Newbie wants to install Linux on laptop with UEFI secure boot

Xinuli Xunilu Xuinl, dear Linux community!

I sincerely beg pardon for molesting you with a lengthy introduction, but it is optional to read it. If you do not have the spare time to do so, then jump straight to the section that starts: With this in my mind,...

To boot with, I would like to already say a big thank you: simply for being such a nice people in the world wide web. I have observed that it is plagued by angry, obnoxious or outright evil beings that bully mankind into a state of nervous distress and make civilized living together sink into oblivion.You are a true treasure island of kindness. Your altruistic and empathic helpfulness creates great, soothing bliss. As a demostration of my gratitude, I try to please your eyes with splendid combinations of letters and contents which will hopefully have an effect of massive joyfulness. Please accept my humble gift of linguistic sensitivity.

I came here in search of some expert opinion, as I am a bit doubtful as for how to go about your operating system in general and choosing a suitable distribution. I would like to make clear that I am computer literate to some degree, but it will be my first Linux installation and I am serious about learning to use the shell and also some programming eventually. I am aware that it is a big project and I will do my best to make it last. So, I am a potential new user and I will try to keep collaborating, so that the future of Linux may be bright and succesfull. Also, I have already had a closer look at the offer of useful information that is being generously provided here and elsewhere. Therefore, I will try to be as precise as possible with my questions.

My initial thought about installing Linux on my laptop that runs Windows was this:

I would just completely remove the preinstalled system, go directly Full Debian and navigate the world wide web with Enormous Awesomeness. I came to realize that due to my lack of experience, I would just as well paint a face on a brick and type melancholically on a piano. It was not a great plan, I found out. Thankfully, this happened without self-harm being done.

Having overcome my initial naivety, I came to see that there is a major obstacle in the way of realizing such an ambitious task: UEFI secure boot. I read that it prevents me from taking complete control of my user interface (i.e. laptop). I am not amused. Not at all.
{
Optional: insert your own favourite rant about corporate greed.
}
Please be free to clarify anything with respect to this, as I am not really knowledgeable about it and confusions about technical terms may impede me from understanding the complexity of the issue.

With this in my mind, I rearranged my plan and came up with this lofty goal: install a newbie friendly distribution in order to start using Linux and have another partition for installing my chosen Debian Blend, that I could learn to use and get operative little by little. This brought me to the question of how to set up my partitions in order to get this done. The newbie distribution would probably not need as much space as I would go Full Debian eventually. Naturally, I would need some time in order to make the transition. I understand data could be shared in a mutual partition. Does this make sense? Can I have secure dual boot from the very beginning? Or would it be recommendable to install otherwise and fix it later if possible? Which newbie distro could I get running without serious problems?

I know you need some technical details about the resources so that a fitting assessment can be done. So, here we go:

It is an Acer Aspire E1-530 in which bootmode can be switched in BIOS.

Processor: ACPI\GenuineIntel_-_Intel64_Family_6_Model_58_-_________Intel(R)_Pentium(R)[email protected]_1.80GHz\_1

4 GB DDR3 Memory

1000 GB HDD

BIOS: Insyde Corp. V2.06, 08/10/2013

Qualcomm Atheros AR956x Wireless Network Adapter

802.11 b/g/n + BT



I would be thankful for any clarifications and recommendations. Be free to ask for relevant technical details in case deemed necessary.

Feel free to read the whole writing, share and modify it a bit if necessary. Grammar bugs and other orthographic atrocities may need corrections, given that english is not my native tongue. I apologize already if something is to be considered off-topic, I am a newbie after all. I just want to help other users that might face similar dilemmas. May the good vibes be with you!

Thank you so much for your attention.

Sincerely yours,

Linubi McLuinxdowsface
 


arochester

Moderator
Staff member
Gold Supporter
UEFI secure boot
You should be able to turn this off in the BIOS if you want to.

UEFI support in live images
Since the first release of Stretch (9.0), UEFI is now supported on both installation and live images.

In previous releases, UEFI support existed only in Debian's installation images. The accompanying live images did not have support for UEFI boot.
- https://wiki.debian.org/UEFI

For newbies, to Debian, the most common problems are the installation of wifi and installing any graphics firmware. This can be overcome by using the unofficial install disk. https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/

It would be interesting to know what you mean by "full" Debian. Debian installs Gnome by default but it can install a range of Desktop Environments and Windows Managers. Presumably, you do not mean to install all available apps because you will not need many of them.
 
Thank you for your response and the references. Sorry, I could have googled a bit more before asking. Nevertheless, it does seem a bit complicated to me.

With going Full Debian I meant the transition from closed source to as free and open source as you can get. It also refers to the naivety of thinking that installing Debian to start with may be accomplished without traumatic experiences. As you already mentioned, problems for Debian newbies may be actually difficult to resolve. Also, I would like to end up using only the Debian Blend that I marked as a goal.
I thought it might be best to get started with an user friendly distro that works out of the box.

