mjg59 | The current state of UEFI and Linux

Executive summary: Most things work fine.

Things we know are broken:

Some Samsung laptops. The samsung-laptop driver is a slightly weird thing. By 2010 (when it first appeared) most vendors had moved over to using some level of firmware abstraction, either using ACPI or WMI. Samsung still seemed to be stuck around a decade earlier - they were providing a region of memory at a known address, and you'd read that address to find a bunch of offsets. Then you'd write magic values based on those offsets to magic system IO ports based on those offsets and something would happen. Those writes were triggering System Management Mode, a special x86 CPU mode where the processor executes code from memory that the OS can't see, without telling the OS that it's doing so. There's nothing especially new in this (SMM first appeared in the 386sl back in 1990), but it also means that you depend on the system vendor not changing the interface without telling you. Turns out that Samsung apparently changed their platform interface when they moved to UEFI, but didn't actually do anything to prevent old drivers from breaking things - performing exactly the same series of accesses on some modern Samsung laptops gives an uncorrectable machine check exception (in the best case) or destroys your firmware (in the worst case). Given that the driver was written to Samsung's specifications, this is pretty obviously Samsung's fault, but that's probably little consolation to anyone who ended up with a dead laptop. Although, given Samsung's track record, this may not be surprising.

On the bright side, some of the machines that are affected by this predate Secure Boot, so at least it's not a Secure Boot bug.
Some Toshibas won't boot Linux. This turns out to be some staggering incompetence on the part of Toshiba (or, more likely, their third-party vendor) - they managed to leave the signing key out of the database that's used to validate binaries, and managed to leave the signature database signing key out of the database that's used to provide whitelist or blacklist updates. The good news is that this is a blatant violation of Microsoft's Windows 8 certification guidelines, and that seems to have encouraged Toshiba to actually fix their BIOS. The bad news is that any of the affected machines that are currently available are still broken, and Toshiba don't seem to be willing to actually give you the firmware update yet.
Some Lenovos will only boot Windows or Red Hat Enterprise Linux. I recommend drinking, because as far as I know they haven't actually got around to doing anything useful about this yet.

Not an amazingly positive list, but as far as I know that's about it - other than some Samsungs, one range of Toshibas and one range of Lenovo desktops, Linux should be fine. If you have any other UEFI system that's unable to install Fedora 18, let me know and we'll do our best to work out what's going on.

Flat | Top-Level Comments Only

From: (Anonymous)

This is a bit off topic, but would you by any chance have a suggestion on how to get trusted boot working on current linux systems whilst using uefi? I am pretty sure TrustedGrub will noch work on uefi and neither does tboot at the moment.
Please help :)

From:

mjg59

Trusted Grub needs to be ported to use the UEFI interface to the TPM. I don't think anyone's done that yet, but I'm in the process of porting the relevant code to grub2 and intend to add UEFI support. Probably at least 6 months until I get around to finishing it, though.

From: (Anonymous)

Does that mean that TrustedGrub won't work at all with UEFI platforms? Any idea how much work is involved/when it'll be fixed?

From:

mjg59

Correct. There's no real chance of porting TrustedGrub either - you'd need to add UEFI support to it. Easier to add TPM and measurement support to grub 2, which is still on my list of things to do but has fallen down it a little.

From: (Anonymous)

About two months ago i also bricked my Lenovo D30 when i started some Fedora 18 Beta netinstall media from USB thumb in UEFI mode.

Basically the Kernel "oopsed" and when i rebooted the motherboard turned out fried. At the time i did not report it because i did not have much information about the event and i was, and i am, still not sure what happened. Now that i read about the Samsung issue i find that very familiar. Anyway, fortunately my D30 was still under warranty and i was not able to reproduce after it was repaired.

I also was not able to boot Fedora 18 UEFI installation on both my D30 as well as my X220. I use to have Fedora 16 installed in UEFI mode and it worked fine. In Fedora 18 i was not able to make that work. When i press the Fedora item from the UEFI menu nothing happens (Nothing bootable found). It might just be me but even if so, i guess it is not as intuitive as it could be.

