Gentoo Forums
[SOLVED] Partitioning with UEFI and Secure Boot enabled
pensador_13
n00b


Joined: 15 Nov 2017
Posts: 7
Location: Portugal

Posted: Sun Nov 19, 2017 2:05 pm    Post subject: [SOLVED] Partitioning with UEFI and Secure Boot enabled

Hello :)

I intend to use only Gentoo on my laptop.

The BIOS of my laptop has two boot modes: UEFI and Legacy.
UEFI has Secure Boot enabled and I couldn't disable it; it seems that if a computer includes Windows 10, manufacturers can choose to enable Secure Boot and not give users a way to turn it off :(

Then I switched to Legacy and I was able to boot the USB stick with the minimal Gentoo install.
I read the Preparing the disks section of the AMD64 Handbook, but the following question remains unanswered:

Is it possible to configure the partitioning in a way that will run with UEFI mode and Secure Boot enabled?

Thanks in advance,
Luís Carneiro


Last edited by pensador_13 on Wed Nov 22, 2017 9:35 am; edited 1 time in total

fedeliallalinea
Administrator


Joined: 08 Mar 2003
Posts: 30822
Location: here

Posted: Mon Nov 20, 2017 10:45 am

I don't have any experience of dual boot with Windows and Secure Boot, but Sakaki's guide may be a good starting point.
The minimal Gentoo CD does not support EFI, if I remember correctly, but you can use SystemRescueCd, which is Gentoo-based.
_________________
Questions are guaranteed in life; Answers aren't.

pensador_13
n00b


Joined: 15 Nov 2017
Posts: 7
Location: Portugal

Posted: Mon Nov 20, 2017 11:04 am

Thanks for the suggestion, but I don't want to do a dual boot, I want the whole disk to be Gentoo Linux.

If I choose the UEFI method described in the handbook, will it work with Secure Boot enabled?

NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54028
Location: 56N 3W

Posted: Mon Nov 20, 2017 11:35 am

pensador_13,

Not really. To use Secure Boot, the boot loader and kernel (and initrd) need to be signed by one of the keys in the firmware, so that they can be validated at boot.
Microsoft's key is there, so it can boot Windows.

You have two approaches. Add your own key, or sign your boot files with a key known to the BIOS.

Adding your own key is risky. The system may never boot again.
Having your boot files signed by Microsoft is expensive.

I believe that one or two of the bigger binary distros did some work on booting with secure boot.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

DONAHUE
Watchman


Joined: 09 Dec 2006
Posts: 7651
Location: Goose Creek SC

Posted: Mon Nov 20, 2017 12:37 pm

Best references on handling Secure Boot:
https://www.rodsbooks.com/efi-bootloaders/secureboot.html
https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
Quote:
Furthermore, Microsoft requires that x86 and x86-64 computers provide the means to completely disable Secure Boot, giving users control over the process. (ARM users aren't so lucky; Microsoft requires that Secure Boot can not be disabled on ARM systems bearing a Windows 8 logo.) For those who are interested, this ALT Linux page describes the process of having Microsoft sign a binary in excruciating detail.
Pretty sure this is a true statement for Windows 10 also. It might be good to tell us what the manufacturer and model of your laptop are; some (most) manufacturers use codewords for "disable secure boot" that are not obvious. "Other OS" comes to mind. Some hide the choice in an obscure sub-menu. If your equipment is identified, someone here may know the location and choice to disable Secure Boot.
_________________
Defund the FCC.

pensador_13
n00b


Joined: 15 Nov 2017
Posts: 7
Location: Portugal

Posted: Mon Nov 20, 2017 12:59 pm

Thank you for the answers :D

Laptop's information:

Manufacturer: Acer

Model: Aspire E5-575G-78H4

Roman_Gruber
Advocate


Joined: 03 Oct 2006
Posts: 3846
Location: Austro Bavaria

Posted: Mon Nov 20, 2017 2:48 pm

Well you have another way.

When it is quite freshly purchased, return it with unusable, locked-down hardware.

I did return a lot of notebooks, mice and other hardware.

I ended up purchasing a second-hand ASUS G75VW, decent screen, and last generation, without some Ryzen-based desktop notebooks, Intel-based desktop notebooks, where not everything is soldered on the mainboard.

---

Also bear in mind, I expect that with every Windows update, Windows may overwrite your bootloader too.

Fitzcarraldo
Advocate


Joined: 30 Aug 2008
Posts: 2034
Location: United Kingdom

Posted: Mon Nov 20, 2017 3:24 pm

Or use BIOS-GPT.
_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.

Fitzcarraldo's blog

DONAHUE
Watchman


Joined: 09 Dec 2006
Posts: 7651
Location: Goose Creek SC

Posted: Mon Nov 20, 2017 5:27 pm

Acer apparently wants to control their laptops without input from the people who bought them. A Google search for 'Acer Aspire E5-575G-78H4 disable secure boot' will provide some discussion of that and provide some workarounds. Seems to me: tapping F2 during boot to enter the UEFI (frequently miscalled BIOS), select Security, select Set Supervisor Password, enter a supervisor password, select Password on Boot Enable, exit (F10) saving changes. Reboot into the UEFI, enter password, select Boot, select UEFI Mode, select Secure Boot Disable, disable Password on Boot (your option), exit saving changes.
_________________
Defund the FCC.
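
A way to confirm, from the booted Linux system, which of the modes discussed in this thread is actually in effect: Legacy, UEFI with Secure Boot on or off, or setup mode (no Platform Key enrolled, the state in which your own keys can be added). This is an added example, not part of the original posts; it reads the standard `SecureBoot` and `SetupMode` variables from efivarfs, and the function names, return strings and the constructed `fake_sysfs` tree are assumptions.

```python
import os
import tempfile

# GUID of the UEFI global-variable namespace (SecureBoot and SetupMode live here).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efi_flag(efivars_dir, name):
    """Return the one-byte value of a global EFI variable, or None if unreadable."""
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    # efivarfs exposes 4 bytes of attributes followed by the variable data.
    return raw[4] if len(raw) >= 5 else None


def boot_state(sysfs_root="/sys"):
    """Classify how the running system booted (sysfs_root is overridable for tests)."""
    efi_dir = os.path.join(sysfs_root, "firmware", "efi")
    if not os.path.isdir(efi_dir):
        return "legacy-bios"              # booted via Legacy/CSM: no EFI runtime exposed
    efivars = os.path.join(efi_dir, "efivars")
    secure = read_efi_flag(efivars, "SecureBoot")
    if secure is None:
        return "uefi-secureboot-unknown"  # efivarfs not mounted or variable missing
    if secure == 1:
        return "uefi-secureboot-enabled"
    if read_efi_flag(efivars, "SetupMode") == 1:
        return "uefi-setup-mode"          # no Platform Key enrolled
    return "uefi-secureboot-disabled"


def fake_sysfs(secure=None, setup=None):
    """Build a constructed sysfs tree for demonstration; secure=None means no EFI dir."""
    root = tempfile.mkdtemp()
    if secure is None:
        return root
    efivars = os.path.join(root, "firmware", "efi", "efivars")
    os.makedirs(efivars)
    for name, value in (("SecureBoot", secure), ("SetupMode", setup)):
        if value is not None:
            with open(os.path.join(efivars, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
                fh.write(b"\x06\x00\x00\x00" + bytes([value]))  # attributes + data
    return root


if __name__ == "__main__":
    print(boot_state())
```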

pensador_13
n00b


Joined: 15 Nov 2017
Posts: 7
Location: Portugal

Posted: Tue Nov 21, 2017 5:20 pm

Thank you for all the information :D

I will go with the Legacy mode, and I intend to have only two primary partitions: / and swap.
Questions that I have in this situation:

a) Should I choose MBR or GPT?

b) Whether the choice is MBR or GPT, in order to have a bootable OS with GRUB2, is it necessary to have a BIOS boot partition and a Boot partition?

NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54028
Location: 56N 3W

Posted: Tue Nov 21, 2017 6:42 pm

pensador_13,

Grub needs some space on the HDD outside of any filesystem.
When you use GPT, this space does not exist. Hence the 2Mb partition which grub uses itself.
When you use MSDOS, there is some unused space between the partition table and the start of the first partition.
Grub uses that.

Mixing legacy mode and GPT leads to complications that you don't need and on occasions, is not possible.
Go with legacy mode and MSDOS.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
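
The layout difference described in the post above, checked on raw disk bytes: on an MSDOS label the space for GRUB is the gap between the partition table and the first partition, while on GPT it has to come from a BIOS boot partition. This is an added example, not part of the original thread; the function names, the constructed sample images and the 128-entry read limit are assumptions.

```python
import struct

SECTOR = 512
# On-disk bytes of the BIOS boot partition type GUID 21686148-6449-6E6F-744E-656564454649.
BIOS_BOOT_TYPE = b"Hah!IdontNeedEFI"

def grub_embed_sectors(disk):
    """Return (label, sectors a BIOS-mode GRUB can use outside any filesystem)."""
    mbr, hdr = disk[:SECTOR], disk[SECTOR:2 * SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return ("unknown", 0)
    # Each of the 4 MBR slots: type byte at +4, little-endian start LBA at +8.
    slots = [(mbr[o + 4], struct.unpack_from("<I", mbr, o + 8)[0])
             for o in range(446, 510, 16)]
    parts = [(t, s) for t, s in slots if t]
    if hdr[:8] == b"EFI PART" and any(t == 0xEE for t, _ in parts):
        table_lba = struct.unpack_from("<Q", hdr, 72)[0]
        count, size = struct.unpack_from("<II", hdr, 80)
        for i in range(min(count, 128) if size >= 128 else 0):
            off = table_lba * SECTOR + i * size
            entry = disk[off:off + size]
            if len(entry) >= 48 and entry[:16] == BIOS_BOOT_TYPE:
                first, last = struct.unpack_from("<QQ", entry, 32)
                return ("gpt", last - first + 1)
        return ("gpt", 0)  # GPT label but no BIOS boot partition for GRUB
    # MSDOS label: sectors 1 .. first_partition-1 are the post-MBR gap.
    return ("msdos", max(min((s for _, s in parts), default=1) - 1, 0))

def sample_msdos(first_lba=2048):
    """Constructed image: MSDOS label with one Linux (0x83) partition."""
    mbr = bytearray(SECTOR)
    mbr[450] = 0x83
    struct.pack_into("<II", mbr, 454, first_lba, 4096)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def sample_gpt(bios_boot=True):
    """Constructed image: protective MBR, GPT header, optional 2 MiB BIOS boot partition."""
    img = bytearray(3 * SECTOR)
    img[450] = 0xEE
    struct.pack_into("<I", img, 454, 1)
    img[510:512] = b"\x55\xaa"
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 1, 128)
    if bios_boot:
        img[2 * SECTOR:2 * SECTOR + 16] = BIOS_BOOT_TYPE
        struct.pack_into("<QQ", img, 2 * SECTOR + 32, 2048, 6143)
    return bytes(img)
```

To run it against a real disk, pass the first few sectors read from the device (root access required) instead of a sample image.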
All times are GMT