It seems Fedora/RedHat, Ubuntu, Arch Linux and Linux Mint support secure UEFI boot:

https://linuxhint.com/secure-boot-linux/

Also, I am now aware that Debian Buster will support secure boot.

https://wiki.debian.org/SecureBoot

I will have a look if the secure boot installation of the aforementioned distros implies complications of the matter at hand.

Anyway, I do keep asking myself how I should go about the partitioning in order to accomplish my goal.

I will keep going studiously.

Thanks.
 

TechnoJunky

Silver Member
Silver Supporter
As a newbie, I'd suggest going with Linux Mint. They've done a lot to make so it 'just works' right out of the box. They have default installs for most apps that you'd need as well.
As far as partitioning goes, you can let it handle your partitions for you. But doing this may mean wiping out your home drive every time you do a fresh install of Linux. You DON"T have to do a fresh install if you don't want, there are ways to just upgrade what you have. But I like to switch distros occasionally and that requires a fresh install. So I manually partition my drive, putting a swap partition equal to the amount of Ram, a Root (/) partition of about 40 to 50 gigs, EFI System partition (used for UEFI) of 500 MB, the rest is assigned to /home. When doing new installs, I remount all of those but only format /. This preserves my /home information so I never lose those documents, pics, music, whatever.
You can leave Secure boot turned on, or turned off, but I don't think you can't swap back and forth after the install.
 

Condobloke

Well-Known Member
Linux Mint
 

wizardfromoz

Super Moderator
Staff member
Gold Supporter
A lot of great replies on this thread
Hang about - I haven't put my 2 cents in yet :D:D

G'day Lin (Australians always shorten things, and you know with an ID like that ....?? :rolleyes:)

1000 GB HDD
1. Do you know if you are on GPT or MBR? If not, you can likely get answers through Windows Disk Management.

2. Which version of Windows?

When I have the answers I can better advise on partitioning.

Cheers

Chris Turner
wizardfromoz
 
Hi Chris,

Thanks for your willingness to help out. Let's see what can be done. Creating shortcuts is a very sound approach.

1. I had to check what you are talking about:

https://en.wikipedia.org/wiki/GUID_Partition_Table

https://www.howtogeek.com/245610/how-to-check-if-a-disk-uses-gpt-or-mbr-and-how-to-convert-between-the-two/

It's in GPT:

DISKPART> list disk

Núm Disco Estado Tamaño Disp Din Gpt
---------- ---------- ------- ------- --- ---
Disco 0 En línea 931 GB 0 B *

2. Microsoft Windows 10 Pro

I have not activated it yet, though. I bought the laptop with Linux in mind.


Also, many thanks to TechnoJunky for your advice.

Kind regards,

Lin Luinxy
 
I have been trying to wrap my mind around this:

https://community.linuxmint.com/tutorial/view/2360

"I wrote this guide/tutorial with the hope that it will be useful for everyone who need a Linux installation with UEFI Secure Boot enabled. The solution here reported is EXPERIMENTAL and need a good experience with Linux and its installation. At the moment I have successfully experimented this solution with Linux Mint 18.X (Cinnamon and Mate) and Ubuntu 16.X, 17.X, all 64 bit version.
This guide/tutorial comes with ABSOLUTELY NO WARRANTY."

Given that I have not much experience with Linux and none with its installation, I do not think that this is really my cup of tea. I'll try to find out if there is another way that might be more newbie friendly.

Studiously,

Luinxy
 

TechnoJunky

Silver Member
Silver Supporter
Why do you HAVE to have secure boot enabled? You can use Linux just fine without it. Without secure boot, Mint will install ease and should be your cup of tea. As I stated above, I installed Neon, and today Kubuntu on my UEFI computer (secure boot disabled) and I couldn't tell the difference between it and when I installed it on a computer with legacy BIOS. Yesterday for shits and giggles, I enabled Secure Boot and it booted up just as it had when it was disabled. The only thing was once I logged in to the desktop, it prompted me for a password to create a password for it. I didn't want to so I rebooted and disabled. But I was able to switch back and forth.
Maybe if you could explain the need for secure boot, it might help someone help you out.
 

Condobloke

Well-Known Member
Seeing you are a 'newbie' to Linux etc etc.....that article is so far above your paygrade its not funny. Please...learn to crawl first.

I have had Linux Mint installed for over 4 years now, and would just glance at info like that and promptly close the page.

Granted, it is hard to know just what info is important to get you off to a good start with Linux....and what info can/should be flicked to one side.

Advice : Follow the people here...their advice is NOT meant to send you down a rabbit hole, and involve you in chaos and disorder.

