secureboot in mint 17 ??

Questions and thoughts about present and future editions
Forum rules
Before you post please read this

secureboot in mint 17 ??

Postby mbohets on Mon May 05, 2014 4:45 pm

In the mint7 blog I read: Edit by Clem: No, it won’t support secureBoot

This seems strange, as new PCs all come with the new UEFI secureboot thing which is mandatory to use W8, so I wonder what could be the reason for not supporting this feature ?
Also I see that Ubuntu supports this, and since Mint is based on Ubuntu, why is this not ported over to mint ? is this not a prime feature of open source that you are allowed to do that ?

On the other hand I see plenty of post about dual booting with W8, so how can you dual boot if mint does not support this boot method ?

It all seems confusing, but since I am new to this UEFI thing, I am probably missing something.
User avatar
mbohets
Level 2
Level 2
 
Posts: 89
Joined: Sun Apr 28, 2013 8:26 am
Location: Belgium

Linux Mint is funded by ads and donations.
 

Re: secureboot in mint 17 ??

Postby eanfrid on Mon May 05, 2014 5:08 pm

Yes you probably missed something: https://www.fsf.org/campaigns/secure-bo ... /statement tells you what the FSF think about the benefits of "secure boot".
Main desktop: Debian GNU/Linux Wheezy 64bit - MATE 1.8.1
(i5 2400@3.7GHz - 16GB DDR3 - HD6770 w/radeon driver - SSD+RAID1)
Safer than Dropbox
User avatar
eanfrid
Level 7
Level 7
 
Posts: 1871
Joined: Mon Apr 30, 2012 2:49 am
Location: FR

Re: secureboot in mint 17 ??

Postby mbohets on Mon May 05, 2014 5:41 pm

Thanks for the link, I signed the petition.

Technically I am still confused aibut the difference between UEFI and secureboot.
My interpretation of this was that M$ requires other OSs like linux to include a microsoft issued certificate to be able to boot
on PCs that are running W8.
As mint seems to be able to do that, I supposed that mint implemented this.
But when reading the mint 17 blog, I saw this remark from Clem that mint 17 will not support secure boot, so how will mint be able to boot in a W8 dual boot environment
without going into the bios to switch secure boot on and of depending on what OS you want to boot ?
User avatar
mbohets
Level 2
Level 2
 
Posts: 89
Joined: Sun Apr 28, 2013 8:26 am
Location: Belgium

Re: secureboot in mint 17 ??

Postby DrHu on Mon May 05, 2014 6:24 pm

http://www.webopedia.com/TERM/M/microso ... _boot.html
http://technet.microsoft.com/en-us/wind ... 37995.aspx

http://www.pcmag.com/article2/0,2817,2411464,00.asp
    While PC makers have to have Secure Boot enabled in the UEFI firmware by default, if they want to be able to slap the Windows logo outside the box, the feature can be disabled within the UEFI interface. Anyone who wants to install a non-Windows operating system on Windows 8-certified hardware would first have to manually disable SecureBoot.
http://www.webopedia.com/TERM/U/uefi.html



Secure boot is an MS marketing gimmick, I would think; and if not that, then it is a limiting of any competition, either as a market feature or simply by making it difficult to install other OS, if you follow all the rules: that is do not disable secure boot or uefi secure mode..
--does it really help the end-user in any way..
User avatar
DrHu
Level 17
Level 17
 
Posts: 7098
Joined: Wed Jun 17, 2009 8:20 pm

Re: secureboot in mint 17 ??

Postby xerion567 on Tue May 06, 2014 12:23 am

mbohets wrote:My interpretation of this was that M$ requires other OSs like linux to include a microsoft issued certificate to be able to boot on PCs that are running W8. As mint seems to be able to do that, I supposed that mint implemented this. But when reading the mint 17 blog, I saw this remark from Clem that mint 17 will not support secure boot,

M$ probably isn't in the business of issuing security certificates for free, or to untrusted user communities. Ubuntu has a company- Canonical- standing behind it's product, that is the biggest difference I see from Mint.

mbohets wrote:so how will mint be able to boot in a W8 dual boot environment without going into the bios to switch secure boot on and of depending on what OS you want to boot ?

