
| From: "Steve Petrie, P.Eng. via talk" <talk@gtalug.org>
| ----- Original Message ----- From: "o1bigtenor" <o1bigtenor@gmail.com>

| > I cannot speak to whether or not it is actually supported but I can tell you
| > that you can install Linux (Debian in my case) on a system with both
| > secure boot and UEFI.
| >
|
| You are correct -- according to the debian 8 docs, there is (improved) UEFI
| support in debian 8. It is the secure boot that is not supported.

Here's my understanding. I could be wrong about some details.

Secure boot requires a signed bootloader. The signing can be by any private key that matches the public keys known by the UEFI firmware. Out of the box, the only such key is owned by Microsoft.

Linux distros have gotten a signed-by-Microsoft bootloader. I think that there is only one such bootloader. It is used by Suse, Ubuntu, Fedora, and Red Hat (at least). So all those can be used with Secure Boot enabled.

Currently, all PCs that get Windows branding (i.e. essentially all PCs) have to allow additional keys to be added to the firmware. But it must be a manual process so that malware cannot add keys. I, as a human, don't wish to type in a key (I imagine 256 or more hex digits).

Currently, all PCs that get Windows branding have to allow Secure Boot to be turned off. But it must be enabled by default.

These two rules appear to me to be promulgated by Microsoft to avoid anti-monopoly scrutiny. Further evidence for this theory: Microsoft took the opposite approach for Windows RT which was in a market that they did not dominate.

| > (My system was in for warranty repair and when I got it back the main
| > system disc had been replaced. As well the windows boot manager had
| > been enabled (and used), all this even though I had had Debian (testing)
| > installed previously.

Of course: warranty repair that involves replacing a disk drive will give you back the system as it was born: a fresh install. Anything else is too expensive for them to accomplish.

If you bought your system from a small integrator, anything is possible, but it is pretty labour-intensive for him to recreate your disk. That's what your backups are for, right?

PC warranties are essentially about the hardware. Software is pretty much out of anyone's control. I've tried to get support for software and it has almost always been hopeless UNLESS I've made a really stupid and obvious mistake (it happens).

Googling is the best software support there is provided you are reasonably knowledgeable. Of course "reasonable" is subjective.

| So, is it a correct presumption that, when you got the system back from
| warranty repair, the new main system disk had been configured with a PC
| seller's "standard" Microsoft Windows installation, setup to secure boot only
| windows, through the windows boot manager?

Surely. In fact, for security reasons, I try to wipe any disk that I return for warranty support.

| I am hoping that it will be feasible for me to specify to the PC system
| builder, both: 1. HDD partitioning configuration (there's only one HDD), and
| 2. multi-boot setup (ready for a drop-in debian 8 installation). So the debian
| installation I will do myself, requires minimal messing with the boot setup.

I think that you are overly limiting the pool of suppliers with this requirement. And for not much of a win.

| > This was not straightforward but I was able to get
| > things to where I wanted them. Had to disable the windows boot manager
| > and use the UEFI disc configuration (gpart/gparted is your friend here!)
| > and then determine how to work through the secure boot malaise.
| > What I did I don't remember
|
| Too bad you don't remember.

Sadly there are many variants to this. One recipe won't work. But the ideas carry over.

This is where experience, not just theory, is useful. I have a modest number of scars in this area.

This is actually a small area. Not that much lore. Just no particularly good source (as far as I know).

I don't think any of this is documented in a way you can just read about it. But at least you know that there must be a way through the maze.

| The "odyssey" part I can relate to. I like to refer to those kinds of
| struggles as "character building".

More like Theseus (Labyrinth) than Odysseus.

| My preferred scenario has the PC system builder delivering the new PC, with
| Microsoft Windows 7 (OEM) installed to boot onto bare metal, but with a
| pre-agreed HDD partitioning and multi-boot setup, so it's a straightforward
| drop-in installation task, for me to add a debian 8 Linux, that also boots
| onto bare metal. The idea is to avoid wiping the windows installation and boot
| setup, as delivered by the PC system builder, so as to keep the system builder
| committed to my mental health

Essentially any conventional PC can be wrangled to run Debian UNLESS it has as-yet-unsupported hardware. Most system integrators don't know how. At least some of us in this community do and are willing to help.

Unsupported hardware is rare, but I will mention exceptions that I know:

- video cards can be tricky, especially new models

- Intel has screwed up on some bits of support for some current Atom-family processors (but you were not considering those)

- the latest family of intel processors ("Skylake") have some minor surprises that are still being worked out.

You really want to be able to do this stuff yourself so that you can recover from system failures. What better way to learn than before you have anything important on your system?

| To add complication, I would like, once the new PC is booting debian Linux
| from the HDD onto bare metal, to improve performance by providing for debian to
| boot (mostly) from a "shadow" copy on the HDD, and then do all subsequent
| dynamic loading of debian components, from the SSD.

I generally consider my OS disposable. So I keep it on the SSD. That makes it much more responsive. No backup: I can easily recreate it.

I lean towards keeping my data on the HDD. I don't do data-intensive things. Backing it up is important. SSD failures seem to be more sudden than HDD failures.
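
Added example, not part of the original message: the message above says the firmware holds the public keys a bootloader signature must match. On Linux that list is the UEFI `db` variable exposed through efivarfs, and this sketch reads the Secure Boot state and lists each `db` entry. The sample bytes, the owner GUID and the function names are constructed for illustration; the certificate payload is a zero-filled placeholder.

```python
import os
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509: "X.509 certificate", SHA256: "SHA-256 hash"}
EFIVARS = "/sys/firmware/efi/efivars/"
SB_VAR = EFIVARS + "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
DB_VAR = EFIVARS + "db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def secure_boot_enabled(raw):
    """efivarfs puts a 4-byte attribute word before the 1-byte value."""
    if len(raw) < 5:
        raise ValueError("SecureBoot variable too short")
    return raw[4] == 1

def parse_db(raw):
    """Return (type, owner GUID, payload length) for each db entry."""
    data, off, entries = raw[4:], 0, []
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        pos, end = off + 28 + hdr_size, off + list_size
        if sig_size < 16 or pos > end or end > len(data) or (end - pos) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        for p in range(pos, end, sig_size):  # each entry: owner GUID + payload
            owner = uuid.UUID(bytes_le=data[p:p + 16])
            name = SIG_TYPES.get(sig_type, str(sig_type))
            entries.append((name, str(owner), sig_size - 16))
        off = end
    return entries

def sample_db():
    """Constructed db contents: one placeholder certificate, two hashes."""
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le
    def sig_list(sig_type, payloads):
        body = b"".join(owner + p for p in payloads)
        sizes = struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0]))
        return sig_type.bytes_le + sizes + body
    lists = sig_list(X509, [bytes(64)]) + sig_list(SHA256, [bytes(32)] * 2)
    return struct.pack("<I", 0x27) + lists

if __name__ == "__main__":
    live = os.path.exists(SB_VAR) and os.path.exists(DB_VAR)
    sb = open(SB_VAR, "rb").read() if live else b"\x06\x00\x00\x00\x01"
    db = open(DB_VAR, "rb").read() if live else sample_db()
    print("Secure Boot enabled:", secure_boot_enabled(sb))
    for entry in parse_db(db):
        print(entry)
```

On a machine without efivarfs the script falls back to the constructed sample, so the output then describes the sample and not the firmware.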