New EFI boot manager available: rEFInd

[srs5694]

Is this the best boot loader for Linux? If so, maybe it should be bundled with the next version of LM?

As rEFInd's maintainer, I'm biased, so I won't answer directly; however, be aware that rEFInd is useful only on EFI-based computers. It's useless on older BIOS-mode installs. This creates problems for distribution maintainers, who generally prefer using the same software on both BIOS-mode and EFI-mode installs. That said, some distributions (most notably [url=http://www.altlinux.com/]ALT Linux[/url] and [url=http://puppylinux.org/main/Overview%20and%20Getting%20Started.htm]Puppy Linux[/url] do use rEFInd, so some maintainers are willing to go to the extra effort to use it by default.

[YeeP]

I don't know when efi started being used, because the computer I owned before was made in 2004, then step forward to my 2013 laptop. Somewhere between there the process began. Eventually the domain of computers running linux will become weighted to the efi side, and the distro designers are going to need to make some decisions/changes. When those days come, we will see what happens....

[phrostbyte]

Is this the best boot loader for Linux? If so, maybe it should be bundled with the next version of LM?

As rEFInd's maintainer, I'm biased, so I won't answer directly; however, be aware that rEFInd is useful only on EFI-based computers. It's useless on older BIOS-mode installs. This creates problems for distribution maintainers, who generally prefer using the same software on both BIOS-mode and EFI-mode installs. That said, some distributions (most notably [url=http://www.altlinux.com/]ALT Linux[/url] and [url=http://puppylinux.org/main/Overview%20and%20Getting%20Started.htm]Puppy Linux[/url] do use rEFInd, so some maintainers are willing to go to the extra effort to use it by default.

well, for me, that's the whole issue. my computer came with windows 8 pre-installed (new toshiba satellite). that means that uefi and secureboot are enabled by default. I know how ubuntu handles secureboot, but I'd like to find out how the next version of LM will handle it. I'd prefer to install LM and keep secureboot enabled, but obviously I'll use whatever method works best

[srs5694]

well, for me, that's the whole issue. my computer came with windows 8 pre-installed (new toshiba satellite). that means that uefi and secureboot are enabled by default. I know how ubuntu handles secureboot, but I'd like to find out how the next version of LM will handle it. I'd prefer to install LM and keep secureboot enabled, but obviously I'll use whatever method works best

I don't know what the Mint architects have planned in that respect. At the moment, there seems to be some limited "piggybacking" off of Ubuntu's Secure Boot support, which follows a shim->GRUB->kernel authentication path, by using Ubuntu's kernels. Most users, however, disable Secure Boot entirely when installing Mint, since what Mint does seems to work poorly in practice.

More broadly speaking, to the best of my knowledge, only GRUB 2 and rEFInd fully support Secure Boot, in that they both work as follow-on boot programs from shim and they both honor Secure Boot limitations in launching kernels. This is valuable if you care about having the kernel continue to extend the chain of trust, which is something that Fedora is pushing heavily but that most other distributions (including Ubuntu) are less concerned about doing. If you don't care about extending the chain of trust up through the kernel, you could use shim to launch ELILO, GRUB Legacy, SYSLINUX, or something else and have it work, in the sense that the kernel would boot. The kernel would be unable to verify the authenticity of kernel modules, though. As a practical matter, I know of no actual exploits that involve malware masquerading as Linux kernel modules, but such an attack is theoretically possible, so there is merit to what Fedora is doing along these lines.

A special case in all this is gummiboot. Like rEFInd, gummiboot relies on the EFI to launch follow-on programs; but unlike rEFInd, gummiboot includes no explicit code to link in to the shim authentication services. This means that you can't use gummiboot with shim; if you try, your signed gummiboot will launch, but it in turn won't launch anything that isn't signed with a key that's built into the firmware, so it won't launch most Linux kernels. You can, however, use gummiboot with PreLoader, which provides its authentication tools by linking to the EFI so that PreLoader gets called as part of the standard Secure Boot checks. (This contrasts with shim, which requires that follow-on programs explicitly support it.) PreLoader is easier to set up than shim if you're starting from scratch, and some smaller and less-well-funded distributions (like Arch) use it; but it requires user action to register each boot loader (and sometimes each kernel), so it's more hassle for end users than if the distribution pays the $99 so that it can get its own customized version of shim to be signed.

