Anyone have a UEFI machine without ability to disable it?


Postby benali72 on Fri Mar 07, 2014 2:38 pm

Anyone here have a computer with UEFI (secure boot) without the ability to disable it in the BIOS?

I'm wondering because some folks thought that secure boot was yet another MS effort to block Linux installs.

Did they have any success?

Thanks.
benali72

Re: Anyone have a UEFI machine without ability to disable it

Postby FreedomOfTheOpenCode on Fri Mar 07, 2014 4:18 pm

No, but the problem is the option to be able to disable secure boot depends on the hardware manufacturer, who could be persuaded not to provide the option.
Last edited by FreedomOfTheOpenCode on Wed Jul 16, 2014 2:20 pm, edited 2 times in total.
FreedomOfTheOpenCode

Re: Anyone have a UEFI machine without ability to disable it

Postby benali72 on Fri Mar 07, 2014 9:31 pm

FreedomOfTheOpenCode wrote: No, but the problem is, the option to be able to disable secure boot depends on the hardware manufacturer, who could be persuaded not to provide the option.


Thanks for your feedback. I understand what you're saying, which is why I'm asking if anybody here has run into manufacturers that have chosen not to provide the option.
benali72

Re: Anyone have a UEFI machine without ability to disable it

Postby srs5694 on Sat Mar 08, 2014 4:26 pm

First, UEFI and Secure Boot are not the same thing.

The Extensible Firmware Interface (EFI) and its newer variant, the Unified EFI (UEFI), is a type of firmware that's intended to replace the older Basic Input/Output System (BIOS) firmware. EFI boots in a fundamentally different way from BIOS.

Secure Boot is just one optional feature of UEFI. There are lots of (U)EFIs that lack Secure Boot support, although at this point they're mostly older ones, because Microsoft is requiring that Secure Boot be enabled on shipping non-server computers that bear a Windows 8 sticker. Thus, all the major laptop and desktop manufacturers now have UEFIs with Secure Boot support.

Furthermore, the exact same certification document that requires Secure Boot be active also requires that consumers be able to disable Secure Boot, at least on x86 and x86-64 computers. Thus, if you've got such a computer, and if it has a Windows 8 sticker on it from the factory, and if you can't disable Secure Boot, then the manufacturer is in violation of their agreement with Microsoft. It's more likely that you've simply missed the option in the firmware, though; there's no requirement that it be labelled anything sensible.

OTOH, if you've got a Windows 8 computer with an ARM CPU, the requirements are the opposite: They say that users should not be able to disable Secure Boot. At the moment, this isn't a bigger problem than it's ever been, since ARM-based Windows devices are mostly tablets, cell phones, and the like. These types of computers have traditionally been locked down in other ways, so Microsoft's Secure Boot requirements don't really change things. (That's not to say the status quo on this point is good, of course.)

If you have an EFI-based computer, it makes no sense to talk about "disabling the EFI" -- at least, short of re-flashing the firmware chip with something else, like CoreBoot. The EFI is always active, even when you activate the Compatibility Support Module (CSM), which is EFI's way of booting BIOS-mode boot loaders. CSM is to EFI something like what WINE is to Linux -- a way of running non-native programs. Some user interfaces may enable you to boot in BIOS/CSM/legacy mode exclusively, but except for some older and clunky implementations in which EFI is built atop BIOS, they're still doing so via a CSM atop an EFI. You can, however, disable Secure Boot, at least on x86/x86-64 computers.
srs5694
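Added example (not part of the original post): a Linux-side check that keeps the two questions from the post above separate, namely whether the running system was booted in EFI mode or via BIOS/CSM, and, independently, whether Secure Boot is on. It assumes the standard `/sys/firmware/efi/efivars` layout; the function names are hypothetical, and `make_sample_tree` builds a constructed fake tree so the logic can be exercised without EFI hardware.

```python
import os
import struct
import tempfile

# GUID of the EFI global-variable namespace that holds SecureBoot and SetupMode.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

def read_efi_byte(efivars_dir, name):
    """Return the one-byte value of a global EFI variable, or None if absent."""
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_GUID}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    # efivarfs prefixes the payload with a 4-byte little-endian attribute word.
    if len(raw) < 5:
        return None
    return struct.unpack_from("<IB", raw)[1]

def boot_state(sys_firmware="/sys/firmware"):
    """Report firmware boot mode and Secure Boot state as two separate facts."""
    efi_dir = os.path.join(sys_firmware, "efi")
    if not os.path.isdir(efi_dir):
        # Kernel was started by a BIOS-mode loader (possibly via the CSM).
        return {"firmware_mode": "BIOS/CSM", "secure_boot": "not applicable"}
    efivars = os.path.join(efi_dir, "efivars")
    sb = read_efi_byte(efivars, "SecureBoot")
    setup = read_efi_byte(efivars, "SetupMode")
    if sb is None:
        state = "unsupported or unreadable"
    elif sb == 1:
        state = "enabled"
    else:
        state = "disabled (setup mode)" if setup == 1 else "disabled"
    return {"firmware_mode": "EFI", "secure_boot": state}

def make_sample_tree(secure_boot=None, setup_mode=None, efi=True):
    """Constructed sample data: a fake /sys/firmware tree for offline testing."""
    root = tempfile.mkdtemp()
    if efi:
        d = os.path.join(root, "efi", "efivars")
        os.makedirs(d)
        for name, val in (("SecureBoot", secure_boot), ("SetupMode", setup_mode)):
            if val is not None:
                with open(os.path.join(d, f"{name}-{EFI_GLOBAL_GUID}"), "wb") as fh:
                    fh.write(struct.pack("<IB", 0x6, val))
    return root
```

On a real machine, call `boot_state()` with no arguments; an EFI-mode result with Secure Boot reported as unsupported corresponds to the older (U)EFIs without Secure Boot described in the post.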

Re: Anyone have a UEFI machine without ability to disable it

Postby skywolfblue on Sat Mar 08, 2014 4:46 pm

http://ubuntuforums.org/showthread.php?t=2129119&p=12832540#post12832540

I think only ATOM and ARM chips are ones where you can't disable the secure boot.

From what I've read Microsoft requests that manufacturers who build for windows 8 still include a way to disable secure boot in the BIOS. So I think pretty much every AMD/Intel machine should be able to disable the secure boot. (As srs5694 said above.)

However, there do seem to be a few complaints about ASUS motherboards in particular (The option being grayed out), I haven't heard anything about inability to disable secure boot on other motherboard manufacturers like Gigabyte or Intel.

I doubt we have a lot of people here who've experienced one of these bad apples. (Most of the people here are pretty knowledgeable about linux-compatible hardware and steer clear of the non-compatible stuff, the less knowledgeable tend to go back to windows if they run into problems, and not stay here)
skywolfblue

Re: Anyone have a UEFI machine without ability to disable it

Postby srs5694 on Sun Mar 09, 2014 9:23 am

skywolfblue wrote: From what I've read Microsoft requests that manufacturers who build for windows 8 still include a way to disable secure boot in the BIOS. So I think pretty much every AMD/Intel machine should be able to disable the secure boot. (As srs5694 said above.)


In terms of their marketing agreements to get a Windows 8 sticker for the computer, Microsoft doesn't request that Secure Boot be disable-able; they require it.

skywolfblue wrote: However, there do seem to be a few complaints about ASUS motherboards in particular (The option being grayed out), I haven't heard anything about inability to disable secure boot on other motherboard manufacturers like Gigabyte or Intel.


The user interface requirements are non-existent, so you could, in principle, find the option only if you activate another option that reads "do not activate under penalty of the law." My own ASUS motherboard had a pretty strangely-worded option initially; it was under "OS Type," with the options being "Windows 8 UEFI" and "Other Legacy & UEFI" -- the former activated Secure Boot and the latter disabled it. IIRC, a firmware update changed the wording to something more sensible.
srs5694

Re: Anyone have a UEFI machine without ability to disable it

Postby skywolfblue on Sun Mar 09, 2014 5:52 pm

srs5694 wrote: In terms of their marketing agreements to get a Windows 8 sticker for the computer, Microsoft doesn't request that Secure Boot be disable-able; they require it.


Ah, that's good then!

srs5694 wrote: The user interface requirements are non-existent, so you could, in principle, find the option only if you activate another option that reads "do not activate under penalty of the law." My own ASUS motherboard had a pretty strangely-worded option initially; it was under "OS Type," with the options being "Windows 8 UEFI" and "Other Legacy & UEFI" -- the former activated Secure Boot and the latter disabled it. IIRC, a firmware update changed the wording to something more sensible.


I can't really fathom what the point in obscuring the option in the BIOS would be...

...What kind of benefit would it be to the MB manufacturer to obscure it? Is it just negligence and accidental sloppy naming? Or are they doing it deliberately, and why?
skywolfblue

Re: Anyone have a UEFI machine without ability to disable it

Postby benali72 on Mon Mar 10, 2014 1:33 pm

Thanks for the great discussion here, Srs5694 and Skywolfblue. I think I understand now. It looks like, with used desktops and laptops using any variant of x86 architecture, I don't have to worry about any used computer locking out non-Windows OSs via Secure Boot. On ARMs and ATOMs, however, it's a different story. Thanks again.
benali72

Re: Anyone have a UEFI machine without ability to disable it

Postby srs5694 on Sat Mar 15, 2014 3:24 pm

benali72 wrote: Thanks for the great discussion here, Srs5694 and Skywolfblue. I think I understand now. It looks like, with used desktops and laptops using any variant of x86 architecture, I don't have to worry about any used computer locking out non-Windows OSs via Secure Boot. On ARMs and ATOMs, however, it's a different story. Thanks again.


The Intel Atom is a line of low-cost and low-voltage x86 and x86-64 CPUs. Thus, Atoms follow the x86/x86-64 rule: If they ship with Windows 8/8.1, their Secure Boot must be user-controllable (and disable-able).
srs5694

Re: Anyone have a UEFI machine without ability to disable it

Postby Pierre on Sun Mar 16, 2014 8:28 am

but if you were in the market for a new PC,
you would have to test each PC 'in store' or be able to research that PC model,
- Before you bought it ..
Pierre

Re: Anyone have a UEFI machine without ability to disable it

Postby srs5694 on Sun Mar 16, 2014 8:49 am

Pierre wrote: but if you were in the market for a new PC,
you would have to test each PC 'in store' or be able to research that PC model,
- Before you bought it ..


Not to determine if Secure Boot can be disabled or controlled by the user. If it has a Windows 8 sticker on it, then either you can disable and control Secure Boot or the manufacturer is in violation of their contract with Microsoft.
srs5694

Re: Anyone have a UEFI machine without ability to disable it

Postby clfarron4 on Sun Mar 16, 2014 6:58 pm

UEFI hardware is a mess. Basically there are two features which are of importance to dual-booting:

1) Secure Boot
2) BIOS Legacy Mode (or Compatibility Support Module)

The former is all the cryptography stuff about signed drivers and what-not. The latter is to emulate Legacy BIOS. Assuming the hardware manufacturers have followed this and given the options in the BIOS to turn them on and off, job's a good one.

Simple, right? NO. Unfortunately, some vendors have combined the two options, or not even named them correctly, though most of the issues will be in the early days of MS implementing UEFI.

As for the OP's question, there is the Windows 8 and ARM situation, and then vendors that basically made a mess of their early UEFI implementation. Those aside, most people should be able to disable Secure Boot.
Problems? Tell us EXACTLY what you've done and what you expected to happen, IN DETAIL. That will save us questions, and we should get along better,

I have dysgraphia. This means I might have understood you incorrectly through no fault of my own.
clfarron4