Zorba wrote:I have installed Linux Mint 17 and Ubuntu 14.04 in UEFI mode on a DEll Vostro i3 after disabling secure boot and everthing is running out of-the-box. Today I have read an alarmin article on Wikipedia saying that "In January 2013, a bug surrounding the UEFI implementation on some Samsung laptops was publicized, which caused them to be bricked after installing a Linux distribution in UEFI mode"
This is true, although the word "surrounding" is wrong. Replace it with "in" and it's more accurate. Using "surrounding" in that context makes it sound ominous, as if the bug were some vaporous cloud that could spread and infect other (presumably EFI-based) computers. Furthermore, that quote in isolation omits certain critical details, such as the fact that at least two workarounds were quickly implemented in the Linux kernel, so that modern kernels will not trigger that bug. I don't know offhand if Samsung (or other affected vendors) have fixed their EFIs; some may still be susceptible to the problem from other OSes or EFI applications.
There's lots of information on this topic. Matthew Garrett (formerly a Red Hat developer and an expert on EFI issues) has written a number of blog posts on it, such as this one.
Overall, today this just isn't an issue.
and that secure boot restricts our control over our PC and allows a third party to control it without us knowing.
Viewed from a certain perspective, this is true, but the way it's phrased leads to runaway images of Big Brother watching our every keystroke, and that's simply inaccurate. Secure Boot is simply a way to control what EFI programs (such as boot loaders) can run on a computer. This is done by use of cryptographic keys and signed binaries, which implies that at least one public key must be stored in the firmware, either as delivered with the computer or placed there by the computer's owner/user. When enabled, Secure Boot prevents unsigned binaries, or those signed by private keys that don't have public counterparts in the key library, from running. Since every OS requires a boot loader, this means that OSes that lack such keys won't run. More importantly, it means that unsigned pre-boot malware won't run. Such malware is a real threat, and can be written in such a way as to make it impossible to detect from an infected OS -- hence the desire to block it with something like Secure Boot. Used properly, Secure Boot can increase
the control of owners over their own computers. Implementing such improved control can be technically challenging, though.
The trouble, from a Linux perspective, is that Microsoft requires that Secure Boot be active by default on computers that ship with Windows 8 and 8.1. This in turn means that these computers need to have Microsoft's keys embedded in their firmware, and of course many manufacturers won't bother to embed any other key. Furthermore, the Linux community was caught off-guard by this new Microsoft requirement; if there'd been more of a warning about this coming, efforts might have been made to find or create some common independent third-party signing service and push to get its keys in every PC's firmware. As it is, though, we're stuck with Microsoft's keys being the only ones that are more-or-less guaranteed to be installed in every computer. Fortunately, Microsoft offers a service where it signs third-party binaries, and Linux distributions have used this to get a simple pre-bootloader signed. This pre-bootloader (there are two: Shim and PreLoader) adds new authentication tools and then launches GRUB, rEFInd, ELILO, or whatever other boot loader you specify. The new authentication tools provide a streamlined way to add your own keys to the process, thus giving Linux distributions a uniform method of managing keys and giving users more control over the process.
Furthermore, Microsoft's own requirements for Windows 8/8.1 on x86 and x86-64 PCs specify that users be able to disable Secure Boot. Thus, you can install completely unsigned binaries if you like. If you get an x86 or x86-64 PC and find that you can't disable Secure Boot, then the manufacturer has violated Microsoft's requirements. There is a darker side to this, though: Microsoft requires that Secure Boot can not
be disabled by the user on ARM-based computers. The good news is that ARM devices that ship with Windows 8 are vanishingly rare -- they're mainly a few tablets and phones. Also, most manufacturers of such devices have long attempted to lock their devices down against end-user "tampering," so this really isn't anything new. (That's not to say isn't good, but if you're upset about it, you should have been equally upset about similar policies on lots of devices in the past, too.)
In sum, Chicken Little cries that the world is ending because of Secure Boot are ridiculous. Although Secure Boot could
turn into a way to lock users into one OS, this risk is small for standard PCs and is no greater than the status quo for more specialized devices.
Contradictingly, Ubuntu official documentation says that UEFI mode extends the life of your battery and prevents your hardware from heating up while making your PC boot faster!!
I can't speak to heat, power, and battery-life claims, but EFI certainly can boot faster than BIOS. The effect occurs in the early stages of booting, before the GRUB menu appears, and it amounts to a savings of roughly 0-10 seconds. It's greater on the latest computers that take best advantage of EFI. (Early models often slapped EFI atop an inefficient BIOS, or didn't take advantage of some of the opportunities that EFI presents for shaving a few milliseconds off the boot time here and there, so there's no advantage on such computers.)
If this is the case why would Linux support this mode?
Because Linux must.
Walk into a Fry's, Best Buy, or WalMart today and buy a standard x86-64 laptop or desktop computer. It will almost certainly have EFI firmware, not the old-style BIOS. A Linux distribution that ignores this fact and that sticks stubbornly to the BIOS mode of booting will be extinct before too long, or at least relegated to a niche category.
ways to boot in BIOS mode even on a new EFI-based computer, but they tend to be inefficient and they make dual-booting harder.)
Now I'm worried sick about my laptop. Do I have to format it again and disable this mode?
No. If it's booting fine now it won't stop booting just because you used EFI. (Of course, it might
stop booting for any number of reasons, but the same is true of a BIOS-mode installation.) Nor will Microsoft, Apple, the NRA, or Green Peace be able to take control of your computer just because you used EFI or Secure Boot.