Booting into Linux on Windows 8 Secure Boot-equipped hardware

Category: Linux

When news about Secure Boot came out and fears of Linux users being kicked out as an alternate OS started, I wasn't apprehensive. I had full faith that the Linux community would resolve the issue quickly and with panache. At any rate, if you've purchased hardware preinstalled with Windows 8 and can't seem to boot using your beloved LiveCD or LiveUSB, you can try a workaround via the BIOS. You won't reap the purported benefits of Secure Boot, but you'll be running openSUSE and Knoppix in no time.

Disclaimer: The steps outlined here do not apply to all hardware. It really depends on how the hardware manufacturer implemented Secure Boot on the firmware. For more information about Secure Boot and its relationship with open-source operating systems, visit this article for a brief overview.




I tested the procedure below with an openSUSE 12.2 LiveCD and a Knoppix 6.5 LiveUSB. The two motherboards were running an American Megatrends non-GUI Aptio BIOS and the more common GUI UEFI BIOS.



  1. Boot to the BIOS and click the Boot tab. Access the item Secure Boot.
  2. In most cases, the BIOS will not provide an option to disable it. Look for an item related to OS Type.
  3. The option for OS Type is normally on Windows 8 UEFI by default or Windows UEFI if the hardware came with Windows 8 or was designed for Windows.
  4. Change OS Type to Other OS or Legacy OS.
  5. Save the BIOS settings and reboot the system with the Linux LiveCD inserted or the LiveUSB connected.

If the process fails, the motherboard or system will bring up the BIOS on boot until you switch back to Windows UEFI or default to Windows if Windows is available. On the rare occasion Secure Boot was implemented poorly, the system won't boot to either the OS or the BIOS. The system will just freeze on the manufacturer's logo. In that case, clear the RTC of the motherboard using the recommended process from the manufacturer to reset your BIOS.
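
Once the live session is up, you can confirm what the OS Type change actually did. The script below is an added example, not part of the original procedure: it reports whether the running Linux was started through legacy boot or UEFI, and whether Secure Boot is being enforced, by reading the standard `SecureBoot` and `SetupMode` EFI variables from efivarfs. The `boot_state` and `efivar_byte` function names and the optional sysfs-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report boot mode and Secure Boot state from a running Linux session.
# The sysfs root is a parameter (an assumption, so the logic can be exercised on a
# constructed directory tree); on a real system it defaults to /sys.

# GUID of the EFI global variable namespace defined by the UEFI specification.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the one-byte payload of an efivarfs variable as a decimal number.
# efivarfs files start with 4 attribute bytes, so the value is the 5th byte.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

boot_state() {
    sysfs=${1:-/sys}
    vars="$sysfs/firmware/efi/efivars"

    # No firmware/efi directory: the kernel was started through legacy/CSM boot,
    # so Secure Boot did not verify anything on this boot.
    if [ ! -d "$sysfs/firmware/efi" ]; then
        echo "legacy-bios"
        return 0
    fi

    sb=$(efivar_byte "$vars/SecureBoot-$EFI_GLOBAL_GUID") || sb=unknown
    setup=$(efivar_byte "$vars/SetupMode-$EFI_GLOBAL_GUID") || setup=unknown

    case "$sb:$setup" in
        1:*) echo "uefi secure-boot=enforcing" ;;
        0:1) echo "uefi secure-boot=off setup-mode" ;;  # no Platform Key enrolled
        0:*) echo "uefi secure-boot=off" ;;
        *)   echo "uefi secure-boot=unknown" ;;         # efivarfs missing or unreadable
    esac
}

boot_state "$@"
```

If the result is `uefi secure-boot=unknown`, efivarfs is probably not mounted; mount it at `/sys/firmware/efi/efivars` and run the script again.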




If you haven't purchased your new Windows 8 machine, I recommend bringing along a Linux LiveUSB or LiveCD (preferably loaded with the most updated Linux kernel) when you go to the store. Check the BIOS and boot into Linux. Test your favorite Linux distribution on your selected machine even if you're not buying a desktop/laptop without a preinstalled operating system.

Comments

  1. This comment has been removed by a blog administrator.

  2. I think that Secure Boot is extremely good technology that is being poorly implemented. It should be disabled by default on all systems, and the owner of the computer should have full control. I believe that the way Secure Boot is being used on new Windows 8 machines is anti-competitive and contrary to the DOJ ruling against Microsoft from 2001. I have started a petition on WhiteHouse.gov to have a new investigation started. The petition is here: http://wh.gov/Rt33

  3. Hi... I'm a student from Informatics engineering. Nice article,
    thanks for sharing :)

  4. The Asus 1015E BIOS provides no way to disable RESTRICTED BOOT. So you can only use it with the originally installed OS it came with. You can never upgrade it. You can never put another OS on it.

    I bought the -DS3 model, which came with Ubuntu, to avoid paying the Windows tax.

    I installed OpenBSD on mine, and it won't boot from the hard drive. It will boot from other devices, such as PXE, CD-Rom. I booted OpenBSD 5.3 via PXE, and I could boot a Linux rescue CD from a USB CD-Rom. But it WON'T boot from the hard drive.

    So this machine is now a fscking BRICK!!!

    It is truly RESTRICTED BOOT, and not secure boot. Our worst fears about the Microsoft Monopoly are indeed coming true. They are clearly denying the ability to install and use alternate OSes.

    It was fairly easy to use a Linux version of gdisk to wipe out the GPT partition tables (use the x option), and fdisk to re-install a traditional Master Boot Record (MBR) and MBR partitions. It was easy to install OpenBSD 5.3. OpenBSD was happy at the end of install, but it wouldn't boot. (This is NOT the fault of OpenBSD! It is the fault of RESTRICTED BOOT (secure boot).)

    OpenBSD 5.3 would not recognize either the Atheros wired ethernet, nor the Broadcom wireless 802.11 -- but I was OK with that, as I intended to use the machine for secure crypto only, air-gapped, and never connected to the internet. Recent Linux versions would not recognize the Atheros wired ethernet, but the Broadcom wireless did work with them. I booted OpenBSD 5.3 with PXE (the BIOS made the Atheros wired ethernet work), and installed it with an old USB-to-Ethernet adapter (axe0 in OpenBSD). However, after installing, it would never boot, due to the RESTRICTED BOOT (secure boot) in the Aptio (AMD) BIOS. It was not possible to disable secure (restricted) boot. There was no Compatibility Support Module (CSM) option in the BIOS, nor was there a method to disable RESTRICTED BOOT (secure boot), nor to enable legacy boot. So the laptop is bricked (unless I restore the entire disk image I previously saved before I started). In any case, it is useless for my purposes.

    keywords: Asus 1015E 1015E-DS3 Ubuntu "AMD Bios" "Aptio BIOS" UEFI EFI GPT MBR "secure boot" "restricted boot" "won't boot" "can't disable secure booting" "can't disable restricted booting" "Compatibility Support Module (CSM)" "legacy boot"

  5. Does this work with installing Windows 7 on Windows 8? After I format the HDD, of course.
