Secure boot / win 8 / linux

Similar Messages

• T450s downgrade Win 8.1 Pro to Win 7 Pro Secure Boot Process?

  Hi all, New owner of a T450S with 8.1 Pro. I have a Windows 7 Pro OEM disc (no serial number) that I can put on a USB thumb drive. Prior to owning a secure boot machine I would just format the hard and install Win 7. With secure boot and the downgrade I'm not sure how this works. 1. Is the serial number that I have backwards compatable? Can I just format, install and use the 8.1 Pro serial number on my Lenovo? 2. I believe I will have to disable secure boot but I'm not sure. Any help or link to a tutorial would be appreciated. ThanksChrissy  

  @ the OP,
  The article ColonelOneill linked says "You’ll need to activate by phone. Call up the phone number displayed in the activation window and explain that you’re exercising your Windows 8 Pro downgrade rights. Have your Windows 8 Pro key ready; you’ll need it to prove your PC has downgrade rights."
  Here's a link to Microsoft's description of how to activate a downgrade:  Understanding downgrade rights
  Z.

• Dual booting S540 and linux with Secure Boot?

  At some point I intend to install archlinux with dual boot on my Thinkpad S540 which currently runs Windows 8.1.
  All the current advice about dual boot on UEFI machines seems to indicate that the way to go is to disable Secure Boot (and Fastboot) for Windows, and then do the linux install choosing a linux bootloader to allow booting either O/S. I believe I know the steps needed to do that.
  Does anyone have any experience with dual booting Windows 8.1 and ArchLinux on the S540?  I would like to retain Secure Boot for Windows, and in the ideal world have Secure Boot running for ArchLinux also. However Secure Boot is fraught with problems for Linux. There are a few distributions such as Ubuntu which will in principle support Secure Boot but I only use ArchLinux and want to install that particular flavour of linux on my machine. It is of course possible to keep switching Secure Boot on and off in the BIOS before booting either of the two installed operating systems but it would be neater and cleaner to have it all with Secure Boot on, or all with it off.
  This is all very new stuff so there may well be a lot of problems, but it is worth exploring. I use rEFInd as my bootloader on another UEFI desktop computer to boot ArchLinux so I am familiar with that bootloader, but dual boot is another thing, and Secure Boot with the fast moving developments in that area is something that until now very few people have tinkered with.
  Any replies and guidance/suggestions appreciated.

  I'm guessing /boot can run from ntfs, however probably not as efficiently as if it were running on ext3/4. Mine runs on Ext4.
  To add confusion, you only create one Extended partition, all partitions you create within the Extended partition are called Logical partitions. You should be able to create enough Logical partitions for your needs.
  Primary/Extended partitions are normally sda1-4 and Logical partitions will usually start from sda5 on modern Sata HDD systems.
  For /boot I would create a small 100mb Ext4 Logical partition. This partition cannot be inside LVM nor encrypted when using Grub1.  I'm not familiar with Grub2.

• Can't activate secure boot after upgrading from Win 7 to Win 8 on a Spectre XT

  Hi everybody,
  my first post here, so please forgive me if the topic has already been discussed
  I did search before posting anyway, but I couldn't found anything addressing this specific point.
  My (small, I must admit) problem is as follows:
  I recently purchased a Spectre XT 13-2005tu (i7 processor, 4Gb RAM, 256Gb SSD) with Windows 7 pre-installed.
  After installing my favourite applications and using it for a few weeks without any trouble, I thought to take the opportunity of the $14.99 upgrade to Win 8, so I downloaded Windows 8 Pro and installed it (as an upgrade, rather than a fresh installation, because I didn't want to loose the customizations I already made).
  I also installed all the updates available on HP website (sp59158 for updated BIOS, sp58404 for UEFI support, ecc.)
  The whole upgrade worked nicely, and the PC is now up and running with Win 8.
  Now, I'm trying to use at best all the possibilities Win 8 has to offer, and among them, the UEFI secure boot.
  I found the "legacy support" option in the BIOS settings, which as I understand must be disabled to activate the UEFI secure boot, but if I do that the PC tells that there's no operating system on the disk and doesn't boot anymore.
  Which was a bit scary by the way, but eventually I could re-enable the legacy support in the BIOS and have the PC working again, but of course with no secure boot.
  I suppose there must be some other re-configuration that should be done before changing the BIOS parameter, but I couldn't find any instruction for that anywhere on the web.
  On the other hand, it would be indeed weird if the secure boot could not be configured AFTER the OS upgrade, and a new fresh installation would be necessary.
  I'd rather part with the secure boot than re-install everything, but that would be a shame... :-(
  I hope someone can explain what should be done, many thanks in advance!