From: (Anonymous)

I don't think that is fully correct. I guess what you really want to say is that non MS or Red Hat file names are discarded on reboot after set by efibootmgr. That's not Lenovo only, i know at least one other system that does that when you enable

Remove Invalid Boot Options

In case you have it enabled remove it. The "funny" thing with a firmware like this is that it autodetects all known positions of efi binaries. Like when you use the name:

EFI/Microsoft/Boot/bootmgfw.efi

it will detect Windows Boot Manager. Nice to convert normal to UEFI installs...

From:

mjg59

No, nothing to do with filenames. It's explained in the post I linked.

From: (Anonymous)

I personally find it much more annoying when you can add a new key/hash with shim and it is available till the end of time. That means when i reset all Secure Boot databases my binaries are still whitelisted. One of the boards i used for testing this was: Asrock B75 Pro3 - Firmware 1.60. Asrock is extra funny as well as there the CSM settings are the ACPI menu (i would put it into boot menu) and it is NOT required to disable the CSM in order to use Secure Boot.

From:

mjg59

You can remove the hashes using mokutil.

From:

6tr6tr

performing exactly the same series of accesses on some modern Samsung laptops gives an uncorrectable machine check exception (in the best case) or destroys your firmware (in the worst case).

Does this mean the issue is only with samsung-laptop or are there other parts of the kernel that will also cause these issues?

Does turning off UEFI (and switching to CSM/legacy mode) stop this problem?

From:

mjg59

It's only with samsung-laptop. Supposedly booting via the CSM is fine.

From: (Anonymous)

As this report indicates, it may not be limited to samsung-laptop. Booting in UEFI may also prevent you from entering setup later:

http://www.jakobheinemann.de/en/blog.html

From: (Anonymous)

Not only Toshiba and Samsung laptops. I got Sony VAIO model SVS151290X and am having problem with it. I can install Fedora 18 in UEFI but it still boots to Linux.

From:

mjg59

Can you describe exactly what you're doing and what behaviour you see?

From: (Anonymous)

I resize Windows 8 ntfs partition.
Boot from Fedora 18 full DVD and install it with secure boot and UEFI mode enabled.
Installs without a problem.
Reboot and goes to Windows 8 without asking anything.

I installed Fedora 18 in legacy mode with windows 8, boots fine to fedora but Windows does not boot in legacy mode. I then change legacy to UEFI and Windows 8 is not there. There is message OS not found.
Changing back to legacy and booting to Fedora still works fine.

Ubuntu works fine with Windows 8.

From:

mjg59

Ok. Could you please file a bug at bugzilla.redhat.com?

From: (Anonymous)

I did, but was ignored.

The reason for closing the bug was: it is a boot loader problem.

Please see the bug description.

https://bugzilla.redhat.com/show_bug.cgi?id=906074

From:

http://apebox.org/wordpress/

"Fast boot" support is likely enabled by default, and skips showing you the OS list.

Hold Shift when clicking "Restart" from within Windows 8, to get the Windows Boot Manager to show up - it should let you get into the UEFI settings screen, as a bare minimum.

From: (Anonymous)

Would a MacBook count? I was unable to boot a MacBook 4,1 using UEFI.

The boot option shows four items, regular (Mac OS), Fedora 18, UEFI, UEFI (yep, shows it twice). I've tried all three and it never finishes booting. If you want more info let me know.

From:

mjg59

What happens when you select the Fedora 18 option?

From:

cybertimber2013

Let me know if you want to chat in IRC. I'm trying this from a USB drive created from dd if I remember correctly.

When I choose the "Fedora Media" option, it then goes to "Welcome to GRUB,
Then Grub menu (2.00) with "Fedora-18-x86_64-Live-Desktop.is" and "Verify and Boot Fedora-18-x86_64-Live-Desktop.is" options. I choose the first and then it said Booting 'Fedora-18-x86_64-Live-Desktop.is'. I see a steady cursor, and then after that, I just get a black screen.

I rebooted and tried verify instead, and it did the same thing.

From:

mjg59

Can you try with the nomodeset argument?

