInd boot manager.
Real Debian users don't do chat...

G-Known
Posts: 178
Joined: 2012-10-26 04:59
Location: Brooklyn, New York

Re: Debian vs. UEFI Secure Boot

#19 Post by G-Known »

Does Debian Jessie support secure boot in a way that users can install the OS like normal?
Debian Jessie
Asus Zenbook UX305FA-ASM1
Intel Core M 5Y10; Intel HD Graphics 5300

マーズ maazu
Posts: 23
Joined: 2015-05-04 05:13
Location: kuala lumpur

Re: Debian vs. UEFI Secure Boot

#20 Post by マーズ maazu »

G-Known wrote:Does Debian Jessie support secure boot in a way that users can install the OS like normal?
No. You must switch off Secure Boot in order for her to boot.
