[personal profile] mjg59
Executive summary: Most things work fine.

Things we know are broken:
  • Some Samsung laptops. The samsung-laptop driver is a slightly weird thing. By 2010 (when it first appeared) most vendors had moved over to using some level of firmware abstraction, either using ACPI or WMI. Samsung still seemed to be stuck around a decade earlier - they were providing a region of memory at a known address, and you'd read that address to find a bunch of offsets. Then you'd write magic values based on those offsets to magic system IO ports based on those offsets and something would happen. Those writes were triggering System Management Mode, a special x86 CPU mode where the processor executes code from memory that the OS can't see, without telling the OS that it's doing so. There's nothing especially new in this (SMM first appeared in the 386sl back in 1990), but it also means that you depend on the system vendor not changing the interface without telling you. Turns out that Samsung apparently changed their platform interface when they moved to UEFI, but didn't actually do anything to prevent old drivers from breaking things - performing exactly the same series of accesses on some modern Samsung laptops gives an uncorrectable machine check exception (in the best case) or destroys your firmware (in the worst case). Given that the driver was written to Samsung's specifications, this is pretty obviously Samsung's fault, but that's probably little consolation to anyone who ended up with a dead laptop. Although, given Samsung's track record, this may not be surprising.

    On the bright side, some of the machines that are affected by this predate Secure Boot, so at least it's not a Secure Boot bug.
  • Some Toshibas won't boot Linux. This turns out to be some staggering incompetence on the part of Toshiba (or, more likely, their third-party vendor) - they managed to leave the signing key out of the database that's used to validate binaries, and managed to leave the signature database signing key out of the database that's used to provide whitelist or blacklist updates. The good news is that this is a blatant violation of Microsoft's Windows 8 certification guidelines, and that seems to have encouraged Toshiba to actually fix their BIOS. The bad news is that any of the affected machines that are currently available are still broken, and Toshiba don't seem to be willing to actually give you the firmware update yet.
  • Some Lenovos will only boot Windows or Red Hat Enterprise Linux. I recommend drinking, because as far as I know they haven't actually got around to doing anything useful about this yet.

Not an amazingly positive list, but as far as I know that's about it - other than some Samsungs, one range of Toshibas and one range of Lenovo desktops, Linux should be fine. If you have any other UEFI system that's unable to install Fedora 18, let me know and we'll do our best to work out what's going on.

Trusted Boot

Date: 2013-02-01 07:09 am (UTC)
From: (Anonymous)
This is a bit off topic, but would you by any chance have a suggestion on how to get trusted boot working on current linux systems whilst using uefi? I am pretty sure TrustedGrub will noch work on uefi and neither does tboot at the moment.
Please help :)

Re: Trusted Boot

Date: 2013-06-28 02:18 pm (UTC)
From: (Anonymous)
Does that mean that TrustedGrub won't work at all with UEFI platforms? Any idea how much work is involved/when it'll be fixed?

Date: 2013-02-01 09:42 am (UTC)
From: (Anonymous)
About two months ago i also bricked my Lenovo D30 when i started some Fedora 18 Beta netinstall media from USB thumb in UEFI mode.

Basically the Kernel "oopsed" and when i rebooted the motherboard turned out fried. At the time i did not report it because i did not have much information about the event and i was, and i am, still not sure what happened. Now that i read about the Samsung issue i find that very familiar. Anyway, fortunately my D30 was still under warranty and i was not able to reproduce after it was repaired.

I also was not able to boot Fedora 18 UEFI installation on both my D30 as well as my X220. I use to have Fedora 16 installed in UEFI mode and it worked fine. In Fedora 18 i was not able to make that work. When i press the Fedora item from the UEFI menu nothing happens (Nothing bootable found). It might just be me but even if so, i guess it is not as intuitive as it could be.
From: (Anonymous)
I don't think that is fully correct. I guess what you really want to say is that non MS or Red Hat file names are discarded on reboot after set by efibootmgr. That's not Lenovo only, i know at least one other system that does that when you enable

Remove Invalid Boot Options

In case you have it enabled remove it. The "funny" thing with a firmware like this is that it autodetects all known positions of efi binaries. Like when you use the name:

EFI/Microsoft/Boot/bootmgfw.efi

it will detect Windows Boot Manager. Nice to convert normal to UEFI installs...

