Anyone have a UEFI machine without ability to disable it?

Posted: Fri Mar 07, 2014 2:38 pm
by benali72
Anyone here have a computer with UEFI (secure boot) without the ability to disable it in the BIOS?

I'm wondering because some folks thought that secure boot was yet another MS effort to block Linux installs.

Did they have any success?

Thanks.

Re: Anyone have a UEFI machine without ability to disable it

Posted: Fri Mar 07, 2014 4:18 pm
by FreedomOfTheOpenCode
No, but the problem is the option to be able to disable secure boot depends on the hardware manufacturer, who could be persuaded not to provide the option.

Re: Anyone have a UEFI machine without ability to disable it

Posted: Fri Mar 07, 2014 9:31 pm
by benali72
FreedomOfTheOpenCode wrote:No, but the problem is, the option to be able to disable secure boot depends on the hardware manufacturer, who could be persuaded not to provide the option.
Thanks for your feedback. I understand what you're saying, which is why I'm asking if anybody here has run into manufacturers that have chosen not to provide the option.

Re: Anyone have a UEFI machine without ability to disable it

Posted: Sat Mar 08, 2014 4:26 pm
by srs5694
First, UEFI and Secure Boot are not the same thing.

The Extensible Firmware Interface (EFI) and its newer variant, the Unified EFI (UEFI), is a type of firmware that's intended to replace the older Basic Input/Output System (BIOS) firmware. EFI boots in a fundamentally different way from BIOS.

Secure Boot is just one optional feature of UEFI. There are lots of (U)EFIs that lack Secure Boot support, although at this point they're mostly older ones, because Microsoft is requiring that Secure Boot be enabled on shipping non-server computers that bear a Windows 8 sticker. Thus, all the major laptop and desktop manufacturers now have UEFIs with Secure Boot support.

Furthermore, the exact same certification document that requires Secure Boot be active also requires that consumers be able to disable Secure Boot, at least on x86 and x86-64 computers. Thus, if you've got such a computer, and if it has a Windows 8 sticker on it from the factory, and if you can't disable Secure Boot, then the manufacturer is in violation of their agreement with Microsoft. It's more likely that you've simply missed the option in the firmware, though; there's no requirement that it be labelled anything sensible.

OTOH, if you've got a Windows 8 computer with an ARM CPU, the requirements are the opposite: They say that users should not be able to disable Secure Boot. At the moment, this isn't a bigger problem than it's ever been, since ARM-based Windows devices are mostly tablets, cell phones, and the like. These types of computers have traditionally been locked down in other ways, so Microsoft's Secure Boot requirements don't really change things. (That's not to say the status quo on this point is good, of course.)

If you have an EFI-based computer, it makes no sense to talk about "disabling the EFI" -- at least, short of re-flashing the firmware chip with something else, like CoreBoot. The EFI is always active, even when you activate the Compatibility Support Module (CSM), which is EFI's way of booting BIOS-mode boot loaders. CSM is to EFI something like what WINE is to Linux -- a way of running non-native programs. Some user interfaces may enable you to boot in BIOS/CSM/legacy mode exclusively, but except for some older and klunky implementations in which EFI is built atop BIOS, they're still doing so via a CSM atop an EFI. You can, however, disable Secure Boot, at least on x86/x86-64 computers.
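Added example, not part of the original thread: a small Python check that separates the two questions srs5694 distinguishes above, namely whether a running Linux system was booted in EFI mode at all, and whether Secure Boot is on. It assumes the standard Linux efivarfs layout under /sys/firmware/efi; the function names are made up for this illustration.

```python
from pathlib import Path

# GUID of the EFI global variable namespace defined by the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032c8c"


def read_efi_flag(efi_dir, name):
    """Return a one-byte EFI global variable as an int, or None if unreadable.

    An efivarfs file is a 4-byte little-endian attribute word followed by
    the variable's data, so the flag itself is the fifth byte.
    """
    path = Path(efi_dir) / "efivars" / f"{name}-{EFI_GLOBAL}"
    try:
        raw = path.read_bytes()
    except OSError:
        return None
    return raw[4] if len(raw) >= 5 else None


def boot_state(efi_dir="/sys/firmware/efi"):
    """Return (boot_mode, secure_boot) for the running system.

    boot_mode   : "efi" or "bios-or-csm"
    secure_boot : "enabled", "disabled", "disabled-setup-mode",
                  "unknown" or "n/a"
    """
    if not Path(efi_dir).is_dir():
        # The kernel sees no EFI runtime services. On EFI hardware this is
        # what a CSM (legacy) boot looks like, even though EFI is underneath.
        return ("bios-or-csm", "n/a")
    secure = read_efi_flag(efi_dir, "SecureBoot")
    setup = read_efi_flag(efi_dir, "SetupMode")
    if secure is None:
        # Older EFI without Secure Boot support, or efivarfs not mounted.
        return ("efi", "unknown")
    if secure == 1:
        return ("efi", "enabled")
    if setup == 1:
        # Setup Mode: no Platform Key enrolled, so nothing can be enforced.
        return ("efi", "disabled-setup-mode")
    return ("efi", "disabled")


if __name__ == "__main__":
    print(boot_state())
```

A result of ("efi", "disabled") is the state the thread describes for an x86 machine whose firmware option has been found and switched off.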

Re: Anyone have a UEFI machine without ability to disable it

Posted: Sat Mar 08, 2014 4:46 pm
by skywolfblue
http://ubuntuforums.org/showthread.php? ... st12832540

I think only ATOM and ARM chips are ones where you can't disable the secure boot.

From what I've read Microsoft requests that manufacturers who build for windows 8 still include a way to disable secure boot in the BIOS. So I think pretty much every AMD/Intel machine should be able to disable the secure boot. (As srs5694 said above.)

However, there do seem to be a few complaints about ASUS motherboards in particular (The option being grayed out), I haven't heard anything about inability to disable secure boot on other motherboard manufacturers like Gigabyte or Intel.

I doubt we have a lot of people here who've experienced one of these bad apples. (Most of the people here are pretty knowledgeable about Linux-compatible hardware and steer clear of the non-compatible stuff, the less knowledgeable tend to go back to windows if they run into problems, and not stay here)

Re: Anyone have a UEFI machine without ability to disable it

Posted: Sun Mar 09, 2014 9:23 am
by srs5694
skywolfblue wrote:From what I've read Microsoft requests that manufacturers who build for windows 8 still include a way to disable secure boot in the BIOS. So I think pretty much every AMD/Intel machine should be able to disable the secure boot. (As srs5694 said above.)
In terms of their marketing agreements to get a Windows 8 sticker for the computer, Microsoft doesn't request that Secure Boot be disable-able; they require it.
skywolfblue wrote:However, there do seem to be a few complaints about ASUS motherboards in particular (The option being grayed out), I haven't heard anything about inability to disable secure boot on other motherboard manufacturers like Gigabyte or Intel.
The user interface requirements are non-existent, so you could, in principle, find the option only if you activate another option that reads "do not activate under penalty of the law." My own ASUS motherboard had a pretty strangely-worded option initially; it was under "OS Type," with the options being "Windows 8 UEFI" and "Other Legacy & UEFI" -- the former activated Secure Boot and the latter disabled it. IIRC, a firmware update changed the wording to something more sensible.

Re: Anyone have a UEFI machine without ability to disable it

Posted: Sun Mar 09, 2014 5:52 pm
by skywolfblue
srs5694 wrote:In terms of their marketing agreements to get a Windows 8 sticker for the computer, Microsoft doesn't request that Secure Boot be disable-able; they require it.
Ah, that's good then!
srs5694 wrote:The user interface requirements are non-existent, so you could, in principle, find the option only if you activate another option that reads "do not activate under penalty of the law." My own ASUS motherboard had a pretty strangely-worded option initially; it was under "OS Type," with the options being "Windows 8 UEFI" and "Other Legacy & UEFI" -- the former activated Secure Boot and the latter disabled it. IIRC, a firmware update changed the wording to something more sensible.
I can't really fathom what the point of obscuring the option in the bios would be...

...What kind of benefit would it be to the MB manufacturer to obscure it? Is it just negligence and accidental sloppy naming? Or are they doing it deliberately, and why?

Re: Anyone have a UEFI machine without ability to disable it

Posted: Mon Mar 10, 2014 1:33 pm
by benali72
Thanks for the great discussion here, Srs5694 and Skywolfblue. I think I understand now. It looks like, with used desktops and laptops using any variant of x86 architecture, I don't have to worry about any used computer locking out non-Windows OSs via Secure Boot. On ARMs and ATOMs, however, it's a different story. Thanks again.

Re: Anyone have a UEFI machine without ability to disable it

Posted: Sat Mar 15, 2014 3:24 pm
by srs5694
benali72 wrote:Thanks for the great discussion here, Srs5694 and Skywolfblue. I think I understand now. It looks like, with used desktops and laptops using any variant of x86 architecture, I don't have to worry about any used computer locking out non-Windows OSs via Secure Boot. On ARMs and ATOMs, however, it's a different story. Thanks again.
The Intel Atom is a line of low-cost and low-voltage x86 and x86-64 CPUs. Thus, Atoms follow the x86/x86-64 rule: If they ship with Windows 8/8.1, their Secure Boot must be user-controllable (and disable-able).

Re: Anyone have a UEFI machine without ability to disable it

Posted: Sun Mar 16, 2014 8:28 am
by Pierre
but if you were in the market for a new PC,
you would have to test each PC 'in store' or be able to research that PC model,
- Before you bought it ..

Re: Anyone have a UEFI machine without ability to disable it

Posted: Sun Mar 16, 2014 8:49 am
by srs5694
Pierre wrote:but if you were in the market for a new PC,
you would have to test each PC 'in store' or be able to research that PC model,
- Before you bought it ..
Not to determine if Secure Boot can be disabled or controlled by the user. If it has a Windows 8 sticker on it, then either you can disable and control Secure Boot or the manufacturer is in violation of their contract with Microsoft.

Re: Anyone have a UEFI machine without ability to disable it

Posted: Sun Mar 16, 2014 6:58 pm
by clfarron4
UEFI hardware is a mess. Basically there are two features which are of importance to dual-booting:

1) Secure Boot
2) BIOS Legacy Mode (or Compatibility Support Module)

The former is all the cryptography stuff about signed drivers and what-not. The latter is to emulate Legacy BIOS. Assuming the hardware manufacturers have followed this and given the options in the BIOS to turn them on and off, job's a good one.

Simple, right? NO. Unfortunately, some vendors have combined the two options, or not even named them correctly, though most of the issues will be in the early days of MS implementing UEFI.

As for the OP's question, there is the Windows 8 and ARM situation, and then vendors that basically made a mess of their early UEFI implementation. Those aside, most people should be able to disable Secure Boot.