  Thanks for your feedback, but I don't think your issue is the same as the one I previously explained.
  The UEFI/secure boot setting is a basic configuration affecting the way the PC boots, regardless of whether it is connected to a network or not.
  By the way, in the meantime I've seen in a shop exactly the same PC model which I'm using, now sold with Win 8 pre-installed, and it was working with the UEFI enabled (= BIOS "legacy support" disabled).
  Therefore, the configuration I'm interested in has to be feasible, one way or another...!

• Tutorial - How to triple boot OSX, Linux and Windows 8.1 with a shared Data Partition without any third party Win / OSX softwares

  This is not a question, but rather a personal guide that has proved to be running successfully.
  I would like to thank numerous sources, including Christopher Murphy's suggestions at:
  Re: Repairing Boot Camp after creating new partition
  Before proceeding, there are certain concepts needs to know:
  Why Boot Camp does NOT allow further partitioning of drives after Windows has installed?
  Answer: Because the way Apple configures the Mac to be recognized as non UEFI capable system on Windows.
  Quote from Christopher Murphy based on the above line:
  However, Windows on Macs right now use CSM-BIOS mode in Mac firmware that presents BIOS to Windows rather than EFI. Windows thinks it's on a BIOS computer, and therefore mandates the use of MBR for boot disks, rather than GPT. So that's why we have this hybrid MBR+GPT approach on Mac with Windows on it. You inherit the limitations of MBR, which is four primary partitions.
  So what does it means?
  It means that OSX + EFI + Recovery HD + Boot Camp partition = 4 primary partitions and thus any attempt to modify the disk will render booting issues of either system.
  For more info on GPT (GUID Partition Table disks VS Master Boot Record or MBR in short, you may visit: http://msdn.microsoft.com/en-us/library/windows/hardware/dn640535%28v=vs.85%29.a spx)
  So, how to overcome it?
  The general guideline is to install ALL GPT ready OS first then create a Data partition, before installing Windows (Which is again, NOT supported GPT due to EFI configuration by Apple where end-users are not able to modify it).
  Interestingly, since Mac Pro 2013 Late supports only Windows 8 and above, thus it is not known if this CSM-BIOS applies to it or not.
  Do take note that GPT disks in Windows can only be booted when the system meets the 2 requirements:
  http://msdn.microsoft.com/en-us/library/windows/hardware/dn640535%28v=vs.85%29.a spx#gpt_faq_win7_boot
  1) Windows x64 version (Which is a must for newer Macs. If you cannot go to Boot Camp 5, then you need Windows 7 x86 or 32bit version)
  2) UEFI system. However, Windows sees all Macs (With the possibility of Mac Pro 2013 Late is an exception. To be determined) as BIOS, or rather NON-UEFI system.
  In short, booting on GPT disks is not possible for Mac in Windows.
  Summary,
  It is tested that a combination of the following will not work:
  - OSX + Windows + Linux
  - Windows + OSX + Linux
  - Windows + Linux + OSX
  Usually it can create the system un-bootable or OSX refused to install due to the system does not recognize such partitions and / or Disk Utility refused to format a free space. An example screen-shot is provided below:
  The error message is shown as
  Title: "Failed to erase volume" Message: "Failed to wipe volume, as an error occurred: MediaKit has reported that the device does not have enough free space to execute the requested operations."
  The second thing is about the preparations we need.
  1) 1X Windows 7 or 8 DVD or USB thumbdrive
  1A) If you uses a DVD to install, you will need another thumbdrive to load the BootCamp drivers for Windows as well as may requires an external DVD drive for newer Macs
  2) 1X Linux DVD of your choice. Personally I choose Fedora 20.
  So ready? Let's go.
  1. Using Disk Utility, shrink the OSX's partition size to what is needed. For me, I give OSX 150GB. Do NOT create any new partition.
  Disk Utility should see something like below whereby only OSX partition is left with desired disk space. The remaining space are to be unused disk space for the moment.
  Note: Click on the top most item that should start with the size of your HDD / SSD. Then clicked on "Partition" and specify the desired OSX size. Hit "Apply" after that.
  2: Download Boot Camp drivers only via Boot Camp Assistant. The USB thumbdrive shall be used later after Linux's installation.
  Boot Camp Assistant should see this:
  I have only selected "Download latest Windows Support Files from Apple"
  3. Insert Linux DVD, reboot Mac into EFI mode (The left most first "EFI mode").
  Note 1: Before rebooting, please plugged in an Ethernet adapter because Wi-Fi drivers is not installed.
  Note 2: For Thunderbolt adapters, it must be plugged in before reboot as hot-swapping is not supported under Linux. More on the tips at the end of this article.
  Note 3: Press and hold "Option" after the screen turns black. Release Option key after you see the image as below:

