I read here that it is essential to have Secure Boot enabled:
However, I find that when I enable Secure Boot, it changes it so that systems can boot with UEFI boot, but not Legacy; it also disables CSM. However, when I then try to boot my system, I get 3 different start things that I can boot from:
- ATAPI CD1: PLDS DVD-RW DS8A8SH
- ATA HDD0: TOSHIBA MK5065GSX
> PCI LAN
- LAN(3C970E7102F6) -IPv4
- LAN(3C970E7102F6) -IPv6
But no matter which of them I choose, I just get back to that screen and cannot boot. Then the only way is to go to the other tab and select Setup, go back into BIOS, and disable Secure Boot, and then say that both Legacy and UEFI are supported in the Setup options (as just disabling Secure Boot does not work).
So I am assuming that my current and only OS, Ubuntu GNOME 15.04 (64-bit), does not support UEFI boot, and only Legacy. So is there anything that I can do about this so that I can enable Secure Boot? And why does it only support Legacy anyway? And just as a quick note, this didn't work when I had Windows 7 (a long long time ago in a galaxy far far away…) either.
Best Answer
Boot loaders are written for the computer's firmware. This is analogous to software, which is written for a particular OS. Thus, you don't "convert... the bootloader to UEFI"; that would be like "converting the mail client to Windows" or "converting the photo editor to Linux." Instead, you install a new program for the desired environment. In some cases, the new program may have the same name as the old one (as in Thunderbird or GIMP, which are available for both Windows and Linux; or GRUB 2, which is available for both BIOS and EFI). In other cases, there are OS- or firmware-specific programs, such as efibootmgr (a Linux-specific tool) or rEFInd (an EFI-specific boot manager).
If your computer is currently booting in BIOS/CSM/legacy mode, then to boot in EFI mode, you must do several things:
EFI/BOOT/bootx64.efi), which most tools won't do by default. Thus, an MBR-to-GPT conversion is desirable. This can be done fairly painlessly with my gdisk program (which is installed in Ubuntu by default), as described here.
Note that in a Linux installation, the only truly critical software difference between a BIOS-mode and an EFI-mode installation is the boot loader. Thus, switching from BIOS-mode to EFI-mode booting doesn't require additional software changes. (In practice, installing an EFI-mode GRUB is likely to pull in some other related packages, like efibootmgr. These are indeed helpful, but not critical for booting.) There are no changes to the kernel, C libraries, shells, GUI, or other core tools required under EFI compared to BIOS. As I've written above, partitioning will need to be adjusted, but that doesn't require any software changes. Secure Boot requires Shim, PreLoader, or special custom setups; and depending on the boot loader, a signed kernel may be required.
As you might gather from this, Ubuntu should work fine with Secure Boot. (There are occasional exceptions because of finicky EFIs, though. Also, using Secure Boot makes it easier to misconfigure something so that it breaks.) When doing a fresh install with Secure Boot active, it should all be pretty transparent. When you do a conversion from an existing BIOS-mode installation, you're more likely to run into problems, since conversion tools don't really exist (unless you count Boot Repair, which does only part of the job). Thus, you'll end up doing more manually, which means there's more room to miss a step or make a mistake.
For more information on Linux and Secure Boot, read my main Web page on the subject, which covers basic principles and typical configurations. If you want to go really hard-core with a custom Secure Boot configuration, read my page on taking complete control of Secure Boot. This describes how to configure the system to boot with Secure Boot active but without Shim or PreLoader, and in a way that enables you to lock Microsoft tools out, if you so desire.
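Before attempting the BIOS-to-EFI conversion discussed in the answer, it helps to know what the system looks like now. The following is an added example, not code from the answer or from any of the tools it names: it classifies a disk's first two sectors as MBR or GPT and reports whether the running kernel was started in legacy or EFI mode and whether Secure Boot is on. It assumes 512-byte logical sectors and a device name of /dev/sda; the sample disk heads are constructed for the self-check.

```python
import sys
from pathlib import Path
from typing import Optional

SECTOR = 512  # assumption: 512-byte logical sectors
SB_VAR = Path("/sys/firmware/efi/efivars/"
              "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")

def partition_scheme(head: bytes) -> str:
    """Classify the first two sectors of a disk as 'gpt', 'mbr' or 'none'."""
    if len(head) < 2 * SECTOR:
        raise ValueError("need the first 1024 bytes of the disk")
    if head[510:512] != b"\x55\xaa":           # MBR boot signature
        return "none"
    types = [head[446 + 16 * i + 4] for i in range(4)]  # partition type bytes
    # GPT = protective MBR entry (type 0xEE) plus "EFI PART" header at LBA 1
    if 0xEE in types and head[SECTOR:SECTOR + 8] == b"EFI PART":
        return "gpt"
    return "mbr"

def boot_mode(efi_dir_present: bool, sb_var: Optional[bytes]) -> str:
    """Map /sys/firmware/efi presence and the SecureBoot variable to a mode."""
    if not efi_dir_present:
        return "legacy"                        # kernel was started via BIOS/CSM
    if sb_var is None or len(sb_var) < 5:
        return "efi"                           # no readable SecureBoot variable
    # efivarfs prepends 4 attribute bytes; the value is the fifth byte
    return "efi+secureboot" if sb_var[4] == 1 else "efi"

def sample_disk(gpt: bool) -> bytes:
    """Constructed 1 KiB disk head for the self-check (not real disk data)."""
    head = bytearray(2 * SECTOR)
    head[510:512] = b"\x55\xaa"
    head[446 + 4] = 0xEE if gpt else 0x83      # protective entry vs. Linux partition
    if gpt:
        head[SECTOR:SECTOR + 8] = b"EFI PART"
    return bytes(head)

if __name__ == "__main__":
    disk = sys.argv[1] if len(sys.argv) > 1 else "/dev/sda"  # assumed device name
    with open(disk, "rb") as f:                # needs root for a real device
        scheme = partition_scheme(f.read(2 * SECTOR))
    var = SB_VAR.read_bytes() if SB_VAR.exists() else None
    mode = boot_mode(Path("/sys/firmware/efi").exists(), var)
    print(f"{disk}: partition table {scheme}, booted in {mode} mode")
```

A result of "mbr" together with "legacy" matches the situation in the question: the disk and boot loader are set up for BIOS-mode booting, so enabling Secure Boot leaves the firmware with nothing it can start.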