This can be a lot to take in and there are a lot of subtleties involved, but I hope that this helps to introduce you to how different boot loaders and boot managers interact with Secure Boot.

[phrostbyte]

Yeah, that was a great explanation, thanks. I had already done my research about this prior, but hearing it from an LM-centric perspective helps me.. since most of the SecureBoot information out there is based on Ubuntu or Fedora..

I guess I'll be disabling unless there's some sort of miraculous development before the next Ubuntu/LM releases... DAMN Microsoft and Intel for making this so difficult for us open source people... why is it such a crime to want to use free software on a computer that I paid for? If I simply don't like Windows, why do I have to jump through hoops to use something else? Do you think the best solution would be for all of us to donate a little bit of money and just buy a certification key?

[srs5694]

I guess I'll be disabling unless there's some sort of miraculous development before the next Ubuntu/LM releases... DAMN Microsoft and Intel for making this so difficult for us open source people...

Disabling Secure Boot is not that hard. It's hard to document how to do it, though, because the procedure varies so much from one computer to another. For any given computer, though, it's usually just changing one option in the firmware setup utility.

Running Linux with Secure Boot active can be fairly easy, but only if the distribution's maintainer goes to the effort to provide a customized and signed shim and related tools. This path does add complications if you want to triple-boot with something else (another Linux distribution or something more exotic) or if you want to use a boot loader, boot manager, or kernel other than the one provided with the distribution.

Do you think the best solution would be for all of us to donate a little bit of money and just buy a certification key?

Yes. Of course, this needs to be handled through the Mint developers. I don't know what their plans are, or even who to contact to try to coordinate such a thing.

[phrostbyte]

Last time I used LM.. probably two years ago, Clem was the guy in charge.

http://community.linuxmint.com/user/view/3

Maybe we should talk to him about it? You can probably explain the problem much better than I can... if we work quick we can probably get the upcoming LM16 release to install seamlessly on any BIOS/EFI setup!

[dwd]

I want to try your UEFI boot but not sure if it is what I need.

I want to load LM15 on a USB stick, not a live version, but a full version. I'm using a UEFI system in Secure Boot mode, and the Live Mint USB drive boots fine. But I have confirmed that the Full USB install of LM on a USB drive will not boot in a non UEFI system also. So I don't know what I am doing wrong.

What I did was boot from a LM Live usb and then install it on another USB. Partitioning went ok, added the swap partition, installed LM on the USB drive, and it won't boot. I'm assuming it has something to do with what Linux needs to boot as a full install and is missing something.

Any help would be appreciated.

[srs5694]

I want to load LM15 on a USB stick, not a live version, but a full version. I'm using a UEFI system in Secure Boot mode, and the Live Mint USB drive boots fine. But I have confirmed that the Full USB install of LM on a USB drive will not boot in a non UEFI system also. So I don't know what I am doing wrong.

If you want to boot your USB drive on both EFI and BIOS computers, you'll need to install both EFI and BIOS boot loaders. In theory, you can use any BIOS boot loader and any EFI boot loader. In practice, it may be easier to use different boot loaders -- that is, do not use GRUB 2 for both of them. The reason is that if you use the same boot loader for both, you may need subtly different configuration files for the two modes, and setting that up can be a bit confusing.

[phrostbyte]

does anyone know what kind of boot loader LM will have planned by default? Will it work with my Windows 8.1 UEFI/SecureBoot?

[dwd]

I want to load LM15 on a USB stick, not a live version, but a full version. I'm using a UEFI system in Secure Boot mode, and the Live Mint USB drive boots fine. But I have confirmed that the Full USB install of LM on a USB drive will not boot in a non UEFI system also. So I don't know what I am doing wrong.

