
Panic Button – EFI woes


Thank you to all at Linux Unplugged who chimed in to give their advice, as well as Rod Smith on SuperUser who provided an extensive, spot-on answer even given my mostly incorrect description and assumptions.

I’ll admit that I panicked when I sent the piece in, as I might have just turned a friend’s PC into a brick in the very first hour we bought it! Luckily he himself is already comfortable using Linux; he just hadn’t installed it in a very long time, so he had the patience and the Windows-aversion to bear with me.

It turns out, this had nothing to do with Secure Boot, and after this saga, I have a slightly better understanding of what Secure Boot is, what scenarios it’s meant to apply in, and what went wrong…

It turns out the issue was not Secure Boot at all, but EFI… and partitions.

Secure Boot

The first thing to note is that Secure Boot is designed to prevent the machine from loading and running a kernel (Windows, Linux or other) that does not carry a valid software signature. Such a situation could arise if a piece of malware attacked the system and replaced the original kernel with an infected one.

Tying it into Windows, or any operating system for that matter, would be counter-productive, as a carefully crafted malware would then be able to take advantage of this. What Secure Boot would not prevent is someone with physical access to the machine turning it off, and installing their own software. This is a decision from the manufacturer level, and one which may yet go away, though we’ll have to wait and see.

This feature is turned off directly in the BIOS – not in Windows. All the pieces about “Installing Linux alongside/instead of Windows 8” that tell you that you need to go through Windows to turn on a feature to reboot into the UEFI control screen to turn off Secure Boot and turn on legacy mode are… apparently “wrong”. You do not need to do it this way, it’s just the most screen-capture new-user friendly way of explaining things.

Indeed, we wouldn’t even have needed to turn off any of these features in the BIOS at all — Ubuntu and Fedora both carry the requisite signatures to boot into and install.

The fact that we had succeeded in booting and installing Ubuntu should have been an indicator to me, and the LUP mumble room picked up on this very fast.

What you do need to know is what button to press when the manufacturer logo appears on screen during bootup – on Lenovos, it is almost invariably F2. I think on Dells it’s F10 or F12.

EFI

The real issue was EFI. Rod Smith seems to have known quite a thing or two about EFI booting since the earliest days. If you install Ubuntu with the default options, it turns out everything works just fine and peachy. So what did I do wrong?

The setup I had gone for was to separate / and /home into their own partitions. Not a problem – but in doing this I did not cater for one requirement of EFI booting – namely the creation of a separate EFI boot partition, which needs to be a FAT32 partition, probably physical, of at least around 512MB.

This is a requirement that came with the new (U)EFI setups which, as far as I know, can’t be turned off.

So given the time pressure I was under, I didn’t play around with this too long – I re-installed Ubuntu with the default settings and let the installer do the partitioning automatically, which resulted in a successful boot into our chosen distro.
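A check that could be run from the installer's live session before rebooting, as an added example that is not part of the original post: it reads `lsblk` output and reports whether the layout contains a partition typed as an EFI System Partition, formatted FAT, and at least the 512MB mentioned above. The function names and both sample layouts are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the post): look for a usable EFI System Partition (ESP)
# in `lsblk -P -b -o NAME,FSTYPE,SIZE,PARTTYPE` output read from stdin.

ESP_GUID="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"  # GPT partition type GUID of an ESP
MIN_BYTES=$((512 * 1024 * 1024))                 # size figure taken from the post

# field KEY LINE: print the value of KEY="value" from one lsblk --pairs line.
field() {
  printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# Prints one verdict per ESP candidate; returns 0 if at least one is usable.
check_esp() {
  rc=1
  while IFS= read -r line; do
    ptype=$(field PARTTYPE "$line" | tr 'A-Z' 'a-z')
    # 0xef is the ESP type on MBR-partitioned disks.
    case $ptype in "$ESP_GUID"|0xef) ;; *) continue ;; esac
    name=$(field NAME "$line"); fstype=$(field FSTYPE "$line")
    size=$(field SIZE "$line"); size=${size:-0}
    if [ "$fstype" != vfat ]; then   # lsblk reports FAT filesystems as "vfat"
      echo "$name: typed as ESP but filesystem is '${fstype:-none}', not FAT"
    elif [ "$size" -lt "$MIN_BYTES" ]; then
      echo "$name: ESP is only $((size / 1048576)) MiB"
    else
      echo "$name: ESP ok"; rc=0
    fi
  done
  [ "$rc" -eq 0 ] || echo "no usable ESP in this layout"
  return "$rc"
}

# Constructed sample: manual layout like the one in the post (/ and /home only).
CUSTOM='NAME="sda1" FSTYPE="ext4" SIZE="53687091200" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4"
NAME="sda2" FSTYPE="ext4" SIZE="446676598784" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4"'
# Constructed sample: the same disk with a 512 MiB FAT32 ESP in front.
WITH_ESP='NAME="sda1" FSTYPE="vfat" SIZE="536870912" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"
NAME="sda2" FSTYPE="ext4" SIZE="53687091200" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4"'

for layout in "$CUSTOM" "$WITH_ESP"; do
  printf '%s\n' "$layout" | check_esp || echo "-> add an ESP before rebooting"
done
```

On a real machine the input would come from `lsblk -P -b -o NAME,FSTYPE,SIZE,PARTTYPE` piped into `check_esp`.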

Having seen my friend’s new toy in action, I am now moved to buy one similar myself. Should I do so, I will be at much greater liberty to play around with different setups, and test various install scenarios on it, without someone else breathing down my neck.

I will, of course, post complete write-ups of this when I do.

The lessons I took away

  1. When panicking, stop panicking.
  2. Try the defaults

Every costly mistake is a learning opportunity. Just don’t make them too costly.
