pensador_13 n00b
Joined: 15 Nov 2017 Posts: 7 Location: Portugal
Posted: Sun Nov 19, 2017 2:05 pm Post subject: [SOLVED] Partitioning with UEFI and Secure Boot enabled
Hello
I intend to use only Gentoo on my laptop.
The BIOS of my laptop has two boot modes: UEFI and Legacy.
UEFI has Secure Boot enabled and I couldn't disable it; it seems that if a computer includes Windows 10, manufacturers can choose to enable Secure Boot and not give users a way to turn it off.
Then I switched to Legacy and I was able to boot the USB stick with the minimal Gentoo install.
I read the Preparing the disks section of the AMD64 Handbook, but the following question remains unanswered:
Is it possible to configure the partitioning in a way that will work with UEFI mode and Secure Boot enabled?
Thanks in advance,
Luís Carneiro
Last edited by pensador_13 on Wed Nov 22, 2017 9:35 am; edited 1 time in total
fedeliallalinea Administrator
Joined: 08 Mar 2003 Posts: 31280 Location: here
Posted: Mon Nov 20, 2017 10:45 am Post subject:
I haven't any experience of dual boot with Windows and Secure Boot, but Sakaki's guide may be a good starting point.
The minimal Gentoo CD does not support EFI, if I remember correctly, but you can use SystemRescueCd, which is Gentoo based.
_________________
Questions are guaranteed in life; Answers aren't.
pensador_13 n00b
Joined: 15 Nov 2017 Posts: 7 Location: Portugal
Posted: Mon Nov 20, 2017 11:04 am Post subject:
Thanks for the suggestion, but I don't want to do a dual boot; I want the whole disk to be Gentoo Linux.
If I choose the UEFI method described in the Handbook, will it work with Secure Boot enabled?
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54578 Location: 56N 3W
Posted: Mon Nov 20, 2017 11:35 am Post subject:
pensador_13,
Not really. To use Secure Boot, the boot loader and kernel (and initrd) need to be signed by one of the keys in the firmware, so that they can be validated at boot.
Microsoft's key is there, so it can boot Windows.
You have two approaches: add your own key, or sign your boot files with a key known to the BIOS.
Adding your own key is risky. The system may never boot again.
Having your boot files signed by Microsoft is expensive.
I believe that one or two of the bigger binary distros did some work on booting with Secure Boot.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
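As an added illustration of the key check NeddySeagoon describes (example code written for this page, not something posted in the thread), the Python below reads the firmware state the way Linux exposes it: the SecureBoot and SetupMode variables under /sys/firmware/efi/efivars, and the EFI_SIGNATURE_LIST records that make up the db key database the boot loader is validated against. It runs on constructed sample bytes (labelled below); on a real machine you would feed it the files named in the comments.

```python
import struct
import uuid

# Where Linux exposes these (efivarfs names are VARIABLE-GUID; GUIDs from the UEFI spec):
#   /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
#   /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
#   /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
SIG_TYPES = {  # EFI_SIGNATURE_LIST.SignatureType values found in db/dbx
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",    # EFI_CERT_X509_GUID
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",  # EFI_CERT_SHA256_GUID
}

def efivar_data(raw):
    """efivarfs prefixes a variable's data with 4 bytes of attribute flags."""
    if len(raw) < 5:
        raise ValueError("efivar too short")
    return raw[4:]

def secure_boot_state(secureboot_raw, setupmode_raw):
    """'enabled' means the firmware verifies the boot loader against db."""
    if efivar_data(setupmode_raw)[0]:
        return "setup-mode"  # no Platform Key: keys can be enrolled, nothing is enforced
    return "enabled" if efivar_data(secureboot_raw)[0] else "disabled"

def parse_signature_lists(db):
    """Return [(type, signature count), ...] for each EFI_SIGNATURE_LIST in a db/dbx blob."""
    out, off = [], 0
    while off < len(db):
        if len(db) - off < 28:
            raise ValueError("truncated signature list header at offset %d" % off)
        # header: SignatureType (GUID), SignatureListSize, SignatureHeaderSize, SignatureSize
        type_raw, list_size, hdr_size, sig_size = struct.unpack_from("<16sIII", db, off)
        body = list_size - 28 - hdr_size
        if list_size < 28 or sig_size == 0 or body % sig_size or off + list_size > len(db):
            raise ValueError("corrupt signature list at offset %d" % off)
        out.append((SIG_TYPES.get(uuid.UUID(bytes_le=type_raw), "unknown"), body // sig_size))
        off += list_size
    return out

def _sig_list(type_guid, sigs):  # one EFI_SIGNATURE_LIST without a per-list header
    data = b"".join(sigs)
    return uuid.UUID(type_guid).bytes_le + struct.pack("<III", 28 + len(data), 0, len(sigs[0])) + data

# Constructed sample db: one X509 entry (placeholder bytes, not a real certificate) and
# two SHA-256 hash entries. Each signature is a SignatureOwner GUID followed by its data.
OWNER = uuid.UUID(int=0).bytes_le
SAMPLE_DB = (_sig_list("a5c059a1-94e4-4aa7-87b5-ab155c2bf072", [OWNER + b"\x30\x03\x02\x01\x01"])
             + _sig_list("c1c41626-504c-4092-aca9-41f936934328", [OWNER + bytes([1]) * 32, OWNER + bytes([2]) * 32]))
# Constructed efivar contents: attributes 0x06 (BS|RT) followed by the one-byte value.
SAMPLE_SECUREBOOT, SAMPLE_SETUPMODE = b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"
```

On a live system, `secure_boot_state(open(path, "rb").read(), ...)` with the two efivarfs paths above tells you whether the firmware will reject an unsigned GRUB, and `parse_signature_lists` on the db file shows which certificate and hash entries it trusts.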
DONAHUE Watchman
Joined: 09 Dec 2006 Posts: 7651 Location: Goose Creek SC
Posted: Mon Nov 20, 2017 12:37 pm Post subject:
Best references on handling Secure Boot:
https://www.rodsbooks.com/efi-bootloaders/secureboot.html
https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
Quote:
    Furthermore, Microsoft requires that x86 and x86-64 computers provide the means to completely disable Secure Boot, giving users control over the process. (ARM users aren't so lucky; Microsoft requires that Secure Boot can not be disabled on ARM systems bearing a Windows 8 logo.) For those who are interested, this ALT Linux page describes the process of having Microsoft sign a binary in excruciating detail.
Pretty sure this is a true statement for Windows 10 also. It might be good to tell us what the manufacturer and model of your laptop are; some (most) manufacturers use codewords for "disable secure boot" that are not obvious. "Other OS" comes to mind. Some hide the choice in an obscure sub-menu. If your equipment is identified, someone here may know the location and choice to disable Secure Boot.
_________________
Defund the FCC.
pensador_13 n00b
Joined: 15 Nov 2017 Posts: 7 Location: Portugal
Posted: Mon Nov 20, 2017 12:59 pm Post subject:
Thank you for the answers.
Laptop's information:
Manufacturer: Acer
Model: Aspire E5-575G-78H4
Roman_Gruber Advocate
Joined: 03 Oct 2006 Posts: 3846 Location: Austro Bavaria
Posted: Mon Nov 20, 2017 2:48 pm Post subject:
Well, you have another way.
When it is quite freshly purchased, return it as unusable, locked-down hardware.
I did return a lot of notebooks, mice and other hardware.
I ended up purchasing a second-hand Asus G75VW, decent screen, and last generation, without some Ryzen-based desktop notebooks, Intel-based desktop notebooks, where not everything is soldered on the mainboard.
---
Also bear in mind, I expect that with every Windows update, Windows may overwrite your bootloader too.
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2056 Location: United Kingdom
Posted: Mon Nov 20, 2017 3:24 pm Post subject:
Or use BIOS-GPT.
_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC systemd-utils[udev] elogind KDE on both.
My blog
DONAHUE Watchman
Joined: 09 Dec 2006 Posts: 7651 Location: Goose Creek SC
Posted: Mon Nov 20, 2017 5:27 pm Post subject:
Acer apparently wants to control their laptops without input from the people who bought them. A Google search for 'Acer Aspire E5-575G-78H4 disable secure boot' will provide some discussion of that and some workarounds. Seems to me: tap F2 during boot to enter the UEFI (frequently miscalled BIOS), select Security, select Set Supervisor Password, enter a supervisor password, select Password on Boot Enable, exit (F10) saving changes. Reboot into the UEFI, enter the password, select Boot, select UEFI Mode, select Secure Boot Disable, disable Password on Boot (your option), exit saving changes.
_________________
Defund the FCC.
pensador_13 n00b
Joined: 15 Nov 2017 Posts: 7 Location: Portugal
Posted: Tue Nov 21, 2017 5:20 pm Post subject:
Thank you for all the information.
I will go with Legacy mode, and I intend to have only two primary partitions: / and swap.
Questions that I have in this situation:
a) Should I choose MBR or GPT?
b) Whether the choice is MBR or GPT, in order to have a bootable OS with GRUB2, is it necessary to have a BIOS boot partition and a boot partition?
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54578 Location: 56N 3W
Posted: Tue Nov 21, 2017 6:42 pm Post subject:
pensador_13,
GRUB needs some space on the HDD outside of any filesystem.
When you use GPT, this space does not exist. Hence the 2 MB partition which GRUB uses itself.
When you use MSDOS, there is some unused space between the partition table and the start of the first partition.
GRUB uses that.
Mixing legacy mode and GPT leads to complications that you don't need and, on occasion, is not possible.
Go with legacy mode and MSDOS.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
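To make the MSDOS-versus-GPT point concrete, here is an added Python example (written for this page, not posted in the thread) that lays out the two-partition scheme pensador_13 asked about in an MBR, parses it back, and reports the unused sectors between the partition table and the first partition that GRUB embeds its core image into. The disk and swap sizes are constructed sample values.

```python
import struct

SECTOR = 512
LINUX, LINUX_SWAP = 0x83, 0x82          # MBR partition type ids
LBA_ONLY = b"\xfe\xff\xff"              # CHS marker meaning "use the LBA fields"
ENTRY_FMT = "<B3sB3sII"                 # status, CHS start, type, CHS end, start LBA, sector count

def mbr_entry(bootable, ptype, start_lba, sectors):
    """One 16-byte partition entry of the MBR table."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, LBA_ONLY, ptype, LBA_ONLY, start_lba, sectors)

def build_mbr(disk_sectors, swap_sectors, first_lba=2048):
    """Sector 0 for the layout asked about: / as partition 1, swap as partition 2.
    Starting the first partition at LBA 2048 (the fdisk/parted default) leaves
    sectors 1..2047 outside any filesystem; that is the space GRUB uses."""
    root_sectors = disk_sectors - first_lba - swap_sectors
    if root_sectors <= 0:
        raise ValueError("disk too small for this layout")
    table = mbr_entry(True, LINUX, first_lba, root_sectors)
    table += mbr_entry(False, LINUX_SWAP, first_lba + root_sectors, swap_sectors)
    table += b"\x00" * 32                       # entries 3 and 4 unused
    return b"\x00" * 446 + table + b"\x55\xaa"  # boot code area, table, signature

def parse_mbr(sector0):
    """Return the non-empty partition entries of an MBR as dicts."""
    if len(sector0) != SECTOR or sector0[510:] != b"\x55\xaa":
        raise ValueError("not an MBR: bad size or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, sector0, 446 + 16 * i)
        if ptype:
            parts.append({"boot": status == 0x80, "type": ptype, "start": start, "sectors": count})
    return parts

def embedding_gap_sectors(parts):
    """Free sectors between the MBR and the first partition (the post-MBR gap)."""
    return min(p["start"] for p in parts) - 1

# Constructed sample: a 64 GiB disk with 8 GiB of swap, in 512-byte sectors.
DISK_SECTORS, SWAP_SECTORS = 64 * 2**30 // SECTOR, 8 * 2**30 // SECTOR

if __name__ == "__main__":
    layout = parse_mbr(build_mbr(DISK_SECTORS, SWAP_SECTORS))
    print(layout, "gap for GRUB core.img: %d KiB" % (embedding_gap_sectors(layout) * SECTOR // 1024))
```

Running `parse_mbr` on the first 512 bytes of a real disk (for example `open("/dev/sda", "rb").read(512)` as root) shows whether an existing MSDOS layout still has that gap, which is worth checking before a grub-install that does not want a BIOS boot partition.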