  For the unfortunate part that did not make it on time to edit the images:
  9. Install the Windows Support software from your CD/USB drive to gain full functionality of your computer. Reboot and go to Windows again.
  Note 1: You may choose to eject disc at this point of time. For Apple SuperDrive users, you will need to wait until the drivers (i.e. Boot Camp support files) is installed and rebooted before ejecting is reasonably possible (As I failed to figured out how to right click without the drivers)
  Note 2: Unlike Windows 7 on KBase article TS4599 Keyboard/trackpad inoperative, black screen, or alert messages when installing Windows 7, USB stick can be plugged in after the Windows installation is done. This is because Windows 7 (And probably Windows 7 with SP1 DVD) does not have a built in USB 3 drivers when it was released back in 2009 where USB3 has not arrived then.
  Note 3: Due to TPM, Bitlocker is not supported without the use of thumbdrives.
  10. Using Disk Management to determine the given drive letter for the DATA partition (DO NOT DELETE and RECREATE partition or else you can goodbye to booting Linux and OSX). Disk Management will not allow you to format it as exFAT / FAT32 in graphical way.
  Note: You may remove or modify some of the disk letters in Disk Management. However, do NOT remove / modfify the drive letter for the partition with 200MB size in HFS. This is because it will disallow booting of Linux and neither could Windows nor OSX can do anything EXCEPT to reinstall Linux only.
  11. Open Command Prompt in Administrator Mode (Important!!), and key in the following command:
  format F: /FS:exFAT
  Give this volume a label after it has successfully formatted before hitting "Enter" again.
  Note: Mine Data partition was assigned as F drive. Please make necessary adjustment to "F:" should your Data partition is assigned to other letters.
  12. After that, Setup your Data partition structure as you like.
  Tip: Minimally create the important folders such as:
  - Music
  - Documents
  - Movie (Videos)
  - Downloads
  - Pictures
  All these folders are commonly used by the 3 OSes. I do NOT recommend changing of /home (OSX and / or Linux) and / or user home directory (Windows) either partially or as a whole.
  This is because of compatibility issue.
  On a side note, iTunes Media Library used in OSX and Windows are NOT able to be use interchangably due to hard-coded path used.
  13. Useful troubleshooting in Fedora / Linux:
  With references to these:
  http://chaidarun.com/fedora-mbp
  http://anderson.the-silvas.com/2014/02/14/fedora-20-on-a-macbook-pro-13-late-201 3-retina-display/
  http://unencumberedbyfacts.com/2013/08/16/linux-on-a-macbook-pro-101/
  I would like to highlight a few important points:
  1) Wi-Fi driver:
  http://rpmfusion.org/Configuration
  Note 1: The sound driver should be installed at Out of Box Experience. However, the Wi-Fi is not.
  Note 2: Install both free and non-free repository. By the way, some other software like VLC can only be found after the Free Repository is installed.
  Search for "akmod-wl" in Gnome-Package-Installer in order to install Wi-Fi drivers
  Note 3: For those who do not have Ethernet adapters and their Mac does NOT have a built-in Ethernet port, it is recommended to get one. This is because Fedora 20 does not have a good support for iPhone USB tethering. Unsure for Andriod / Blackberry / Windows Phone users.
  2) Grub Menu:
  It will show several options to boot into OSX, even of the capability to boot into x86 or x64 mode. However, neither of them is bootable except Linux and the rescue.
  Hence, it is recommended to remove the items by hand in this file:
  /boot/efi/EFI/fedora/grub.cfg
  Command to be used:
  "sudo gedit /boot/efi/EFI/fedora/grub.cfg"
  Parts to be removed:
  - For any extra kernels, delete the target entry by locating the line "menuentry" under "/etc/grub.d/10_linux" sector to one line above the next "menuentry".
  It is recommended to keep one main kernel, and one recovery at the minimal.
  - For other OS, delete all the entry (Since neither it can works) under "/etc/grub.d/30_os-prober" sector without removing the lines starts with ###.
