disabling secure boot

6 Antworten [Letzter Beitrag]
chaosmonk

I am a member!

I am a translator!

Offline
Beigetreten: 07/07/2017

Yesterday I tried booting Trisquel 8 on a friend's Acer Aspire running Windows 10. I was unable to do so, due to Secure Boot. I tried disabling Secure Boot using guides like these,

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/disabling-secure-boot
https://www.appgeeker.com/recovery/disable-uefi-secure-boot-in-windows-10.html

all of which advise booting into recovery boot and disabling Secure Boot in the BIOS settings. However, all security settings, including Secure Boot, were greyed out. I found one source that suggested switching from UEFI to Legacy mode, but after doing so she was unable to boot into Windows. I promptly switched back to UEFI mode, afraid of screwing up her system.

I completely agree with the decision described here

https://trisquel.info/en/forum/trisquel-8-codename-flidas-release-candidate-ready-testing#comment-130639

not to have T8 signed by Micro$oft, because f*ck them. However, this makes it challenging to install Trisquel on newer computers. Ideally we'd have our own documentation page on disabling Secure Boot, but this would take the contributions of many users, as it would have to be tested on a variety of PCs by every manufacturer. Does anyone know of a resource that has already started compiling this information?

vita_cell
Offline
Beigetreten: 07/19/2015

UEFI crap is handcuffs for any user, it really doesn't protect user from anything, it just f**k it up. And Windows 10 is the worst Windows for far. Windows 10 it is an adware, and virus inside, also you can get easily infected by third patry malware. And remember, using Windows 10 you are working as betatester for Microsoft.

Worst option: try to downgrade the Windows version, if you really need Microsoft's crap

better option: remove Microsoft OS (way better), and learn to use Wine if you really need to use some Windows program

best option: computer with Coreboot or Libreboot, if you really need the powerful optiond, buy some Ivy or Sandy based notebook or board listed on Coreboot compatible list, but remember Sandy and Ivy bridge work only with non-free software which is Intel's ME. If you don't need powerful computer, Librebooted computer is the most libre and way better option. With Libreboot computer you will run your hardware without Intel's ME. Also with Coreboot or Libreboot you avoid the crappiest crap which is UEFI.

If we want to change the world, stop using non-free software (like Windows10). It's the first big step.

chaosmonk

I am a member!

I am a translator!

Offline
Beigetreten: 07/07/2017

> UEFI crap is handcuffs for any user, it really doesn't protect user
> from anything, it just f**k it up. And Windows 10 is the worst
> Windows for far. Windows 10 it is an adware, and virus inside, also
> you can get easily infected by third patry malware. And remember,
> using Windows 10 you are working as betatester for Microsoft.

You're preaching to the choir.

> Worst option: try to downgrade the Windows version, if you really
> need Microsoft's crap

I have found guides on reverting to Windows 7 from 10 or 8 if the PC had 7 installed previously. However, Secure Boot is a problem for PCs that came with 10 or 8 installed. Ironically, it seems that in this case Windows 7 cannot be installed without first disabling Secure Boot[1], so this isn't a solution.

> better option: remove Microsoft OS (way better), and learn to use
> Wine if you really need to use some Windows program

Typically I would do this by booting into a live Trisquel USB, wiping the disc and installing Trisquel, but this is exactly what Secure Boot is preventing me from doing, so this is not a solution either unless (1) it is possible to uninstall Windows completely without disabling Secure Boot and (2) doing so will disable Secure Boot. I can't find confirmation of either. Even if it can work, this is not ideal for users who would prefer to temporarily leave their Windows system intact while they get used to their new system.

> best option: computer with Coreboot or Libreboot, if you really
> need the powerful optiond, buy some Ivy or Sandy based notebook or
> board listed on Coreboot compatible list, but remember Sandy and
> Ivy bridge work only with non-free software which is Intel's ME. If
> you don't need powerful computer, Librebooted computer is the most
> libre and way better option. With Libreboot computer you will run
> your hardware without Intel's ME. Also with Coreboor or Libreboot
> you avoid the crappiest crap which is UEFI.