AMI/Asrock UEFI Secure Boot Bugs

Date: 2013-02-01 12:07 pm (UTC)
From: (Anonymous)
I personally find it much more annoying when you can add a new key/hash with shim and it is available till the end of time. That means when i reset all Secure Boot databases my binaries are still whitelisted. One of the boards i used for testing this was: Asrock B75 Pro3 - Firmware 1.60. Asrock is extra funny as well as there the CSM settings are the ACPI menu (i would put it into boot menu) and it is NOT required to disable the CSM in order to use Secure Boot.

Does the samsung issue also exist in CSM mode?

Date: 2013-02-01 06:29 pm (UTC)
From: [personal profile] 6tr6tr
performing exactly the same series of accesses on some modern Samsung laptops gives an uncorrectable machine check exception (in the best case) or destroys your firmware (in the worst case).

Does this mean the issue is only with samsung-laptop or are there other parts of the kernel that will also cause these issues?

Does turning off UEFI (and switching to CSM/legacy mode) stop this problem?
From: (Anonymous)
As this report indicates, it may not be limited to samsung-laptop. Booting in UEFI may also prevent you from entering setup later:

http://www.jakobheinemann.de/en/blog.html

Fedora 28 does not work with Sony VAIO

Date: 2013-02-02 03:39 am (UTC)
From: (Anonymous)
Not only Toshiba and Samsung laptops. I got Sony VAIO model SVS151290X and am having problem with it. I can install Fedora 18 in UEFI but it still boots to Linux.

Re: Fedora 28 does not work with Sony VAIO

Date: 2013-02-02 04:09 am (UTC)
From: (Anonymous)
I resize Windows 8 ntfs partition.
Boot from Fedora 18 full DVD and install it with secure boot and UEFI mode enabled.
Installs without a problem.
Reboot and goes to Windows 8 without asking anything.

I installed Fedora 18 in legacy mode with windows 8, boots fine to fedora but Windows does not boot in legacy mode. I then change legacy to UEFI and Windows 8 is not there. There is message OS not found.
Changing back to legacy and booting to Fedora still works fine.

Ubuntu works fine with Windows 8.

Re: Fedora 28 does not work with Sony VAIO

Date: 2013-02-02 04:40 am (UTC)
From: (Anonymous)
I did, but was ignored.

The reason for closing the bug was: it is a boot loader problem.

Please see the bug description.

https://bugzilla.redhat.com/show_bug.cgi?id=906074

Re: Fedora 28 does not work with Sony VAIO

Date: 2013-02-04 09:54 am (UTC)
From: [identity profile] http://apebox.org/wordpress/
"Fast boot" support is likely enabled by default, and skips showing you the OS list.

Hold Shift when clicking "Restart" from within Windows 8, to get the Windows Boot Manager to show up - it should let you get into the UEFI settings screen, as a bare minimum.

Macbook 4,1

Date: 2013-02-02 04:14 am (UTC)
From: (Anonymous)
Would a MacBook count? I was unable to boot a MacBook 4,1 using UEFI.

The boot option shows four items, regular (Mac OS), Fedora 18, UEFI, UEFI (yep, shows it twice). I've tried all three and it never finishes booting. If you want more info let me know.

Re: Macbook 4,1

Date: 2013-02-02 04:54 am (UTC)
From: [personal profile] cybertimber2013
Let me know if you want to chat in IRC. I'm trying this from a USB drive created from dd if I remember correctly.

When I choose the "Fedora Media" option, it then goes to "Welcome to GRUB,
Then Grub menu (2.00) with "Fedora-18-x86_64-Live-Desktop.is" and "Verify and Boot Fedora-18-x86_64-Live-Desktop.is" options. I choose the first and then it said Booting 'Fedora-18-x86_64-Live-Desktop.is'. I see a steady cursor, and then after that, I just get a black screen.

I rebooted and tried verify instead, and it did the same thing.

Re: Macbook 4,1

Date: 2013-02-02 05:11 am (UTC)
From: [personal profile] cybertimber2013
Just add it before rhgb right?

Tried and after I hit F10 to boot, it says "Booting a command list" with a steady cursor, and then after a period of time, just a black screen.

