[SOLVED] UEFI Frustration

snmcdonald · 12-10-2012, 07:41 PM

I am sure you are all aware of the secure UEFI limitations, but I wanted to vent a bit.

I was playing with my new laptop and I thought it would be fun to experiment with a UEFI installation.

Code:

mnt archlinux-2012.12.01-dual.iso /media/iso
mnt /dev/sdf /media/usb
cp -r /media/iso/* /media/usb

When I set up my Arch Linux USB for UEFI and rebooted, I received:

Quote:

"1. USB HDD: SanDisk has been blocked by the current security policy" [OK]

When I reset the motherboard for a legacy bios using the normal procedure it works fine.

Code:

dd if=archlinux-2012.12.01-dual.iso of=/dev/sdf bs=512k

I guess I am SOL with UEFI. It's not a big deal because I didn't want my Windows 8 partition. I am a little frustrated with the secure UEFI locking down my PC that paid for. PCs seem to be going like Apple.

Oh well, I paid the Windows tax. At least they still allow for legacy boot options.

The legacy bios seems to boot faster than UEFI, I just thought it would be nice to experiment with my laptops new firmware.

snmcdonald · 12-10-2012, 07:54 PM

Quote:

The Linux Foundation has announced plans to provide a general purpose solution suitable for use by Linux and other non-Microsoft operating systems. The group has produced a minimal bootloader that won't boot any operating system directly. Instead, it will transfer control to any other bootloader—signed or unsigned—so that that can boot an operating system.

On the face of it, this bootloader could be used to circumvent the security of Secure Boot. The entire point of Secure Boot is that it doesn't allow unsigned (and potentially malicious) code to be run before the operating system is started. To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge.

Linux Foundation to offer signed solution for UEFI Secure Boot conundrum
I guess I'll wait to this trickles down to the major distros...

Or use Fedora...

Quote:

What Fedora ended up doing was using Microsoft's secure boot key signing services through their sysdev portal for one-off $99 fee.

Linus Torvalds on Windows 8, UEFI, and Fedora

Hopefully, PCs continue to get legacy bios options in the mean time.

TobiSGD · 12-10-2012, 08:38 PM

And again it goes. You are not restricted by the UEFI firmware, but by the Secure Boot function. This is why it works in leagcy BIOS mode (which doesn't support Secure Boot). Just disable Secure Boot in the firmware setup. If you have a laptop with Windows 8 logo somewhere on it there must be such an option, if there isn't such a logo it depends on your lack if that option exists.

Ztcoracat · 12-11-2012, 12:09 PM

Quote:

Originally Posted by TobiSGD

And again it goes. You are not restricted by the UEFI firmware, but by the Secure Boot function. This is why it works in leagcy BIOS mode (which doesn't support Secure Boot). Just disable Secure Boot in the firmware setup. If you have a laptop with Windows 8 logo somewhere on it there must be such an option, if there isn't such a logo it depends on your lack if that option exists.

I see that you have been explaining this over and over. It must be a redundant practice by now for you-
I tip my hat to you TobiSGD; your good at what you do!

Have a good week!

snmcdonald · 12-11-2012, 06:18 PM

Unfortunately, Acer does not allow the secure boot to be disabled. The option is greyed out and unselectable.

TobiSGD · 12-11-2012, 07:51 PM

What is the exact model name of that machine?

snmcdonald · 12-12-2012, 06:41 PM

Thank you for your help.

I contacted Acer about the issue. They recommended that I upgrade my BIOS. Unfortunately, the BIOS flash only supports Windows 8.

I made a FreeDOS image with a new and older version of the BIOS.

I am currently at version BIOS 2.02 My computer upgrades can be found here:http://support.acer.com/us/en/produc...1&modelId=4244

The newer version 2.06 (Windows 8) says it will not run in DOS mode.

The older version 1.07 says that it is less than the current version and is protected.

I have played with the flags and attempted to disable the version comparison and disable model comparison but I am still having no luck.

Ztcoracat · 12-13-2012, 11:09 AM

Quote:

Originally Posted by snmcdonald

Unfortunately, Acer does not allow the secure boot to be disabled. The option is greyed out and unselectable.

Does Acer have some kind of a lock or encryption on the bootloader/MBR?
Just trying to understand-
What make and model is it?

snmcdonald · 12-13-2012, 03:28 PM

Product Family: Notebook
Product Line: Aspire
Product Model: Aspire V3-551

The customer rep assured me once my BIOS is updated that the option to disable secure boot will become available. The version that shipped had secure boot locked on.

Ztcoracat · 12-13-2012, 03:44 PM

Quote:

Originally Posted by snmcdonald

Product Family: Notebook
Product Line: Aspire
Product Model: Aspire V3-551

The customer rep assured me once my BIOS is updated that the option to disable secure boot will become available. The version that shipped had secure boot locked on.

Ahh...I see; have you been successful at updating the BIOS?
Did the representative or tech walk you through it?

snmcdonald · 12-13-2012, 03:51 PM

TobiSDG is correct. I need to disable secure boot. The customer representative identified that the current BIOS has secure boot locked and I need to update my BIOS. Since the problem has changed I have created a new thread at http://www.linuxquestions.org/questi...31#post4848831

snmcdonald · 12-13-2012, 03:54 PM

Quote:

Originally Posted by Ztcoracat

Ahh...I see; have you been successful at updating the BIOS?
Did the representative or tech walk you through it?

I don't think he could walk me through it as I do not have Windows 8 on my machine. I suppose I could see if they could send me an OEM version of Windows 8 to me.

I have not been successful.

snmcdonald · 12-15-2012, 12:16 PM

Update: I manage to flash the BIOS without Windows 8 see my post here.

So the Acer tech lied (surprise surprise). I am currently running the latest BIOS and secure boot is mandatory (no option to disable) if running UEFI.

commandguru · 12-15-2012, 04:24 PM

hi

If we want to install linux we must disable secure boot first, right? And once this is done, the bios will let us install any distro and we don't have to worry about signed keys. Is my assumption correct?

snmcdonald · 12-15-2012, 05:07 PM

Quote:

Originally Posted by commandguru

hi

If we want to install linux we must disable secure boot first, right? And once this is done, the bios will let us install any distro and we don't have to worry about signed keys. Is my assumption correct?

Yes you are correct, unfortunately Acer has locked "secure boot" to enabled on my laptop (Acer V3-551).