  Auto Mount exFAT partition:
  - After installing extra packages for exFAT support (Since it is not supported by Fedora 20 from a default installation), you may wish to edit "/etc/fstab" in order to mount the exFAT partition during boot time.
  Command to be used:
  "sudo gedit /etc/fstab"
  Add the following line in gedit:
  UUID=702D-912D /run/media/Samuel/DATA                   exfat    defaults        1 2
  Note 1: For DATA partition, OSX & Boot Camp partition, Fedora defaults mounts under: "/run/medua/<Username with case sensitive>/<Partition Label Name>"
  Note 2: UUID is unique ID. You can find out the UUID by:
  Step 1: First determine the DATA partition number:
  "sudo gdisk /dev/sda"
  Step 2: Determine the UUID of this partition number:
  "sudo blkid /dev/sda8"
  Reference 1: http://manpages.courier-mta.org/htmlman5/fstab.5.html
  Reference 2: http://liquidat.wordpress.com/2007/10/15/short-tip-get-uuid-of-hard-disks/
  3) Overheating CPU
  Solution is to issue the following command in Linux terminal: su -c "echo -n 1 > /sys/devices/system/cpu/intel_pstate/no_turbo"
  4) System resumes immediately after suspend
  Solution is to issue the following command in Linux terminal: su -c "echo XHC1 > /proc/acpi/wakeup"
  5) What does not works well out of box:
  - Both GNOME and KDE's fonts are too small to be readable for out of box experience. Additional configuration is a need. (Some of the info can be found on "More Tips" later)
  - Thunderbolt hotplugging is NOT supported under Windows and Linux so far. Neither FaceTime HD camera works as well.
  - The red light in Headphone jack is always on. I do not have luck in switching off the light without losing the sound.
  Note 1: It is determined that the module "snd_hda_intel" is used by both cards (HDMI and normal output)
  Note 2: It is also known that blacklisting it can switch off the redlight at the price of muting the system.
  Note: Based on this article, http://support.apple.com/kb/TS1574
  A Mac (Except Mac Pro) needs servicing when there is a red light while the system fails to detect internal speakers. However, this article does NOT applies to this issue.
  5A) More Tips:
  Install gnome-tweak-tool for more customization
  Search for: "gnome-package" to install:
  Install Gnome Package Installer for advanced package repository
  Install Gnome Package Updater for advanced updates to be install (Whereby Fedora's App Store alike might not show the relevant updates)
  14. Verify if disk is still GPT:
  Use Gdisk to determine if the disk is pure GPT:
  http://ubuntuforums.org/showthread.php?t=1742682
  Command: sudo gdisk -l /dev/sda (The entire hard drive)
  You should see the MBR is "Protective" instead of anything else.
  15. Congrats, the system is ready for triple boot. (I forgot to eject my Windows DVD when the photo was taken)
  Note 1: You cannot set the default startup disk in Linux due to the lack of Boot Camp Control Panel in Linux.
  Neither is changing startup disk recommended in Windows due to the inability to display correctly.
  For me, I click "Cancel" whenever I am on this tab (Feel free to make other Boot Camp adjustments in other tabs).
  Only OSX I know that can show the startup disk options correctly.
  Note 2: For some reason, OSX likes to auto mount the EFI partition everytime it boots up. It is not known to have any issue for ejecting other disks or mounting disks via Disk Utility.
  Note 3: It is not determined if any Firmware or System upgrades will cause issues. It is only known that all 3 OS's regular updates should not be an issue.
  System Updates excludes Mac OSX 10.9.3 updates to OSX 10.9.4 type as I had done it on a OSX 10.9.4 Mac or Windows 8.1 to Windows 8.1 Update 1 since my Windows DVD comes with Update 1.
  System Upgrades refers to OSX Mavericks to Yosemite, Fedora 20 to Fedora 21, Windows 8.1 Update 1 to Windows 8.2 / Windows 9 for that matter.
  Note 4: Reset SMC and / or PRAM will NOT affect your ability to boot any of the OS (OSX, Recovery HD, Fedora & Windows 8)
  Yup, that is it!