From:

cybertimber2013

Just add it before rhgb right?

Tried and after I hit F10 to boot, it says "Booting a command list" with a steady cursor, and then after a period of time, just a black screen.

I also tried removing "silent" to see if I could get any output, but nothing. I don't want to turn this into an unrelated support thread on you Matthew, so let me know if I need to take this elsewhere.

From:

mjg59

Sounds like the kernel is crashing very early in startup. There's not really a good way to figure this out remotely, I'm afraid - I'll see if I can find one of these machines.

From:

cybertimber2013

Would you like a bugzilla?

From:

mjg59

No harm in it, but it's not likely to make things faster.

From:

cybertimber2013

Understood and no worries. https://bugzilla.redhat.com/show_bug.cgi?id=907021

BTW, thanks for the help and UEFI work :)

From:

cybertimber2013

For what it's worth, when I try the EFI Boot option:
I get "secure boot not enabled, welcome to GRUB!"
Then "GNU Grub Version 2.00" with two options (Fedora-18-x86_64-Live-Desktop.is and Verify and Boot Fedora-18-x86_64-Live-Desktop.is)
Choosing the first, I briefly see a solid cursor, then "Secure boot not enabled" with a solid cursor, then black screen.

I wonder with it saying ".is" instead of ".iso" is causing any problems?

From: (Anonymous)

I have exactly the same problem with a Macbook Air purchased new in June 2008.

Colin Adams

From: (Anonymous)

I'm about to buy a new Thinkpad. If I can't disable the thing in the computer itself via bios (I don't care what it's really called..) then I won't use Linux on it. And that's very, very bad for me. But it's better than the alternative.

From: (Anonymous)

The Samsung laptop issue does not appear to have anything to do with secure boot. It is to do with UEFI.

From: (Anonymous)

OK, so it's probably impossible, but I was wondering if you could provide a list of vendors who have generally _not_ driven you to drink yourself into a stupor with respect to UEFI or ACPI bugs.

Do ASUS, Gigabyte, SuperMicro, MSI motherboards raise your blood-alcohol levels at most to "jolly" or "slightly tipsy", or are they all more or less equally ravaging your liver?

Any trends at all in motherboard manufacturers' firmware quality?

From: (Anonymous)

On Dell XPS 8500, you can boot any unsigned binary through PXE under Secure Boot standard mode.

From: (Anonymous)

Go into the BIOS and change the Boot Mode from UEFI to CSM. Linux (at least for me Linux Mint 14 32 bit MATE) booted just fine. I blew away the Windows 8 install using the Erase Disc utility on my trusty Parted Magic CD then installed Mint. With Boot Mode in UEFI the laptop would not recognize any of my Linux CDs.

From: (Anonymous)

I was trying to install Mint from USB over an Ubuntu install on a Lenovo V570

I was stuck on the "secure boot" loop and came to this page for a solution.

I went into BIOS (F2) and rearranged my boot order and chose the USB stick as the first choice. It displayed the "secure boot" message, but then it went into the menu, and I was able to load Mint up.

Hope this helps.

From: (Anonymous)

Hi,

last year in march i boughta Lenovo W520.
When it arrived, i equiped it with 2 OCZ Vertex and one mSATA SSD insteat of the UMTS modem.
I wanted t olearn about the new UEFI world so i decided to do a Dual boot installation, Windows7 and opensuse 12.2 Tumbleweed.
I did the last updates for the hardware and set the notebook to UEFI boot.
Everythink went well, but after one week working with the noteboot i had the first boot problems, the kernel hang during boot.
One week later the W520 was not able to boot any more :NVRAM corrupted, and it wnt into a boot loop
I sent it back to Lenovo and 4 weeks later i got a new one.
But: Same procedure, after a good week: NVRAM corrupted.
The mainboard was changed then 3 times, every time after one week: NVRAM corrupted.
Last but not least i decided to give it a try with BIOS boot.
and, guess what: since 7 month the notebook runs smoothly.
I won't touch UEFI any more!

From: (Anonymous)

I can't be sure, but the consistent week or so until major problems develop looks extremely suspicious.

