Install Linux with Windows 8 and Secure Boot

Understanding UEFI Secure Boot and Dual Booting

The introduction of the UEFI Secure Boot system with Windows 8 has generated considerable uncertainty, particularly for individuals who utilize a dual boot configuration.

Many users have expressed confusion regarding compatibility and the process of installing multiple operating systems alongside Windows 8.

The Source of the Question

This discussion originates from a question posed on SuperUser, a segment of the Stack Exchange network.

Stack Exchange is a collaborative platform comprised of numerous question-and-answer websites, driven by its user community.

Addressing Misconceptions About Dual Booting

It’s important to dispel common misunderstandings surrounding dual booting Windows 8 and Linux distributions.

While UEFI Secure Boot aims to enhance system security, it doesn't inherently prevent dual booting.

How Secure Boot Impacts Booting

Secure Boot verifies the digital signature of boot loaders and operating system kernels before allowing them to execute.

This process ensures that only trusted software can load during startup, protecting against malware.

Dual Booting with Windows 8 and Linux: Is it Possible?

Yes, dual booting Windows 8 and Linux is indeed achievable, but it may require adjustments to the UEFI settings.

Specifically, users might need to temporarily disable Secure Boot or enroll the Linux bootloader's key into the UEFI database.

Steps to Consider

• Disable Secure Boot: Access the UEFI settings (usually by pressing Del, F2, or F12 during startup) and disable Secure Boot.
• Enroll Keys: Alternatively, some distributions offer tools to enroll their bootloader keys into the UEFI database, allowing Secure Boot to remain enabled.
• Legacy/CSM Mode: In some cases, enabling Legacy or Compatibility Support Module (CSM) mode may be necessary.

The exact procedure can vary depending on the motherboard manufacturer and the specific Linux distribution being installed.

It's crucial to consult the documentation for both your hardware and operating system for detailed instructions.

Understanding UEFI Secure Boot and Operating System Compatibility

A SuperUser user, Harsha K, recently inquired about the implications of the new UEFI system. Specifically, he sought clarification regarding UEFI Secure Boot in Windows 8.

Harsha’s concern stemmed from reports suggesting that Secure Boot prevents the execution of "unauthorized" bootloaders, ostensibly as a security measure against malware.

The Concerns Surrounding Secure Boot

The Free Software Foundation has voiced opposition to Secure Boot, and online discussions have characterized it as a potential "power grab" by Microsoft, potentially leading to the exclusion of free and open-source operating systems.

Harsha’s core question was whether a computer pre-configured with Windows 8 and Secure Boot would still allow for the subsequent installation of Linux, or other alternative operating systems.

Can You Still Dual Boot?

The central issue is whether users desiring a multi-boot setup will be hindered by Secure Boot’s restrictions. The initial concerns raised legitimate questions about operating system compatibility.

The situation isn't as restrictive as some initial reports suggested. While Secure Boot does enforce restrictions on bootloaders, it doesn't inherently preclude the installation of other operating systems like Linux.

How Secure Boot Works and Its Impact

UEFI (Unified Extensible Firmware Interface) is the modern successor to BIOS. Secure Boot is a feature of UEFI that verifies the digital signature of bootloaders before allowing them to execute.

This verification process is designed to ensure that only trusted software is loaded during the startup sequence, thereby mitigating the risk of rootkits and boot sector viruses.

Installing Linux with Secure Boot Enabled

Installing Linux on a system with Secure Boot enabled requires a bootloader that is either signed by Microsoft or that can be enrolled as a trusted key in the UEFI firmware.

Many modern Linux distributions, such as Ubuntu, now offer signed bootloaders that are compatible with Secure Boot. This allows for seamless installation and operation alongside Windows 8.

Disabling Secure Boot as an Alternative

If a Linux distribution doesn't have a signed bootloader, or if you encounter compatibility issues, you can typically disable Secure Boot in the UEFI settings.

However, disabling Secure Boot reduces the security benefits it provides, potentially leaving your system more vulnerable to certain types of malware.

Conclusion

Users who wish to dual boot Windows 8 and Linux are not necessarily "out of luck" due to UEFI Secure Boot. Compatibility is achievable through signed bootloaders or by temporarily disabling Secure Boot.

The key is to ensure that the chosen Linux distribution supports Secure Boot, or to understand the implications of disabling it before proceeding with the installation.

Understanding UEFI and Secure Boot

A detailed explanation of UEFI and Secure Boot is provided by SuperUser contributor Nathan Hinkle, offering valuable insights into this technology.

To begin, a straightforward answer to the initial question:

• ARM Tablet Users: If your device is an ARM tablet operating on Windows RT, such as the Surface RT or Asus Vivo RT, disabling Secure Boot or installing alternative operating systems is not possible. These devices, similar to many other ARM tablets, are restricted to running their pre-installed OS.
• Non-ARM Computer Users: If you possess a computer that isn't ARM-based and runs Windows 8 (like the Surface Pro, or various ultrabooks, desktops, and tablets with an x86-64 processor), then Secure Boot can be fully disabled. Alternatively, you can install custom keys and sign your own bootloader. Consequently, installing a third-party OS, like a Linux distribution, FreeBSD, or DOS, becomes feasible.

Now, let's delve into the specifics of how Secure Boot functions, addressing common misconceptions, particularly those originating from the Free Software Foundation and similar organizations. This misinformation has complicated the search for accurate information, so a clear explanation is crucial. It’s important to note this understanding is based on research, not direct development experience.

