WARNING! Mainboard MSI B550-A Pro: UEFI update excludes Linux from boot by enabling "secure boot"

If you have a mainboard "MSI B550-A Pro", Linux is installed on this system, and you want to update UEFI pay attention to following:

• UEFI update enables "Secure Boot" without any message. This prevents FOSS software from boot.
• If you have a dual boot setup with Linux & Windows, UEFI update sets "Windows Boot Manager" to default boot. If you don't prevent Windows from boot it will disable your system for Linux with its ugly "Secure Boot" stuff.

To avoid excluding Linux from your system with a "MSI B550-A Pro" after an UEFI update follow these steps:

1. After completion of UEFI update system reboots. Hit <Del>-key during reboot to enter UEFI. You have repeatedly hit <Del>-key "blind" because UEFI shows its boot screen only for a very short time.
2. IMPORTANT! If you miss the point to enter UEFI and Windows starts switch off your computer immediately! Power on your computer again and try to enter UEFI.
3. Disable "Secure Boot" in UEFI ("SETTINGS > Advanced > Windows OS Configuration > Secure Boot" sub-menu) and set all other values (e.g. DRAM frequency; SVM Mode; …) to desired values because UEFI update reset all values to factory defaults. Unfortunally any "Linux boot" entry isn't offered in "SETTINGS > Boot" sub-menu. Disable "Windows Boot Manager" entry. Select proper boot device for installation medium of your Linux distro instead.
4. Insert installation medium of your Linux distro.
5. Hit <F10>-key and boot your system with installation medium of your Linux distro in UEFI mode.
6. Reinstall GRUB2 or elilo.
7. Reboot and enter UEFI like described above.
8. Select "Linux boot" entry in "SETTINGS > Boot" sub-menu. If Windows is installed too you have to switch from "Windows Boot Manager" to "Linux boot" entry in "SETTINGS > Boot > UEFI Hard Disk Drive BBS Priorities" sub-menu.

Arnulf,

Thanks for the info.

I think it would be a good idea to create a LQ blog for this post.

I've an MSI Mag B550M Bazooka, so I presume your warning applies. Thanks for the news. I won't update.

I only got somewhere by making Slackware boot entry #0000 after removing the option to boot windows, /boot/efi/EFI/Microsoft, and the /boot/efi/EFI/Boot directory. Then I could get Slackware to boot by default. I could then put them back but it still defaults to Slackware. Slackware is now option #0000.

Don't many motherboards that use UEFI default to secure boot? When changing a mobo in a system or updating it's firmware I always go in and "Load optimized defaults", then disable secure boot first thing. Are things different when you dual boot with Windows? All my systems are Linux only. Sometimes I am asked to fix a friends computer that is running Windows. I boot from a Linux Live-CD, but usually have to go into their UEFI and turn off secure boot and enable legacy support to get the system to boot from a CD. Then things boot fine from the Live-CD. After doing my Live-CD work, I go back into UEFI and enable secure boot again and disable legacy support (if I had to change that in the first place).

But all my experience is with a Linux only, or a Windows only, computer. I haven't dual booted anything for a long time - back before UEFI was available and everything was BIOS. Does dual booting complicate things around secure boot?

Based on a sample size of 4 brands and 7 motherboards made between 1 & 8 years ago, I'm pretty sure all recent motherboards reset boot mode, by whatever name, to secure Windows, for any kind of reset, including the motherboard switch or jumper, or removing the CMOS battery while PSU unpowered. Grub need not be "reinstalled". All that should be needed is to recreate an entry in NVRAM using efibootmgr. If you're not shy of opening the cover, a little effort can be saved by detaching all removable bootable media before first boot following reset, then after the first trip through the BIOS ready for first boot, attach only removable Linux boot media for at least one boot before attaching any non-removable media Linux will boot from. Before starting, be sure to know what your computer's BBS menu hotkey is.

Quote:

Originally Posted by mrmazda Grub need not be "reinstalled". All that should be needed is to recreate an entry in NVRAM using efibootmgr.

"reinstall" means in case of GRUB2 something like:
grub-install --target x86_64-efi --efi-directory=/mnt/efi --bootloader-id=Linux_GRUB2
"reinstall" doesn't mean that packages must be reinstalled.
efibootmgr is another option to recreate a "Linux boot" entry in NVRAM.

That box is my 2nd with UEFI, but I had to disable UEFI on trhe first because the software wasn't there and my BIOS were extremely hostile. Format the HD with fdisk if you want to go there. The Bios resets to a Windows default if Windows is there. That's why I had to take windows out teetotally, and then I got Slackware as default and windows as an option.

I don't boot Windows (it's win11 now), except for updates, but it's handy for those who know nothing else. If you show them a linux GUI, they stop and won't attempt stuff. It's not that they can't figure the linux GUI, they're smart enough to do that. They seem afraid to try. They're no 1 below.

Quote:

USER, n: A person trying to work a computer. They come in 3 categories Beginner: Is afraid to do anything in case they press a key which breaks the whole computer. Intermediate: Doesn't know what to do after they press a key that breaks the whole computer. Expert: Breaks other people's computers.

I take new computer builds down to their most basic hardware configuration before initial booting and OS install. My desktop died recently and I just installed a new-to-me mobo (which fixed the problem after many attempts replacing other things previously). I bought a new SSD just for grins. They're cheap, and I like the idea of starting fresh and upgrading capacity.

So I unplugged the old SSD, the old HDD, one of the two DVD drives, and every other optional component and add-in card. Installed the new SSD, inserted a DVD with LinuxMint 21, and went into UEFI to turn off secure boot and enable boot from CD/DVD. Installed Mint. Because none of my old storage was attached there was no confusion for the Mint installer. It saw a clean slate with no previous OS installs running interference. Then I reconnected my old storage and I'm in the process of moving files to the new SSD now, and re-installing the apps that I need.

This level of component disconnection is fine when you're starting anew from scratch, but shouldn't really be necessary for a simple mobo BIOS upgrade. I must be way out of date in my understanding of BIOS/UEFI. I thought all the mobo did was choose which device to boot from, but was not directly involved in the actual boot process itself other than secure boot disabling some devices from being bootable in the first place - the fix being to disable secure boot.