LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 12-10-2012, 07:41 PM   #1
snmcdonald
Member
 
Registered: Jul 2011
Location: Canada
Distribution: Debian, Arch
Posts: 55

Rep: Reputation: 0
UEFI Frustration


I am sure you are all aware of the secure UEFI limitations, but I wanted to vent a bit.

I was playing with my new laptop and I thought it would be fun to experiment with a UEFI installation.

Code:
mnt archlinux-2012.12.01-dual.iso /media/iso
mnt /dev/sdf /media/usb
cp -r /media/iso/* /media/usb
When I set up my Arch Linux USB for UEFI and rebooted, I received:

Quote:
"1. USB HDD: SanDisk has been blocked by the current security policy" [OK]
When I reset the motherboard for a legacy bios using the normal procedure it works fine.

Code:
dd if=archlinux-2012.12.01-dual.iso of=/dev/sdf bs=512k
I guess I am SOL with UEFI. It's not a big deal because I didn't want my Windows 8 partition. I am a little frustrated with the secure UEFI locking down my PC that paid for. PCs seem to be going like Apple.

Oh well, I paid the Windows tax. At least they still allow for legacy boot options.

The legacy bios seems to boot faster than UEFI, I just thought it would be nice to experiment with my laptops new firmware.

Last edited by snmcdonald; 12-10-2012 at 07:58 PM. Reason: code correction
 
Old 12-10-2012, 07:54 PM   #2
snmcdonald
Member
 
Registered: Jul 2011
Location: Canada
Distribution: Debian, Arch
Posts: 55

Original Poster
Rep: Reputation: 0
Quote:
The Linux Foundation has announced plans to provide a general purpose solution suitable for use by Linux and other non-Microsoft operating systems. The group has produced a minimal bootloader that won't boot any operating system directly. Instead, it will transfer control to any other bootloader—signed or unsigned—so that that can boot an operating system.

On the face of it, this bootloader could be used to circumvent the security of Secure Boot. The entire point of Secure Boot is that it doesn't allow unsigned (and potentially malicious) code to be run before the operating system is started. To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge.

Linux Foundation to offer signed solution for UEFI Secure Boot conundrum

I guess I'll wait to this trickles down to the major distros...

Or use Fedora...
Quote:
What Fedora ended up doing was using Microsoft's secure boot key signing services through their sysdev portal for one-off $99 fee.
Linus Torvalds on Windows 8, UEFI, and Fedora

Hopefully, PCs continue to get legacy bios options in the mean time.

Last edited by snmcdonald; 12-10-2012 at 07:55 PM.
 
Old 12-10-2012, 08:38 PM   #3
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,581
Blog Entries: 2

Rep: Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037
And again it goes. You are not restricted by the UEFI firmware, but by the Secure Boot function. This is why it works in leagcy BIOS mode (which doesn't support Secure Boot). Just disable Secure Boot in the firmware setup. If you have a laptop with Windows 8 logo somewhere on it there must be such an option, if there isn't such a logo it depends on your lack if that option exists.
 
1 members found this post helpful.
Old 12-11-2012, 12:09 PM   #4
Ztcoracat
Senior Member
 
Registered: Dec 2011
Distribution: Slackware & CentOS
Posts: 2,990
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by TobiSGD View Post
And again it goes. You are not restricted by the UEFI firmware, but by the Secure Boot function. This is why it works in leagcy BIOS mode (which doesn't support Secure Boot). Just disable Secure Boot in the firmware setup. If you have a laptop with Windows 8 logo somewhere on it there must be such an option, if there isn't such a logo it depends on your lack if that option exists.
I see that you have been explaining this over and over. It must be a redundant practice by now for you-
I tip my hat to you TobiSGD; your good at what you do!

Have a good week!
 
1 members found this post helpful.
Old 12-11-2012, 06:18 PM   #5
snmcdonald
Member
 
Registered: Jul 2011
Location: Canada
Distribution: Debian, Arch
Posts: 55

Original Poster
Rep: Reputation: 0
Unfortunately, Acer does not allow the secure boot to be disabled. The option is greyed out and unselectable.
 
Old 12-11-2012, 07:51 PM   #6
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,581
Blog Entries: 2

Rep: Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037Reputation: 4037
What is the exact model name of that machine?
 
1 members found this post helpful.
Old 12-12-2012, 06:41 PM   #7
snmcdonald
Member
 
Registered: Jul 2011
Location: Canada
Distribution: Debian, Arch
Posts: 55

Original Poster
Rep: Reputation: 0
Thank you for your help.

I contacted Acer about the issue. They recommended that I upgrade my BIOS. Unfortunately, the BIOS flash only supports Windows 8.

