http://distrowatch.com/weekly.php?issue=20121126#qa
I still hold to my opinion that the true reason for UEFI is to stall the surge in Linux popularity by significantly increasing its ease of installation. And, of course, the method given above ONLY works IF your UEFI menu allows switching to legacy BIOS.
Copied in total here as a backup to the original article:
Secure Boot has arrived
A few weeks ago one of my computers, a desktop machine, called it quits after many productive years of service. Following a respectful period of mourning, I decided to go out and get myself a new desktop computer. Nothing fancy, just a nice low-end box. I settled on HP's Pavilion P6-2310. The machine arrived in a timely manner, I hooked it up and realized that in my haste to get my shopping over with I had forgotten one important detail: Secure Boot.
Secure Boot, in case you missed all the excitement earlier, is a technology which is supposed to protect computer users from malware by ensuring only trusted software can boot on the machine. How this works is, essentially, the computer comes with a security key (or keys) and any operating system or boot loader which we want to run on the machine needs to have a corresponding key. The idea is malware won't be able to sneak onto the computer and get loaded into memory before the operating system. A side effect, which many do not believe to be a coincidence, is operating systems other than Windows 8 are prevented from booting too. For some reason these details had slipped my mind when I was shopping on-line. When I hooked up the new computer and booted for the first time I was suddenly reminded in an unpleasant way.
The first symptom was that I could not boot from any device except the hard disk. I was thrown into the Windows 8 setup process. The manuals which came with the computer do not mention, in any fashion, accessing the BIOS/UEFI, changing boot order or disabling Secure Boot. Typically in the past computers have displayed hints, such as "Press F1 to edit settings" or "Press F9 to change boot device" when they power up. Not in this case; no hints are given and we're left to trial and error. F10, I found, would grant me access to the machine's start-up configuration, but getting my thumb drive to boot took a few steps beyond that.
First I tried to simply change the boot order and was told this was not possible while Secure Boot was enabled. Hunting through the menus I finally found the Secure Boot feature and, selecting it, I was informed (via a big, red warning box) that disabling Secure Boot was dangerous and not recommended. Then I had to disable Secure Boot and re-enable "Legacy" boot options in the proper order and then, finally, I was able to enable specific devices from which I wanted to boot. After that I was able to boot from my thumb drive only if I knew to hold down F9 while the computer was starting up; we're not given that information.
In short, to get to the point where we can attempt to boot an alternative operating system we need to know our way through six steps:
- Boot machine while pressing F10
- Find Secure Boot in the menu tree, ignore warnings
- Disable Secure Boot feature
- Enable legacy boot options
- Enable specific legacy devices, such as USB devices
- Save and reboot while holding down F9
To the more technically minded, this might not seem so bad, but keep in mind these steps are performed without documentation, with no hints and with big warning pop-ups letting the user know what a bad idea disabling Secure Boot is. This is not something the average user is going to know how to do, nor will they likely want to follow through if they read the on-screen messages. This is a problem as much of the growth in the Linux community over the past decade has come from the ease of installing mainstream distributions. Distributions like Fedora and Ubuntu have made setting up a fresh install as simple as "Insert CD -> Click Next -> Next -> Next -> Enter a username and password -> Next". Computers with Secure Boot remove that ease-of-use factor by throwing up hidden options, scary warnings and multiple menu items which must be accessed in a specific order before the user can even get to the "Insert CD" part of the installation process. Certainly, system administrators and more experienced users can work around these barriers, but there is a large portion of the public which is relatively inexperienced and willing to try Linux if it is easy to set up. Secure Boot means Linux is no longer simple to install, or even try, from detachable media.
Now, you might be thinking, as I was, that it was foolish of me to purchase a machine with Secure Boot in the first place. After all, I've been warning people about it for long enough I should have been more careful. That was what was going through my mind as I went through the long process of getting my thumb drive to be recognized as a boot device. But then, the next day, I went back to the merchant's website and discovered something. There is no mention of Secure Boot, UEFI or Windows 8 certification anywhere on the page. How is a consumer to know, even if they are aware of the feature, whether a machine is locked down or not? Software freedom requires vigilance and I fear that is more true now than it was a year ago. Be careful when shopping for new computers; it is easy to purchase more trouble than one bargained for.
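Once a Linux system is running, the firmware state that the six steps above change can be read back from efivarfs. The script below is an added example, not part of the copied article: it reports whether the system booted through legacy BIOS or UEFI, and whether Secure Boot is enforcing. The function names, the root-directory override and the fixture helper are assumptions made for illustration; the efivarfs layout and the global-variable GUID are the standard Linux/UEFI ones.

```shell
#!/bin/sh
# Added example, not from the article: report how this Linux system was booted.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032bbf   # UEFI global-variable GUID

# efivarfs files hold 4 attribute bytes followed by the payload; print byte 5.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# $1 is an assumed override of /sys/firmware so a fixture can be inspected.
secure_boot_state() {
    root=${1:-/sys/firmware}
    vars="$root/efi/efivars"
    # No efi directory: the kernel was started through legacy BIOS/CSM boot.
    [ -d "$root/efi" ] || { echo "legacy-bios"; return 0; }
    sb=$(efivar_byte "$vars/SecureBoot-$EFI_GLOBAL") || sb=
    sm=$(efivar_byte "$vars/SetupMode-$EFI_GLOBAL") || sm=0
    case "$sm:$sb" in
        1:*) echo "uefi-setup-mode" ;;       # no platform key, nothing enforced
        *:1) echo "uefi-secure-boot-on" ;;
        *:0) echo "uefi-secure-boot-off" ;;
        *)   echo "uefi-unknown" ;;          # variable missing or truncated
    esac
}

# Build a constructed efivars tree: $1 = SecureBoot byte, $2 = SetupMode byte.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/efi/efivars"
    printf "\\006\\000\\000\\000\\00$1" > "$dir/efi/efivars/SecureBoot-$EFI_GLOBAL"
    printf "\\006\\000\\000\\000\\00$2" > "$dir/efi/efivars/SetupMode-$EFI_GLOBAL"
    echo "$dir"
}

# Inspect the real firmware interface of the running system.
secure_boot_state
```

After the legacy boot options are enabled and the installer is started from them, the expected result is `legacy-bios`; a machine still in its shipped configuration reports `uefi-secure-boot-on`.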