[GTALUG] UEFI adventures [was Re: Advice -- Building Debian 8 PC To Replace Win XP PC; ]

D. Hugh Redelmeier hugh at mimosa.com
Mon Aug 1 13:06:25 EDT 2016


| From: "Steve Petrie, P.Eng. via talk" <talk at gtalug.org>

| ----- Original Message ----- From: "o1bigtenor" <o1bigtenor at gmail.com>

| > I cannot speak to whether or not it is actually supported but I can tell you
| > that you can install Linux (Debian in my case) on a system with both
| > secure boot and UEFI.
| >
| 
| You are correct -- according to the debian 8 docs, there is (improved) UEFI
| support in debian 8. It is the secure boot that is not supported.

Here's my understanding.  I could be wrong about some details.

Secure boot requires a signed bootloader.  The signing can be by any
private key that matches the public keys known by the UEFI firmware.
Out of the box, the only such key is owned by Microsoft.

Linux distros have gotten a signed-by-Microsoft bootloader.  I think
that there is only one such bootloader.  It is used by Suse, Ubuntu,
Fedora, and Red Hat (at least).  So all those can be used with Secure
Boot enabled.

Currently, all PCs that get Windows branding (i.e. essentially all
PCs) have to allow additional keys to be added to the firmware.  But
it must be a manual process so that malware cannot add keys.  I, as a
human, don't wish to type in a key (I imagine 256 or more hex digits).

Currently, all PCs that get Windows branding have to allow Secure Boot
to be turned off.  But it must be enabled by default.

These two rules appear to me to be promulgated by Microsoft to avoid
anti-monopoly scrutiny.  Further evidence for this theory: Microsoft
took the opposite approach for Windows RT which was in a market that
they did not dominate.

| > (My system was in for warranty repair and when I got it back the main
| > system disc had been replaced. As well the windows boot manager had
| > been enabled (and used), all this even though I had had Debian (testing)
| > installed previously.

Of course: warranty repair that involves replacing a disk drive will
give you back the system as it was born: a fresh install.  Anything
else is too expensive for them to accomplish.

If you bought your system from a small integrator, anything is
possible, but it is pretty labour-intensive for him to recreate your
disk.  That's what your backups are for, right?

PC warranties are essentially about the hardware.  Software is pretty
much out of anyone's control.  I've tried to get support for software
and it has almost always been hopeless UNLESS I've made a really
stupid and obvious mistake (it happens).

Googling is the best software support there is provided you are
reasonably knowledgeable.  Of course "reasonable" is subjective.

| So, is it a correct presumption that, when you got the system back from
| warranty repair, the new main system disk had been configured with a PC
| seller's "standard" Microsoft Windows installation, setup to secure boot only
| windows, through the windows boot manager?

Surely.

In fact, for security reasons, I try to wipe any disk that I return
for warranty support.

| I am hoping that it will be feasible for me to specify to the PC system
| builder, both: 1. HDD partitioning configuration (there's only one HDD), and
| 2. multi-boot setup (ready for a drop-in debian 8 installation). So the debian
| installation I will do myself, requires minimal messing with the boot setup.

I think that you are overly limiting the pool of suppliers with this
requirement. And for not much of a win.

| > This was not straightforward but I was able to get
| > things to where I wanted them. Had to disable the windows boot manager
| > and use the UEFI disc configuration (gpart/gparted is your friend here!)
| > and then determine how to work through the secure boot malaise.
| > What I did I don't remember
| 
| Too bad you don't remember.

Sadly there are many variants to this.  One recipe won't work.  But
the ideas carry over.  This is where experience, not just theory, is
useful.  I have a modest number of scars in this area.

This is actually a small area.  Not that much lore.  Just no
particularly good source (as far as I know).

I don't think any of this is documented in a way you can just read
about it.  But at least you know that there must be a way through the maze.

| The "odyssey" part I can relate to. I like to refer to those kinds of
| struggles as "character building".

More like Theseus (Labyrinth) than Odysseus.

| My preferred scenario has the PC system builder delivering the new PC, with
| Microsoft Windows 7 (OEM) installed to boot onto bare metal, but with a
| pre-agreed HDD partitioning and multi-boot setup, so it's a straightforward
| drop-in installation task, for me to add a debian 8 Linux, that also boots
| onto bare metal. The idea is to avoid wiping the windows installation and boot
| setup, as delivered by the PC system builder, so as to keep the system builder
| committed to my mental health 

Essentially any conventional PC can be wrangled to run Debian UNLESS
it has as-yet-unsupported hardware.  Most system integrators don't
know how.  At least some of us in this community do and are willing to help.

Unsupported hardware is rare, but I will mention exceptions that I know:

- video cards can be tricky, especially new models

- Intel has screwed up on some bits of support for some current Atom-family
  processors (but you were not considering those)

- the latest family of Intel processors ("Skylake") have some minor
  surprises that are still being worked out.

You really want to be able to do this stuff yourself so that you can
recover from system failures.  What better way to learn than before
you have anything important on your system?

| To add complication, I would like, once the new PC is booting debian Linux
| from the HDD onto bare metal, to improve performance by providing for debian to
| boot (mostly) from a "shadow" copy on the HDD, and then do all subsequent
| dynamic loading of debian components, from the SSD.

I generally consider my OS disposable.  So I keep it on the SSD.  That
makes it much more responsive.  No backup: I can easily recreate it.

I lean towards keeping my data on the HDD.  I don't do data-intensive
things.  Backing it up is important.

SSD failures seem to be more sudden than HDD failures.
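The firmware state Hugh describes above (Secure Boot on by default, switchable off, extra keys only enrollable by hand) can be read from a running Linux system without rebooting into the firmware menu. The script below is an added example written for this page; it is not code from the original thread or from any distribution's installer. It assumes efivarfs is mounted at /sys/firmware/efi/efivars (the Linux default; the EFIVARS variable is an assumed override for testing against captured files) and decodes the SecureBoot and SetupMode variables, whose names and vendor GUID are fixed by the UEFI specification. SetupMode is the state with no Platform Key enrolled, in which the key databases can be rewritten, which is where a user has to be to add their own signing key.

```sh
#!/bin/sh
# Added example (not from the original thread): decode the UEFI
# SecureBoot and SetupMode variables via efivarfs.  Each efivarfs file
# is a 4-byte little-endian attribute word followed by the variable's
# data; for these two variables the data is a single byte (0 or 1).

# Assumption: efivarfs is mounted here (the Linux default); override
# with EFIVARS=/some/dir to run against captured copies of the files.
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}

# EFI_GLOBAL_VARIABLE vendor GUID, shared by SecureBoot and SetupMode.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte FILE
# Print the first data byte of an efivarfs file in decimal, skipping the
# 4-byte attribute header.  Fails (status 1) if the file is unreadable,
# which is what happens on a legacy-BIOS boot or with efivarfs unmounted.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# secureboot_state [DIR]
# Classify the platform from its variables.  Prints one of:
#   no-uefi     SecureBoot variable absent (legacy boot / no efivarfs)
#   setup-mode  no Platform Key enrolled; db/KEK may be rewritten freely
#   enabled     Secure Boot enforcing: bootloader must be signed by a db key
#   disabled    UEFI boot, but signature checking switched off
secureboot_state() {
    dir=${1:-$EFIVARS}
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL") || { echo no-uefi; return; }
    sm=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL") || sm=0
    # Setup Mode takes precedence: the firmware enforces nothing until
    # a Platform Key is enrolled, whatever SecureBoot itself says.
    if [ "$sm" = 1 ]; then
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Report the live system when run as a script.
echo "Secure Boot: $(secureboot_state)"
```

The efivarfs files are world-readable, so no root is needed to check the state; a machine booted in legacy BIOS mode has no such variables and is reported as no-uefi. An "enabled" result is the situation the thread describes: the installer's bootloader must carry a signature the firmware's db trusts, or Secure Boot must first be switched off.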