No one here will offer incorrect advice......and if they did the ink would not be dry before out resident super moderator kicked their butts.

Simply....disable secure boot....Install the OS (operating system))....and PLAY with it. You have NOTHING to lose. The download is free...so are all the apps/programs that come with or are easily accessible.

They do not cost you a cent. And if the worst comes to the worst and you totally screw the whole install......then you simply reinstall the OS and away you go again...armed with a little bit of knowledge of what Not to do !

Jump in......have a ball.....we ARE here to help you.

(Losing the windows mind set is/can be difficult. There is an element of fear attached. With Linux, you are Truly free.)
 
Thank you very much for the replies. I totally agree that I should learn the basics first. I would resume the response as: No, there is no Linux distro that works out of the box with secure boot enabled. I have to get started without, I guess...

Also, I ascertain you that I came here precisely because I trust you and not Windows. As for the question about why secure boot, I think it comes down to principles: do I want to let Windows have the control over my device or do I have the freedom to decide what to do with it. At least for me, Linux is not the choice because it is free, but because it is more ethical. If you could ask yourself what is wrong with Windows and the like, I will happily give you a more thorough answer and references.

As for choosing the distro, I will do what you recommend: try it out. I assume it makes more sense to check them live first, before I move on to the question about the partitioning.

Thanks a lot for your help!

Studiously,

Luinxy
 

wizardfromoz

Super Moderator
Staff member
Gold Supporter
....and if they did the ink would not be dry before out resident super moderator kicked their butts.
That would be ... moi.

But I have soft moccasins on when I kick butt. :)

Lin, it may be worth explaining what Secure Boot does and does not do, in order to settle any apprehensions you may have.

First up, it does not do anything to enhance your computer's security. Therefore working without it does nothing to put you or your data at risk.

Secure Boot was a protocol implemented by Microsoft in 2011 with the introduction of Windows 8. It was adopted by computer manufacturers whom supplied Microsoft systems on their rigs, and effectively gives Microsoft a degree of control over which OSes (operating systems) can run on a computer running with Windows.

One Matthew Garrett, a former developer with Redhat Linux, wrote some software named "shim", which allows LInux Distributions to report to Windows that they contain keys that are registered with and certified by, Microsoft, in order to allow them to be installed on computers running Windows. Over time, if you install Linux and watch some of the updates being installed, you will see occasional references to shim and "shim-signed" passing by.

Secure Boot is actually supported by a small number of Linux Distros. These include but are not limited to
  • Fedora
  • openSUSE
  • Redhat Enterprise Linux
  • CentOS and
  • Ubuntu


In addition to the shim process, many Distros "report themselves" to Windows as being already recognised by Microsoft. They do this by having in their software that their system is "basically this or basically that" Linux that is approved.

I'll give you an example with Linux Mint, Ubuntu and Debian (Ubuntu is based on Debian, and Linux Mint is based on Ubuntu).

In any Linux you use, the following command (can be varied a little but with the same result) shows as follows

Code:
cat /etc/*release*
... on my LM 19.1 this outputs

DISTRIB_ID=LinuxMint
DISTRIB_RELEASE=19.1
DISTRIB_CODENAME=tessa
DISTRIB_DESCRIPTION="Linux Mint 19.1 Tessa"
NAME="Linux Mint"
VERSION="19.1 (Tessa)"
ID=linuxmint
ID_LIKE=ubuntu
PRETTY_NAME="Linux Mint 19.1"
VERSION_ID="19.1"
HOME_URL="https://www.linuxmint.com/"
SUPPORT_URL="https://forums.ubuntu.com/"
BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/en/latest/"
PRIVACY_POLICY_URL="https://www.linuxmint.com/"
VERSION_CODENAME=tessa
UBUNTU_CODENAME=bionic
cat: /etc/upstream-release: Is a directory

... my highlighting.

So Linux Mint "passes inspection" to be installed alongside Windows, by mimicking Ubuntu.

Performing the same command in Ubuntu results in similar output but with a line

ID_LIKE=debian

If you perform the same command on Debian, it has no "ID_LIKE" reference, only

ID=debian

So a considerable number of Linux Distros can be installed with Secure Boot enabled, but far more cannot, so if you have problems, your first action should be to disable Secure Boot in your PC's setup utility, and try again.

I have more, but see if you have questions about the above.

Cheers

Chris Turner
wizardfromoz
 

Northerner

New Member
First up, it does not do anything to enhance your computer's security. Therefore working without it does nothing to put you or your data at risk.
That's true for Linux systems, though not as a blanket statement.

Secure boot puts a great big hurdle in the way of the persistence of many legacy rootkits that effect Windows, which was previously a major issue. Sure enough malware writers have finally figured out how to get around that recently, but it really upped the ante by forcing boot code to be signed by the system. Sadly the majority of budding cybercrims then turned to ransomware and now phishing... the war continues.

