secureboot in mint 17 ??

Chat about anything related to Linux Mint
Forum rules
Do not post support questions here. Before you post read the forum rules. Topics in this forum are automatically closed 6 months after creation.
Locked
mbohets

secureboot in mint 17 ??

Post by mbohets »

In the mint7 blog I read: Edit by Clem: No, it won’t support secureBoot

This seems strange, as new PCs all come with the new UEFI secureboot thing which is mandatory to use W8, so I wonder what could be the reason for not supporting this feature ?
Also I see that Ubuntu supports this, and since Mint is based on Ubuntu, why is this not ported over to mint ? is this not a prime feature of open source that you are allowed to do that ?

On the other hand I see plenty of post about dual booting with W8, so how can you dual boot if mint does not support this boot method ?

It all seems confusing, but since I am new to this UEFI thing, I am probably missing something.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
eanfrid

Re: secureboot in mint 17 ??

Post by eanfrid »

Yes you probably missed something: https://www.fsf.org/campaigns/secure-bo ... /statement tells you what the FSF think about the benefits of "secure boot".
mbohets

Re: secureboot in mint 17 ??

Post by mbohets »

Thanks for the link, I signed the petition.

Technically I am still confused aibut the difference between UEFI and secureboot.
My interpretation of this was that M$ requires other OSs like linux to include a microsoft issued certificate to be able to boot
on PCs that are running W8.
As mint seems to be able to do that, I supposed that mint implemented this.
But when reading the mint 17 blog, I saw this remark from Clem that mint 17 will not support secure boot, so how will mint be able to boot in a W8 dual boot environment
without going into the bios to switch secure boot on and of depending on what OS you want to boot ?
DrHu

Re: secureboot in mint 17 ??

Post by DrHu »

http://www.webopedia.com/TERM/M/microso ... _boot.html
http://technet.microsoft.com/en-us/wind ... 37995.aspx

http://www.pcmag.com/article2/0,2817,2411464,00.asp
  • While PC makers have to have Secure Boot enabled in the UEFI firmware by default, if they want to be able to slap the Windows logo outside the box, the feature can be disabled within the UEFI interface. Anyone who wants to install a non-Windows operating system on Windows 8-certified hardware would first have to manually disable SecureBoot.
http://www.webopedia.com/TERM/U/uefi.html



Secure boot is an MS marketing gimmick, I would think; and if not that, then it is a limiting of any competition, either as a market feature or simply by making it difficult to install other OS, if you follow all the rules: that is do not disable secure boot or uefi secure mode..
--does it really help the end-user in any way..
xerion567

Re: secureboot in mint 17 ??

Post by xerion567 »

mbohets wrote:My interpretation of this was that M$ requires other OSs like linux to include a microsoft issued certificate to be able to boot on PCs that are running W8. As mint seems to be able to do that, I supposed that mint implemented this. But when reading the mint 17 blog, I saw this remark from Clem that mint 17 will not support secure boot,
M$ probably isn't in the business of issuing security certificates for free, or to untrusted user communities. Ubuntu has a company- Canonical- standing behind it's product, that is the biggest difference I see from Mint.
mbohets wrote:so how will mint be able to boot in a W8 dual boot environment without going into the bios to switch secure boot on and of depending on what OS you want to boot ?
I could be wrong on this one, but I'm not sure W8 requires you to have SecureBoot in order to function, but it might require that you have UEFI.
mbohets wrote:Technically I am still confused aibut the difference between UEFI and secureboot.
SecureBoot is a feature of UEFI which prevents a machine from starting an unauthorized boot-up program. UEFI itself is a replacement for the BIOS of old, and changes a broad scope of things in the machine. For example: a machine with UEFI firmware is much more flexible with hard drive partitioning (splitting up the disk into sections) compared to BIOS which only lets you have 4 partitions (3 primary and one "extended").
mbohets

Re: secureboot in mint 17 ??

Post by mbohets »

Thanks for the replies, it is clear now.

