Categories

All Things Dev

UEFI, SecureBoot, and dual booting Windows 8 and Linux

In this post I will explain UEFI (Unified Extensible Firmware Interface) and its predecessor, the BIOS/MBR, as well as the challenges to get a dual boot environment with an alternative operating system, such as Linux.

The Master Boot Record

To really understand what the whole fuss is about, you have to realize that until UEFI was proposed, computers relied on a rather archaic system called “MBR”, that stands for Master Boot Record, working in tandem with the BIOS to achieve the bootstrap process, that is the initialization of a computer.

old_way

A bios and MBR bootstrap process.

The Master Boot Record contains information on how the disk is partitioned, it is located at the very beginning of the disk, and the MBR isn’t typically accessible by the operating system. It is the one of the first thing accessed, making it ideal for malicious stuff to hide in.

In the early days of MSDOS, the Master Boot Record was plagued with virii. Infected MBR’s of floppies disks were one of the original way computers were infected.

As a result, restrictions to accessing the MBR were implemented. Some of these were through the BIOS, some through advances in Antivirus software, and some through more stringent Operating System controls. All of these mitigations had appeared to have relegated MBR threats to the dustbin.

But old threat vectors die hard, and a few years ago we saw a resurgence of MBR threats. Rootkits were taking advantage of the MBR and placing themselves ahead of the operating system. By subverting the MBR, these threats made themselves essentially invisible. (If the Rootkit is loaded before the Operating System, It has a definite advantage.)

Add to this some legacy limitations inherent to the BIOS/MBR system, users complaining of sluggish boot times, and you can see why it was time to find some other way.

Enter UEFI, the Unified Extensible Firmware Interface

UEFI, the evolution of EFI, replaces both the BIOS and does away with the MBR all together, with the GPT (Guid Partition Table).  It introduces a wealth of new features, better support for large disks, the possibility of having a mini operating system to troubleshoot a broken main one, and dramatically improved bootup speeds.

new_way

A UEFI bootstrap process.

While this method has many benefits, it made Dual Boot configurations very difficult, essentially making running any other Operating System a complicated proposition. It also made many diagnostic tools, such as the ones based on live CD’s ineffective.

And so for a period, dual booting in UEFI just was so esoterically complex, that running in legacy mode, by disabling features of UEFI was the easier way to dual boot. This was provided you could even disable these settings, as some more “budget minded” hardware manufacturers did not include this option.

Enter Secure Boot.

Later versions of UEFI introduced a concept called “Secure Boot

“Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.”

This additional feature, introduced by members of the PC industry, and more widely adopted by Microsoft for Windows 8 PC’s, threatened to make running anything other than an “authorized” Operating system impossible! While in the PC world this would be an anathema, if you look at tablets and mobiles, it’s not that uncommon of a practice. iPhones are locked, most android handsets are locked also, tablets as well, as are most game consoles…

Microsoft elaborated on this new feature here.

So where does this leave the enthusiast and tinkerers at?

Luckily for us, the dust settled. The linux foundation announced efforts to address UEFI and Secure Boot issues, Live cd’s started offering the option to boot in UEFI mode, major Linux Distributions, such as Suse, Fedora, Ubuntu, and the Unix like FreeBSD operating system as well followed suite. Most of the hardware manufacturers started including the option to disable Secure Boot, and howto’s sprung on many forums explaining what needed to be done in a step by step manner.

Many enthusiasts still think that Secure Boot was an underhanded attempt at locking out older Microsoft Operating Systems, or alternatives, such as Linux.

While this new way of doing things has certainly added a layer of complexity to Dual booting, UEFI is still a worthy and long overdue upgrade.


  • samanthas

    First of all, You CAN Dualboot without disabling UEFI. ANY modern bootloader (GRUB, the FreeBSD Loader, and even the windows bootloader) can boot any OS sitting on a partition.
    Second of all, UEFI is not the replacement for MBR. UEFI replaced EFI which replaced the BIOS. The replacement for the MBR and its associated parition table is GPT.
    Third of all, SECURE BOOT IS ONLY MANDATED FOR WINDOWS RT TABLETS. WIndows 8 running on ANY x86 machine (be it an atom tablet or your average PC) does NOT require secureboot.
    My god, if you can’t even manage dualbooting with Ubuntu (aka Babby’s First Linux) what the heck are you doing writing for a tech blog let alone working for a malware company?

    And seriously, anyone who thinks Linux is the beallendall of Open Source Operating Systems has clearly never tried the glory of FreeBSD :|

  • Jean Taggart

    Hello Samanthas,

    Thank you for pointing out the inaccuracies in this blog post. Hopefully I have corrected them to your liking. Feel free to comment further if not all were addressed in a manner that you feel is satisfactory.

    Jean Taggart

  • samanthas

    Wow o.o
    I genuinely appreciate you taking the time to double check stuff rather than just treat me like some annoying troll.
    My apologies if my first comment seemed rather harsh. I deal with all manner of “tech illiterate” folks all day (being the sysadmin who has to deal with all their trouble tickets) and I’ve come to expect a high standard from the few blogs I keep up to date on, yours being one I check on a daily basis.
    While you’ve corrected most everything else, there still is a problem with the line “While this method has many benefits, it broke Dual Boot configurations”.
    However, I DO understand that for the layman (which may very well be your target demographic), dualbooting without understanding how bootloaders work would be too complex for most before the switch to GPT and darn near impossible after. Even with my indepth understanding of the workings of both Windows and Linux, UNIX, etc, I even find it mildly annoying to have to set up those configurations myself.

  • Pingback: Window 7 Tech | UEFI, SecureBoot, and dual booting Windows 8 and Linux …

  • Jean Taggart

    Hello Samanthas,

    No problem, I added further edits, as per your suggestion. I was looking at the article in a historical manner, and indeed approaching it from the layman point of view. The easiest install I experienced, (that is popping in a cd and pushing a few buttons), was with 13.04. My goal was to not have to turn Secure Boot off in UEFI, use GPT (w00t! goodbye MBR!), no annoying watermark, the simplest install as possible. I did dual boot to a different disk, which I have always done in the past anyways. I was merely celebrating having it “just work”.

    Cheers,

    Jean Taggart

Subscribe to our YouTube Channel