I'm trying to set up dual/multiboot on an UEFI laptop that came with Windows 8 installed. I'd like to operate with Secure Boot enabled. I can install/configure OS'es with SecureBoot disabled (but I won't operate in CSM mode). I'm OK with blowing out Windows 8, but eventually the laptop will need Windows 8 Pro (x64) installed to support my Windows Phone development gear.
I've read through Microsoft's documentation on UEFI and partitioning at Windows and GPT FAQ. I'm not clear on how many EFI System Partitions (ESP) can be present on a disk. Since the UEFI can authorize access to a particular partition, I think the following holds:
- Microsoft's platform key (PK) is loaded in UEFI
- MS PK allows to access to Microsoft partitions
- MS uses 4 partitions: ESP, MSR, Data, Recovery
- Boot to MS when the Boot Option is selected (enforced by UEFI)
Above, ESP is UEFI System Partition; MSR is Microsoft System Reserved for additional non-preboot files and OEM files; Data is for customary OS files loaded by the loader; and Recovery is just value added OS stuff.
If I add a Linux operating system's platform key to the Platform Key (PK) database, then I believe I would need (at minimum):
- Another ESP partition for booting/loading the Linux OS
- Another Data partition for the customary Linux OS files
The additional ESP would be required because UEFI will need boot/loader files signed under the PK for the particular Boot Option; and UEFI will not allow access to Microsoft's partitions when booting Linux's OS.
How many EFI System Partitions (ESP) can a computer have? Is multi-ESP correct?
Best Answer
You're operating under the misapprehension that PKs are tied to ESPs; they aren't. The Secure Boot cryptographic features require that individual boot loader files be signed, but those files are stored on ordinary FAT filesystems that are themselves not signed, encrypted, or otherwise cryptographically interesting. A signed boot loader file can be moved from one partition to another and continue to work just fine, at least from a Secure Boot perspective. (Moving such a file may cause it to fail because it's been separated from critical configuration files or the like, of course, but that's another matter.)
To more directly answer the question, the EFI specification imposes no limit on the number of ESPs that may be present on a computer or on a hard disk; you could have dozens of them if you wanted to, and that would be fine from the EFI's perspective. Unfortunately, Microsoft is not so flexible; Windows officially supports just one ESP per disk (maybe per computer; I'm a bit foggy on that detail). I don't know about Windows 8, but the Windows 7 installer will flake out if it sees more than one ESP on a disk; the installation will proceed part of the way and then fail. (At least, that's what it's done in my tests.) That said, if you create a second ESP after installing Windows, Windows will continue to boot and operate correctly, at least as far as I've seen. (I can't promise that it won't misbehave if you use some particular feature, though.)
Overall, then, in a multi-boot environment, I recommend restricting yourself to one ESP. I also recommend making it rather large -- 550MiB is my usual recommendation, for assorted technical reasons having to do with rare bugs and FAT sizes. That said, if you've got an existing installation with a smaller ESP, it's probably fine to just stick with it. In either case, Linux and Windows can share a single ESP just fine. I do, however, recommend backing it up early and often -- definitely back it up before installing a new OS. Because the ESP holds your boot loaders, an accidental erasure of it will render your computer unbootable.