• GE70 dual booting with linux

  Has anyone installed linux as a dual booting OS on their MSI laptop?  I've gone through a lot of stuff online to try and install, but the UEFI isn't recognizing anything I have as far as live booting dvd or usb.  I've turned off secure boot and fast boot.  I can get it to boot off the disk/usb in Legacy mode, but if I install from there it installs as MBR which can cause problems.  If anyone's had success, please, let me know.
  Thanks!
  B

  If the laptop came with Win 8 pre installed then bios is set to UEFI, a new measure made by Microsoft to ensure nobody tries to boot other system rather than windows. The only way to boot a linux is to change bios to Legacy and then try to boot, after that, to boot windows you have to change that setting again, so not very efficient really.
  My advice is to reinstall windows but in Legacy mode, there is software on the internet to check your windows key and reinstall.
  All in all, while you have Windows in UEFI mode forget about dual booting, reinstall windows on Legacy or just erase it and go for linux.

• Unable to boot Win 7 after cleaning factory installed Win 8.1_shuts down at preparing desktop

  I had factory installed Win 8.1 on my HP P 206TX laptop but I wanted to install some software which does not support any OS above Win 7, so I wanted to remove this.
  I did the following process:-
  1. Created Win 8.1 recovery media(DVD) for future usage.
  2. BIOS setting:-
     a. Secure boot - Disabled
     b. Legacy boot - Enabled
  3. Cleaned hard disk through DISKPART
  4. Converted GPT to MBR
  5. Installed Win 7 Ultimate 64bit (DVD).......almost done till preparing desktop....
  Then just during preparing desktop, system logged off, shut down and restarted....
  But the restart does not boot windows at all.
  It only shows "press ESC for startup menu" and then restarts again with the same process repeating again & again.
  I have tried Repair through Win 7 DVD but it shows "this version of system recovery options is not compatible with the version of windows".
  Please help as I am unable to find any solution anywhere on the internet.
  I hope HP can help me...PLEASE

  Hi 
    According to your machines support pages on HP website, Windows 7 drivers are not available for your machine this is more than likely the issue you are having . If you want to run software through Windows 8.1 that is not compatible for Windows 8.1 you can always run a Virtual box and install Windows 7 to Virtual box and run software via there..
        Google search Virtual box --- download and install then install your ISO image of Windows 7 and go from there..
                        Checkurtech 
  ****Click the White Kudos star to say thanks****
  ****Please mark Accept As Solution if it solves your problem****

• Dual booting win 7 and arch: cannot install grub to partition

  I have read the arch wiki page on dual booting and several other sources on line, but I am still struggling to get this to work.
  I am trying to dual boot arch and windows 7 on my lenovo ideapad s205. the machine comes with windows 7 pre-installed.
  I shrank the win 7 partition and added an extended partition with 3 logical partions for /boot, swap, and /.
  I am able to install and run arch by installing grub to the mbr. when I do this, though, I cannot boot windows. (the windows section of grub menu.lst is uncommented and points toward hda0,0. I have tried hda 0,1 as well).
  I have also tried to use the windows boot loader to load arch, as described in the arch wiki page on dual booting. The problem here is that, taking this approach, I should install grub to my /boot partition, but when I try to do this, the installer only allows me to install grub to sda or sdb (the usb stick).
  I have read that grub should be able to boot linux from a logical partition. Is this so?
  Is there something wrong with the arch installer that it is not giving me the option of installing to a partition rather than the mbr, or is this  a problem with my partition scheme, or something else?
  I am tempted to remove lenovo's recovery system, but on the other hand, I have already needed to use it several times while monkeying around with installing arch.
  Thanks for any help.
  UPDATE:
  I now have the laptop dual-booting win 7 and arch. My solution ( adapted from here: http://helms-deep.cable.nu/~rwh/blog/?p=177) was to:
  1. installed arch on the partitions I had created for it, but skipped the "install bootloader" stage.
  2. in win 7, I downloaded and installed EasyBCD and made an entry for arch in it. I checked the option to "Use EasyBCD's copy of GRUB"
  3. When I restarted, I got a grub error because the entry in grub's menu.lst was pointing at the wrong partitions for the kernel and root.
  4. So I went back into the arch live disk, mounted the boot partition and edited menu.lst.
  Now when I start the laptop, the windows boot loader starts and I can choose between win  7 and arch. when I select arch, grub4dos starts and gives me the option to start arch. this is not particularly elegant (nor is it fast), so I think this solution is less than ideal, but it does work.
  I'd be interestd in any thoughts about what went wrong and what a better solution would be.
  thanks.
  Last edited by ratchet (2011-10-10 19:09:16)

  ratchet wrote:II am able to install and run arch by installing grub to the mbr. when I do this, though, I cannot boot windows. (the windows section of grub menu.lst is uncommented and points toward hda0,0. I have tried hda 0,1 as well).
  Is this a typo in your post or how it was in menu.lst? Surely it should be hd0,0 and not hda0,0? The entry I have in my menu.lst is as follows:
  # (2) Windows
  title Windows
  rootnoverify (hd0,0)
  makeactive
  chainloader +1
  What was yours?
  Last edited by JHeaton (2011-10-10 20:18:22)