In the mean time I was able to check that W8 effectively boots normally with secure boot disabled on a friends new msi W8 laptop.
Also a Kubuntu 14.04 bootable USB stick boots without problems :D, I'll see what happens when mint 17 comes out.
icmp_request

Re: secureboot in mint 17 ??

Post by icmp_request »

I believe you can install Secure Boot on rEFInd. It's a little tricky, haven't tried yet:

http://www.rodsbooks.com/refind/secureboot.html

Anyway, it's a nice Boot Manager for UEFI, Secure Boot Enabled or not. You don't even need to install GRUB or any boot loader if you install rEFInd as it searches automatically for linux kernels/initrds ;)
srs5694
Level 6
Level 6
Posts: 1386
Joined: Mon Feb 27, 2012 1:42 pm

Re: secureboot in mint 17 ??

Post by srs5694 »

mbohets wrote:In the mint7 blog I read: Edit by Clem: No, it won’t support secureBoot
I've not read the referenced blog (you've provided no link), and I have no inner knowledge of the Mint developer's intentions on this score, so I can't really comment on that. I do know that, the last I checked (Mint 16, IIRC), Mint shipped with the boot loaders and kernels from Ubuntu, which do support Secure Boot; but many people (myself included) have had more trouble getting them to work on a Mint installation than on an Ubuntu installation. I haven't investigated this in depth, though; it could be there's some simple tweak to get it to work better in Mint than in Ubuntu. In the meantime, though, if you need Secure Boot, it's better to stick with Ubuntu (or switch to Fedora) than to use Mint.
This seems strange, as new PCs all come with the new UEFI secureboot thing which is mandatory to use W8, so I wonder what could be the reason for not supporting this feature ?
I can't speak for the Mint developers, but it's probably a question of two factors: money and of the hassle of it. It costs $99 to get the right to send binaries off to Microsoft for signing, and recent changes to their policies require that you have another authoritative (not self-issued) signing key, so that will cost more money. This isn't a huge sum for the likes of Canonical, Red Hat, or Novell, but for an all-volunteer operation on a shoe-string budget, it could be a factor. There's also the fact that there are a lot of hoops to jump through to get things signed, procedures for building certain binaries must be changed, there's more testing involved, etc. This adds up to a lot of hassle.
Also I see that Ubuntu supports this, and since Mint is based on Ubuntu, why is this not ported over to mint ? is this not a prime feature of open source that you are allowed to do that ?
In theory, if Mint uses exactly the same binaries as Ubuntu for key items (Shim, GRUB, and the kernel), it should work directly. If any of those items were to be recompiled, though, they'd need to be re-signed, with either Microsoft's private key or with Canonical's private key. The former costs money (see above) and the latter is impossible because Canonical doesn't (to the best of my knowledge) sign third-party binaries with their private key.
On the other hand I see plenty of post about dual booting with W8, so how can you dual boot if mint does not support this boot method ?
You either jump through certain hoops yourself (as described here, among other places) or you disable Secure Boot. Just because a PC ships with Windows 8 and Secure Boot enabled does not mean that you have to leave it enabled.
eanfrid wrote:Yes you probably missed something: https://www.fsf.org/campaigns/secure-bo ... /statement tells you what the FSF think about the benefits of "secure boot".
Note that the FSF isn't opposed to Secure Boot per se; rather, they object to its use as a means of limiting end-users' ability to boot the OS of their choice. Theoretically, it's currently not a serious problem on x86 and x86-64 computers, although it can be an annoyance or extra hurdle for some people and OSes. ARM devices that ship with Windows, though, are more limiting, and should be avoided. It's also possible that future changes to Microsoft's licensing policies will create problems on other platforms.
mbohets wrote:Technically I am still confused aibut the difference between UEFI and secureboot.
Secure Boot is one feature -- and an optional feature -- of UEFI. Secure Boot is to UEFI as a GPS navigation system is to a car.
DruHu wrote:
PC Magazine wrote:Anyone who wants to install a non-Windows operating system on Windows 8-certified hardware would first have to manually disable SecureBoot.
This isn't correct. You can use Shim or PreLoader to boot just about anything with Secure Boot active. Big Linux distributions (and some not-so-big ones) distribute these programs and use them to support Secure Boot.
DrHu wrote:Secure boot is an MS marketing gimmick, I would think; and if not that, then it is a limiting of any competition, either as a market feature or simply by making it difficult to install other OS, if you follow all the rules: that is do not disable secure boot or uefi secure mode..
--does it really help the end-user in any way..
Secure Boot does have benefits to the end user. There are known boot kits that Secure Boot can block, therefore keeping the computer safe from infection by those items of malware.

