Linux – Disable secure boot in Linux – no Windows

linux uefi

I just made a potentially costly mistake: nuked and repaved a brand new Lenovo Yoga 500 with Linux… without booting into Windows to disable SecureBoot explicitly. The user didn't want to accept the EULA, and we successfully booted from a USB key (Ubuntu MATE 15.10, Ubuntu w/Unity 15.04), so we thought we would just go ahead.

I imagine I would need to go through a system that has a SecureBoot signature – that is, find such a distro, install it, disable SB there, then re-install our preferred system.

Is this the correct way? Which distros would work? We tried installing and booting into Ubuntu Unity 15.04 (which is supposed to have the appropriate signature), but after install and reboot, I get a screen with just boot options, one of which is the HDD. If I select it, it just re-prompts me at the same screen.

Given that Windows has been obliterated at this point, what options do I have?

Best Answer

My suspicion is that your problem is not related to Secure Boot. Ubuntu, which you say you installed, supports Secure Boot. So do Fedora, OpenSUSE, ALT, and several others. That said, there are known problems, mostly with flaky EFIs; but these problems would normally prevent the installation medium from booting, so you wouldn't have gotten as far as you have if Secure Boot were the problem.

Your boot options screen doesn't show an entry for Ubuntu, which suggests another problem: Something went wrong with your boot loader installation. You should be able to launch the Ubuntu installer, but select the "try before installing" option, in order to investigate. The Linux efibootmgr command lets you set boot loader options. There are several tutorials and references on this command on the Internet, but I know of none that's really ideal for your circumstances. Still, you might want to read:

Also, keep in mind that your boot loader is probably already installed to the EFI System Partition (ESP), which is a FAT partition that's probably the first or second one on your disk. The Ubuntu boot loader should be EFI/ubuntu/grubx64.efi on that partition; however, to work with Secure Boot, GRUB must be launched by a program called Shim (shimx64.efi, normally). Thus, to create an entry for GRUB with efibootmgr, you'd refer to Shim, as in:

sudo efibootmgr -c -d /dev/sda -p 1 -l \\EFI\\ubuntu\\shimx64.efi -L "ubuntu"

This should create an entry, although you may need to adjust some details. Several things can go wrong with this, though, and one of them may explain your problem:

  • If the installer couldn't write the files to the ESP, the entry created by efibootmgr will be useless. Such a problem could happen because of improper partitioning (particularly if you manually partitioned and didn't know you had to create an ESP), because of a random disk error, etc. If this is the source of your problem, you'll need to use something like Boot Repair to re-install GRUB.
  • Some EFIs have bugs that cause them to "forget" or ignore the entries created by efibootmgr. If this happens, you may be able to create an entry, but there will be no trace of it when you reboot. This problem is best dealt with by replacing the faulty computer, but awkward workarounds involving renaming the boot loader will work if this isn't possible. Lenovos don't normally suffer from this problem, fortunately.
  • Removing a disk and powering on the computer sometimes causes NVRAM entries for no-longer-valid entries to disappear. This is probably intended as a helpful feature, but it's a pain if you regularly unplug your disks for any reason. This is unlikely to be a factor for your laptop, but I thought I'd mention it anyhow.

To more directly answer your question, Secure Boot is disabled in the firmware, not in Windows. (In fact, if you could disable it from Windows, that would defeat the point of it, since malware would just do it that way.) Details vary greatly from one computer to another, so it's hard to provide step-by-step instructions. Nonetheless, I provide such instructions for four systems on this page. With any luck, your system will be similar to one of them, should you actually need to do this.
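
A diagnostic sketch for the check the answer describes, added here as an example and not part of the original answer: it reads `efibootmgr -v` output and reports whether the entry for a given label exists, is active, is in BootOrder, and launches Shim rather than GRUB directly. The function names `classify_entry` and `sample_output` are hypothetical, and the sample firmware output is constructed.

```shell
#!/bin/sh
# Added example. Reads `efibootmgr -v` output on stdin and prints one of:
#   missing | inactive | not-in-bootorder | shim-ok | grub-direct | other-loader
classify_entry() {
    awk -v want="$1" '
        /^BootOrder:/ { order = "," toupper($2) "," }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ]/ {
            rest = substr($0, 10)
            sub(/^[ \t]+/, "", rest)
            split(rest, parts, "\t")        # label, then tab, then device path
            if (parts[1] != want) next
            found  = 1
            num    = toupper(substr($0, 5, 4))
            active = (substr($0, 9, 1) == "*")
            path   = tolower(rest)          # FAT paths are case-insensitive
        }
        END {
            if (!found)  { print "missing";  exit }
            if (!active) { print "inactive"; exit }
            if (index(order, "," num ",") == 0) { print "not-in-bootorder"; exit }
            if (index(path, "\\efi\\ubuntu\\shimx64.efi")) { print "shim-ok"; exit }
            if (index(path, "\\efi\\ubuntu\\grubx64.efi")) { print "grub-direct"; exit }
            print "other-loader"
        }'
}

# Constructed sample output; $1 is the loader file name to place in the entry.
sample_output() {
    printf 'BootCurrent: 0001\n'
    printf 'BootOrder: 0002,0001\n'
    printf 'Boot0001* USB HDD\tPciRoot(0x0)/Pci(0x14,0x0)/USB(1,0)\n'
    printf 'Boot0002* ubuntu\tHD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)/File(\\EFI\\ubuntu\\%s)\n' "$1"
    printf 'Boot0003  fedora\tHD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)/File(\\EFI\\fedora\\shimx64.efi)\n'
}

# An entry that points at GRUB directly will not chain through Shim.
sample_output grubx64.efi | classify_entry ubuntu
sample_output shimx64.efi | classify_entry ubuntu
```

From the live session, feed it real data with `sudo efibootmgr -v | classify_entry ubuntu`; a result of `missing` matches the symptom in the question, where the boot menu shows no Ubuntu entry.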