• Windows 8.1 Ent eval enabled Secure Boot I think

  I want to get my laptop back to its original format.
  Currently dual booting Windows7/8.1
  During the installation of Windows 8.1 Enterprise evaluation it paused to say it was going to enable secure boot.  I did'nt think much of it I thought I could change it back from the bios.  Did it flash my firmware?  I checked the system status
  with msinfo32.exe; was legacy mode and with powershell; secure boot not supported.  I don't have any options to disable secure boot in the bios nor from within Windows -"I know how to disable it in windows 8.1".  I can't boot a foreign
  operating system, but I can boot a Microsoft OS which sounds like secure boot to me.  I want to get it back to running Windows 7 dual booting with Linux.  I use both at work and need both.  I made the mistake by loading the Eval on my primary
  laptop.  I read I need to revert back to Windows 7 completely, formating and re-installing the OS.  Will this clear my secure boot simulation issue?  I have not changed the partitions or removed any O/S's.   What's the best way
  to proceed?

  Hi,
  I want to explain that, Secure Boot is indepent with system, you can disable it in UEFI interface.
  To disable Secure Boot, you can follow the steps below:
  1.Before disabling Secure Boot, consider whether it is necessary. From time to time, your manufacturer may update the list of trusted hardware, drivers, and operating systems for your PC. To check for updates, go to Windows Update, or check your manufacturer's
  website.
  2.Open the PC BIOS menu. You can often access this menu by pressing a key during the bootup sequence, such as F1, F2, F12, or Esc.
  Or, from Windows, hold the Shift key while selecting Restart. Go to Troubleshoot > Advanced Options: UEFI Firmware Settings.
  3.Find the Secure Boot setting, and if possible, set it to Disabled. This option is usually in either the Security tab, the Boot tab, or the Authentication tab.
  4.Save changes and exit. The PC reboots.
  I found an aticle that teach how to install dual-boot Windows 7 and Ubuntu 12.04 on a PC with UEFI hardware:
  http://www.linuxbsdos.com/2012/10/11/dual-boot-windows-7-and-ubuntu-12-04-on-a-pc-with-uefi-hardware/
  Hope this helps.
  Roger Lu
  TechNet Community Support

• Upcoming issues for secure boot and arch installs

  I came across this rather worrying article indicating that when Microsoft starts approving hardware for Window 10 machines they may not allow secure boot to be turned off, and thereby make it very difficult for users to install arch on such a machine unless it can be booted using secure boot:
  http://arstechnica.com/information-tech … a-reality/
  I suppose at some point there will need to be a method of getting the appropriate certificates for arch to allow booting on machines using secure boot.

  mcloaked wrote:
  mychris wrote:
  I've heard the systemd guys are working on integrating secure boot with systemd and gummiboot. So you might be able to sign everything yourself and secureboot your GNU/Linux/Systemd machine.
  But currently I don't know anything about it and don't care about it. Like trilby said, if I'm not able to use a specific hardware I will not use it.
  Sure I won't buy hardware that I can't install Arch on - but what is a potential problem is if OEMs are forced into only selling locked hardware if they wish to sell it with Windows on it in the future - that would give MS a monopoly position - and for laptops it is not so easy to find hardware that is free of MS apart from a limited range of laptops that have Ubuntu installed when supplied (and of course IOS and chromeos based machines). For desktops it is not too difficult to buy components or barebones systems that you can customise and install whatever you like on - but laptops don't generally fall into that option range.  I do have to keep Windows for some tasks that it is close to impossible to do without Windows (like satnav updates for example) though it principle a VM could be used with Windows on it. It is a shame that for this kind of task there isn't a linux alternative that avoids Windows altogether! It would be nice to find barebones laptops that you can install any OS of choice on with none on the machine at the time of purchase.
  I know this argument was discussed at length before Secure Boot appeared in the machines that are on the market now - and at the time I thought that the basic principle of not having one O/S manufacturer monopolising the market and excluding other O/Ses had been established and expected to continue along this path - but the news item indicates that a significant departure from that policy may now take place over the next year or two. Giving users the option to disable Secure Boot has no impact on the security of the Windows O/S on a particular machine unless the user actively disables it but that should remain the user's choice. The only reason to lock down the BIOS in this way is to attempt to close off competition to Windows. In a true free market there should be hardware that is not so locked - or at least have as much choice of hardware that is not incumbent on control from MS. There are worries that the BIOS is vulnerable to firmware hacking but that could in principle happen even if the Secure Boot option is designed to have no user control to turn it off.  Maybe devices that will re-flash the BIOS with one that does allow Secure Boot will be developed - I seem to remember that some machines are "operated on" during delivery to customers in that kind of way to install firmware components that are not in place at manufacture - so that kind of technology already exists.
  It will no doubt be interesting to see how this plays out over the next couple of years.
  Edit:  I guess if it comes to the crunch that people will start to play with the information such as at https://wiki.archlinux.org/index.php/Un … ecure_Boot
  I've tried using VB as a PXE client for Arch, and VB keeps blowing up.  It's better if you just run it straight.