If you want to boot your USB drive on both EFI and BIOS computers, you'll need to install both EFI and BIOS boot loaders. In theory, you can use any BIOS boot loader and any EFI boot loader. In practice, it may be easier to use different boot loaders -- that is, do not use GRUB 2 for both of them. The reason is that if you use the same boot loader for both, you may need subtly different configuration files for the two modes, and setting that up can be a bit confusing.

Thanks for the response. I just need to boot it to my UEFI system. Alternately I would go with ANY-way to boot a full USB version. I really don't care at this point. I just can't get a USB full install to boot at all. Once I can get the USB full install booted, I can start my Linux education and in hopefully a month or so, completely move to Linux instead of Windows. This is the only thing stopping me and it's frustrating.

[srs5694]

does anyone know what kind of boot loader LM will have planned by default? Will it work with my Windows 8.1 UEFI/SecureBoot?

To date, LM has used the same boot loader as Ubuntu -- GRUB 2 for the last several releases. I don't know if any changes are planned. Ubuntu officially supports Secure Boot, but I've seen lots of problem reports. Mint provides the same files as Ubuntu, but seems to have even more problems on that score. Note that UEFI is not the same thing as Secure Boot -- the latter is just one optional feature of the former.

Thanks for the response. I just need to boot it to my UEFI system. Alternately I would go with ANY-way to boot a full USB version. I really don't care at this point. I just can't get a USB full install to boot at all.

Have you tried (re-)naming your EFI boot loader to EFI/BOOT/bootx64.efi on the USB flash drive's ESP? See [url=http://www.rodsbooks.com/refind/installing.html#naming]here[/url] for a brief discussion of this topic (in reference to rEFInd, but the same principles apply to any EFI boot program).

[dwd]

Thanks for the response. I just need to boot it to my UEFI system. Alternately I would go with ANY-way to boot a full USB version. I really don't care at this point. I just can't get a USB full install to boot at all.

Have you tried (re-)naming your EFI boot loader to EFI/BOOT/bootx64.efi on the USB flash drive's ESP? See [url=http://www.rodsbooks.com/refind/installing.html#naming]here[/url] for a brief discussion of this topic (in reference to rEFInd, but the same principles apply to any EFI boot program).

Nope and I thank you for that. I'll check it out--thanks! I'm very excited to get away from MS. I've been using all of the OS software I can for years, and now it's time to take the last step and go Linux for good.

[phrostbyte]

Ok thanks.. I hope when LM16 comes out, there will be a guide for people with computers with Windows 8 pre-installed, and secureboot enabled.

[dwd]

Just to clarify before I go off on a wild goose chase, I installed LM 15 to a USB drive after booting from a LM Live USB drive. Do the naming changes above apply? Also, I see in your renaming explanation a path and a file name. I'm not sure I understand what is going on in order to carry out the changes.

[srs5694]

Just to clarify before I go off on a wild goose chase, I installed LM 15 to a USB drive after booting from a LM Live USB drive. Do the naming changes above apply?

EFI boots as follows:

1. The firmware scans its own boot loader list, maintained in NVRAM, and tries to boot each boot loader in that list in the order defined by the BootOrder variable.
2. If this fails, the firmware may boot the EFI/BOOT/bootx64.efi file (on x86-64 hardware) from any disk that's marked as bootable, such as a USB flash drive.

Because USB flash drives are often moved from one computer to another, you can't count on an NVRAM entry existing for them. Thus, these devices almost always boot from a boot loader called EFI/BOOT/bootx64.efi. If you've installed something locally yourself, or if you've used efibootmgr or the like to create an NVRAM entry, it might work from some other name. Even then, though, some EFIs "helpfully" remove entries that they can see are invalid, so you might lose the entry if you unplug the USB device. Overall, then, the only safe name for a bootable USB flash drive's boot loader is EFI/BOOT/bootx64.efi (on x86-64 hardware; the name varies from one CPU type to another).

