Installing Linux: The Good, Bad and Ugly

Good or bad, useful or not, implementation of the Unified Extensible Firmware Interface and Microsoft’s Secure Boot extension might well foul the fuel driving consumer migration to the Linux desktop.

I have extensive practice with installing various Linux distros on older and new computers. I am handy at setting up disk partitions and dual booting to maintain a working Microsoft Windows OS alongside numerous Linux distros. I also have routinely installed Linux on older and new computers by removing the Windows OS and replacing the entire drive with one or more Linux distros.

However, it was not until I attempted to do a Linux installation on a new Gateway Series DX desktop with Windows 8 installed that I stared that UEFI monster down. At first I nearly ran back to the big box store to return the shiny new Windows box. I was not able to get the BIOS settings for the UEFI and Secure Boot permissions to even see USB and DVD live sessions for Ubuntu, Linux Mint, Korora 19 or Puppy Linux. That made routine installation of Linux impossible.

The current use of UEFI and Secure Boot technologies might all too conveniently lock down the hard drive to lock out the installation of other operating systems — like Linux. Successfully installing Linux on UEFI/Secure Boot hardware controls depends on which computer brand or model you buy. Some of the newest BIOS versions effectively lock down any other OS access.

So if the implementation of UEFI and Secure Boot can essentially prevent a consumer from installing a free OS, is Microsoft encouraging computer makers to lock down users to just the Windows OS?

In short, “No,” said Vojtech Pavlik, director of Suse Labs.

“In the x86 market, it is a technology to prevent persistent stealth rootkit attacks, the most vicious form of malware attacks, a security threat that affects primarily the Microsoft Windows world,” he told LinuxInsider.

Battling UEFI

On my new computer, I ran into a brick wall installing Linux. Some of the installation methods that worked with legacy and recently purchased machines no longer worked on the newest BIOS on my shiny new computer. When less-experienced computer users hit this wall, will they find a way around it or just stop trying? Or will migrating to Linux be relegated to older hardware?

For instance, even with all of the obvious BIOS options set to allow legacy boot and with Secure Boot turned off, installing Linux failed. My new computer balked at letting the Linux installation disk see the existing Windows partition. The only option offered was reformatting the hard drive. Various tech support centers warned me that doing so might still prevent a Linux installation. UEFI and Secure Boot controls in the hardware would still be activated.

Trial and error got me to the correct combination of Legacy/Secure Boot/UEFI options to load the Linux DVD. Still, none of the distros would get beyond hanging the system during early stages of partitioning the drive to start installation. The only solution was letting Windows 8.0 partition the hard drive.

Once the new partitions were created, Linux Mint 16 installed. However, I had to use the included UEFI folder on the Linux DVD to handle the Linux installation.

Fighting Windows

A computer tech friend warned me about upgrading to Windows 8.1 from the Microsoft Store before I did the Linux installation. Upgrading to Windows 8.1 first would return the hard drive to its OEM condition. It would overwrite the Linux installation.

I really should not have to do any of that, suggested Greg Kroah-Hartman, a fellow at the Linux Foundation and a Linux Kernel maintainer.

All that is needed should be booting in secure boot and leaving the BIOS settings alone, he explained.

The problems I encountered were the result of distro-specific issues that did not know how to handle UEFI boot mode, Kroah-Hartman believed. Yet some of the distros supplied the UEFI folder.

“Anyway, booting in dual-boot mode can be tricky, as usually the non-Linux operating system has no idea that it is not the only OS on the disk, and sometimes odd things can happen. There’s nothing that Linux can do about that, as it is not running at the moment,” Kroah-Hartman told LinuxInsider.

UEFI Basics

The Unified Extensible Firmware Interface is a specification for a software interface between an approved operating system and platform firmware. It looks for a key or certified operating system. Only then does it pass control to that operating system.

Microsoft Secure Boot is a component of Microsoft’s Windows 8 operating system built into the UEFI hardware specification. Until Secure Boot appeared in 2012, computers booted using BIOS. The Secure Boot feature permits only authentic drivers certified by Microsoft to be loaded. This blocks malware.

Of course, the malware issue — at least by today’s standards — does not affect Linux code. So the entire process only benefits the security of the Windows OS. Secure Boot blocks the use of other boot loaders such as GRUB or LILO in Linux.

Early in the development process, the Linux Foundation worked with Microsoft to permit keys from participating Linux distro developers. That agreement allows some Linux distros to run on the UEFI/Secure Boot hardware.

“We did not negotiate anything. We just submitted a boot loader shim that is signed by the Microsoft key that allows the Linux kernel to then be booted in Secure Mode. We worked with Microsoft and the UEFI Group to help implement a solution such that all operating systems can properly boot in secure mode. The shim solution is available for all Linux distros to use, as well as any BSD that wishes to use it,” said Kroah-Hartman.

Cure for Some

Opinions vary on whether the UEFI standards are helping or hurting the migration to Linux. Enterprise users can select a Linux distro certified to work with UEFI standards, but not all Linux distros have keys that allow them to install. Despite the intent of the UEFI standards, the process so far is not universally successful.

It should “just work,” asserted Kroah-Hartman — but that depends on the distro you install. It also depends on which hardware you are installing it on. If you try to install a Linux distro on hardware that was created after the distro was released, it might be a bit hard to do.

“A successful installation does depend on the quality of implementation of the UEFI firmware and adherence to the UEFI 2.3.1c standard by the computer manufacturer. With the use of the UEFI standard still in its infancy, it is not all that rare to come across noncompliant implementations,” said Suse Labs’ Pavlik.

That is where some Linux officials part company. Some insist that Linux installations are not impacted.

“Generally, all major manufacturers of x86/64 systems follow the UEFI specification, meaning that the specific brand or model of a computer will not matter. Outside of the x86/64 server marketplace, including the consumer market, this can change — but for the most part, brand is irrelevant,” Eric Paris, supervisor for the Red Hat Enterprise Linux security team, told LinuxInsider.

Linux Not Equal

It is important to differentiate between UEFI and Secure Boot, insisted Paris.

UEFI is a specification that defines the software interface between an operating system and a platform’s firmware. Secure Boot is a security protocol component of UEFI that — shockingly — secures the boot process by preventing the loading of drivers or OSes that are not digitally signed with an acceptable marker, he explained.

The objective of Secure Boot is to ensure that the operating system bootstrap process does not introduce malware with the assistance of hardware verification. This is something that all Linux distros would like to embrace, according to Paris.

However, the reality is that not all distros support Secure Boot-enabled platforms, he said. One example of a platform that does not play nice with Secure Boot is Red Hat’s own Red Hat Enterprise Linux 6; the platform supports UEFI, but not the Secure Boot protocol.

“A counterpoint, however, is Fedora, which will load on UEFI machines with secure boot enabled right out of the box. Currently, Red Hat Enterprise Linux 7 Beta requires the user to put Secure Boot into learning mode and load the Red Hat Secure Boot Beta key, but we plan to further improve the end-user experience for Secure Boot by the time that Red Hat Enterprise Linux 7 reaches [general availability],” said Paris.

Another issue is that some distributions follow the Linux Foundation’s work or their own, while other distros simply do not have Secure Boot enabled as a default setting, he noted.

Trading Experiences

UEFI and Secure Boot are technologies that some Linux experts approach with a sense of curiosity. Take the case of James Bottomley, chair of the Linux Foundation’s Technical Advisory Board.

He recently did an install of openSuse 13.1 on a Samsung 9 AT IV. He was curious to see if it would work out of the box. He installed it on the system as delivered in Secure Boot mode using the USB key image. The install went flawlessly except that openSuse could not resize the Windows partition to allow it to share the disk. So he just erased Windows.

“We were initially worried about the problem of installing Linux on Secure Boot hardware. But thanks to a fairly long lead time and lots of work done by Greg [Kroah-Hartman], me, Matthew Garrett and Peter Jones, any distribution that wants to can get it to work easily,” Bottomley told LinuxInsider.

Installation can fail if you install a distro’s older version, he agreed. It also can get troublesome when using non-Microsoft keys.

User Tips

In most cases, users can install almost any Linux distro on a computer that predates the UEFI and Secure Boot standards without difficulty. That process can involve repartitioning the hard drive, overwriting an earlier version of Microsoft Windows, or creating a dual boot environment. For less-experienced users with a new computer, a better option could be buying a computer with a specific Linux distro already installed.

“Unfortunately, there’s no clear-cut answer here, as the installation process, even without Secure Boot, will vary from distro to distro. To ensure that the installation process goes smoothly, home users should follow the process recommended by the distribution that they’re looking to install,” said Paris.

What steps should the typical Linux home user take to get Linux on a new computer? That depends on whom you ask. The process is documented (albeit for developers) here.

All of the major Linux distros should work out of the box just fine. That includes Fedora, openSuse and Ubuntu, according to Kroah-Hartman.

“Just use the install media and go through the steps provided by the distro. You should not have to modify any BIOS settings in order to install Linux. Windows has a boot to USB restart option somewhere in the shutdown menu, and then boot off of the USB install media, and you should be fine,” he suggested.

In most cases, nothing changes, according to Pavlik. On UEFI machines, just put in the DVD, boot from it, click through the installation screens, and you are done. If Secure Boot is enabled on the machine, use a distribution that supports UEFI Secure Boot. Then again, the procedure is unchanged.

For distributions that do not support Secure Boot, enter the firmware setup page, either by pressing a key during the boot sequence or from the presently installed OS on the laptop, and disable Secure Boot there.
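Before choosing between those two paths, it helps to confirm what state the firmware actually booted in. The script below is an added example, not part of the original article: it reads the `SecureBoot` and `SetupMode` variables that the Linux kernel exposes through efivarfs under the UEFI global-variable GUID. The function names and the optional sysfs-root argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify the firmware boot state of a running Linux system
# (for instance a live session started from the install media).

# GUID of the UEFI global variable namespace, as defined by the UEFI specification.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efi_var_byte DIR NAME
# Print the one-byte value of a global UEFI variable as a decimal number.
# efivarfs files begin with a 4-byte attribute word, followed by the data.
efi_var_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    # Skip the 4 attribute bytes and dump the first data byte.
    v=$(dd if="$f" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# boot_state [SYSFS_ROOT]
# SYSFS_ROOT defaults to /sys; the parameter is hypothetical and exists so the
# function can be pointed at a constructed directory tree.
boot_state() {
    sys="${1:-/sys}"
    if [ ! -d "$sys/firmware/efi" ]; then
        # No EFI runtime services: the kernel was started via legacy BIOS/CSM,
        # so Secure Boot is not enforcing anything for this boot.
        echo "legacy-bios"
        return 0
    fi
    vars="$sys/firmware/efi/efivars"
    sb=$(efi_var_byte "$vars" SecureBoot) || { echo "uefi-unknown"; return 0; }
    setup=$(efi_var_byte "$vars" SetupMode) || setup=0
    if [ "$setup" = "1" ]; then
        # No platform key enrolled: firmware accepts new keys, nothing is enforced.
        echo "uefi-setup-mode"
    elif [ "$sb" = "1" ]; then
        # Only boot loaders signed by an enrolled key (e.g. a signed shim) will start.
        echo "uefi-secure-boot-on"
    else
        echo "uefi-secure-boot-off"
    fi
}

boot_state "$@"
```

A result of `uefi-secure-boot-on` means the installed distribution needs a signed boot path; `legacy-bios` on a machine that shipped with Windows 8 means the installer was started in compatibility mode and will not see the existing EFI boot entries.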

Jack M. Germain has been writing about computer technology since the early days of the Apple II and the PC. He still has his original IBM PC-Jr and a few other legacy DOS and Windows boxes. He left shareware programs behind for the open source world of the Linux desktop. He runs several versions of Windows and Linux OSes and often cannot decide whether to grab his tablet, netbook or Android smartphone instead of using his desktop or laptop gear.

11 Comments

  • I’m a bit surprised to see someone writing about secure boot now, given that it was implemented in Windows 8 which was released on October 26, 2012.

    The author appears to be confused about secure boot and UEFI; secure boot is part of the UEFI specification but has only been implemented by Microsoft – and given that Microsoft has influence over all hardware manufacturers, it is turned on for every machine that is pre-loaded with Windows 8.

    Linux was ready for UEFI years and years ago. Not so for secure boot, as developers had to first see how it was implemented in order to develop methods of booting on machines that have it turned on. Fedora, Ubuntu, and openSUSE, to name three all boot easily on machines with secure boot turned on.

  • Once again someone who should know better conflating Microsoft’s "SecureBoot" with UEFI.

    Linux based Operating Systems will install on UEFI systems without the necessity of a key. It is only where those systems are using Microsoft’s Proprietary Extension to UEFI… "SecureBoot", that a key is needed to install any operating system be it Linux or Windows.

    • "I hope can install a Linux distro on them, currently Asus P8Z77 Lga1155. I hope this board will work."

      I bought an Asus P8Z77 Pro motherboard with LGA1155 socket and installed Fedora on it with no problems at all. I did not use the UEFI boot mechanism at the time because I was not planning to boot Windows and it was the easy way out. After installing Fedora on two Lenovo laptops in dual boot with UEFI and Secure Boot I would have no worries about installing Linux with UEFI boot. You simply need UEFI boot enabled in the BIOS setup and you need installation media that is UEFI boot enabled.

  • I work for a Retailer that sells pcs. I will not buy a pc from them because they all have win8/apple oses. Their tech does not know if I can install Slackware linux on them. So I am sourcing out motherboards that I hope can install a Linux distro on them, currently Asus P8Z77 Lga1155. I hope this board will work. I stopped trying to learn anything MS years ago. It’s a waste of my time. To think that two people, Bill Gates and Steve Jobs have had so much control of the computing market is asinine in my mind. At work, we do not provide staff with PC’s. They buy their own, but have to have a windows 7 in the cloud virtual environment. Most people choose macbook air. It is the epitome of contradictions, buy a mac, work in a windows virtual environment. Secure boot and UEFI should be completely open, not proprietary.

  • Before installing Fedora on my new Lenovo with Secure Boot and UEFI Bios, I asked on the Fedora Forums where the tutorial was for those issues. Eventually I was told, "no tutorial because it should just work."

    We went back and forth a bit with my questions being mostly graciously answered. I also looked online because I wanted to shrink down the Windows 8 partition more than the Windows Disk Management tool wanted to give me (it wanted to stop at half the partition and I wanted 80+% for Fedora). Googling I got a recipe from a forum on how to eliminate the barriers that Windows sets up for shrinking the partition.

    At first I had a bit of trouble getting Fedora to boot from CD. I disabled Secure Boot keeping UEFI and it booted and installed quite readily. Rebooting and I got Fedora but no Windows in grub’s menu.

    I went into the UEFI BIOS’s boot manager and sure enough it found both Windows and Fedora. So, F12 on my Lenovo gave me access to boot either. I enabled SB and Fedora with its "shim" still booted. Ditto for Windows in its shrunken partition.

    On the Fedora Forum Rod Smith told us about his rEFInd boot manager software. After I had fully set up my preferred apps in Fedora and gotten some business done I settled in to read up on rEFInd. Rod’s documentation is in several web pages of his site. Some were too detailed on too many aspects that were unnecessary for my purposes but his quick install guide was great.

    I downloaded the rEFInd CD iso, burned it and booted it. It found Windows and Fedora and also the UEFI Bios entry point. Slick. I installed the rpm from Fedora and booted and voila–I had all those choices from the rEFInd boot menu. Cool.

    So, 1) it wasn’t necessary to enable legacy boot and that would have made Windows unavailable. 2) With a version of Linux that is installable with a Secure Boot-registered shim, installation is pretty straightforward but grub being grub doesn’t work too well in finding the Windows efi bootmanager. The rEFInd software is simple, straightforward for most situations and Rod knows how to help folks who have the more awkward issues.

  • I’ve been running each version of Ubuntu as they have come out for the last 5 years, starting with 8.10. I’ve installed Ubuntu on about 25 computers over these 5 years for friends, family, and coworkers, mostly dual boots with Windows. The installs were relatively simple. In the last 2 months, I’ve installed Ubuntu 13.10 on two new Lenovo desktops with Windows 8. This was also my first experience with Windows 8. On both systems, I did the Windows 8.1 update before installing Ubuntu. On one the update went fine. On the other, I had a terrible time because one Windows 8 file would not update, and Windows 8.1 would not update without that being done. Finally I managed to get that file updated. When I went to install Ubuntu, I turned off Secure Boot and Fast Boot before installing, as per recommendations on the web. Then I put the install disk in the DVD drive and started the Ubuntu install. Ubuntu would get to the point where normally you would partition the hard drive to install Ubuntu alongside Windows. No such option existed. From more research on the web, I found I needed to resize the Windows partition in Windows. The reason being windows has some non movable files on the hard drive. On both of these machines, there was a non movable file right in the middle of a 1 TB hard drive. The only reason I can figure Microsoft would do that is to thwart Linux installs, or greatly limit the amount of hard drive space Ubuntu could use. Anyway, once I shrank the hard drive, I had free space. Then I could go back to the Ubuntu install and when I would get to the screen where you would normally choose to install alongside Windows 8, there was still no option to install Ubuntu alongside Windows 8. I needed to create a swap partition and a partition for Ubuntu to be installed in with a mount point in the free space. Any new person like I was 5 years ago trying to do an install would certainly have given up at that point. When I was new to Ubuntu I knew nothing about partitioning a hard drive. I would never have made it that far. Anyway, the installs with that having been done, went perfectly fine. They finished. I removed the install disks from the DVD drives, and rebooted. On both machines all I had on the reboot was Windows 8 booting. There wasn’t any option boot to Ubuntu. Upon further research on the web, it was recommended that I run the Boot-Repair utility. I did it from the live DVD and terminal. In both instances it took several minutes, and when finished, I had the Grub dual boot menu options show up on a re-start, and, on both machines, dual boot worked perfectly after that. But after doing those two Ubuntu installs on two Windows 8 computers, I decided that no person new to Ubuntu, or Linux, and with average, or maybe above average computer skills, would ever be able to do an Ubuntu install on a Windows 8 machine. All due to Microsoft!!!!!!!!!!!!!

  • I started the New Year with a new computer from ZaReason, which preloaded my system at purchase with my favorite spin of Fedora. This article gives me a bit of confidence that I could load linux onto a UEFI machine. I am still glad that I have a new machine in which this is not an issue.

    Perhaps part of the Linux revolution will be for Linux users to buy pre-loaded linux from companies like Lini PC, emperorpenguin, ZaReason, System 76 or even the pre-loaded Ubuntu from ecollegepc.com or Dell. The way to create a market which supplies linux-install-friendly computers is to buy them.

  • You are one of two tech journalists I know of who have the knowledge and confidence to tackle a project such as this, and the calibre of writing which makes the reader feel as though (s)he is watching over your shoulder as you explain what has gone right, or wrong. You also share another attribute in common: calling a spade a spade.

    If you, U-N (un-named), and James Bottomley can’t get Linux to play nicely with UEFI/Secure Boot, what chance do we ignoramuses have?

    I just must quote from your article for those who may have let it slip by:

    "UEFI and Secure Boot are technologies that some Linux experts approach with a sense of curiosity. Take the case of James Bottomley, chair of the Linux Foundation’s Technical Advisory Board.

    He recently did an install of openSuse 13.1 on a Samsung 9 AT IV. He was curious to see if it would work out of the box. He installed it on the system as delivered in Secure Boot mode using the USB key image. The install went flawlessly except that openSuse could not resize the Windows partition to allow it to share the disk. So he just erased Windows.

    "We were initially worried about the problem of installing Linux on Secure Boot hardware. But thanks to a fairly long lead time and lots of work done by Greg [Kroah-Hartman], me, Matthew Garrett and Peter Jones, any distribution that wants to can get it to work easily," Bottomley told LinuxInsider.

    Installation can fail if you install a distro’s older version, he agreed.

    The only way out of this mess? DEMAND that hardware manufacturers provide a platform option which is totally and completely free of any taint of Microsoft.

    With all the unsold Microsoft inventory gathering dust, now’s the perfect time to be VERY strident with PC makers regarding selling you a no-OS PC with an "ancient" BIOS.

    ps: heard the latest story of how HP is going to start moving its unsold Win8 PCs? Simple: it’s going to wipe all those drives of ANY Win8 sh*t, and INSTALL WIN7! How’s THAT for creativity?

    Let’s all start the negotiations!

  • I will buy a computer without any OS, or a ZaReason or System 76 computer. I will NOT support windows when I buy my next computer, no matter they try to lure me with a low price (cheap) computer. I hope others think and feel the same way.

  • Thank you for the update. I enjoyed reading your UEFI article.

    I must agree with Jack, the solution is simple: Avoid a Winbox. It is asinine that Microsoft should dominate this discussion.

    We must insist as a community that hardware vendors build OS neutral hardware allowing any OS to boot.

    I’m not opposed to UEFI, but I am confused as to why the keys cannot be universally controlled by the end user; even on a Winbox— the end user should be able to disable the keys/UEFI and use or not… reset the key, load whatever they want.

    Microsoft must get out of our lives— it is way past time for this.

    Cheers

  • Thank you for update. My solution is very simple. Don’t buy winbox. There are other makers like Systems76 with computers one can install anything on. After years paying MS ransom for, every so often, new version of the old trouble I will never again buy computer with pre-install Microsoft product. It is waste of time and money. Even very good products can be made useless by unnecessary demands and updates and unwanted automatic actions. To serve this demands one needs to learn about system anyway, so why not to have it my way from the beginning?
