Debian vs. UEFI Secure Boot


Post by hkoster1 » 2013-01-05 14:57

While the upcoming Debian Wheezy AMD64-release allows for UEFI booting, there's a related issue that Debian policy would seem to conflict with: Secure Boot of the Debian kernel with a certificate directly or indirectly signed by another entity (read: Microsoft).

To be sure, the issue only arises when people wish to dual-boot Debian alongside another OS, which in practice means pre-installed Windows 8+ with a Microsoft platform key. In that case only Debian kernels directly or indirectly signed by Microsoft would boot. Secure Boot can be turned off, though, or a user could install his own platform key with which to sign his own kernel, except that Windows 8+ will then no longer boot.

So, what to do when you want dual-booting Windows 8+ and Linux? Well, other distributions (Ubuntu, Red Hat, SuSE) have already opted for a pre-bootloader work-around; see Matthew Garrett's shim bootloader. There is also the pre-bootloader by the Linux Foundation. In both cases, the pre-bootloader is signed with a Microsoft certificate (one-time fee $99 paid by Garrett or LF); the pre-bootloader then in stages hands over to another bootloader and finally to GRUB.

The good news is that Debian, true to principle, wouldn't have to do anything, leaving it to the user to install one of these signed pre-bootloaders if they want to dual-boot with Windows 8+... just another step similar to getting Windows 8+ to cede sufficient disk space, or getting hold of some proprietary driver. That's simple enough.

The bad news is that a Debian-issued live/install CD/DVD/USB/Flash image would no longer boot without the user also first installing that pre-bootloader (if it wasn't installed on the image media).

Whichever way you look at it, the advent of Secure Boot means extra effort by Linux users: either turn off Secure Boot or install one's own platform key; or, when dual-booting with Windows 8+, use a Microsoft-signed pre-bootloader, either Garrett's "shim" or the "efitools" package from the Linux Foundation. Neither is available yet in the Debian repositories, and I wonder if they ever will be.
Real Debian users don't do chat...
hkoster1
 
Posts: 1265
Joined: 2006-12-18 10:10

Re: Debian vs. UEFI Secure Boot

Post by jay_e » 2013-03-02 00:42

Hi,
I just got a new motherboard and AMD-64 CPU.

The UBUNTU 12.04-LTS and 12-10 install disks that I burned will not boot. UEFI problems.
(Spent several days and forum posts, and gave up.)

Debian 6.06 disks boot and install just fine.
(Could not get a Debian-Ubuntu dual boot to work either.)

I'll hold my breath about the upcoming wheezy release.
Jay
jay_e
 
Posts: 36
Joined: 2009-06-04 20:03
Location: Orlando, Florida

Re: Debian vs. UEFI Secure Boot

Post by julian516 » 2013-03-02 14:12

Not sure what I make of all this. If we go over to Dedoimedo we find him saying all the huffing and puffing about UEFI is unnecessary. Go to http://www.dedoimedo.com/computers/uefi-drama.html

The Arch wiki has a number of good articles about various aspects of UEFI and might be worth investigation. I'll know more fairly soon. I have to rebuild a Windows machine and I will be putting either Debian or Mepis Linux on it in a dual-boot configuration. We'll see what we see.
julian516
 
Posts: 311
Joined: 2010-03-18 20:10
Location: Loveland, CO

Re: Debian vs. UEFI Secure Boot

Post by jsl06 » 2013-03-09 11:15

I use a laptop. I ordered a laptop with Debian already installed.
James
jsl06
 
Posts: 3
Joined: 2012-11-08 14:07

Re: Debian vs. UEFI Secure Boot

Post by jay_e » 2013-03-13 09:02

Hi,
Two weeks later and I did get my mistakes and most of my questions resolved.
I had tried a dual boot of Debian and Ubuntu with and without UEFI.
There are a few matters that one needs to juggle when installing.
  • GPARTED now can create a Boot/[U]EFI partition. More planning of partitions and installing is involved.
  • Multiple HDD or SSD - with corresponding entries in the BIOS device priority chain.
  • Figuring out what grub does when you want a dual boot targeted to different disks - with different boot partitions
Things were a lot simpler when I built partitions for a PC with only one disk. :)
With two disks, I ended up using boot-Info and drawing a map. Boot-info and Boot-repair are handy tools to have.
They can be downloaded from:
http://sourceforge.net/p/boot-repair/home/Home/

I also wish to thank Darik's nuke and blast - found on the Ultimate BootCD - found within http://www.ultimatebootcd.com/
I used that tool to be sure old boot records were deleted.

One question left: How to keep gparted from writing boot info on a disk (HDD) with a single partition?
Another disk (SSD) has a boot/efi partition, a partition for /boot, and another partition for swap.
It looks like boot info is written when creating a single partition on a disk.
Thanks,
Jay
jay_e
 
Posts: 36
Joined: 2009-06-04 20:03
Location: Orlando, Florida

Re: Debian vs. UEFI Secure Boot

Post by 7rows » 2013-06-05 07:52

hkoster1 wrote: Whichever way you look at it, the advent of Secure Boot means extra effort by Linux users: either turn off Secure Boot or install one's own platform key; or, when dual-booting with Windows 8+, use a Microsoft-signed pre-bootloader, either Garrett's "shim" or the "efitools" package from the Linux Foundation. Neither is available yet in the Debian repositories, and I wonder if they ever will be.

Exactly what you would expect from Winzoz (zoz meaning dirty in my language).

They always go the extra mile to hinder/prevent the use of alternative operating systems such as Linux!

Thanks for the tips.
7rows
 
Posts: 1
Joined: 2013-06-05 07:43

Re: Debian vs. UEFI Secure Boot

Post by gohlip » 2013-06-05 14:47

In "most" cases, turning off secure boot and fastboot (if it is there) should be enough for adding a linux distro using grub2 (v 1.99 or 2.0) on a uefi/gpt computer. Of course, "certification" by windows is nulled (as though that's important).

However some computers have "mix" of uefi and bios which makes this more difficult and some distros set up by default grub-legacy (still!) and complicates the job.
Hope that it is no longer necessary to use shim/gummiboot or to set up efibootmgr, not to mention using microsoft pre-signed-away-our-rights-bootloader.
gohlip
 
Posts: 20
Joined: 2013-05-11 08:43

Re: Debian vs. UEFI Secure Boot

Post by Liza2 » 2013-06-07 11:21

"Add EFI support for 64-bit PCs (amd64), allowing installation in EFI mode instead of using the legacy BIOS. This does not include any support for UEFI Secure Boot — that will come later"
Liza2
 
Posts: 1
Joined: 2013-06-07 11:12

Re: Debian vs. UEFI Secure Boot

Post by anastasis » 2013-06-08 00:43

Somebody told me that Linus wasn't friends with Secure Boot.

Personally, I don't see any theoretical difference in Secure Boot and a boot sector virus. That's what Microsoft should call it. Secure Boot is interested in securing the boot sector. A boot sector virus is also interested in 'securing' your boot sector--securing it to the point of being unbootable.
"He might be a German, but he ain't no Einstein."
anastasis
 
Posts: 222
Joined: 2012-11-15 02:28
Location: Near White Sands Missile Range

Re: Debian vs. UEFI Secure Boot

Post by Anteaus » 2013-12-17 11:59

This gets me to wondering if Microsoft et al have properly thought through the implications of UEFI as regards backups and disaster recovery. I wouldn't mind betting that they have not, based on previous track record. Mind you, UUIDs in fstab and bootloaders already create that situation, and are IMHO a catastrophically bad idea. Sooner or later there is going to be a major corporate data loss through these ill-considered changes to tried and tested ways of working, and then the proverbial is going to well and truly hit the fan.

    A computer should never be designed such that replacing any part with an identical replacement leaves you with a broken system.
    A computer should never be designed such that backing-up your data and restoring that data to a replacement disk, leaves you with a broken system.
    A peripheral should never be designed such that fitting an identical replacement with identical settings, leaves you with a broken system.

UUIDs break all of these principles. The UUIDs in known locations like fstab are one thing, it's the proliferation to UUIDs residing in unknown locations that will be the real backup-killer, because it will be virtually impossible to locate or repair these.
Anteaus
 
Posts: 281
Joined: 2007-09-06 15:34

Re: Debian vs. UEFI Secure Boot

Post by jobine702 » 2013-12-21 02:24

What I did with my Windows 8 PC:

1. Disable Secure boot
2. Delete Windows 8
3. Install Windows 7 and Debian Jessie.
Lenovo Y410p: i7-4700MQ/GT 755M/8GB DDR3L/24GB SSD/1TB5400RPM/N2230/HD+ Glossy - Debian Testing/Windows 7
jobine702
 
Posts: 51
Joined: 2013-07-11 16:39
Location: Prince Edward Island, CA

Re: Debian vs. UEFI Secure Boot

Post by jobine702 » 2013-12-21 02:25

jsl06 wrote: I use a laptop. I ordered a laptop with Debian already installed.
James

Why? It's less expensive to install it yourself.
Lenovo Y410p: i7-4700MQ/GT 755M/8GB DDR3L/24GB SSD/1TB5400RPM/N2230/HD+ Glossy - Debian Testing/Windows 7
jobine702
 
Posts: 51
Joined: 2013-07-11 16:39
Location: Prince Edward Island, CA

Re: Debian vs. UEFI Secure Boot

Post by esp7 » 2013-12-21 10:07

jobine702 wrote: What I did with my Windows 8 PC:

1. Disable Secure boot
2. Delete Windows 8
3. Install Windows 7 and Debian Jessie.

I did almost the same but left Windows 7 out of step 3 :D
ThinkPad X220: i5-2520M CPU - 8GB RAM - 250GB SSD - Debian stable
esp7
 
Posts: 126
Joined: 2013-06-23 20:31

Re: Debian vs. UEFI Secure Boot

Post by julius » 2015-02-05 04:36

I just bought, some weeks back, a Toshiba 17" notebook with Windows 8.1 and UEFI. I went on the net, searched, and found some instructions on how to install Linux Mint Debian. I did not try to install Debian Wheezy on it; I already have it on my other PC. I used Mint Debian on the notebook with some command instructions. It worked for some time, then it did not: it refused to boot again into Linux Mint Debian, so I left it until I came back from my photo-shoot trip.

I got this program, PARTED MAGIC. It is free and Linux-based, and there are many out there for free: http://pcsupport.about.com/od/toolsofth ... ftware.htm

What I found out is that you have to erase the drive to zeros if you have an OEM notebook or PC. I loaded Windows 7 and Linux next to it... like I said, it worked for some time and then it wouldn't let GRUB load at all, only Windows. I did some searching, with no luck after all.

It's just that Windows 8.1 has a recovery partition in it and that is a problem!! You have to erase the SSD drive to zeros before you load up 2 OSes... TURN OFF UEFI AT BIOS FIRST and then load up... Now it boots Windows 7 and Linux, and now I can go do my photo work on site at festivals.
I got all the drivers from Toshiba and other websites. ONLY IF IT IS A NOTEBOOK OR A PC WITH AN OEM INSTALL ALREADY, ERASE IT TO ZEROS. IF IT IS YOUR OWN BUILD IT IS OK, BUT I HAVEN'T DONE THAT ONE YET... I WILL LET YOU KNOW WHEN IT HAPPENS. It is the best way!! No future problems, it works, and it is the best so far for me: no files left behind by Windows 8.1!!!!
julius
 
Posts: 2
Joined: 2012-04-03 05:50

Re: Debian vs. UEFI Secure Boot

Post by Head_on_a_Stick » 2015-02-05 06:49

julius wrote: I just bought, some weeks back, a Toshiba 17" notebook with Windows 8.1 and UEFI. I went on the net, searched, and found some instructions on how to install Linux Mint Debian. I did not try to install Debian Wheezy on it; I already have it on my other PC. I used Mint Debian on the notebook with some command instructions. It worked for some time, then it did not: it refused to boot again into Linux Mint Debian, so I left it until I came back from my photo-shoot trip.

I got this program, PARTED MAGIC. It is free and Linux-based, and there are many out there for free: http://pcsupport.about.com/od/toolsofth ... ftware.htm

What I found out is that you have to erase the drive to zeros if you have an OEM notebook or PC. I loaded Windows 7 and Linux next to it... like I said, it worked for some time and then it wouldn't let GRUB load at all, only Windows. I did some searching, with no luck after all.

It's just that Windows 8.1 has a recovery partition in it and that is a problem!! You have to erase the SSD drive to zeros before you load up 2 OSes... TURN OFF UEFI AT BIOS FIRST and then load up... Now it boots Windows 7 and Linux, and now I can go do my photo work on site at festivals.
I got all the drivers from Toshiba and other websites. ONLY IF IT IS A NOTEBOOK OR A PC WITH AN OEM INSTALL ALREADY, ERASE IT TO ZEROS. IF IT IS YOUR OWN BUILD IT IS OK, BUT I HAVEN'T DONE THAT ONE YET... I WILL LET YOU KNOW WHEN IT HAPPENS. It is the best way!! No future problems, it works, and it is the best so far for me: no files left behind by Windows 8.1!!!!

The Secure Boot settings are stored on the motherboard NVRAM rather than the hard drive so erasing the drive will have no effect on that whatsoever.

The OP is somewhat dated and misleading -- the ability to disable Secure Boot is part of the UEFI specification and it is perfectly possible to create your own Secure Boot keys and signed bootloader & kernel image so there is no need to rely on either the shim project or Microsoft's licence fee.

http://www.rodsbooks.com/efi-bootloader ... eboot.html
Head_on_a_Stick
 
Posts: 7906
Joined: 2014-06-01 17:46
Location: /dev/chair
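
The point in the reply above, that Secure Boot state lives in firmware NVRAM and not on the disk, as an added example that is not part of the original post: on Linux the UEFI variables are exposed through efivarfs, and this script classifies the state from the `SecureBoot` and `SetupMode` variables. The state names and the `make_sample` helper are assumptions of the example, and the sample variable files are constructed.

```sh
#!/bin/sh
# Added example: classify Secure Boot state from UEFI variables (efivarfs layout).
# Each efivarfs file is a 4-byte little-endian attribute word followed by the data.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# efivar_byte DIR NAME: print the first data byte of a variable, or fail.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 1          # file too short to hold a data byte
    printf '%s\n' "$v"
}

# secure_boot_state [DIR]: print enforcing, disabled, setup-mode or no-efi-vars.
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    sb=$(efivar_byte "$dir" SecureBoot) || { echo no-efi-vars; return 0; }
    sm=$(efivar_byte "$dir" SetupMode) || sm=0
    if [ "$sm" = 1 ]; then
        echo setup-mode      # no platform key enrolled; the owner can enrol one
    elif [ "$sb" = 1 ]; then
        echo enforcing       # firmware only starts binaries its key databases trust
    else
        echo disabled        # keys may be enrolled, but verification is switched off
    fi
}

# make_sample DIR SECUREBOOT SETUPMODE: write constructed variable files
# (attributes 0x06 = boot-service + runtime access, then one data byte).
make_sample() {
    mkdir -p "$1"
    printf '\006\000\000\000'"\\00$2" > "$1/SecureBoot-$EFI_GLOBAL"
    printf '\006\000\000\000'"\\00$3" > "$1/SetupMode-$EFI_GLOBAL"
}

# Demo on constructed data, then on the machine this runs on.
tmp=$(mktemp -d)
make_sample "$tmp/oem" 1 0
echo "constructed OEM firmware: $(secure_boot_state "$tmp/oem")"
echo "this machine:             $(secure_boot_state)"
rm -rf "$tmp"
```

`no-efi-vars` means the system was booted in legacy BIOS/CSM mode or efivarfs is not mounted; wiping or repartitioning the disk changes none of these values.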