I made a FreeDOS image with a new and older version of the BIOS.

I am currently at version BIOS 2.02 My computer upgrades can be found here:http://support.acer.com/us/en/produc...1&modelId=4244

The newer version 2.06 (Windows 8) says it will not run in DOS mode.

The older version 1.07 says that it is less than the current version and is protected.

I have played with the flags and attempted to disable the version comparison and disable model comparison but I am still having no luck.

Last edited by snmcdonald; 12-12-2012 at 07:04 PM. Reason: link
 
Old 12-13-2012, 11:09 AM   #8
Ztcoracat
Senior Member
 
Registered: Dec 2011
Distribution: Slackware & CentOS
Posts: 2,990
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by snmcdonald View Post
Unfortunately, Acer does not allow the secure boot to be disabled. The option is greyed out and unselectable.
Does Acer have some kind of a lock or encryption on the bootloader/MBR?
Just trying to understand-
What make and model is it?
 
1 members found this post helpful.
Old 12-13-2012, 03:28 PM   #9
snmcdonald
Member
 
Registered: Jul 2011
Location: Canada
Distribution: Debian, Arch
Posts: 55

Original Poster
Rep: Reputation: 0
Product Family: Notebook
Product Line: Aspire
Product Model: Aspire V3-551

The customer rep assured me once my BIOS is updated that the option to disable secure boot will become available. The version that shipped had secure boot locked on.
 
Old 12-13-2012, 03:44 PM   #10
Ztcoracat
Senior Member
 
Registered: Dec 2011
Distribution: Slackware & CentOS
Posts: 2,990
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by snmcdonald View Post
Product Family: Notebook
Product Line: Aspire
Product Model: Aspire V3-551

The customer rep assured me once my BIOS is updated that the option to disable secure boot will become available. The version that shipped had secure boot locked on.
Ahh...I see; have you been successful at updating the BIOS?
Did the representative or tech walk you through it?
 
1 members found this post helpful.
Old 12-13-2012, 03:51 PM   #11
snmcdonald
Member
 
Registered: Jul 2011
Location: Canada
Distribution: Debian, Arch
Posts: 55

Original Poster
Rep: Reputation: 0
TobiSDG is correct. I need to disable secure boot. The customer representative identified that the current BIOS has secure boot locked and I need to update my BIOS. Since the problem has changed I have created a new thread at http://www.linuxquestions.org/questi...31#post4848831
 
Old 12-13-2012, 03:54 PM   #12
snmcdonald
Member
 
Registered: Jul 2011
Location: Canada
Distribution: Debian, Arch
Posts: 55

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Ztcoracat View Post
Ahh...I see; have you been successful at updating the BIOS?
Did the representative or tech walk you through it?
I don't think he could walk me through it as I do not have Windows 8 on my machine. I suppose I could see if they could send me an OEM version of Windows 8 to me.

I have not been successful.
 
Old 12-15-2012, 12:16 PM   #13
snmcdonald
Member
 
Registered: Jul 2011
Location: Canada
Distribution: Debian, Arch
Posts: 55

Original Poster
Rep: Reputation: 0
Update: I manage to flash the BIOS without Windows 8 see my post here.

So the Acer tech lied (surprise surprise). I am currently running the latest BIOS and secure boot is mandatory (no option to disable) if running UEFI.
 
Old 12-15-2012, 04:24 PM   #14
commandguru
LQ Newbie
 
Registered: Dec 2012
Posts: 4

Rep: Reputation: Disabled
hi

If we want to install linux we must disable secure boot first, right? And once this is done, the bios will let us install any distro and we don't have to worry about signed keys. Is my assumption correct?
 
1 members found this post helpful.
Old 12-15-2012, 05:07 PM   #15
snmcdonald
Member
 
Registered: Jul 2011
Location: Canada
Distribution: Debian, Arch
Posts: 55

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by commandguru View Post
hi

If we want to install linux we must disable secure boot first, right? And once this is done, the bios will let us install any distro and we don't have to worry about signed keys. Is my assumption correct?
Yes you are correct, unfortunately Acer has locked "secure boot" to enabled on my laptop (Acer V3-551).
 
  


Reply

Tags
bios, uefi, uefi booting, windows 8


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Help Creating UEFI A MENU For My Bootable (BIOS/UEFI) CDROM ssenuta Linux - Hardware 0 08-27-2012 09:11 PM
UEFI smoooth103 Slackware 4 04-25-2012 10:03 AM
UEFI alan_ri General 1 11-16-2011 06:03 PM
UEFI alan_ri General 0 11-16-2011 04:19 PM
UEFI and BIOS: What is it really? cruiser General 10 09-27-2011 11:18 AM


All times are GMT -5. The time now is 06:40 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration