You are not logged in.
- Topics: Active | Unanswered
#1 2013-11-27 19:12:33
- ! RT
- Member
- Registered: 2013-11-27
- Posts: 8
Boot from USB without disabling Secure/Fast Boot (Windows 8)
I have got a laptop with Windows 8 and I want to be able to boot from USB to use Arch Linux, but I DO NOT want to disable Secure Boot or Fast Boot.
Is there anything I need to change while installing Arch Linux on my USB flash drive to make it bootable on this laptop and keep everything else as it is?
Offline
#2 2013-11-27 19:14:36
- WonderWoofy
- Member
- From: Los Gatos, CA
- Registered: 2012-05-19
- Posts: 8,414
Re: Boot from USB without disabling Secure/Fast Boot (Windows 8)
You need to read up on how to use either the FSF prebootloader or shim. The prebootloader is in the official repos.
Last edited by WonderWoofy (2013-11-27 19:14:45)
Offline
#3 2013-11-27 19:25:37
- ! RT
- Member
- Registered: 2013-11-27
- Posts: 8
Re: Boot from USB without disabling Secure/Fast Boot (Windows 8)
Booting Via UEFI Can Brick Samsung Notebooks
Unfortunately, I can not find any up-to-date information on this matter. Is it now safe to use it?
Offline
#4 2013-11-27 19:38:24
- WonderWoofy
- Member
- From: Los Gatos, CA
- Registered: 2012-05-19
- Posts: 8,414
Re: Boot from USB without disabling Secure/Fast Boot (Windows 8)
Did you look for more information on that matter? I assure you, there is plenty of it if you look for it.
Offline
#5 2013-11-27 19:44:13
- ! RT
- Member
- Registered: 2013-11-27
- Posts: 8
Re: Boot from USB without disabling Secure/Fast Boot (Windows 8)
Did you look for more information on that matter? I assure you, there is plenty of it if you look for it.
Considering the fact that I told I wasn't able to find anything, I suppose it should be clear that I did actually try to.
All I want to know is whether I am 100% secure to use it now, because this laptop is under a 2 year warranty and I can not mess it up.
Offline
#6 2013-11-27 19:46:29
- j-lap
- Member
- From: United States
- Registered: 2013-11-25
- Posts: 8
Re: Boot from USB without disabling Secure/Fast Boot (Windows 8)
WonderWoofy wrote:Did you look for more information on that matter? I assure you, there is plenty of it if you look for it.
Considering the fact that I told I wasn't able to find anything, I suppose it should be clear that I did actually try to.
All I want to know is whether I am 100% secure to use it now, because this laptop is under a 2 year warranty and I can not mess it up.
I don't think anybody can guarantee you 100% security.
“I don't like work--no man does--but I like what is in the work--the chance to find yourself. Your own reality--for yourself not for others--what no other man can ever know. They can only see the mere show, and never can tell what it really means.”
― Joseph Conrad, Heart of Darkness
Offline
#7 2013-11-27 19:54:16
- WonderWoofy
- Member
- From: Los Gatos, CA
- Registered: 2012-05-19
- Posts: 8,414
Re: Boot from USB without disabling Secure/Fast Boot (Windows 8)
First of all, I would just like to point out that there is no possible way to ever be 100% sure that shit won't go awry.
Second, I was able to find a number of articles about this at the very top of my search result for this topic.
The Samsung UEFI bricking was a result of the protected storage in NVRAM becoming too full while not being able to properly handle garbage collection. Kernel panics were being written to the pstore in order to get debugging info. This can be cleared out manually, but Samsung has helped by providing the proper level at which it is safe to actually continue storing things there. In any case, pstore is not mounted by default anymore.
So is there less risk than before? Yes. Are you "100% secure"? Never.
Offline
#8 2013-11-27 20:56:12
- srs5694
- Member
- From: Woonsocket, RI
- Registered: 2012-11-06
- Posts: 719
- Website
Re: Boot from USB without disabling Secure/Fast Boot (Windows 8)
I have got a laptop with Windows 8 and I want to be able to boot from USB to use Arch Linux, but I DO NOT want to disable Secure Boot or Fast Boot.
For Secure Boot, you need to install either the Linux Foundation's PreLoader (it's not from the FSF) or the shim program. For details, see my generic page on Secure Boot or my rEFInd Secure Boot documentation.
For the Windows Fast Startup feature, there's really nothing special to be done to boot with that feature left enabled except, of course, to back up all the data on any shared partition before each reboot. Fast Startup is a dangerous feature because it turns a shutdown operation into a suspend-to-disk operation, which means that filesystems aren't properly unmounted. Thus, all partitions that Windows can access are left in an unstable state, and trying to mount them in Linux can cause filesystem corruption. Likewise, when you get around to rebooting Windows, these partitions are once again at risk of filesystem corruption. Note that the EFI System Partition (ESP) is often quietly mounted by Windows, and so is in danger of damage. (I've seen some online discussions in which it's appeared that Fast Startup has trashed the ESP and prevented boot loaders from working correctly.) If you must leave this feature enabled, at the very least you should take steps to ensure that you don't mount any Windows filesystems in Linux, perhaps even including the ESP.
If you mean the "fast start" feature in the firmware, matters aren't quite so dire, but you may need to disable it to boot from a USB drive. This feature typically takes shortcuts on system initialization by the EFI, often including bypassing the USB initialization procedure, at least for USB disk devices. Thus, you might not be able to boot from a USB device if the EFI's "fast start" feature is enabled. AFAIK, though, if you can boot from a USB disk with the EFI's "fast start" feature active, there are no extra risks or special steps that need to be taken. The feature will either block the boot process or it won't.
re: Samsung "bricking" problems:
All I want to know is whether I am 100% secure to use it now, because this laptop is under a 2 year warranty and I can not mess it up.
As others have said, there's no 100% guarantee of safety. That said, if you use a recent kernel, you should be OK. I don't recall when the workarounds were added in, though, so I can't say precisely what kernels are safer than others. I'd also recommend upgrading the firmware on the computer; it's conceivable that this will fix the underlying bug, which is in the firmware, not in Linux.
Offline
#9 2013-11-27 22:19:00
- ! RT
- Member
- Registered: 2013-11-27
- Posts: 8
Re: Boot from USB without disabling Secure/Fast Boot (Windows 8)
Thank you all for your answers!
Those (the link I posted previously and a few more I found afterwards) comments about Samsung laptops getting bricked scared me enough to stick with Secure/Fast Boot disabled for now. I do not feel comfortable having a setup like that, but I guess that will pay off in the long run (explicitly, not running into any problems related to features mentioned earlier).
Offline
#10 2013-11-27 22:40:02
- WonderWoofy
- Member
- From: Los Gatos, CA
- Registered: 2012-05-19
- Posts: 8,414
Re: Boot from USB without disabling Secure/Fast Boot (Windows 8)
Sooooo... I think you don't quite have a grasp of what is at play here. Simply disabling secureboot and fastboot is doing nothing to try to prevent the issues that were taking place with those Samsung machines.
Offline
#11 2013-11-27 22:56:08
- srs5694
- Member
- From: Woonsocket, RI
- Registered: 2012-11-06
- Posts: 719
- Website
Re: Boot from USB without disabling Secure/Fast Boot (Windows 8)
Sooooo... I think you don't quite have a grasp of what is at play here. Simply disabling secureboot and fastboot is doing nothing to try to prevent the issues that were taking place with those Samsung machines.
You're absolutely right. The bricking was caused by the firmware's NVRAM variable storage area filling up and the firmware not liking this. Neither Secure Boot nor any type of Fast Startup/Fast Boot feature would have any impact on that. Well, I suppose that shim and PreLoader would store data in the NVRAM, and so might speed up the appearance of problems, but disabling Secure Boot will not significantly reduce the risk.
In the past, the recommendation was to boot Linux in BIOS/CSM/legacy mode on affected computers because Linux didn't write to the NVRAM in this mode. That measure does prevent this problem from occurring.
Offline
#12 2013-11-28 05:45:11
- djgera
- Developer
- From: Buenos Aires - Argentina
- Registered: 2008-12-24
- Posts: 723
- Website
Re: Boot from USB without disabling Secure/Fast Boot (Windows 8)
Official Arch Linux ISO support booting from Secure UEFI boot. I made this how-to video [#1], when I implemented in archiso 
Offline
#13 2013-11-28 21:59:53
- teateawhy
- Member
- From: GER
- Registered: 2012-03-05
- Posts: 1,138
- Website
Re: Boot from USB without disabling Secure/Fast Boot (Windows 8)
@djgera A quick search showed that there is a lack of documentation about Secure Boot at the moment. The beginner's guide even says: "Arch Linux currently does not support Secure Boot [...]". A new section about it could be added to the UEFI page, or maybe a completely new article. Is there a documentation page about it in the archiso scripts repo, that can be used for reference?
Offline
#14 2013-11-28 23:39:26
- djgera
- Developer
- From: Buenos Aires - Argentina
- Registered: 2008-12-24
- Posts: 723
- Website
Re: Boot from USB without disabling Secure/Fast Boot (Windows 8)
Oh, wiki is outdated. Yes is suported and the steps are quite trivial: boot medium, enroll the hash of the loader.efi and vmlinuz.efi then exit or reboot. Enjoy
Of course, you need to enroll vmlinuz.efi in each update, so you need the preloader in your ESP
Offline