I think you have misunderstood my question. I'm running Trisquel on a librebooted X60 and have no desire to touch Windows. My goal is to be able to help others migrate from Windows to GNU/Linux. Not all of them will have the money or willingess to purchase a new computer, in which case I cannot help them install GNU/Linux if Secure Boot is enabled. This is why I would like to know how to disable Secure Boot.

[1] http://www.blogtechtips.com/2015/04/29/how-to-downgrade-to-windows-7-from-windows-8-1disable-secure-boot/

ADFENO
Offline
Beigetreten: 12/31/2012

2018-04-26T20:58:29-0700 name at domain wrote:
> all of which advise booting into recovery boot and disabling Secure
> Boot in the BIOS settings. However, all security settings, including
> Secure Boot, were greyed out. I found one source that suggested

I recently found out that some computers will accept only UEFI ("Secure
Boot" or "Restricted Boot"? I don't know, UEFI can be any of these two,
that is it can be either good or bad for software freedom,
respectively).

These computers are called "UEFI-only", you can make a UEFI-only live
media (or install media) by following Trisquel's documentation section
with similar name ([1]). Note however what jxself said about needing to
manage the trust keys in the UEFI.

[1] https://trisquel.info/en/wiki/how-create-liveusb#toc3 . For those
reading this years later: if the anchor identity target ever changes,
the section title is "UEFI-only USB (7zip in GNU/Linux)".

--
- Formas de contato: https://libreplanet.org/wiki/User:Adfeno#vCard
- Ativista do /software/ livre (não confundir com gratuito). Avaliador
da liberdade de /software/ e de /sites/.
- Arquivos que aceito: https://libreplanet.org/wiki/User:Adfeno#Arquivos
- Contribuições à sociedade:
https://libreplanet.org/wiki/User:Adfeno#Contributions
- Gosta do meu trabalho? Contrate-me ou doe algo para mim!
https://libreplanet.org/wiki/User:Adfeno#Suporte
- Use comunicações sociais federadas padronizadas, onde o "social"
permanece independente do fornecedor. #DeleteWhatsApp. Use #XMPP
(https://libreplanet.org/wiki/XMPP.pt), #DeleteFacebook
#DeleteInstagram #DeleteTwitter #DeleteYouTube. Use #ActivityPub via
#Mastodon (https://joinmastodon.org/).
- #DeleteNetflix #CancelNetflix. Evite #DRM:
https://www.defectivebydesign.org/

chaosmonk

I am a member!

I am a translator!

Offline
Beigetreten: 07/07/2017

> I recently found out that some computers will accept only UEFI ("Secure
> Boot" or "Restricted Boot"? I don't know, UEFI can be any of these two,
> that is it can be either good or bad for software freedom,
> respectively).

Secure Boot, which makes installing free systems difficult, is certainly better than Restricted Boot, which makes it impossible, but both seem bad for software freedom.
>
> These computers are called "UEFI-only", you can make a UEFI-only live
> media (or install media) by following Trisquel's documentation section
> with similar name ([1]). Note however what jxself said about needing to
> manage the trust keys in the UEFI.

If this is the recommended method for installing Trisquel on a computer with Secure Boot, then this page[1] or a subpage should explain how to manage the trust keys. I figure it out I'll add a subpage to the documentation, but if anyone already has knowledge of how to manage UEFI keys I'd appreciate guidance. I think this page[2] might contain the information I need, but it's a little over my head and will take me a while to work through.

[1] https://trisquel.info/en/wiki/how-create-liveusb
[2] https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance

nadebula.1984
Offline
Beigetreten: 05/01/2018

Once I had an Acer notebook. I had to first setup a supervisor password before I could change other security settings including Secure (Restricted) Boot.

For more information, see the "Secure Boot vs. Restricted Boot" campaign at FSF:

https://www.fsf.org/campaigns/campaigns/secure-boot-vs-restricted-boot

john.rook
Offline
Beigetreten: 04/08/2018

Yes, I very recently had to disable restricted boot on a new low end Acer Aspire 1 (32gig memory, small processor & very basic construction).

I too had to set up a supervisor password to change the security settings so the USB would boot. Its not enough to just get the USB to boot, you have to go into the security panel to disable secure boot which requires setting up a password.

For the Acer Aspire 1 was just a matter of presing down F2 & then switching it on, which took me into the place I needed to go.

USB was pendrive linux & I tried Etcher, both worked.