• Computer has no option to dissable the Secure Boot

  I have tried, and tried, and searched, and searched, but I have found no option to dissable the secure boot on my computer. The only option I have found is in my BIOS, which is to dissable the boot sources. That does nothing though, because the computer still does not boot with the graphics card installed. The BIOS appears to be outdated, with a 2011 version as compared to the 2012 versions i have seen in the walkthroughs, but there is not update for the BIOS avalible. I have also gone into the advanced startup in Windows 8.1 and found nothing pertaining to UEFI. I am frustrated beyond belief, and would apreciate any help out there.
  This question was solved.
  View Solution.

  Ryan, welcome to the forum.
  According to the specs for the computer it came with Win 7 Home Premium 64-bit installed.  This means that it didn't have Secure Boot or UEFI.  HP didn't begin using UEFI until mid-October, 2012.  Your computer was released in December, 2011.  Simply installing Win 8.1 does not change the BIOS.
  There is a BIOS update for the motherboard, but it is for Win 7.  This means that you would have to do a System Recovery to take the computer back to its original configuration with Win 7 to install it.  However, it doesn't correct the problem that you are experiencing.
  If you are trying to install a 700 series card, they require UEFI.
  Please click the "Thumbs up + button" if I have helped you and click "Accept as Solution" if your problem is solved.
  Signature:
  HP TouchPad - 1.2 GHz; 1 GB memory; 32 GB storage; WebOS/CyanogenMod 11(Kit Kat)
  HP 10 Plus; Android-Kit Kat; 1.0 GHz Allwinner A31 ARM Cortex A7 Quad Core Processor ; 2GB RAM Memory Long: 2 GB DDR3L SDRAM (1600MHz); 16GB disable eMMC 16GB v4.51
  HP Omen; i7-4710QH; 8 GB memory; 256 GB San Disk SSD; Win 8.1
  HP Photosmart 7520 AIO
  ++++++++++++++++++
  **Click the Thumbs Up+ to say 'Thanks' and the 'Accept as Solution' if I have solved your problem.**
  Intelligence is God given; Wisdom is the sum of our mistakes!
  I am not an HP employee.

• Secure boot Software Reset

  Hi All
  Is it posible in any way to allow a system reset when booted in secure boot mode?
  Our setup on Zynq 7020
  1) eFuse AES key set
  2) eFuse AES only set
  3) encrypted FSBL in QSPI flash
  4) Fully encrypted boot.bin including linux ramdisk loaded
  We need a method to reboot the system from linux once running, any attempt made results in a secure lockdown.
  What I would like to happen is basicaly a software triggered Power On Reset.
  Is this posible from within the Zynq?
  I haven't managed to find anything in the Technical Reference Manual
  Regards
  Alex
   

  I want to re-trigger the FSBL on a Zynq7020 after booting into a secure image using only software. Writing a 1 to register (PSS_RST_CTRL) results in a secure lockdown.
  My FSBL is:
  the_ROM_image:
    [aeskeyfile] aes.nky
    [encryption=aes, bootloader]FSBL.elf
  using the efuse AES key
  After booting the FSBL shows this:
  "User not allowed to do any system resets"
  This is from Xilinx's default FSBL
  Now once I have fully booted into linux, I want to reboot the device all the testing I have done results in secure lockdown. Now this may be the intended operation for a secure boot and it is imposible to do what I want without externaly triggering a Power On Reset.
  If anyone knows if this is possible please let me know.

• MJG's signed Shim for UEFI Secure Boot now available

  There have been a number of posts about EFI and Secure Boot recently, so I thought some people might be interested in this:
  http://mjg59.dreamwidth.org/20303.html
  That's Matthew Garrett's announcement of a signed binary version of his Shim boot loader. Basically, this program will boot on a computer with Secure Boot active in its default mode (with Microsoft's keys in the firmware) and then launch another boot loader (called grubx64.efi, although it could be something other than GRUB in that filename) that you sign with your keys. The end result is something that's more secure than disabling Secure Boot entirely and easier than installing your own Secure Boot keys. I haven't yet tried this version of the binary, so I can't provide help beyond pointing you to MJG's own blog, but I thought some people might want to know about it.
  FWIW, although you could sign and launch my rEFInd boot manager with this version of Shim, the current version (0.4.7) won't be very useful when signed in this way, since it doesn't yet "talk" to Shim. I'm working on changing that, so that rEFInd will launch binaries signed in a way that Shim supports.