Secure Boot does not limit competition, at least not in the x86-64 arena, where Shim and PreLoader are both available and can be used to launch Linux or other OSes. Furthermore, one of the "rules" you stated (namely, "do not disable secure boot") is flat-out wrong -- Microsoft's own certification requirements include the stipulation that users must be able to disable Secure Boot. If that option isn't there, then an EFI is not in compliance and the PC should not have a Windows 8 sticker on it. (For x86 and x86-64 systems, anyhow; for ARM it's another matter.)
xerion567 wrote:I could be wrong on this one, but I'm not sure W8 requires you to have SecureBoot in order to function, but it might require that you have UEFI.
There are two issues: Technical requirements and legal requirements. (The latter can be further subdivided depending on who is bound by the legal requirements.)

On a technical level, Windows 8 requires neither UEFI nor Secure Boot. If you get a retail copy of Windows 8, you can install it on a BIOS-mode computer without a trace of EFI, on an EFI-based computer that lacks Secure Boot, on an EFI-based computer with Secure Boot but that feature disabled, or on an EFI-based computer with Secure Boot enabled (provided it's got Microsoft's public keys in its firmware).

On a legal level, Microsoft's licensing agreement says that any manufacturer who wants to slap a Windows 8 sticker on a non-server PC must ship that computer with Secure Boot enabled. This in turn implies that the computer ship configured to boot in EFI mode. Note that this applies only to PC manufacturers, and to those who want a Windows 8 sticker. A Mom & Pop computer store that doesn't sign this licensing agreement can still sell you a Windows 8 PC that boots in BIOS mode -- they just could not legally put a Windows 8 sticker on the computer. You're also free to install a retail copy of Windows 8 in any way you choose. In theory, you could re-install in BIOS mode on something that came with Windows 8 in EFI mode, although in practice the recovery/installation tools provided by the manufacturer might not support this.
ClutchDisc

Re: secureboot in mint 17 ??

Post by ClutchDisc »

I disabled UEFI on my laptop... it was awful!
clfarron4

Re: secureboot in mint 17 ??

Post by clfarron4 »

You should be able to install Mint 17 and configure a UEFI bootloader to work with it so you can boot with UEFI.
gnu2nix

Re: secureboot in mint 17 ??

Post by gnu2nix »

I am on an Acer Aspire V5 right now that has no possible way to shut off secure boot.

You either have UEFI and secure boot, or BIOS boot and lose the existing windows 8.
So she simply cannot run Mint 17 Mate because of this, which completely blows. :x

She is a good candidate for conversion, but wants windows to fall back on while she gets used to it.
It is a horrible start to tell her that is not a possibility, and an equally bad one to use Ubuntu, which
does not have her WiFi drivers.
WinterTroubles

Re: secureboot in mint 17 ??

Post by WinterTroubles »

Hi gnu2nix

According to this thread on the acer forum you can disable secure boot, but, you need to set a supervisor password 1st. I have no idea if it'll work for you, gotta be worth a read at least though http://community.acer.com/t5/Notebooks- ... td-p/44003
TheSuperfly

Re: secureboot in mint 17 ??

Post by TheSuperfly »

I have not had any trouble disabling Secureboot with Windows/Mint - it's an M$ "security feature" to help protect their vulnerable OS from rootkits or anything they cannot control/understand...thus effectively blocking other OS's... UEFI works perfectly without it i.e Mint doesn't need it.. :lol:
ClutchDisc

Re: secureboot in mint 17 ??

Post by ClutchDisc »

I run my laptop on legacy Bios instead of UEFI. Works great, very easy to turn the awful UEFI off.
Locked

Return to “Chat about Linux Mint”