I could be wrong on this one, but I'm not sure W8 requires you to have SecureBoot in order to function, but it might require that you have UEFI.

mbohets wrote:Technically I am still confused aibut the difference between UEFI and secureboot.

SecureBoot is a feature of UEFI which prevents a machine from starting an unauthorized boot-up program. UEFI itself is a replacement for the BIOS of old, and changes a broad scope of things in the machine. For example: a machine with UEFI firmware is much more flexible with hard drive partitioning (splitting up the disk into sections) compared to BIOS which only lets you have 4 partitions (3 primary and one "extended").
All work and no play makes Linux a dull OS,
All work and no play makes Linux a dull OS,
All work and no play makes Linux...viewtopic.php?f=58&t=164690
User avatar
xerion567
Level 3
Level 3
 
Posts: 108
Joined: Sun Mar 30, 2014 12:38 am
Location: Colorado, USA

Re: secureboot in mint 17 ??

Postby mbohets on Tue May 06, 2014 12:53 pm

Thanks for the replies, it is clear now.

In the mean time I was able to check that W8 effectively boots normally with secure boot disabled on a friends new msi W8 laptop.
Also a Kubuntu 14.04 bootable USB stick boots without problems :D, I'll see what happens when mint 17 comes out.
User avatar
mbohets
Level 2
Level 2
 
Posts: 89
Joined: Sun Apr 28, 2013 8:26 am
Location: Belgium

Re: secureboot in mint 17 ??

Postby icmp_request on Mon May 12, 2014 7:24 am

I believe you can install Secure Boot on rEFInd. It's a little tricky, haven't tried yet:

http://www.rodsbooks.com/refind/secureboot.html

Anyway, it's a nice Boot Manager for UEFI, Secure Boot Enabled or not. You don't even need to install GRUB or any boot loader if you install rEFInd as it searches automatically for linux kernels/initrds ;)
icmp_request
Level 1
Level 1
 
Posts: 21
Joined: Sun Jan 09, 2011 9:20 am

Re: secureboot in mint 17 ??

Postby srs5694 on Tue May 13, 2014 8:59 am

mbohets wrote:In the mint7 blog I read: Edit by Clem: No, it won’t support secureBoot


I've not read the referenced blog (you've provided no link), and I have no inner knowledge of the Mint developer's intentions on this score, so I can't really comment on that. I do know that, the last I checked (Mint 16, IIRC), Mint shipped with the boot loaders and kernels from Ubuntu, which do support Secure Boot; but many people (myself included) have had more trouble getting them to work on a Mint installation than on an Ubuntu installation. I haven't investigated this in depth, though; it could be there's some simple tweak to get it to work better in Mint than in Ubuntu. In the meantime, though, if you need Secure Boot, it's better to stick with Ubuntu (or switch to Fedora) than to use Mint.

This seems strange, as new PCs all come with the new UEFI secureboot thing which is mandatory to use W8, so I wonder what could be the reason for not supporting this feature ?


I can't speak for the Mint developers, but it's probably a question of two factors: money and of the hassle of it. It costs $99 to get the right to send binaries off to Microsoft for signing, and recent changes to their policies require that you have another authoritative (not self-issued) signing key, so that will cost more money. This isn't a huge sum for the likes of Canonical, Red Hat, or Novell, but for an all-volunteer operation on a shoe-string budget, it could be a factor. There's also the fact that there are a lot of hoops to jump through to get things signed, procedures for building certain binaries must be changed, there's more testing involved, etc. This adds up to a lot of hassle.

Also I see that Ubuntu supports this, and since Mint is based on Ubuntu, why is this not ported over to mint ? is this not a prime feature of open source that you are allowed to do that ?


In theory, if Mint uses exactly the same binaries as Ubuntu for key items (Shim, GRUB, and the kernel), it should work directly. If any of those items were to be recompiled, though, they'd need to be re-signed, with either Microsoft's private key or with Canonical's private key. The former costs money (see above) and the latter is impossible because Canonical doesn't (to the best of my knowledge) sign third-party binaries with their private key.