First and foremost, Secure Boot was not developed by Microsoft. While they are the first to implement it widely, the technology itself is a component of the UEFI specification. UEFI serves as a modern replacement for the traditional BIOS, acting as the interface between the operating system and the hardware. UEFI standards are established by the "UEFI Forum," comprising representatives from the computing industry, including Microsoft, Apple, Intel, AMD, and numerous computer manufacturers.

A crucial point to understand is that enabling Secure Boot does not permanently restrict a computer to a single operating system. Microsoft’s Windows Hardware Certification Requirements mandate that non-ARM systems must allow both Secure Boot disabling and key modification (to accommodate other OSes). Further details will be provided shortly.

The Functionality of Secure Boot

The primary purpose of Secure Boot is to safeguard your computer against malware attacks during the boot process. Malware infiltrating the bootloader can be exceptionally difficult to detect and eliminate, as it can compromise low-level OS functions, remaining hidden from antivirus software. Secure Boot simply verifies the bootloader's origin and ensures it hasn't been altered. Consider it analogous to tamper-evident seals on bottles.

The highest level of protection is provided by the platform key (PK), which is unique to each system and installed by the OEM during manufacturing. This key protects the KEK database. The KEK database contains Key Exchange Keys, used to modify other secure boot databases. Multiple KEKs are possible. Next are the Authorized Database (db) and the Forbidden Database (dbx). These databases contain information about Certificate Authorities, cryptographic keys, and UEFI device images, allowing or blocking them respectively. A bootloader must be cryptographically signed with a key present in the db, and not in the dbx, to be permitted to run.

^{Image from Building Windows 8: Protecting the pre-OS environment with UEFI}

Secure Boot on a Windows 8 Certified System

The OEM generates its own PK, and Microsoft provides a KEK that the OEM is required to preload into the KEK database. Microsoft then signs the Windows 8 Bootloader, utilizing their KEK to place this signature in the Authorized Database. During boot, UEFI verifies the PK, Microsoft’s KEK, and the bootloader. If all checks pass, the OS can proceed to boot.

^{Image from Building Windows 8: Protecting the pre-OS environment with UEFI}

Integrating Third-Party OSes, such as Linux

A Linux distribution could generate a KEK and request OEMs to include it in the KEK database by default. This would grant them equivalent control over the boot process as Microsoft. However, as Matthew Garrett of Fedora explains, this presents challenges: obtaining inclusion from every PC manufacturer is difficult, and it would unfairly exclude other Linux distributions lacking similar OEM partnerships.

Fedora’s chosen approach (and one adopted by other distributions) is to leverage Microsoft’s signing services. This involves a $99 payment to Verisign (Microsoft’s Certificate Authority) to sign their bootloader using Microsoft’s KEK. Since Microsoft’s KEK is pre-installed on most computers, this allows Secure Boot compatibility without requiring a custom KEK. This is more compatible and cost-effective than establishing and maintaining a separate key signing system. Detailed information about this process (involving GRUB, signed Kernel modules, etc.) is available in the referenced blog post.

If opting out of Microsoft’s system or avoiding the $99 fee, or simply objecting to large corporations, Secure Boot can still be used with alternative OSes. Microsoft’s hardware certification mandates that OEMs provide a method for users to enter UEFI “custom” mode, allowing manual modification of Secure Boot databases and the PK. The system can be placed in UEFI Setup Mode, enabling users to specify their own PK and sign bootloaders independently.

Moreover, Microsoft’s certification requirements require OEMs to include a method to disable Secure Boot on non-ARM systems. Secure Boot can be turned off! The only exception is ARM systems running Windows RT, which operate similarly to iPads, restricting custom OS loading. While enabling OS changes on ARM devices would be desirable, Microsoft’s approach aligns with industry standards for tablets.

Is Secure Boot Inherently Negative?

As demonstrated, Secure Boot is not inherently malicious and isn’t exclusive to Windows. The Free Software Foundation’s concerns stem from the added complexity of using third-party operating systems. While Linux distributions may object to paying for Microsoft’s key, it represents the easiest and most cost-effective path to Secure Boot compatibility. Fortunately, disabling Secure Boot is straightforward, and key modification remains possible, circumventing the need to engage with Microsoft.

Considering the increasing sophistication of malware, Secure Boot appears to be a reasonable security measure. It’s not a sinister plot, and is less alarming than some free software advocates suggest.

Further Resources:

• Microsoft Hardware Certification Requirements
• Building Windows 8: Protecting the pre-OS environment with UEFI
• Microsoft presentation on Secure Boot deployment and key management
• Implementing UEFI Secure Boot in Fedora
• TechNet Secure Boot Overview
• Wikipedia article on UEFI

In short: Secure Boot protects your system from low-level malware during startup. Creating the necessary keys is possible for anyone, but convincing manufacturers to distribute your key is challenging. Alternatively, you can pay Verisign to use Microsoft’s key to sign your bootloaders. Secure Boot can also be disabled on any non-ARM computer.

Finally, regarding the FSF’s campaign against Secure Boot: While some of their concerns (increased difficulty installing free operating systems) are valid, the claim that it will “prevent anyone from booting anything but Windows” is demonstrably false, as illustrated above. Campaigning against UEFI/Secure Boot as a technology is misguided and unlikely to succeed. It’s more important to ensure manufacturers adhere to Microsoft’s requirements, allowing users to disable Secure Boot or modify keys as desired.

 

Do you have additional insights to share regarding this explanation? Please contribute in the comments section. For a more comprehensive discussion with other tech experts, visit the original Stack Exchange thread here.