PC 21C & Secure Boot

From Info Wiki
Revision as of 13:03, 10 January 2013 by Rpeters (talk | contribs) (added outline of requirements to get Linux working on computers having Secure Boot)


The new technologies being introduced with PCs and disk drives manufactured in 2011 and later centre on UEFI firmware and its related technologies:

  • AF disk drives
  • GPT disk partitioning
  • EFI boot routine
  • Secure Boot (within the UEFI firmware)

More detailed guidelines, help and recommendations are available from:


Many mainboards manufactured by Intel from 2006 include (U)EFI, but are likely to require upgrading to the latest available firmware release in order to work reliably with the first three technologies above. Intel provide an ISO image of a bootable CD, which allows the upgrade to be done without Windows.

EFI Boot

The EFI bootloader within UEFI is capable of booting a kernel image directly, provided that the image has an extension of .efi. Getting this to work directly requires being able to add boot entries in the mainboard's setup, and this feature is not implemented on all mainboards. After entering the mainboard's setup, follow the trail:

Boot tab -> Boot Priority -> Add entry

Workarounds include:

  1. many current Linux installer routines will place an entry for a bootloader (e.g. grub.efi, although it is likely to be named after the distro) in the mainboard's boot priority list
  2. the rEFInd boot manager from the above site will place an entry for itself in the mainboard's list.
    • rEFInd is more flexible, being able to select various boot devices:
      • a bootloader such as grub.efi
      • a CD or USB boot device or
      • a kernel file having .efi extension
    • rEFInd also presents an attractive boot menu with an icon-based interface

EFI boot looks for FAT32 partitions having type code ef00 (type ESP). A contemporary kernel plus initrd occupies more than 20 MB. An ESP of several hundred MB is advisable if many operating systems will be installed on the PC or if older kernels are being retained.
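The following Python example is added here and is not part of the original wiki page: it locates ESP entries in a GPT disk image the way the firmware must, validating the header and partition-array CRCs before trusting the table, and reports each ESP's size. The function names and the sample image are constructed for illustration; the type GUID is the one gdisk displays as code ef00.

```python
import struct, uuid, zlib

ESP_GUID = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")  # shown by gdisk as code ef00
HDR_FMT = "<8sIIIIQQQQ16sQIII"  # the 92-byte GPT header, little-endian

def find_esps(disk: bytes, sector: int = 512):
    """Return (name, first_lba, size_mib) for each ESP entry in a GPT disk image.
    Pass sector=4096 for AF drives that expose 4096-byte logical sectors."""
    (sig, _rev, hsize, hcrc, _rsv, _my, _alt, _first, _last, _guid,
     ent_lba, n_ent, ent_size, ent_crc) = struct.unpack_from(HDR_FMT, disk, sector)
    if sig != b"EFI PART" or not 92 <= hsize <= sector:
        raise ValueError("no valid GPT header at LBA 1")
    raw = disk[sector:sector + hsize]
    # The header CRC is computed with its own CRC field (bytes 16..19) zeroed.
    if zlib.crc32(raw[:16] + bytes(4) + raw[20:]) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    table = disk[ent_lba * sector:ent_lba * sector + n_ent * ent_size]
    if ent_size < 128 or len(table) != n_ent * ent_size or zlib.crc32(table) != ent_crc:
        raise ValueError("GPT partition array invalid or CRC mismatch")
    esps = []
    for off in range(0, len(table), ent_size):
        # GUIDs are stored mixed-endian on disk, which is what bytes_le decodes.
        if uuid.UUID(bytes_le=table[off:off + 16]) != ESP_GUID:
            continue
        first, last = struct.unpack_from("<QQ", table, off + 32)
        name = table[off + 56:off + 128].decode("utf-16-le").rstrip("\0")
        esps.append((name, first, (last - first + 1) * sector // 2**20))
    return esps

def build_sample_disk(sector: int = 512) -> bytes:
    """Constructed test image: blank LBA 0, GPT header, 128-entry array (ESP + Linux)."""
    linux = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")  # gdisk code 8300
    def entry(ptype, unique, first, last, name):
        return (ptype.bytes_le + uuid.UUID(int=unique).bytes_le
                + struct.pack("<QQQ", first, last, 0)
                + name.encode("utf-16-le").ljust(72, b"\0"))
    table = (entry(ESP_GUID, 1, 2048, 1050623, "EFI System")
             + entry(linux, 2, 1050624, 2097151, "root")).ljust(128 * 128, b"\0")
    fields = [b"EFI PART", 0x10000, 92, 0, 0, 1, 2099199, 34, 2099166,
              uuid.UUID(int=3).bytes_le, 2, 128, 128, zlib.crc32(table)]
    fields[3] = zlib.crc32(struct.pack(HDR_FMT, *fields))  # CRC over zeroed field
    header = struct.pack(HDR_FMT, *fields).ljust(sector, b"\0")
    return bytes(sector) + header + table

if __name__ == "__main__":
    print(find_esps(build_sample_disk()))
```

To inspect a real disk, pass the first 34 sectors read from the device (read-only) instead of the constructed image.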

Secure Boot

As of early 2013 the ability of Linux to work with Secure Boot is still uncertain. The prerequisite is one or both of:

  • Secure Boot being able to be set to DISABLED in UEFI
  • UEFI containing a Linux key
    • presently none do

The UEFI specification does provide for Secure Boot to be able to be disabled:

  • AMI provide this feature in their UEFI (although hardware makers might not implement it)

Linux users are advised not to purchase a new computer (desktop or laptop) without first confirming that it will boot Linux (e.g. from a Live CD or installed to a USB stick). Secure Boot can be disabled on the following models:


[[Category:Technical Info]] Rpeters 14:03, 10 January 2013 (EST)