I did the same wiped Windows and installed Kubuntu on my laptop. I disabled secure boot, in which I could see no useful value.

My suggestions.

• Keep your firmware in UEFI mode. Take the time to learn it. UEFI is the future; the more people who know this, the better off everyone will be. UEFI has many advantages over BIOS.
• Use GPT rather than MBR. The distinction between primary and extended partitions goes away, and partition/drive size limits are practically non-problems now.
• Disable Secure Boot. It creates a complex layer of hardware-software integration that is cumbersome to maintain and does very little to protect J. Random PCUser from the kinds of attacks s/he is likely to see.
• Install the EFI shell into /boot/efi/EFI/boot. Google for the latest EFI shell version 2. The shell exposes the full miniature operating system that is UEFI. Very cool.

This is a VERY interesting thread Feathers! I hope that others will contribute!

woodsmoke

Thanks guys, some useful suggestions and info.

Pretty much all I can find on the EFI shell is this:
What's the benefit of using UEFI shell rather than the standard Linux utilities to get system information and partition disks?

Is the UEFI shell something that you add after installation, or so you specify some specific options during installation?

Feathers

Unlike BIOS, UEFI is a complete pre-boot environment. The UEFI shell presents a command line that allows you to directly explore and manipulate the firmware. It is completely independent of any installed operating system. If you like to tinker with your PC, the UEFI shell is a good thing to have.

I'd also strongly encourage you to ditch GRUB and use rEFInd as your boot manager. Rod Smith, the rEFInd maintainer, has written extensively about UEFI and also provided a copy of a recently-compiled UEFI 2.0 shell that works on machines with UEFI versions earlier than 2.3.1. I needed this because my laptop is UEFI 2.0.1. The existing binary shells are all too old. You'll want to use this one, too.

I've yet to see a benefit to using rEFInd over GRUB2-EFI. Both are boot managers, GRUB2 is also a boot loader. Both can boot multiple OS's. Both can use really pretty graphical boot menus. GRUB2 also has a GUI config installed in my System Settings.

I had installed and used rEFInd for about a month before I decided that GRUB2 did everything I could do with rEFInd.

The advantage is that it just works straight away. GRUB 2 is complex, finicky, and prone to packaging errors. Many of the dual-boot problems that plague several Linux distributions are related in some way to weird GRUB configurations. Rod discusses these problems on his site.

The Linux kernel is now a self-contained boot loader, as is the Windows kernel. Thus, no separate boot loaders are required. One only needs a boot manager to select from the multiple boot-loadable kernels present on the machine. GRUB tries to do too much: it implements its own boot loader, controlled by its own boot manager. It has a partition addressing scheme that is not like Linux or Windows. It has its own graphics driver modes that sometimes fail on certain UEFI-based hardware. It doesn't boot other operating systems but instead chain loads the boot loader of your chosen operating system. It relies on a pile of scripts that require per-distribution customization to work. GRUB is a great big hack that was necessary in the days of BIOS and non-boot-loadable kernels. Those days are over.

rEFInd automatically locates all bootable kernels for Linux, Mac, and Windows on all available partitions and presents them in a menu. You pick the one you want, and UEFI boots the chosen operating system directly. You can control the menu appearance and OS detection logic via /boot/efi/EFI/refind/refind.conf, but there's likely no reason to change things unless you want to, say, switch from graphical to text mode boot (I do this). You can pass kernel parameters in /boot/refind_linux.conf. And that's all you need to do. Quite elegant, really.

Too bad that rEFInd is written/works only on machines the have UEFI hardware. Could it be 'ported' to non-UEFI PCs?

Alas, no. The entire point of rEFInd is to offer a simplified boot manager that relies on UEFI's ability to directly start an operating system's boot loader. BIOS-based machines have no similar capability, that's why these machines need an intermediate boot loader step provided by the likes of GRUB, LILO, etc.

rEFInd sounds intriguing, Steve, but the UEFI part still concerns me. Matthew Garrat wrote, a couple years ago, that
It turns out that even with Secure Boot turned on bootkits are possible because of how different vendors implement UEFI specifications differently. It seems vendors are doing sloppy work, which is why a German agency sees security problems because:
A couple months before it purchased Skype Microsoft patented its "Legal Intercept" software, which it later deployed on the Linux server farms it created to replace the Skype p2p "supernodes" that were previously used to serve traffic. "Legal Intercept" allows someone at or connected to the servers in the farm to monitor Skype communications. Apparently the encryption is placed on the traffic after the interception.
The person speaking for the German Agency referred to the TPM on Win8 as an "NSA Wet Dream". Indeed.

AG Holder directed Skype to comply with NSA requests. Pres. Obama defended NSA spying on Americans.

So, basically, because EUFI implementation is so vendor dependent, and the vendors appear to be extremely careless, using UEFI appears to be a hit or miss affair. Sort of like Linux back in 1992!

And if that isn't enough, consider that two years ago a Chinese tech company bragged:

I hope you realize that BIOS is no longer used on machines these days. Everything comes with UEFI. You can push most of this into the background by running in BIOS compatibility mode, which results in a non-UEFI-aware operating system installation. But you can't completely eliminate UEFI unless you're willing to reprogram the firmware on your motherboard.

UEFI has come a long way since Garrett's video. No soft|firmware is ever bug-free, of course. Legacy BIOS had its share of bugs. UEFI will also have bugs. This is no reason to stick one's head in the sand

UEFI has many advantages over BIOS, as I've chronicled variously here at KFN. Remember, too, that I also advocate disabling Secure Boot. I recognize I'm in the minority by taking this position, and it's one of the few points of disagreement I have with Garrett. I just don't think Secure Boot is a necessary technology to protect home and small business users from the kinds of attacks they're most likely to encounter.

I've done some reading on rEFInd and it looks elegant, I'd definitely like to try it.

The installation instructions are written for systems with an OS already installed. Should I use a live USB to install rEFInd, then install Kubuntu, or do a normal install (which will probably install GRUB) and then install rEFInd and remove GRUB?

Do a normal install. Then install rEFInd. After that, remove all traces of GRUB. Finally, you'll need to tell APT to ignore all boot managers. The Ubuntu kernels are packaged such that GRUB and/or LILO are recommended dependencies. If GRUB is not on your system, future updates will bring it back. To prevent this, create the file /etc/apt/preferences.d/no-boot-loaders:

Thanks! I'll let you know how that goes when I get the laptop