Yes I agree Mint is the most newb friendly distro there is and swapping to it from Windows is likely to be painless. Then again Debian is a powerhouse and learning how to use it straight off the bat (like I did) really isn't such a bad idea, despite the small frustrations you will encounter in the steep part of the learning curve.
 
Thanks a lot for the clarification.

Now, I am using Linux Mint live booting from USB. I run the same command and I get this as output:

[email protected]:~$ cat /etc/*release*
DISTRIB_ID=LinuxMint
DISTRIB_RELEASE=19.1
DISTRIB_CODENAME=tessa
DISTRIB_DESCRIPTION="Linux Mint 19.1 Tessa"
NAME="Linux Mint"
VERSION="19.1 (Tessa)"
ID=linuxmint
ID_LIKE=ubuntu
PRETTY_NAME="Linux Mint 19.1"
VERSION_ID="19.1"
HOME_URL="https://www.linuxmint.com/"
SUPPORT_URL="https://forums.ubuntu.com/"
BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/en/latest/"
PRIVACY_POLICY_URL="https://www.linuxmint.com/"
VERSION_CODENAME=tessa
UBUNTU_CODENAME=bionic
cat: /etc/upstream-release: Is a directory

As far as I can see, secure boot is still enabled and Linux Mint works just fine. Does that mean that I could install it and it would work just as fine? Meanwhile, I will have a closer look at this new playground...

Studiously and exploringly,

Luinxy
 

wizardfromoz

Super Moderator
Staff member
Gold Supporter
Does that mean that I could install it and it would work just as fine?
The operative word is "would", or read "should" :)

But you will appreciate that there are so many computers "out there", all with different configurations, all with different software and firmware "foibles", that it is hard to say definitively. And the manufacturers of same computers had one OS in mind to install and sell, and that was not Linux :D

So my best advice is to have your Windows Recovery Plan in place, and then go ahead and give Linux a try?

Studiously and exploringly,
I like that - many of us have explored before you, and there will likely be many more to follow :D

Wizard
 
I guess I just found the answer to my question. I was looking at this:

https://fedoraproject.org/wiki/Unified_Extensible_Firmware_Interface

"
Here's what you need to know about Secure Boot:


  • It is not the same thing as UEFI. It is just one part of UEFI. You can boot in UEFI native mode with Secure Boot disabled.
  • You can turn it off in the firmware interface.
  • Turning it off is not turning off UEFI, in any sense of that phrase. Disabling Secure Boot does not automatically trigger BIOS compatibility mode. However, using BIOS compatibility mode implicitly disables Secure Boot, as there is no way Secure Boot can possibly work when booting in BIOS compatibility mode.
  • Secure Boot per se is fairly unlikely to be the cause of any problems you have installing Fedora on a UEFI system. If you have problems it is far more likely that they are caused by some of the other considerations discussed on this page.
  • When Secure Boot is enabled Fedora will prevent you doing certain things like loading un-signed kernel modules. This is to preserve the boot chain integrity that Secure Boot provides: if Fedora allowed loading un-signed modules in Secure Boot mode, for instance, it would be trivial to defeat the Secure Boot protections. You can happily do a UEFI-native install of Fedora and then turn Secure Boot on and off in your firmware, and Fedora should boot either way, enforcing the restrictions if you turn it on, not enforcing them if you turn it off.
In sum: don't worry too much about Secure Boot, and don't confuse "turning off Secure Boot" with "turning off UEFI" (or, to put it correctly, using BIOS compatibility mode)."

Now I understand that with secure boot enabled I might be running into problems with un-signed modules. Naturally, those kind of obstacles may make my newbie-experience a bit frustrating. Did I get it now?


Kind regards,

Luinxy
 
Last edited by a moderator:

wizardfromoz

Super Moderator
Staff member
Gold Supporter
Mate, I hope you don't mind, but everything between the link you posted and "Now I understand" is in a bright green I cannot read easily, I am editing it.

Wiz
 

wizardfromoz

Super Moderator
Staff member
Gold Supporter
That was a good find from our friends at Fedora :), I'll bookmark that.

Now I understand that with secure boot enabled I might be running into problems with un-signed modules. Naturally, those kind of obstacles may make my newbie-experience a bit frustrating. Did I get it now?
Travelling "studiously and exploringly" will reveal.

With your Linux Mint (& it can be installed on almost any Linux) make the acquaintance of Timeshift. Take a snapshot On Demand before trying experiments with Secure Boot.

Wizard
 
Update:

I am getting started step by step. I proceeded with installing Linux Mint and it worked out of the box nice and easy. In this case with secure boot disabled. What a charming experience. Really newbie friendly. No suffering.

I will try again with manual partitioning, let's see if that works out...

Studiously and exploringly,

Luinxy
 

Members online


Latest posts

Top