Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

How to install Linux on a PC with Secure Boot enabled

Chris Hoffman | July 23, 2015
Eradicating Windows and slapping Linux on your computer sure isn't as easy as it used to be.


Eradicating Windows and slapping Linux on your computer sure isn't as easy as it used to be.

Modern Windows PCs produced after Windows 8's release have UEFI firmware with "Secure Boot" enabled. This helps protect against rootkits and other malware infecting the Windows boot loader, but it can also prevent Linux and other non-Windows operating systems from booting.

Some Linux distributions have had their boot loaders signed by Microsoft so they'll boot with no problems. But for many Linux distributions you'll have to disable Secure Boot before you can even boot a Linux distro from a USB drive.

Linux distros compatible with Secure Boot

PCs with Secure Boot check that the system's boot loader is signed by an approved key before booting from it. These PCs ship with Microsoft's keys preinstalled, so they're effectively checking Microsoft has signed the boot loader before allowing it to boot. Microsoft provides a signing service Linux distros can take advantage of, allowing them to boot on most Secure Boot-enabled PCs with no further configuration. The handful of Linux distributions that take advantage of this should boot with no problems and no further configuration on a PC with Secure Boot enabled.

There is one catch here. While Microsoft does sign Linux boot loaders with a Microsoft key, these boot loaders are signed with a separate key from the one Microsoft uses to sign Windows. PC manufacturers aren't required to include the Microsoft key for third-party UEFI applications as part of the Secure Boot specification, which means that these Linux distributions may not actually work on all Secure Boot PCs. But, in practice, most PC manufacturers do install this Microsoft key.

Modern versions of Ubuntu, FedoraopenSUSE, and Red Hat Enterprise Linux all "just work" without disabling or configuring Secure Boot. They use a small "shim" boot loader signed by Microsoft, which in turn confirms the main boot loader was signed by the Linux distribution before loading it. Some other smaller Linux distributions also use shim.

The Linux Foundation has released its own Secure Boot solution, which other Linux distributions would be free to use instead of shim. Matthew Garrett pledged to work on combining the Linux Foundation's solution and shim to create one standard boot loader all Linux distributions can take advantage of. Work is ongoing on making this easier for Linux distributions, and all Linux distributions can support Secure Boot-enabled PCs with a bit of work already.

How to disable Secure Boot

Microsoft requires all PCs shipped with Windows 8 and 8.1 let you disable Secure Boot. However, Microsoft changed its rules with Windows 10. Windows 10 PCs may or may not provide you with a way to turn off Secure Boot--that's up to each PC's manufacturer.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.