It reminds me of a problem back when WordPerfect was king and Microsnot did ANYTHING to unseat it, in favor of their up-and-coming Word. If you installed WP first and Word afterward, WP could be counted on to fail because its code had been corrupted when Word installed or ran.

There have been other examples, evidenced on numerous forums.

Would MS deliberately sabotage other manufacturers' software, like introducing code that would trigger after a certain time? Has a cat got an ass?

What is needed is someone who can bust their balls to slap them with a meaningful fine - something like $1B/day until they correct the problem instead of the attaboy sized few hundred $M they got after years of wrangling in the courts.

From: (Anonymous)

To include win7. Win8, from usb or dvd, will install and boot in efi mode with secure boot and fast boot enabled/disabled. Win7 will install in "efi-ish" mode but needs launch csm enabled. I only list the win7 issue to show that it is not isolated to linux. Ubuntu, fedora, linuxmint, basically any linux distro I found (x64) that supports efi will not boot even in live mode efi. The same media for the linux distros will boot in efi on my wife's asus x501a. I suspect it is related to the ami aptio efi/bios implementation.

From: (Anonymous)

I have been installing computers with dual-boot Windows, Linux and a data partition since W2K/Suse10.

I recently installed both W7 and Mint 14 on a new Lenovo G580 laptop, it went straight through and Mint is a pleasure to use. The BIOS seems to have no UEFI or secure boot options.

Now I am trying to install Windows 7 on a Lenovo ThinkCentre Edge72 and have already wasted two days and exchanged it once.
I have paid good money for the thing and they have installed some new technology that makes it useless to me without any reference to it in the data sheet. I will return it.

Can anyone recommend a workstation/business type computer that I can still buy with a good old simple BIOS? According to technet, Windows 7 will install on that without problems.

From: (Anonymous)

sorry, that should read:

Now I am trying to install Windows 7 and Mint 13 on a Lenovo ThinkCentre Edge72

From: (Anonymous)

A miracle, it worked!
I thought I would try once more.
Windows 7 and Mint 13 on a Lenovo ThinkCentre Edge72
Changed following in BIOS
startup bootmode --> legacy only
startup bootpriority --> legacy first
security secureboot --> disabled
and the installation of Win7 and Mint with a data partition in the middle went through and are selected in the grub menu.
Win7 gave a start error the first time but then started and didn't repeat the error

From: (Anonymous)

Hi, I am trying to install Linux Mint on my Lenovo G580 to dual boot with Windows 7, but I am unable to do so. When I boot Linux Mint from the bootable USB drive, and select "Something else" in the istallation, it does not show partitions on my Hard disk (there are 3), it just shows the hard disk as a single partition. Please help.
Thanks and regards.

From: (Anonymous)

Never mind I used g-parted and got it working

From: (Anonymous)

Hi! Are you able to tell me what the specific guidelines Toshiba violates are?

From:

mjg59

The Microsoft KEK was in the db database, not the kek one.

From: (Anonymous)

Thank you!

Flat | Top-Level Comments Only

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist.

mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.

Page Summary

(Anonymous) - Trusted Boot
(Anonymous) - (no subject)
(Anonymous) - Some Lenovos will only boot Windows or Red Hat Enterprise Linux.
(Anonymous) - AMI/Asrock UEFI Secure Boot Bugs
6tr6tr - Does the samsung issue also exist in CSM mode?
(Anonymous) - Fedora 28 does not work with Sony VAIO
(Anonymous) - Macbook 4,1
(Anonymous) - (no subject)
(Anonymous) - Samsung laptop issue
(Anonymous) - recommended vendors?
(Anonymous) - PXE
(Anonymous) - Toshiba's have a BIOS setting you can change
(Anonymous) - Lenovo
(Anonymous) - Lenovo W520 was destroyed
(Anonymous) - Asus K55N won't boot anything in EFI mode...
(Anonymous) - Dual boot Windows 7 and Linux Mint
(Anonymous) - Violation of W8 Certification Guidelines

Expand Cut Tags

No cut tags