Also, I see in your renaming explanation a path and a file name. I'm not sure I understand what is going on in order to carry out the changes.

Use "mv" in Linux, or a file manager. EFI boot loaders are ordinary files.

[YeeP]

Rod- Not sure if there is a better place to ask these type of questions so please point me in that direction if there is. I would like to try to setup a triple boot. I have windows, and would like to setup a Debian based distro and a redhat based distro. I see that rEFInd can be collected in both rpm and deb packages. I assume that I would just select a distro to manage and install the boot manager in?

[srs5694]

I would like to try to setup a triple boot. I have windows, and would like to setup a Debian based distro and a redhat based distro. I see that rEFInd can be collected in both rpm and deb packages. I assume that I would just select a distro to manage and install the boot manager in?

The RPM and Debian packages install various rEFInd files in the Linux filesystem (mostly in /usr/share) and then run the install.sh script, which copies the rEFInd binaries and related files to /boot/efi/EFI/refind and creates a /boot/refind_linux.conf. Once that's done, you can adjust the files in /boot/efi/EFI/refind from any OS you like -- those files are on the ESP, which is shared across OSes. In a multi-Linux installation, you're likely to want a /boot/refind_linux.conf file for each distribution, so you'll need to generate this manually or run the mkrlconf.sh script for the second distribution.

[dwd]

Just to clarify before I go off on a wild goose chase, I installed LM 15 to a USB drive after booting from a LM Live USB drive. Do the naming changes above apply?

EFI boots as follows:

1. The firmware scans its own boot loader list, maintained in NVRAM, and tries to boot each boot loader in that list in the order defined by the BootOrder variable.
2. If this fails, the firmware may boot the EFI/BOOT/bootx64.efi file (on x86-64 hardware) from any disk that's marked as bootable, such as a USB flash drive.

Because USB flash drives are often moved from one computer to another, you can't count on an NVRAM entry existing for them. Thus, these devices almost always boot from a boot loader called EFI/BOOT/bootx64.efi. If you've installed something locally yourself, or if you've used efibootmgr or the like to create an NVRAM entry, it might work from some other name. Even then, though, some EFIs "helpfully" remove entries that they can see are invalid, so you might lose the entry if you unplug the USB device. Overall, then, the only safe name for a bootable USB flash drive's boot loader is EFI/BOOT/bootx64.efi (on x86-64 hardware; the name varies from one CPU type to another).

Also, I see in your renaming explanation a path and a file name. I'm not sure I understand what is going on in order to carry out the changes.

Use "mv" in Linux, or a file manager. EFI boot loaders are ordinary files.

OK so it's just a file name change found in the
EFI/BOOT/bootx64.efi
directory? I'm assuming when I go looking that xxx.efi will be one file that needs its name changed to boot64.efi?

[YeeP]

Rod, you are all over the web! I found you on multiple Ubuntu help threads yesterday about triple boot partition schemes. I digress...

I have been reading this, over and over. http://www.rodsbooks.com/refind/installing.html#manual
I assume "manual install" <> running the debian package from the terminal.

Based on a previous post by you;

In a multi-Linux installation, you're likely to want a /boot/refind_linux.conf file for each distribution, so you'll need to generate this manually or run the mkrlconf.sh script for the second distribution.

I would guess that the steps in a simple description would be something like this

1) install first distro
2) reboot in CSM mode, install refind
3) reboot in EFI and check to make sure all is working, fix what is needed.
4) boot from live disc for distro #2 and install.
5) reboot distro 2, or just run the mkrlconf.sh script after install?
6) once script is complete make sure refind_linux.conf file is in the root of the boot folder, on ESP partition.
7) reboot in EFI mode and check rEFInd menu for additional distro

Of course that is a dumbed down description, but I am just looking for your confirmation/additions. I had to restore an early disc clone and lost my previous setup with rEFInd.

Thank you.