On the other hand I see plenty of post about dual booting with W8, so how can you dual boot if mint does not support this boot method ?


You either jump through certain hoops yourself (as described here, among other places) or you disable Secure Boot. Just because a PC ships with Windows 8 and Secure Boot enabled does not mean that you have to leave it enabled.

eanfrid wrote:Yes you probably missed something: https://www.fsf.org/campaigns/secure-bo ... /statement tells you what the FSF think about the benefits of "secure boot".


Note that the FSF isn't opposed to Secure Boot per se; rather, they object to its use as a means of limiting end-users' ability to boot the OS of their choice. Theoretically, it's currently not a serious problem on x86 and x86-64 computers, although it can be an annoyance or extra hurdle for some people and OSes. ARM devices that ship with Windows, though, are more limiting, and should be avoided. It's also possible that future changes to Microsoft's licensing policies will create problems on other platforms.

mbohets wrote:Technically I am still confused aibut the difference between UEFI and secureboot.


Secure Boot is one feature -- and an optional feature -- of UEFI. Secure Boot is to UEFI as a GPS navigation system is to a car.

DruHu wrote:
PC Magazine wrote:Anyone who wants to install a non-Windows operating system on Windows 8-certified hardware would first have to manually disable SecureBoot.


This isn't correct. You can use Shim or PreLoader to boot just about anything with Secure Boot active. Big Linux distributions (and some not-so-big ones) distribute these programs and use them to support Secure Boot.

DrHu wrote:Secure boot is an MS marketing gimmick, I would think; and if not that, then it is a limiting of any competition, either as a market feature or simply by making it difficult to install other OS, if you follow all the rules: that is do not disable secure boot or uefi secure mode..
--does it really help the end-user in any way..


Secure Boot does have benefits to the end user. There are known boot kits that Secure Boot can block, therefore keeping the computer safe from infection by those items of malware.

Secure Boot does not limit competition, at least not in the x86-64 arena, where Shim and PreLoader are both available and can be used to launch Linux or other OSes. Furthermore, one of the "rules" you stated (namely, "do not disable secure boot") is flat-out wrong -- Microsoft's own certification requirements include the stipulation that users must be able to disable Secure Boot. If that option isn't there, then an EFI is not in compliance and the PC should not have a Windows 8 sticker on it. (For x86 and x86-64 systems, anyhow; for ARM it's another matter.)

xerion567 wrote:I could be wrong on this one, but I'm not sure W8 requires you to have SecureBoot in order to function, but it might require that you have UEFI.


There are two issues: Technical requirements and legal requirements. (The latter can be further subdivided depending on who is bound by the legal requirements.)

On a technical level, Windows 8 requires neither UEFI nor Secure Boot. If you get a retail copy of Windows 8, you can install it on a BIOS-mode computer without a trace of EFI, on an EFI-based computer that lacks Secure Boot, on an EFI-based computer with Secure Boot but that feature disabled, or on an EFI-based computer with Secure Boot enabled (provided it's got Microsoft's public keys in its firmware).

On a legal level, Microsoft's licensing agreement says that any manufacturer who wants to slap a Windows 8 sticker on a non-server PC must ship that computer with Secure Boot enabled. This in turn implies that the computer ship configured to boot in EFI mode. Note that this applies only to PC manufacturers, and to those who want a Windows 8 sticker. A Mom & Pop computer store that doesn't sign this licensing agreement can still sell you a Windows 8 PC that boots in BIOS mode -- they just could not legally put a Windows 8 sticker on the computer. You're also free to install a retail copy of Windows 8 in any way you choose. In theory, you could re-install in BIOS mode on something that came with Windows 8 in EFI mode, although in practice the recovery/installation tools provided by the manufacturer might not support this.
srs5694
Level 6
Level 6
 
Posts: 1020
Joined: Mon Feb 27, 2012 1:42 pm

Re: secureboot in mint 17 ??

