[SOLVED] BIOS - disabling Secure Boot when UEFI Boot Mode is active

abga · 02-25-2018, 02:44 PM

I was using the Slax Linux live image for ages. The Slax developer considered recently to switch from Slackware to Debian as the base for his Live image and I was looking at AlienBob's Slackware Live images for an alternative. (constantly following his inputs on the subject here on the LQ Forum too)

Recently I had a short intervention in this thread:
https://www.linuxquestions.org/quest...3/#post5823689
and considered this UEFI-SecureBoot an actual and interesting topic to talk about. By trying not to interfere (off-topic) with the thread above, I just opened a new one.

A little background, I've always tried to avoid using the UEFI extension and configured the BIOS Boot Mode to Legacy. In the last period I started to fiddle with UEFI and SecureBoot and got into some scenarios in which I was unable to disable this SecureBoot once UEFI Boot Mode was active. There were some recent Intel KabyLake systems (laptops/desktops) on which the SecureBoot was active and greyed out (unable to disable it). Some of these systems were preloaded with Windows 10 and presumably had already a platform key provisioned.
https://en.wikipedia.org/wiki/Unifie...ce#Secure_boot

I did some research about this SecureBoot and got some explanations, ways to disable it, that I'll try to categorize in 3 sections:

1. There must be a Supervisor Password defined in order to be able to disable SecureBoot - tested this on an Acer i7 KabyLake system, unfortunately the only system, out of the ones I had issues disabling SecureBoot, that I still have access on:
https://community.acer.com/en/discus...cure-boot-mood

2. On a system on which Windows 8/10 was already installed you'll need to remove the key from within the tools/menus that Windows 8/10 is providing in order to be able to disable the SecureBoot. (a Supervisor Password - as in point 1 might override this - have nowhere to test it):
https://h30434.www3.hp.com/t5/Notebo...t/true#M432145
https://www.top-password.com/knowled...y-support.html

3. All the other scenarios in which the vendor (usually on cheaper "Win"-systems that were preloaded with win 8/10) has disabled this SecureBoot switching in the BIOS, the BIOS might need an update, etc.:
https://ubuntuforums.org/showthread.php?t=2129119
https://www.asus.com/support/FAQ/1016356/

This post/thread is pure informative and therefore I'll put it on resolved. However, feel free to correct me, complete it, add your experiences, etc.
Thanks in advance for your attention & feedback

P.S. I don't know exactly what it takes for AlienBob to register (sign) his work and use SecureBoot. This post might have no value at all once that is done.

jefro · 02-27-2018, 06:57 PM

More general information.

Almost every bios is different so your mileage may vary. Ways to or if at all possible may depend on the writer of the bios code.

Bios may have a few key positions available. You may not have to delete windows keys.

I get the feeling I have read about a way to use a different distro that has keys to get your distro running.

As with legacy bios, we may never see common code being used.

https://www.linux.com/sites/lcom/fil..._platforms.pdf

https://www.pcworld.com/article/2951...t-enabled.html

https://wiki.archlinux.org/index.php...ed_boot_loader

abga · 02-28-2018, 05:46 PM

Thank you jefro for the completion!

I was in total denial about this UEFI extension for the past years and missed some of the developments. I'm still configuring the BIOS Boot Mode on Legacy (hopefully I'll be still able to do it on future systems) and using the lilo boot loader under Slackware.

You're right, the ability to disable this SecureBoot feature is at the discretion/mercy of the BIOS vendor and is not a prerequisite for Windows 10 anymore. Therefore, on these new "Win10 designed" systems the vendor might "forget" to give the user the ability to disable SecureBoot.
I also had no clue about the ability to store more platform keys and asked myself how can you have a dual OS system booting on UEFI using SecureBoot, this ability seems also to be something only the vendor can decide upon.

This article is condensed and covers some aspects of the SecureBoot feature:
https://www.howtogeek.com/116569/htg...ans-for-linux/
"For Windows 10 PCs, this is no longer mandatory. PC manufacturers can choose to enable Secure Boot and not give users a way to turn it off. However, we’re not actually aware of any PC manufacturers that do this."

Out of the article above I also learned what it takes for a Linux distribution to get its shim signed by Microsoft (the only commercial company that embraced the signing, RedHat apparently had no time/competencies/interest to get involved):
"Linux distributions can pay a one-time fee of $99 to access the Microsoft Sysdev portal, where they can apply to have their boot loaders signed."
And some goats are needed too:
https://wiki.debian.org/SecureBoot#Sacrifice_goats

RE P.S.
@ AlienBob - sorry for the P.S. in my original post, I understand now that it was a (very) wrong question