How to boot and install Linux on a UEFI PC with Secure Boot [Tip]

New Windows systems ship with UEFI firmware in which Secure Boot is enabled. The primary job of Secure Boot is to prevent an operating system from booting unless it is signed with a key loaded into the UEFI firmware. Only Microsoft-authenticated software can boot on such a system. Users cannot disable Secure Boot on ARM devices that run Windows RT.

How Secure Boot Works

Systems with Windows 8 and Windows 8.1 don’t have a traditional BIOS; instead they have UEFI firmware. By default, the system’s UEFI firmware will only boot boot loaders that are signed with a key embedded in the firmware. This feature of the UEFI firmware is known as Trusted Boot or Secure Boot. On a system without this security feature, a rootkit can install itself on the operating system and become the boot loader. The rootkit is then loaded at boot time by the computer’s BIOS and in turn boots and loads Windows. During this process it hides from the operating system and embeds itself at a deep level. With Secure Boot, malicious boot loaders cannot infect the system in this way, because the computer will only be booted by trusted software.

Options to Install Linux:

The user has several options for installing Linux on a system that has Secure Boot:

  • Add a Signing Key to the UEFI Firmware:

Some Linux distributions sign their boot loaders with their own key, which the user can add to the UEFI firmware. This is not very common now.

The user should check which process the Linux distribution of choice recommends. To boot an older Linux distribution that provides no information about this, the user has to disable Secure Boot.

  • Select a Linux Distribution That is Supported by Secure Boot:

The latest versions of Ubuntu, including Ubuntu 12.04.2 LTS and 12.10, will boot and install normally on most systems that have Secure Boot enabled. The reason is that Ubuntu’s first-stage EFI boot loader was signed by Microsoft. However, an Ubuntu developer notes that Ubuntu’s boot loader was not signed with a key that is required by Microsoft’s certification process. This means that Ubuntu will not boot on all UEFI systems. Users who want to run Ubuntu on some systems may have to disable Secure Boot.

  • Disabling the Secure Boot:

Secure Boot can be disabled, which means trading its security benefits for the ability to boot anything on your system, just as older PCs with a traditional BIOS do. Disabling Secure Boot is also necessary if the user wants to install a previous version of Windows that was not developed with Secure Boot in mind, such as Windows 7.

On most systems, the user will be able to install the current versions of Ubuntu, either the latest release or the LTS release, without any issues.
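
Before choosing among these options, it helps to confirm whether the machine booted through UEFI and whether Secure Boot is currently enforced. The Python script below is an added example, not part of the original tip; it assumes a running Linux system (for instance a live USB session) with efivarfs mounted at /sys/firmware/efi/efivars, and its function names are illustrative.

```python
"""Report the UEFI Secure Boot state of a running Linux system via efivarfs."""
import struct
from pathlib import Path

# GUID of the EFI global variable namespace defined by the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed efivarfs mount point


def read_u8_var(name, efivars=EFIVARS):
    """Return the one-byte value of an EFI global variable, or None if absent.

    An efivarfs file is a 4-byte little-endian attribute mask followed by
    the variable's data, so SecureBoot and SetupMode are 5 bytes long.
    """
    path = Path(efivars) / f"{name}-{EFI_GLOBAL}"
    try:
        raw = path.read_bytes()
    except (FileNotFoundError, NotADirectoryError):
        return None
    if len(raw) != 5:
        raise ValueError(f"{path}: expected 5 bytes, got {len(raw)}")
    _attributes, value = struct.unpack("<IB", raw)
    return value


def secure_boot_state(efivars=EFIVARS):
    """Return 'legacy-bios', 'unknown', 'enabled', 'setup-mode' or 'disabled'."""
    if not Path(efivars).is_dir():
        return "legacy-bios"   # booted without UEFI: Secure Boot does not apply
    secure_boot = read_u8_var("SecureBoot", efivars)
    setup_mode = read_u8_var("SetupMode", efivars)
    if secure_boot is None:
        return "unknown"       # efivarfs not mounted or variable not exposed
    if secure_boot == 1:
        return "enabled"       # only boot loaders signed with an enrolled key start
    if setup_mode == 1:
        return "setup-mode"    # no platform key enrolled; signatures not enforced
    return "disabled"          # UEFI firmware with Secure Boot switched off


if __name__ == "__main__":
    print(f"Secure Boot state: {secure_boot_state()}")
```

A result of "enabled" means an unsigned or unrecognized boot loader will be refused, so one of the options above applies; "legacy-bios" or "disabled" means the firmware will not check boot loader signatures.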
