LinuxQuestions.org


snmcdonald 12-10-2012 07:41 PM

UEFI Frustration
 
I am sure you are all aware of the secure UEFI limitations, but I wanted to vent a bit.

I was playing with my new laptop and I thought it would be fun to experiment with a UEFI installation.

Code:

# Loop-mount the ISO image, mount the USB stick, then copy the ISO contents over
mount -o loop archlinux-2012.12.01-dual.iso /media/iso
mount /dev/sdf /media/usb
cp -r /media/iso/* /media/usb

When I set up my Arch Linux USB for UEFI and rebooted, I received:

Quote:

"1. USB HDD: SanDisk has been blocked by the current security policy" [OK]

When I reset the motherboard for a legacy BIOS using the normal procedure it works fine.

Code:

dd if=archlinux-2012.12.01-dual.iso of=/dev/sdf bs=512k

I guess I am SOL with UEFI. It's not a big deal because I didn't want my Windows 8 partition. I am a little frustrated with the secure UEFI locking down my PC that I paid for. PCs seem to be going like Apple.

Oh well, I paid the Windows tax. At least they still allow for legacy boot options.

The legacy BIOS seems to boot faster than UEFI, I just thought it would be nice to experiment with my laptop's new firmware.

snmcdonald 12-10-2012 07:54 PM

Quote:

The Linux Foundation has announced plans to provide a general purpose solution suitable for use by Linux and other non-Microsoft operating systems. The group has produced a minimal bootloader that won't boot any operating system directly. Instead, it will transfer control to any other bootloader—signed or unsigned—so that that can boot an operating system.

On the face of it, this bootloader could be used to circumvent the security of Secure Boot. The entire point of Secure Boot is that it doesn't allow unsigned (and potentially malicious) code to be run before the operating system is started. To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge.

Linux Foundation to offer signed solution for UEFI Secure Boot conundrum

I guess I'll wait until this trickles down to the major distros...

Or use Fedora...

Quote:

What Fedora ended up doing was using Microsoft's secure boot key signing services through their sysdev portal for one-off $99 fee.
Linus Torvalds on Windows 8, UEFI, and Fedora

Hopefully, PCs continue to get legacy BIOS options in the meantime.

TobiSGD 12-10-2012 08:38 PM

And again it goes. You are not restricted by the UEFI firmware, but by the Secure Boot function. This is why it works in legacy BIOS mode (which doesn't support Secure Boot). Just disable Secure Boot in the firmware setup. If you have a laptop with a Windows 8 logo somewhere on it there must be such an option; if there isn't such a logo it depends on your luck if that option exists.
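
The distinction drawn in the post above (UEFI boot versus the Secure Boot function) can be checked from a running Linux system. The following is an added example, not part of any post in this thread: it reads the standard `SecureBoot` and `SetupMode` UEFI variables through efivarfs, and `make_fake_efi` is a hypothetical helper that builds constructed sample data for trying it on a machine without UEFI.

```shell
#!/bin/sh
# Added example: report firmware boot mode and Secure Boot state on Linux.
# GUID of the UEFI global variables (defined by the UEFI specification).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte DIR NAME: print the one-byte value of a UEFI global variable.
# An efivarfs file holds 4 bytes of attributes followed by the data.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] && echo "$v"
}

# secure_boot_state [SYSFS_EFI_DIR]: print one of
#   legacy          booted through BIOS/CSM, Secure Boot does not apply
#   uefi-unknown    UEFI boot, but the SecureBoot variable is unreadable
#   uefi-setup-mode no Platform Key enrolled, so keys can be enrolled
#   uefi-sb-on      Secure Boot is enforcing
#   uefi-sb-off     UEFI boot with Secure Boot disabled
secure_boot_state() {
    efi="${1:-/sys/firmware/efi}"
    [ -d "$efi" ] || { echo legacy; return 0; }
    sb=$(efivar_byte "$efi/efivars" SecureBoot) || { echo uefi-unknown; return 0; }
    setup=$(efivar_byte "$efi/efivars" SetupMode) || setup=0
    if [ "$setup" = 1 ]; then echo uefi-setup-mode
    elif [ "$sb" = 1 ]; then echo uefi-sb-on
    else echo uefi-sb-off
    fi
}

# make_fake_efi DIR SB SETUP: constructed sample tree (hypothetical helper),
# writing attribute bytes 06 00 00 00 followed by the given 0/1 value.
make_fake_efi() {
    mkdir -p "$1/efivars"
    { printf '\006\000\000\000'; printf "\\00$2"; } > "$1/efivars/SecureBoot-$EFI_GLOBAL"
    { printf '\006\000\000\000'; printf "\\00$3"; } > "$1/efivars/SetupMode-$EFI_GLOBAL"
}

# Report the state of the machine this script runs on.
secure_boot_state "$@"
```
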

Ztcoracat 12-11-2012 12:09 PM

Quote:

Originally Posted by TobiSGD (Post 4846656)
And again it goes. You are not restricted by the UEFI firmware, but by the Secure Boot function. This is why it works in legacy BIOS mode (which doesn't support Secure Boot). Just disable Secure Boot in the firmware setup. If you have a laptop with a Windows 8 logo somewhere on it there must be such an option; if there isn't such a logo it depends on your luck if that option exists.

I see that you have been explaining this over and over. It must be a redundant practice by now for you-
I tip my hat to you TobiSGD; you're good at what you do!

Have a good week!

snmcdonald 12-11-2012 06:18 PM

Unfortunately, Acer does not allow the secure boot to be disabled. The option is greyed out and unselectable.

TobiSGD 12-11-2012 07:51 PM

What is the exact model name of that machine?

snmcdonald 12-12-2012 06:41 PM

Thank you for your help.

I contacted Acer about the issue. They recommended that I upgrade my BIOS. Unfortunately, the BIOS flash only supports Windows 8.

I made a FreeDOS image with a new and older version of the BIOS.

I am currently at BIOS version 2.02. My computer upgrades can be found here: http://support.acer.com/us/en/produc...1&modelId=4244

The newer version 2.06 (Windows 8) says it will not run in DOS mode.

The older version 1.07 says that it is less than the current version and is protected.

I have played with the flags and attempted to disable the version comparison and disable model comparison but I am still having no luck.

Ztcoracat 12-13-2012 11:09 AM

Quote:

Originally Posted by snmcdonald (Post 4847336)
Unfortunately, Acer does not allow the secure boot to be disabled. The option is greyed out and unselectable.

Does Acer have some kind of a lock or encryption on the bootloader/MBR?
Just trying to understand-
What make and model is it?

snmcdonald 12-13-2012 03:28 PM

Product Family: Notebook
Product Line: Aspire
Product Model: Aspire V3-551

The customer rep assured me once my BIOS is updated that the option to disable secure boot will become available. The version that shipped had secure boot locked on.

Ztcoracat 12-13-2012 03:44 PM

Quote:

Originally Posted by snmcdonald (Post 4848817)
Product Family: Notebook
Product Line: Aspire
Product Model: Aspire V3-551

The customer rep assured me once my BIOS is updated that the option to disable secure boot will become available. The version that shipped had secure boot locked on.

Ahh...I see; have you been successful at updating the BIOS?
Did the representative or tech walk you through it?

snmcdonald 12-13-2012 03:51 PM

TobiSGD is correct. I need to disable secure boot. The customer representative identified that the current BIOS has secure boot locked and I need to update my BIOS. Since the problem has changed I have created a new thread at http://www.linuxquestions.org/questi...31#post4848831

snmcdonald 12-13-2012 03:54 PM

Quote:

Originally Posted by Ztcoracat (Post 4848828)
Ahh...I see; have you been successful at updating the BIOS?
Did the representative or tech walk you through it?

I don't think he could walk me through it as I do not have Windows 8 on my machine. I suppose I could see if they could send an OEM version of Windows 8 to me.

I have not been successful.

snmcdonald 12-15-2012 12:16 PM

Update: I managed to flash the BIOS without Windows 8; see my post here.

So the Acer tech lied (surprise surprise). I am currently running the latest BIOS and secure boot is mandatory (no option to disable) if running UEFI.

commandguru 12-15-2012 04:24 PM

hi

If we want to install linux we must disable secure boot first, right? And once this is done, the bios will let us install any distro and we don't have to worry about signed keys. Is my assumption correct?

snmcdonald 12-15-2012 05:07 PM

Quote:

Originally Posted by commandguru (Post 4850061)
hi

If we want to install linux we must disable secure boot first, right? And once this is done, the bios will let us install any distro and we don't have to worry about signed keys. Is my assumption correct?

Yes, you are correct. Unfortunately, Acer has locked "secure boot" to enabled on my laptop (Acer V3-551).

commandguru 12-15-2012 05:32 PM

Quote:

Originally Posted by snmcdonald (Post 4850069)
Yes, you are correct. Unfortunately, Acer has locked "secure boot" to enabled on my laptop (Acer V3-551).

It's too bad we can't tell what companies have secure boot locked to enabled without buying it. It is a conspiracy against linux and other alternative operating systems. I will keep in mind to stay away from Acer. BTW, if anyone has secure boot locked to enabled, please provide make and model so we don't get screwed.

thanks

TobiSGD 12-15-2012 06:29 PM

Quote:

Originally Posted by commandguru (Post 4850079)
It's too bad we can't tell what companies have secure boot locked to enabled without buying it.

You can. Any x86 machine that has a Windows 8 Logo certification must have the option to disable Secure Boot and to manage your own keys.

snmcdonald 12-15-2012 09:18 PM

Quote:

Originally Posted by TobiSGD (Post 4850108)
You can. Any x86 machine that has a Windows 8 Logo certification must have the option to disable Secure Boot and to manage your own keys.

Does this apply to amd64 machines? My Acer definitely has the Windows 8 Logo certification.

It could be a coincidence on Acer's part... My Acer tech support query has been elevated to level 2, but I must wait until Monday till level 2 techs are available. Level 1 wanted my BIOS upgraded before proceeding.

TobiSGD 12-15-2012 09:36 PM

Quote:

Originally Posted by snmcdonald (Post 4850159)
Does this apply to amd64 machines? My Acer definitely has the Windows 8 Logo certification.

Yes, it applies to x86 and x86-64 (aka amd64, EM64T or x64) machines. If you have the logo and there isn't an option to disable Secure Boot, then this is a fraud from Acer and you should even be able to sue them.

Ztcoracat 12-15-2012 09:51 PM

I second that; sue; indubitably-
:hattip:

snmcdonald 12-15-2012 09:55 PM

Quote:

Originally Posted by TobiSGD (Post 4850170)
Yes, it applies to x86 and x86-64 (aka amd64, EM64T or x64) machines. If you have the logo and there isn't an option to disable Secure Boot, then this is a fraud from Acer and you should even be able to sue them.

ACER BIOS INFORMATION
http://i1353.photobucket.com/albums/...5F1EF89C3C.jpg

LEGACY BOOT (FOR COMPARISON)
http://i1353.photobucket.com/albums/...5DD18CA276.jpg

UEFI SECURE BOOT ENABLED (LOCKED IN AND GRAYED OUT)
http://i1353.photobucket.com/albums/...5DC77B0457.jpg

UEFI SECURE BOOT ENABLED (LOCKED IN AND GRAYED OUT) CLOSE UP
http://i1353.photobucket.com/albums/...5DC48E0340.jpg

As you can see it's grayed out. Unlike the other options, I am unable to toggle it.

That makes me mad to hear that I should be able to unlock secure boot. I don't want to sue them, I would just like to disable it.

Ztcoracat 12-15-2012 10:18 PM

Quote:

Originally Posted by snmcdonald (Post 4850177)
LEGACY BOOT (FOR COMPARISON)
http://i1353.photobucket.com/albums/...5DD18CA276.jpg

UEFI SECURE BOOT ENABLED (LOCKED IN AND GRAYED OUT)
http://i1353.photobucket.com/albums/...5DC77B0457.jpg

UEFI SECURE BOOT ENABLED (LOCKED IN AND GRAYED OUT) CLOSE UP
http://i1353.photobucket.com/albums/...5DC48E0340.jpg

As you can see it's grayed out. Unlike the other options, I am unable to toggle it.

That makes me mad to hear that I should be able to unlock secure boot. I don't want to sue them, I would just like to disable it.

I did a Google Search "How to unlock secure boot when it is grayed out"

https://www.google.com/#hl=en&sugexp...w=1440&bih=736
Still looking to try to help-

snmcdonald 12-15-2012 10:22 PM

I'll post back next week when I get a hold of Acer Tech Level 2 support. :S

Quote:

Their complaints are that 1) Microsoft will require hardware vendors to enable Secure Boot on machines in order to obtain the Windows 8 compatibility logo and 2) Microsoft is leaving it up to the hardware vendors as to whether the user will be able to disable the feature, and whether/what other operating system certificates will be installed in the firmware.
http://www.windowsecurity.com/articl...s-mean-IT.html

If I learned anything from this: make sure you play with the BIOS settings before you buy.

commandguru 12-16-2012 06:47 PM

Quote:

Originally Posted by snmcdonald (Post 4850181)
If I learned anything from this: make sure you play with the BIOS settings before you buy.

Difficult to check if secure boot can be enabled or disabled when buying a desktop/laptop online.

Quote:

Microsoft is leaving it up to the hardware vendors as to whether the user will be able to disable the feature, and whether/what other operating system certificates will be installed in the firmware.

100% BS. Boy, their noses are getting longer and longer each day. I wonder what extra incentives MS gives the OEMs to lock down secure boot even if it has the logo. Hey MS, don't BS me, OK...

snmcdonald 12-17-2012 08:27 PM

Acer Tech Level 2 support informed me that a BIOS password must be set to disable secure boot.

Strange as I have never put a password on the BIOS before.

I have a bad tendency to forget passwords that I never use. I wrote the password on the back of the laptop.

Ztcoracat 12-17-2012 08:38 PM

Quote:

Originally Posted by snmcdonald (Post 4851343)
Acer Tech Level 2 support informed me that a BIOS password must be set to disable secure boot.

Strange as I have never put a password on BIOS before.

I have a bad tendency to forget passwords that I never use. I wrote the password on the back of the laptop.

It's good that you wrote that password down-
Have you now the Secure Boot disabled?

snmcdonald 12-17-2012 08:46 PM

Quote:

Originally Posted by Ztcoracat (Post 4851349)
It's good that you wrote that password down-
Have you now the Secure Boot disabled?

Yes I have secure boot disabled. An administrative BIOS password is necessary to disable secure boot.

TobiSGD 12-17-2012 08:54 PM

Thanks for posting back. While I can see the reason for setting up that password when disabling Secure Boot, this should without any question have at least been documented in the manual.

commandguru 12-18-2012 10:15 AM

great work snmcdonald this is good to know

snmcdonald 12-18-2012 04:19 PM

Quote:

Originally Posted by TobiSGD (Post 4851357)
Thanks for posting back. While I can see the reason for setting up that password when disabling Secure Boot, this should without any question have at least been documented in the manual.

Good luck with that. I mentioned that to the Level 2 Tech. Acer provides a KB article on disabling secure boot but does not mention this caveat. I recommended adding a footnote at the very least.

I talked to three different level 1 techs and the one that recommended me to level 2 did not write up an advance notice so I had to re-explain the whole scenario on Monday to another level 1 tech. I doubt they will record it, hopefully somebody with this Acer problem stumbles upon this thread.

Quote:

great work snmcdonald this is good to know

Thanks Command Guru

I do feel stupid though, the solution is so simple. I've never bothered with BIOS passwords though.


All times are GMT -5.