Postby ClutchDisc on Tue May 13, 2014 10:52 am

I disabled UEFI on my laptop... it was awful!
Gateway NE56R41u laptop, 2.20 GHz x2, 4 GB DDR3, 128GB SSD - Linux Mint 17.1 (Cinnamon)
Dell Dimension E310 desktop, 2.80 GHz, 2 GB DDR2 - Linux Mint 17.1 (Mate)
ClutchDisc
Level 5
Level 5
 
Posts: 593
Joined: Wed Mar 26, 2014 12:31 pm
Location: Detroit area

Re: secureboot in mint 17 ??

Postby clfarron4 on Tue May 13, 2014 5:46 pm

You should be able to install Mint 17 and configure a UEFI bootloader to work with it so you can boot with UEFI.
Problems? Tell us EXACTLY what you've done and what you expected to happen, IN DETAIL. That will save us questions, and we should get along better,

I have dysgraphia. This means I might have understood you incorrectly through no fault of my own.
User avatar
clfarron4
Level 5
Level 5
 
Posts: 510
Joined: Thu Sep 19, 2013 6:20 pm

Re: secureboot in mint 17 ??

Postby gnu2nix on Tue May 20, 2014 9:27 am

I am on an Acer Aspire V5 right now that has no possible way to shut off secure boot.

You either have UEFI and secure boot, or BIOS boot and lose the existing windows 8.
So she simply cannot run Mint 17 Mate because of this, which completely blows. :x

She is a good candidate for conversion, but wants windows to fall back on while she gets used to it.
It is a horrible start to tell her that is not a possibility, and an equally bad one to use Ubuntu, which
does not have her WiFi drivers.
Lenovo V570 (hackintoshed) w Windows 7, Compaq CQ62 with Mint 13 Mate, Netbook w ElementaryOS Linux, and others....
gnu2nix
Level 1
Level 1
 
Posts: 6
Joined: Thu Dec 24, 2009 2:59 pm

Re: secureboot in mint 17 ??

Postby WinterTroubles on Tue May 20, 2014 9:45 am

Hi gnu2nix

According to this thread on the acer forum you can disable secure boot, but, you need to set a supervisor password 1st. I have no idea if it'll work for you, gotta be worth a read at least though http://community.acer.com/t5/Notebooks-Netbooks/How-do-I-disable-secure-boot-on-an-Aspire-V5-171/td-p/44003
If solved please edit the subject line of your first post in the topic to include [Solved] so that other users know there is a solution in the thread.

Mint 17.1 Cinnamon 32 bit
User avatar
WinterTroubles
Level 5
Level 5
 
Posts: 923
Joined: Fri Apr 11, 2014 6:25 am
Location: UK

Re: secureboot in mint 17 ??

Postby TheSuperfly on Tue May 20, 2014 4:18 pm

I have not had any trouble disabling Secureboot with Windows/Mint - it's an M$ "security feature" to help protect their vulnerable OS from rootkits or anything they cannot control/understand...thus effectively blocking other OS's... UEFI works perfectly without it i.e Mint doesn't need it.. :lol:
User avatar
TheSuperfly
Level 1
Level 1
 
Posts: 3
Joined: Sat Apr 26, 2014 3:26 pm

Re: secureboot in mint 17 ??

Postby ClutchDisc on Tue May 20, 2014 4:22 pm

I run my laptop on legacy Bios instead of UEFI. Works great, very easy to turn the awful UEFI off.
Gateway NE56R41u laptop, 2.20 GHz x2, 4 GB DDR3, 128GB SSD - Linux Mint 17.1 (Cinnamon)
Dell Dimension E310 desktop, 2.80 GHz, 2 GB DDR2 - Linux Mint 17.1 (Mate)
ClutchDisc
Level 5
Level 5
 
Posts: 593
Joined: Wed Mar 26, 2014 12:31 pm
Location: Detroit area

Linux Mint is funded by ads and donations.
 

Return to About Mint Editions

Who is online

Users browsing this forum: No registered users and 2 guests