I also tried removing "silent" to see if I could get any output, but nothing. I don't want to turn this into an unrelated support thread on you Matthew, so let me know if I need to take this elsewhere.

Re: Macbook 4,1

Date: 2013-02-02 03:23 pm (UTC)
From: [personal profile] cybertimber2013
Would you like a bugzilla?

Re: Macbook 4,1

Date: 2013-02-02 05:59 pm (UTC)
From: [personal profile] cybertimber2013
Understood and no worries. https://bugzilla.redhat.com/show_bug.cgi?id=907021

BTW, thanks for the help and UEFI work :)

Re: Macbook 4,1

Date: 2013-02-02 04:59 am (UTC)
From: [personal profile] cybertimber2013
For what it's worth, when I try the EFI Boot option:
I get "secure boot not enabled, welcome to GRUB!"
Then "GNU Grub Version 2.00" with two options (Fedora-18-x86_64-Live-Desktop.is and Verify and Boot Fedora-18-x86_64-Live-Desktop.is)
Choosing the first, I briefly see a solid cursor, then "Secure boot not enabled" with a solid cursor, then black screen.

I wonder with it saying ".is" instead of ".iso" is causing any problems?

Re: Macbook 4,1

Date: 2013-02-07 09:39 am (UTC)
From: (Anonymous)
I have exactly the same problem with a Macbook Air purchased new in June 2008.

Colin Adams

Date: 2013-02-02 11:56 am (UTC)
From: (Anonymous)
I'm about to buy a new Thinkpad. If I can't disable the thing in the computer itself via bios (I don't care what it's really called..) then I won't use Linux on it. And that's very, very bad for me. But it's better than the alternative.

Samsung laptop issue

Date: 2013-02-02 01:20 pm (UTC)
From: (Anonymous)
The Samsung laptop issue does not appear to have anything to do with secure boot. It is to do with UEFI.

recommended vendors?

Date: 2013-02-03 03:33 am (UTC)
From: (Anonymous)
OK, so it's probably impossible, but I was wondering if you could provide a list of vendors who have generally _not_ driven you to drink yourself into a stupor with respect to UEFI or ACPI bugs.

Do ASUS, Gigabyte, SuperMicro, MSI motherboards raise your blood-alcohol levels at most to "jolly" or "slightly tipsy", or are they all more or less equally ravaging your liver?

Any trends at all in motherboard manufacturers' firmware quality?

PXE

Date: 2013-02-04 02:09 am (UTC)
From: (Anonymous)
On Dell XPS 8500, you can boot any unsigned binary through PXE under Secure Boot standard mode.

Toshiba's have a BIOS setting you can change

Date: 2013-02-05 01:41 am (UTC)
From: (Anonymous)
Go into the BIOS and change the Boot Mode from UEFI to CSM. Linux (at least for me Linux Mint 14 32 bit MATE) booted just fine. I blew away the Windows 8 install using the Erase Disc utility on my trusty Parted Magic CD then installed Mint. With Boot Mode in UEFI the laptop would not recognize any of my Linux CDs.

Lenovo

Date: 2013-02-07 08:32 pm (UTC)
From: (Anonymous)
I was trying to install Mint from USB over an Ubuntu install on a Lenovo V570

I was stuck on the "secure boot" loop and came to this page for a solution.

I went into BIOS (F2) and rearranged my boot order and chose the USB stick as the first choice. It displayed the "secure boot" message, but then it went into the menu, and I was able to load Mint up.

Hope this helps.

Lenovo W520 was destroyed

Date: 2013-02-19 11:00 am (UTC)
From: (Anonymous)
Hi,

last year in march i boughta Lenovo W520.
When it arrived, i equiped it with 2 OCZ Vertex and one mSATA SSD insteat of the UMTS modem.
I wanted t olearn about the new UEFI world so i decided to do a Dual boot installation, Windows7 and opensuse 12.2 Tumbleweed.
I did the last updates for the hardware and set the notebook to UEFI boot.
Everythink went well, but after one week working with the noteboot i had the first boot problems, the kernel hang during boot.
One week later the W520 was not able to boot any more :NVRAM corrupted, and it wnt into a boot loop
I sent it back to Lenovo and 4 weeks later i got a new one.
But: Same procedure, after a good week: NVRAM corrupted.
The mainboard was changed then 3 times, every time after one week: NVRAM corrupted.
Last but not least i decided to give it a try with BIOS boot.
and, guess what: since 7 month the notebook runs smoothly.
I won't touch UEFI any more!

