UEFI stands for Unwarranted Elimination of your Freedom and Independence (or something like that).
One of the more dubious features of UEFI is called Secure Boot aka the Microsoft Kill Switch. We covered the history of UEFI in an earlier chapter. Before we review the steps for adding Linux Mint to a Windows 8 or Windows 10 computer, we will review the problems with Secure Boot and UEFI. These problems are so horrific that our advice is – rather than installing Linux Mint onto a Windows 8 or Windows 10 computer – we hope you will strongly consider returning your Windows 8 or Windows 10 computer to the store where you bought it and insist on a refund. It is likely that you have an old Windows 7 or XP computer sitting around the house or can buy one at a used computer store for pretty cheap. Installing Linux Mint on either of these older computers would be a much better and safer option than keeping a rather dangerous Windows 8 or Windows 10 computer. Here’s why:
Problem #1: Secure boot is not secure
Secure boot uses a combination of keys to prevent you from downloading any program Microsoft feels they do not like. The problem is that some of the keys are public and the rest have been hacked in the past – and will be hacked again in the future. So the only one blocked from installing programs to your computer by secure boot is you. Microsoft has left the back door to your computer open since 1997. With Windows 8, they have now also left the front door to your computer open. Secure Boot opens up the Startup program to attack because it uses the same top-down, easily copied digital image system that Microsoft Windows uses to protect its open back door. This lulls users into a false sense of security that they are covered when they are not.
Problem #2: Secure boot is dangerous and could crash the entire world economy
Nearly every business in the world uses computers to manage their business and store their data. Imagine what would happen to the economy if all of the computers were brought down due to a secure boot failure. Even if you are willing to trust that Microsoft will not push the Kill button deliberately – or accidentally – the real problem is that hackers can and will use this Kill button. Think of the Flame virus only much worse. Secure Boot is like a digital nuclear weapon in the hands of economic terrorists.
Problem #3: Secure boot limits your freedom
With every prior version of Windows, Microsoft allowed you to decide whether a program was safe to load to your computer. With Secure Boot, it will be Microsoft who will get to decide what is acceptable to load to your computer. Load the wrong program and your computer might no longer start. Think of it as the police owning the keys to your home and telling you whether you can go in or not.
Problem #4: Secure boot will kill software innovation
Nearly all innovations have come from the thousands of small time programmers who write applications for themselves and then share them with others. These programmers will be tossed out of business with Secure Boot as most will not be able to jump through all of the hoops imposed by Microsoft to get an officially signed key.
Problem #5: Secure Boot is very difficult for many users to disable
Supposedly we have the option of turning off secure boot. The problem is that there are four major “families” of secure boot and every manufacturer has a different implementation of secure boot. Without any consistency, this means that there are literally dozens of different kinds of secure boot systems.
Below we will show you screen shots of how to disable secure boot with some of the most common systems. But the actual pathway to find and disable secure boot can be much different on your Windows 8 or Windows 10 computer. First imagine how hard it would be to disable secure boot without our detailed instructions and screen shots. Then imagine how difficult it would be for your mother to disable secure boot!!
Problem #6: Even if you disable secure boot, UEFI still has huge problems
Secure boot is just the tip of the iceberg in terms of all of the problems of UEFI. UEFI specifications are a secret. But what is known about them is that they are thousands of pages long. Subtracting the driver code, the size of UEFI is actually larger than the size of the entire Linux Kernel. What is in all of these thousands of files and lines of UEFI code? Many of the files in UEFI begin with a “win” prefix – meaning that they were written by Microsoft for Microsoft and Microsoft does not want to let us know what is in this code.
UEFI is also written with Microsoft back slashes as path separators – just like Microsoft file paths – making it easier for hackers to attack it. Because UEFI is new it is certain to have many bugs and will have unpredictable reactions with many other programs. In particular, most of the new code affects boot loaders such as GRUB 2 and the Windows Boot Manager.
Incredibly, there is no way to know about what is in the UEFI program or what kinds of bugs have been discovered because all members of the UEFI forum must sign an oath of secrecy. Even UEFI documentation is kept under secure files requiring UEFI passwords to access. This is the exact opposite of how the open source community works – where everyone knows about all bug reports and everyone works together and shares ideas and solutions to fix the bugs.
Problem #7: There is a safer free open source option to UEFI called Core Boot
If either Microsoft or computer manufacturers really cared about safety, they would have installed the Core Boot Start up program. It is faster and safer than UEFI. By placing the passwords and control of the computer in the hands of the actual owner (you), there is no set of keys to be copied. A maker of processors, called AMD, now fully supports Core Boot. So manufacturers do have an easy option. Our hope is that if enough people return their Windows 8 computers and demand a computer with Core Boot, we will eventually be able to put this Windows 8/UEFI/Secure Boot Nightmare behind us.
Problem #8: Claims that there are advantages to UEFI are false
We are currently being subjected to a wave of propaganda trying to convince us that UEFI has some kind of benefit. For example, they claim that UEFI can handle partitions bigger than 2 Terabytes. Well, so can Core Boot. Even the old BIOS can as long as they are divided between partitions. If you have more than two terabytes of data, you should not be putting so much data on a single hard drive anyway. You should use a second hard drive if only for safety reasons.
You will also hear that UEFI allows you to have a much larger number of partitions. This is also not true. Core Boot has the same partitioning ability as UEFI and even the old BIOS system will let you have as many partitions as you want as long as you use the fourth partition to create an extended partition.
You will also be told that Secure Boot protects against Root Kit infections. It does not. Anyone capable of creating a root kit attack is also capable of creating fake keys similar to the process used by the Flame virus. So do not be fooled. The only purpose of UEFI is to maintain and expand the Microsoft monopoly. If you want your system to be safe and under your control, then install and use Linux. If you really want security, then you need to get a computer with Core Boot.
Problem #9: Even if you want to install a Linux Distribution which comes with the UEFI Secure Boot keys, you are better off disabling secure boot AFTER installing Linux.
As of June 2013, several Linux distributions including Ubuntu, Mint and Fedora now come with the necessary Microsoft keys to permit installation with secure boot enabled. However, you should still disable secure boot after the installation has been completed. There are two reasons for this. First, Microsoft can switch keys at any point in the future and there goes your Linux operating system and all of your data with it. Second, the keys may not allow you to install other programs you want with your Linux system. In fact, you should also disable Microsoft Updates as this can also wind up deleting your Linux system.
Windows 8 will work (maybe even better) without secure boot enabled and without all of the monthly updates from Microsoft. And so will Linux and all of your other programs. We will therefore review some tips for setting up a dual boot with Linux and Windows 8. We will then show you how to disable secure boot in some of the most common brands.
Problem #10: Why not just get rid of UEFI?
Unfortunately, it is quite difficult to get rid of UEFI – or replace UEFI with Core Boot because UEFI is not on your hard drive. The only way you can get rid of UEFI is to return the computer to the store where you bought it, demand a refund and demand the option to buy a computer with Core Boot on it. It is also not likely that Windows 8 will work on anything other than UEFI because UEFI and Windows 8 were basically made for each other.
Why you should install a dual boot of Linux before disabling Secure Boot
There is a great deal of misinformation on Linux forums about how to install a dual boot of Linux with Windows 8. This is because the partition system for Windows 8 and especially the partitioning for Boot Managers with Windows 8 and the UEFI system is completely different than it was with Windows 7 and the BIOS system. With Windows 7 (or XP) with the BIOS system, the Windows Boot Manager was in two places. First, it was in the source of the hard drive (before any of the partitions). The area was called “sda.” Then it was also in the Windows System partition at the beginning of the group of partitions. The area was called “sda1.”
When we installed Linux in the BIOS system with the “Automatic Install” method, the default installation placed GRUB 2 in the sda slot. In other words, GRUB 2 replaced the Windows Boot Manager. GRUB 2 automatically recognized where the second copy of the Windows Boot Manager was and included it in the GRUB 2 startup screen – allowing us to boot into either Linux or Windows 7 (or XP). With the “Something Else” installation method, we could also create an extended partition and place whatever items we wanted in as many partitions as we wanted. So we could have a separate data partition and boot partition in addition to our normal Root partition and swap partition. Things were pretty simple and pretty flexible. Kiss all of that goodbye with UEFI.
First, the initial partition arrangements are different depending on what version of Windows 8 was installed in your computer. The basic version of Windows 8 comes with two partitions – one for a systems file and the other for your Windows C drive. The Pro version of Windows 8 comes with four partitions. If you are self-installing Windows 8, you do not have to create any partitions because UEFI will create them for you. Below is a 4 partition version of Windows 8:
There are three smaller systems partitions and one main Windows 8 (C Drive) partition. The remaining space is called Drive 0 Unallocated Space. However, one of the many problems with UEFI is that there is no longer any space to put the Boot Manager in front of the hard drive. In other words, assigning a boot manager to the sda slot no longer works. This in my opinion is a major booby trap as Linux users have been used to using sda to place the GRUB 2 boot manager in. Instead of placing the boot manager in sda, UEFI places the Windows boot manager in one of the partitions - in a folder called EFI.
The second crazy thing to understand about UEFI is that all of the boot loaders are put in the same partition. This is the opposite of BIOS where each boot loader was put in a different partition. This is why it is a mistake to disable Secure Boot before installing Linux. On some systems, when you disable secure boot, UEFI automatically converts to “legacy” mode and when you install Linux, this uses the BIOS/MBR partition system. Suddenly, the GRUB 2 boot loader is put in the wrong partition – leading to a nightmare series of problems.
Below is the screen of a person who tried to install Linux Ubuntu with Secure Boot turned off:
Notice that the file was an MBR or Master Boot Record file. UEFI and Windows 8 have a very hard time with this. So save yourself some grief and install Linux with UEFI turned on and Secure Boot turned on. Installing Linux with UEFI turned on is the best way to be sure that UEFI automatically places GRUB 2 in the correct partition. Only after Linux and Grub 2 are in the correct partitions – then we can disable secure boot and live somewhat happily ever after.
First, Shrink the C drive to create unallocated space
In the UEFI partition screen above, there is unallocated space. However, it is likely that you will not have any unallocated space on your computer and that all of the space will be taken up by the C drive. Therefore the first step you should do – before installing Linux – is to select the partition with the C drive and shrink it to create some unallocated space. Follow the steps and screen shots we used to shrink the C drive in the last chapter. Remember that Windows does not work well without a lot of extra space. So if you have 70 GB of data in Windows, leave at least 100 GB for the C drive. The rest can be left unallocated. This remaining space can be used to install Linux and you can decide exactly how much you want for Linux during the Linux installation.
Second, create the Linux Live USB Flash Drive
UEFI is pretty inflexible. It only works with x64 bit operating systems. So choose a x64 bit version of Linux. Also UEFI will only install versions of Linux with signed keys. This includes the latest versions of Ubuntu, Mint and Fedora (and possibly others by the time you read this book). Our recommendation is to download the Linux Mint Mate x64 bit ISO to your download folder. Then create an installation Live USB with UNetbootin as we described above.
Third, change the boot order to USB
Open UEFI by pressing on the Start button and then clicking on F10. Go to the Boot Order screen and Move USB to the top of the list – just as we did in the last section.
Fourth, restart your computer using the Live USB
Place the Live USB Flash Drive in your USB port and restart your computer. It should now boot into the installation screens for Linux Mint Mate. Follow these screens until you get to the Installation Type screen:
UEFI is so complex that there is really only one way for a normal person to make sure that the Linux Boot Loader (GRUB 2) gets installed into the correct UEFI partition. That way is to use the automatic install method by leaving the Installation Type set for “Install Linux Mint alongside Windows 8” and then click on Install Now. Do not Alternately, you can select “Erase Disc” if you have made a copy of all of your documents and programs from your C Drive. This will completely wipe out Windows 8 or Windows 10 – but it will not wipe out UEFI.
Why you should not use the Something Else Custom Partition option
If you are brave, and want to set up your own partitions, you can click on “Something Else” and then set up your partitions. But do not create a boot partition because GRUB must go in the UEFI boot partition – not in its own partition. Also do not change the Mount Point to sda because this will not work. Even with these precautions, the installation will not result in a dual boot option.
To get this, you will need to open your Linux Mint operating system and click on the Software Manager and install the Ubuntu Disc Repair extension. There is an explanation of how to use this to fix UEFI to create a dual boot. However, if you make even the slightest mistake, your computer’s goose will be cooked.
Before attempting the Something Else option, I urge you to watch the following short YouTube video. https://www.youtube.com/watch?v=_cEwj8bBBC4
Practical UEFI Secure Boot Part 3: UEFI dual boot setup with Linux
On Channelintel, 5 minutes, published on Feb 22 2013
In this video, Brian runs into a problem with being unable to bring up the GRUB 2 menu after setting up custom partitions. Towards the end of this video, he is forced to use the Ubuntu Partition Repair tool in order for the Grub menu to work properly. He describes this Ubuntu tool as performing “magic.” I believe the mistake he made was that he only set two mount points for Grub in his custom partition when in fact UEFI may require four different points. I think all the Ubuntu tool is doing is making sure that all of the UEFI partition points are made correctly. This issue is discussed more fully on the Ubuntu and Linux Mint forums.
But think about this. If one of the lead engineers from Intel – the group that supposedly created UEFI – is unable to correctly set up custom partitions, what chance does the general public have in setting up custom partitions? I think the odds are close to zero. This is why I recommend only using the custom install option called “Install Linux Mint alongside Windows 8.” It is the only way to ensure that all of the partitions have been correctly set. So please just use the “Install Linux Mint alongside Windows 8” option above. Then click on Install Now.
After installing Linux Mint and rebooting your computer, you will be presented with the standard GRUB 2 screen which will allow you to select which operating system you want to use. Now that we have installed Linux in a dual boot, we can safely turn off the UEFI secure boot “feature.”
How to disable secure boot and remove the digital handcuffs
Secure Boot is enabled by default on all computers that are manufactured with Windows 8 and Windows 10. Microsoft’s original plan did not include a way to disable secure boot until there was an uproar of protest by open source programmers. Microsoft then changed the specifications to provide a way to disable secure boot. However, the specification did not provide a consistent way to disable secure boot. Thus, each computer manufacturer will have a different process.
Our goal with all of the following screen shots is to help you figure out a way to turn secure boot off. Regardless of what brand of computer you have, the general plan is to start your computer and then immediately (within two seconds) press one of the Function keys repeatedly to open up UEFI. The most common keys to launch UEFI are F6, F10, F11 or F12. Once we are in UEFI, we click on tabs until we find something called Security or Secure Boot. We will then disable Secure Boot. Occasionally, we will also need to disable other things for this change to take effect.
Note: If you have a Windows ARM computer, you will not be able to disable secure boot and your only options will be to return this junk to the store where you got it or throw it in the dumpster and find a different computer.
Should you enable Legacy Mode?
As we discussed before, having Windows 8 in UEFI mode and trying to install Linux in Legacy mode creates lots of problems. Therefore you should first try to install Linux while your computer is in UEFI mode and save Legacy mode for a backup plan. Switching to Legacy typically disables secure boot automatically. So if you are having trouble disabling secure boot, this may be an option. However, Legacy may force you into a traditional MBR partition table. This is why you should try to use UEFI mode first as this will allow you to stay with the newer GPT partition table.
Note: Nearly all Linux distributions now work with UEFI enabled and thus Legacy mode hopefully will not be needed. Some UEFI screens call Legacy mode "Compatibility Support Module" or simply "CSM".
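The UEFI-versus-Legacy and GPT-versus-MBR distinctions above can be checked from a terminal in the Linux Mint live session before installing, and the Secure Boot state can be confirmed after changing it. The script below is an added example, not part of the original chapter; its function names are made up for illustration, it assumes 512-byte sectors by default, and `/dev/sda` in the usage comment is an assumed disk name.

```sh
#!/bin/sh
# Added example (not from the original chapter); function names are illustrative.
# Reports how the running system was booted, the Secure Boot state, and the
# partition-table type of a disk. Reading a real disk needs root, e.g.:
#   sudo sh check.sh /dev/sda      (/dev/sda is an assumed disk name)

# GUID of the UEFI global-variable namespace, which holds the SecureBoot variable.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# boot_mode [sysfs_root] -> uefi | legacy
# Linux creates /sys/firmware/efi only when UEFI firmware started the kernel.
boot_mode() {
    if [ -d "${1:-/sys}/firmware/efi" ]; then echo uefi; else echo legacy; fi
}

# secure_boot_state [sysfs_root] -> enabled | disabled | unsupported | unknown
secure_boot_state() {
    sb_sys="${1:-/sys}"
    sb_var="$sb_sys/firmware/efi/efivars/SecureBoot-$EFI_GLOBAL_GUID"
    if [ ! -d "$sb_sys/firmware/efi" ]; then echo unsupported; return 0; fi
    if [ ! -r "$sb_var" ]; then echo unknown; return 0; fi
    # efivarfs layout: 4 attribute bytes, then the data (one byte for SecureBoot).
    sb_val=$(od -An -tu1 -j4 -N1 "$sb_var" 2>/dev/null | tr -d ' \n')
    case "$sb_val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# partition_table <disk-or-image> [sector_size] -> gpt | mbr | none | unreadable
partition_table() {
    pt_disk="$1"; pt_ss="${2:-512}"
    if [ ! -r "$pt_disk" ]; then echo unreadable; return 0; fi
    # A GPT header sits in the second sector and begins with ASCII "EFI PART".
    pt_sig=$(dd if="$pt_disk" bs=1 skip="$pt_ss" count=8 2>/dev/null | tr -d '\000')
    if [ "$pt_sig" = "EFI PART" ]; then echo gpt; return 0; fi
    # A plain MBR disk only carries the 0x55 0xAA boot signature at offset 510.
    pt_boot=$(od -An -tx1 -j510 -N2 "$pt_disk" 2>/dev/null | tr -d ' \n')
    if [ "$pt_boot" = "55aa" ]; then echo mbr; else echo none; fi
}

# install_mode_check <boot_mode> <table> -> match | mismatch | unknown
# A legacy/CSM boot on a GPT disk (or a UEFI boot on an MBR disk) is the
# combination that puts the boot loader where the other system cannot find it.
install_mode_check() {
    case "$1:$2" in
        uefi:gpt|legacy:mbr) echo match ;;
        uefi:mbr|legacy:gpt) echo mismatch ;;
        *) echo unknown ;;
    esac
}

# report <disk> [sysfs_root]: print all four results for a human reader.
report() {
    r_mode=$(boot_mode "${2:-/sys}")
    r_table=$(partition_table "$1")
    echo "boot mode:       $r_mode"
    echo "secure boot:     $(secure_boot_state "${2:-/sys}")"
    echo "partition table: $r_table"
    echo "mode vs. table:  $(install_mode_check "$r_mode" "$r_table")"
}

# Run the report only when a disk was named on the command line.
if [ $# -gt 0 ]; then report "$@"; fi
```

A "mismatch" result in the live session means the installer was started in a different firmware mode than the one the existing disk layout expects, so reboot the USB stick in the other mode before installing.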
Disable Secure Boot on an HP Windows 8 desktop Computer
While the computer is off, put in your Live USB with Linux Mint on it – created as described in the last section. Then turn on the computer and immediately press the F10 key repeatedly, about once every second, until the Computer Setup Utility opens. Use the left and right arrow keys to select the Security menu.
Use the down arrow key to select Secure Boot Configuration. Then press Enter. The Secure Boot Configuration warning displays. Press F10 to continue.
Below is the Secure Boot Configuration screen:
Use the up and down arrow keys to select Secure Boot, then use the left and right arrow keys to disable it.
Press F10 to accept the changes. Then use the arrows to select FILE in the top menu. Use the down arrow to select Save Changes and Exit. Press F10 again, then press Enter twice to restart the computer with Secure Boot disabled.
As soon as the computer starts, a message appears indicating that the boot mode has changed.
Type the four-digit code shown in the message. Then press Enter to confirm the change. NOTE: No text field displays for the code. This is expected behavior. When you type the numbers, the code is logged without a text field.
Disabling Secure Boot on an HP Windows 8 notebook computer
Most HP notebook computers use the Insyde BIOS. Use the instructions in this section to enable or disable Secure Boot on your HP notebook computer. They are about the same as the steps above only the screens and names are different. While the computer is off, put in your Live USB with Linux Mint on it – created just as described in the last chapter. Then turn on the computer and immediately press the ESCAPE key repeatedly, about once every second, until the Startup Menu opens. Use the left and right arrow keys to select the Security menu.
Use the right arrow key to choose the System Configuration menu, use the down arrow key to select Boot Options, then press Enter.
This takes you to the Boot Options menu:
Use the down arrow key to select Secure Boot. Press the Enter key, then use the down arrow key to modify the setting to Disabled.
Press Enter to save the change. Then use the left arrow key to select the File menu, use the down arrow key to select Save Changes and Exit, then press Enter to select Yes. The Computer Setup Utility closes and the computer restarts. When the computer has restarted, the Operating System Boot Mode Change screen appears, prompting you to confirm the Boot Options change. Type the code shown on the screen. Then press Enter to confirm the changes.
Disable Secure Boot on an Asus Windows 8 Computer
Turn on the computer and immediately press the F2, F10 or F12 key repeatedly, about once every second, until the Asus UEFI BIOS Utility opens.
Then go to the bottom of the screen and look for a tab called Advanced Mode (F7). Press the F7 key on your keyboard to go to Advanced Mode. Click OK. This takes you to the Advanced Mode screen. Click on the Boot tab. Then scroll down this same screen to Setup Mode, Secure Boot:
If you understand these screens, you are doing better than me. Maybe this is why they call it Advanced Mode!
Disable secure boot on a Lenovo Windows 8 computer
I am not a major fan of Lenovo. Following the release of Windows 8 in late-2012, it was discovered that certain Lenovo computer models with secure boot had firmware that was hard-coded to only allow "Windows Boot Manager" or "Red Hat Enterprise Linux" to load, regardless of their secure boot settings, preventing even a signed Linux distribution from loading. But below are the best screen shots I could find. Disable secure boot at the security screen:
Why Linux is a much more secure operating system than Windows
At the beginning of this chapter, I promised I would present a more detailed explanation of why Linux is more secure than Windows. I owe you that much since I just encouraged you to turn off secure boot.
Some claim the reason Linux is more secure is because it is not as much of a target as Microsoft. If a person is a hacker, they are going to go after the operating system with the most computers. While this appears to make sense, it is not why Linux is safer and it is not why those really concerned with security, including the International Space Station and the Los Alamos National Laboratory, have moved to Linux.
Others have claimed that it is because Linus Torvalds is smarter than Bill Gates. While this may be true, this is also not the reason Linux is more secure than Windows. Linus Torvalds did not design the Linux security system by himself and Bill Gates likely had nothing to do with the Windows security system.
Linux is safer because it is open source
On September 15, 1999, one of the nation’s leading security experts, Bruce Schneier, wrote an important article, called Open Source and Security, which explained why open source programming will always result in a more secure system than closed source programming. He uses the term “algorithm.” But you can think of this as being the passwords and processes by which programmers protect programs from hackers. The term cryptographic refers to processes for securing data such as encryption.
What Bruce points out in this article is that open source development provides more feedback to close the weaknesses in a security system. Bruce has written many books and articles on this subject since 1999 and I encourage you to visit his website and read some of these. https://www.schneier.com/
The problem with the Microsoft development model is that it is done in secrecy. There is very little feedback and very little in the way of checks and balances. It therefore results in programs which are easily hacked. This is why I have maintained throughout this book that the entire Microsoft business model is fatally flawed. The Microsoft Monopoly model may make billions of dollars. But it results in extremely poor products such as Windows 8, UEFI and Secure Boot.
Distributed keys and passwords versus centrally controlled keys and passwords
There is another fundamental reason why UEFI and Secure Boot will not work. Both of these programs are top down and controlled from a central point - Microsoft. They therefore have a single point of failure. Linux and Core Boot on the other hand are designed from the bottom up. They are controlled by the local user – you. There is much greater safety in millions of local keys versus a few centrally controlled keys. Imagine if there were only a few keys which could open every lock on every home in America. Thieves would have no problem making copies of these keys and all homes would be in danger. The reason why locks work is because each home has a different key. Even if a crook could copy your key, they would only have access to a single home. They would need to start over and copy a second key to gain access to a second home and a third key to get access to the third home. In other words, the diversity inherent in Linux is a crucial part of the Linux safety structure.
The “Home” for your data is your computer – and Microsoft with UEFI and Secure Boot creates exactly that unsafe centrally located key structure. Even worse, these are digital keys - making them even easier to copy.
The benefit of Linux is that there is no single key. When you install Linux, you create your own key to access your own Linux system. Even if a cyber-thief could break your password, they would only have access to a single computer. This is the benefit of the Linux system: the keys are created from the bottom up, whereas with the Microsoft system the keys are created from the top down. So one final reason to move towards Linux and open source is that in the long run not only will you have a more secure computer, but we will all have a much safer world.
This completes our chapter on dual booting Linux with Windows. In the next chapter, we will look at adding Libre Office. We will then look at using Libre Office and comparing it to Microsoft Office. Finally, we will also look at some of the terrific free programs we can add to Linux to help it work even better.