  kristof wrote:A signed bootloader is nice, but unless the Arch developers start distributing a version of the kernel that's also signed with a MOK, secure boot isn't being fully utilized.
  Largely true, but:
  Secure Boot is here, and seems likely to stay. Given this fact, all Linux distributions (including Arch) need a way to cope with it. There are basically two choices: Provide instructions on how to deal with it (difficult because of system-to-system differences) or provide signed binaries (a boot loader at a minimum, or preferably a boot loader and kernel).
  It's possible to "provide" a signed binary by generating the key locally and signing it locally. This could be done by scripts in the installation process, for example. Of course, that still leaves a need to get the installer booted on a Secure Boot system, but that could be handled with the Linux Foundation's pre-bootloader.
  To be truly effective, Secure Boot really requires support all the way up the software chain. Signing a kernel does no good if the kernel can load unsigned modules, for instance. Fedora's taking steps to provide such security, but Ubuntu seems to be going with a more relaxed approach. In truth, Linux isn't as bothered by malware as is Linux, so it's unclear that going with a Fedora-esque approach is really helpful; but OTOH, it's conceivable that malware authors will start using Linux as a vector to install boot-time malware if Windows becomes sufficiently locked down, so maybe some paranoia is in order.
  At the moment and as a practical matter, technical Linux users (including most Arch users) will find it quicker and easier to disable Secure Boot than to use shim. As shim and various support tools (signing utilities, boot managers, etc.) mature, though, this may not be the case. It may also be desirable or even necessary to leave Secure Boot enabled, in which case adopting shim now may make sense. Likewise if you want to learn about it now so that you can use it in the future.

• MS-7325 Secure Boot an option?

  I am trying to upgrade to Win 8.1. Cant find Secure Boot as an option in the bios and install requires that it be enabled. I upgraded to the latest bios using live update. Still cant find it. Motherboard:  MS-7325 (Southbridge Edition).

  MS-7325 is K9N4 SLI. This ancient board neither uses a UEFI nor offers any Win8 features. Of course it doesn't support secure boot.

• [Request] UEFI Secure boot Bios for: GTX660

  My old motherboard died so i have replaced my computer, I now have:
  4690K
  32gig ram
  Asus Maximus hero Vii mobo.
  All set to using secure boot / UEFI.
  Have installed windows on a fresh GPT partition with secure boot and Im currently using the On Chip HD4600 graphics.
  My GTX660 is sat beside me on the desk. (It's *waving* , currently feeling neglected)   
  Im unable to boot to Win 8.1 with the card plugged in as the computer complains about a non UEFI device.
  Info from GFX card box:
  912-V287-001
  N660 TF 2GD5/OC
  PCI - E,N660,2G,GDDR5,Twin Frozr,OC,
  DL - DVI - I,DL - DVI - D,HDMI,DP,
  Power Cable,SLI
  S/N:602 - V287 - 04SB120902****
  I do not know the current BIOS on the card.
  1) As im currently unable to boot to windows with the card installed can the entire flash procedure be done from a DOS enviro?
  techpowerup.com/downloads/2257/nvflash-5-136 - I think it can.
  2) Can somone provide me with a suitable bios file please?
  3) Once I perform this flash will I be able to use this GTX660 an old non UEFI system? (I plan to sell this card on , and get a MSI GTX970 next paycheck)

  Use the attached.
  Decompress the provided .rar archive with Winrar: http://www.rarlab.com/download.htm
  Then flash the included file with Nvflash for dos: http://www.guru3d.com/files_details/nvflash_download.html
  To do so rename the included file to .rom and create a dos bootstick (https://forum-en.msi.com/index.php?topic=165175.0)
  Put nvflash and the vbios file on it and boot from the stick. Then type nvflash -4 -5 -6 gop.rom (if renamed vbios that way) and hit enter. Confirm the questions and let the tool flash
  Quote from: farrantcj on 06-June-15, 15:52:09
  3) Once I perform this flash will I be able to use this GTX660 an old non UEFI system? (I plan to sell this card on , and get a MSI GTX970 next paycheck)
  Old boards with a legacy bios will have no problem as the vbios is hybrid and can work in UEFI and legacy mode. Only older boards with a UEFI bios that is not GOP compliant might run into issues.