Re: Lenovo W520 was destroyed

Date: 2013-03-28 05:33 pm (UTC)
From: (Anonymous)
I can't be sure, but the consistent week or so until major problems develop looks extremely suspicious.

It reminds me of a problem back when WordPerfect was king and Microsnot did ANYTHING to unseat it, in favor of their up-and-coming Word. If you installed WP first and Word afterward, WP could be counted on to fail because its code had been corrupted when Word installed or ran.

There have been other examples, evidenced on numerous forums.

Would MS deliberately sabotage other manufacturers' software, like introducing code that would trigger after a certain time? Has a cat got an ass?

What is needed is someone who can bust their balls to slap them with a meaningful fine - something like $1B/day until they correct the problem instead of the attaboy sized few hundred $M they got after years of wrangling in the courts.

Asus K55N won't boot anything in EFI mode...

Date: 2013-02-24 11:06 pm (UTC)
From: (Anonymous)
To include win7. Win8, from usb or dvd, will install and boot in efi mode with secure boot and fast boot enabled/disabled. Win7 will install in "efi-ish" mode but needs launch csm enabled. I only list the win7 issue to show that it is not isolated to linux. Ubuntu, fedora, linuxmint, basically any linux distro I found (x64) that supports efi will not boot even in live mode efi. The same media for the linux distros will boot in efi on my wife's asus x501a. I suspect it is related to the ami aptio efi/bios implementation.

Dual boot Windows 7 and Linux Mint

Date: 2013-03-29 03:33 pm (UTC)
From: (Anonymous)
I have been installing computers with dual-boot Windows, Linux and a data partition since W2K/Suse10.

I recently installed both W7 and Mint 14 on a new Lenovo G580 laptop, it went straight through and Mint is a pleasure to use. The BIOS seems to have no UEFI or secure boot options.

Now I am trying to install Windows 7 on a Lenovo ThinkCentre Edge72 and have already wasted two days and exchanged it once.
I have paid good money for the thing and they have installed some new technology that makes it useless to me without any reference to it in the data sheet. I will return it.

Can anyone recommend a workstation/business type computer that I can still buy with a good old simple BIOS? According to technet, Windows 7 will install on that without problems.

Re: Dual boot Windows 7 and Linux Mint

Date: 2013-03-29 03:36 pm (UTC)
From: (Anonymous)
sorry, that should read:

Now I am trying to install Windows 7 and Mint 13 on a Lenovo ThinkCentre Edge72

Re: Dual boot Windows 7 and Linux Mint

Date: 2013-03-29 06:21 pm (UTC)
From: (Anonymous)
A miracle, it worked!
I thought I would try once more.
Windows 7 and Mint 13 on a Lenovo ThinkCentre Edge72
Changed following in BIOS
startup bootmode --> legacy only
startup bootpriority --> legacy first
security secureboot --> disabled
and the installation of Win7 and Mint with a data partition in the middle went through and are selected in the grub menu.
Win7 gave a start error the first time but then started and didn't repeat the error

Re: Dual boot Windows 7 and Linux Mint

Date: 2014-07-10 03:32 am (UTC)
From: (Anonymous)
Hi, I am trying to install Linux Mint on my Lenovo G580 to dual boot with Windows 7, but I am unable to do so. When I boot Linux Mint from the bootable USB drive, and select "Something else" in the istallation, it does not show partitions on my Hard disk (there are 3), it just shows the hard disk as a single partition. Please help.
Thanks and regards.

Re: Dual boot Windows 7 and Linux Mint

Date: 2014-09-25 02:22 pm (UTC)
From: (Anonymous)
Never mind I used g-parted and got it working

Violation of W8 Certification Guidelines

Date: 2013-09-17 10:53 am (UTC)
From: (Anonymous)
Hi! Are you able to tell me what the specific guidelines Toshiba violates are?

Re: Violation of W8 Certification Guidelines

Date: 2013-09-18 08:35 am (UTC)
From: (Anonymous)
Thank you!

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Nebula. Member of the Linux Foundation Technical Advisory Board. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Expand Cut Tags

No cut tags