[personal profile] mjg59
Executive summary: Most things work fine.

Things we know are broken:
  • Some Samsung laptops. The samsung-laptop driver is a slightly weird thing. By 2010 (when it first appeared) most vendors had moved over to using some level of firmware abstraction, either using ACPI or WMI. Samsung still seemed to be stuck around a decade earlier - they were providing a region of memory at a known address, and you'd read that address to find a bunch of offsets. Then you'd write magic values based on those offsets to magic system IO ports based on those offsets and something would happen. Those writes were triggering System Management Mode, a special x86 CPU mode where the processor executes code from memory that the OS can't see, without telling the OS that it's doing so. There's nothing especially new in this (SMM first appeared in the 386sl back in 1990), but it also means that you depend on the system vendor not changing the interface without telling you. Turns out that Samsung apparently changed their platform interface when they moved to UEFI, but didn't actually do anything to prevent old drivers from breaking things - performing exactly the same series of accesses on some modern Samsung laptops gives an uncorrectable machine check exception (in the best case) or destroys your firmware (in the worst case). Given that the driver was written to Samsung's specifications, this is pretty obviously Samsung's fault, but that's probably little consolation to anyone who ended up with a dead laptop. Although, given Samsung's track record, this may not be surprising.

    On the bright side, some of the machines that are affected by this predate Secure Boot, so at least it's not a Secure Boot bug.
  • Some Toshibas won't boot Linux. This turns out to be some staggering incompetence on the part of Toshiba (or, more likely, their third-party vendor) - they managed to leave the signing key out of the database that's used to validate binaries, and managed to leave the signature database signing key out of the database that's used to provide whitelist or blacklist updates. The good news is that this is a blatant violation of Microsoft's Windows 8 certification guidelines, and that seems to have encouraged Toshiba to actually fix their BIOS. The bad news is that any of the affected machines that are currently available are still broken, and Toshiba don't seem to be willing to actually give you the firmware update yet.
  • Some Lenovos will only boot Windows or Red Hat Enterprise Linux. I recommend drinking, because as far as I know they haven't actually got around to doing anything useful about this yet.

Not an amazingly positive list, but as far as I know that's about it - other than some Samsungs, one range of Toshibas and one range of Lenovo desktops, Linux should be fine. If you have any other UEFI system that's unable to install Fedora 18, let me know and we'll do our best to work out what's going on.
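The Toshiba failure above comes down to an expected certificate being absent from the firmware's key databases. As an added example (not from the original post), this Python code parses the EFI_SIGNATURE_LIST layout that the UEFI specification uses for the db and KEK variables and reports which expected certificates are missing; the sample blob, owner GUID and certificate bytes are constructed placeholders, and `missing_certs` and `make_list` are illustrative names.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in a db/KEK blob."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        body, end = pos + 28 + hdr_size, pos + list_size
        if list_size < 28 + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        if (end - body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for off in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[off:off + 16])
            yield sig_type, owner, blob[off + 16:off + sig_size]
        pos = end

def missing_certs(blob, expected):
    """Return names from expected (name -> SHA-256 hex of DER cert) not in blob."""
    present = {hashlib.sha256(data).hexdigest()
               for sig_type, _, data in parse_signature_lists(blob)
               if sig_type == EFI_CERT_X509_GUID}
    return sorted(name for name, fp in expected.items() if fp.lower() not in present)

def make_list(sig_type, owner, entries):
    """Build one EFI_SIGNATURE_LIST (sample helper; entries share one length)."""
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

# Constructed sample: placeholder byte strings stand in for DER certificates.
OWNER = uuid.UUID("00000000-1111-2222-3333-444444444444")
VENDOR_CERT, THIRD_PARTY_CERT = b"constructed-vendor-cert", b"constructed-3p-cert-xx"
SAMPLE_DB = (make_list(EFI_CERT_X509_GUID, OWNER, [VENDOR_CERT])
             + make_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x00" * 32]))
EXPECTED = {"vendor": hashlib.sha256(VENDOR_CERT).hexdigest(),
            "third-party": hashlib.sha256(THIRD_PARTY_CERT).hexdigest()}

if __name__ == "__main__":
    print(missing_certs(SAMPLE_DB, EXPECTED))
```

When feeding this a variable read from Linux efivarfs, strip the leading 4-byte attributes field first; the parser expects the raw variable data.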

Trusted Boot

Date: 2013-02-01 07:09 am (UTC)
From: (Anonymous)
This is a bit off topic, but would you by any chance have a suggestion on how to get trusted boot working on current linux systems whilst using uefi? I am pretty sure TrustedGrub will not work on uefi and neither does tboot at the moment.
Please help :)

Date: 2013-02-01 09:42 am (UTC)
From: (Anonymous)
About two months ago I also bricked my Lenovo D30 when I started some Fedora 18 Beta netinstall media from USB thumb in UEFI mode.

Basically the Kernel "oopsed" and when I rebooted the motherboard turned out fried. At the time I did not report it because I did not have much information about the event and I was, and I am, still not sure what happened. Now that I read about the Samsung issue I find that very familiar. Anyway, fortunately my D30 was still under warranty and I was not able to reproduce after it was repaired.

I also was not able to boot Fedora 18 UEFI installation on both my D30 as well as my X220. I used to have Fedora 16 installed in UEFI mode and it worked fine. In Fedora 18 I was not able to make that work. When I press the Fedora item from the UEFI menu nothing happens (Nothing bootable found). It might just be me but even if so, I guess it is not as intuitive as it could be.

From: (Anonymous)
I don't think that is fully correct. I guess what you really want to say is that non MS or Red Hat file names are discarded on reboot after being set by efibootmgr. That's not Lenovo only, I know at least one other system that does that when you enable

Remove Invalid Boot Options

In case you have it enabled remove it. The "funny" thing with a firmware like this is that it autodetects all known positions of efi binaries. Like when you use the name:

EFI/Microsoft/Boot/bootmgfw.efi

it will detect Windows Boot Manager. Nice to convert normal to UEFI installs...

AMI/Asrock UEFI Secure Boot Bugs

Date: 2013-02-01 12:07 pm (UTC)
From: (Anonymous)
I personally find it much more annoying when you can add a new key/hash with shim and it is available till the end of time. That means when I reset all Secure Boot databases my binaries are still whitelisted. One of the boards I used for testing this was: Asrock B75 Pro3 - Firmware 1.60. Asrock is extra funny as well as there the CSM settings are in the ACPI menu (I would put it into boot menu) and it is NOT required to disable the CSM in order to use Secure Boot.

Does the Samsung issue also exist in CSM mode?

Date: 2013-02-01 06:29 pm (UTC)
From: [personal profile] 6tr6tr
performing exactly the same series of accesses on some modern Samsung laptops gives an uncorrectable machine check exception (in the best case) or destroys your firmware (in the worst case).

Does this mean the issue is only with samsung-laptop or are there other parts of the kernel that will also cause these issues?

Does turning off UEFI (and switching to CSM/legacy mode) stop this problem?

Fedora 28 does not work with Sony VAIO

Date: 2013-02-02 03:39 am (UTC)
From: (Anonymous)
Not only Toshiba and Samsung laptops. I got Sony VAIO model SVS151290X and am having a problem with it. I can install Fedora 18 in UEFI but it still boots to Linux.

Macbook 4,1

Date: 2013-02-02 04:14 am (UTC)
From: (Anonymous)
Would a MacBook count? I was unable to boot a MacBook 4,1 using UEFI.

The boot option shows four items, regular (Mac OS), Fedora 18, UEFI, UEFI (yep, shows it twice). I've tried all three and it never finishes booting. If you want more info let me know.

Date: 2013-02-02 11:56 am (UTC)
From: (Anonymous)
I'm about to buy a new Thinkpad. If I can't disable the thing in the computer itself via bios (I don't care what it's really called..) then I won't use Linux on it. And that's very, very bad for me. But it's better than the alternative.

Samsung laptop issue

Date: 2013-02-02 01:20 pm (UTC)
From: (Anonymous)
The Samsung laptop issue does not appear to have anything to do with secure boot. It is to do with UEFI.

recommended vendors?

Date: 2013-02-03 03:33 am (UTC)
From: (Anonymous)
OK, so it's probably impossible, but I was wondering if you could provide a list of vendors who have generally _not_ driven you to drink yourself into a stupor with respect to UEFI or ACPI bugs.

Do ASUS, Gigabyte, SuperMicro, MSI motherboards raise your blood-alcohol levels at most to "jolly" or "slightly tipsy", or are they all more or less equally ravaging your liver?

Any trends at all in motherboard manufacturers' firmware quality?

PXE

Date: 2013-02-04 02:09 am (UTC)
From: (Anonymous)
On Dell XPS 8500, you can boot any unsigned binary through PXE under Secure Boot standard mode.

Toshibas have a BIOS setting you can change

Date: 2013-02-05 01:41 am (UTC)
From: (Anonymous)
Go into the BIOS and change the Boot Mode from UEFI to CSM. Linux (at least for me Linux Mint 14 32 bit MATE) booted just fine. I blew away the Windows 8 install using the Erase Disc utility on my trusty Parted Magic CD then installed Mint. With Boot Mode in UEFI the laptop would not recognize any of my Linux CDs.

Lenovo

Date: 2013-02-07 08:32 pm (UTC)
From: (Anonymous)
I was trying to install Mint from USB over an Ubuntu install on a Lenovo V570.

I was stuck on the "secure boot" loop and came to this page for a solution.

I went into BIOS (F2) and rearranged my boot order and chose the USB stick as the first choice. It displayed the "secure boot" message, but then it went into the menu, and I was able to load Mint up.

Hope this helps.

Lenovo W520 was destroyed

Date: 2013-02-19 11:00 am (UTC)
From: (Anonymous)
Hi,

Last year in March I bought a Lenovo W520.
When it arrived, I equipped it with 2 OCZ Vertex and one mSATA SSD instead of the UMTS modem.
I wanted to learn about the new UEFI world so I decided to do a dual boot installation, Windows7 and opensuse 12.2 Tumbleweed.
I did the last updates for the hardware and set the notebook to UEFI boot.
Everything went well, but after one week working with the notebook I had the first boot problems, the kernel hung during boot.
One week later the W520 was not able to boot any more: NVRAM corrupted, and it went into a boot loop.
I sent it back to Lenovo and 4 weeks later I got a new one.
But: Same procedure, after a good week: NVRAM corrupted.
The mainboard was changed then 3 times, every time after one week: NVRAM corrupted.
Last but not least I decided to give it a try with BIOS boot.
And, guess what: for 7 months the notebook has been running smoothly.
I won't touch UEFI any more!

Asus K55N won't boot anything in EFI mode...

Date: 2013-02-24 11:06 pm (UTC)
From: (Anonymous)
To include win7. Win8, from usb or dvd, will install and boot in efi mode with secure boot and fast boot enabled/disabled. Win7 will install in "efi-ish" mode but needs launch csm enabled. I only list the win7 issue to show that it is not isolated to linux. Ubuntu, fedora, linuxmint, basically any linux distro I found (x64) that supports efi will not boot even in live mode efi. The same media for the linux distros will boot in efi on my wife's asus x501a. I suspect it is related to the ami aptio efi/bios implementation.

Dual boot Windows 7 and Linux Mint

Date: 2013-03-29 03:33 pm (UTC)
From: (Anonymous)
I have been installing computers with dual-boot Windows, Linux and a data partition since W2K/Suse10.

I recently installed both W7 and Mint 14 on a new Lenovo G580 laptop, it went straight through and Mint is a pleasure to use. The BIOS seems to have no UEFI or secure boot options.

Now I am trying to install Windows 7 on a Lenovo ThinkCentre Edge72 and have already wasted two days and exchanged it once.
I have paid good money for the thing and they have installed some new technology that makes it useless to me without any reference to it in the data sheet. I will return it.

Can anyone recommend a workstation/business type computer that I can still buy with a good old simple BIOS? According to technet, Windows 7 will install on that without problems.

Violation of W8 Certification Guidelines

Date: 2013-09-17 10:53 am (UTC)
From: (Anonymous)
Hi! Are you able to tell me what the specific guidelines Toshiba violates are?

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. [personal profile] mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
