
How to Boot and Install Linux on a Secure Boot UEFI PC


New Windows PCs come with UEFI firmware and Secure Boot enabled. Secure Boot prevents operating systems from starting unless they are signed by a key loaded in UEFI; out of the box, you can only boot software signed by Microsoft.

Microsoft requires PC vendors to allow users to disable Secure Boot, so you can disable Secure Boot or add your own custom key to get around this limitation.

How Secure Boot works

PCs that come with Windows 10 or Windows 11 include UEFI firmware instead of the traditional BIOS. By default, the machine’s UEFI firmware will only boot bootloaders signed by a key embedded in the UEFI firmware. This feature is known as “Secure Boot” or “Trusted Boot”. On traditional PCs without this security feature, a rootkit could install itself and become the boot loader. The computer’s BIOS would then load the rootkit at boot time, and the rootkit would in turn boot and load Windows, hiding itself from the operating system and embedding itself at a deep level.

Secure Boot blocks this: the computer will only boot trusted software, so malicious boot loaders won’t be able to infect the system.


On an Intel x86 PC (not ARM PC), you have control over Secure Boot. You can choose to disable it or even add your own signing key. Organizations could use their own keys to ensure that only approved Linux operating systems can boot, for example.

Options to install Linux

You have several options for installing Linux on a Secure Boot PC:

  • Choose a Linux distribution that supports secure boot: Modern versions of Ubuntu, starting with Ubuntu 12.04.2 LTS and 12.10, will boot and install normally on most PCs with Secure Boot enabled. This is because the Ubuntu first stage EFI bootloader is signed by Microsoft. However, one Ubuntu developer points out that the Ubuntu bootloader is not signed with a key required by Microsoft’s certification process, but simply a key that Microsoft says is “recommended.” This means that Ubuntu may not boot on all PCs with UEFI. Users may need to disable Secure Boot to use Ubuntu on some PCs.
  • Disable Secure Boot: Secure Boot can be disabled, which trades its security benefits for the ability to make your PC boot anything, just as older PCs with a traditional BIOS do. This is also required if you want to install an older version of Windows that was not developed with Secure Boot in mind, such as Windows 7.
  • Add a signing key to the UEFI firmware: Some Linux distributions can sign their bootloaders with their own key, which you can add to your UEFI firmware. This doesn’t seem to be common right now.

You should check which process your preferred Linux distribution recommends. If you need to boot an older Linux distribution that doesn’t provide any information about it, you will need to disable Secure Boot.

You should be able to install current versions of Ubuntu, either the LTS version or the latest version, without a problem on most new PCs. See the last section for instructions on how to boot from a removable device.

How to disable secure boot

You can control Secure Boot from the UEFI Firmware Settings screen. To reach this screen, open the boot options menu in Windows 10 or Windows 11: click the power button on the Start menu and hold down Shift while clicking Restart. On Windows 11, this will look slightly different, but it’s the same operation.


Your computer will reboot to the advanced boot options screen. Click on the Troubleshoot option here.


You will then want to click on “Advanced Options” on the next screen.


And now, finally, you’re at the advanced options screen, which looks like it could have appeared on the last screen, but whatever. You can now click the UEFI Firmware Settings button here. (You may not see the UEFI Settings option on some Windows PCs, even if they came with UEFI; check your manufacturer’s documentation for information on how to get to the UEFI settings screen in this case.)


You will be taken to the UEFI setup screen, where you can choose to disable Secure Boot or add your own key. This will look different on every computer, and probably won’t be as blurry on your real-life computer.

You can boot from removable media by accessing the boot options menu in the same way: hold down the Shift key while clicking the Restart option. Insert the boot media of your choice, select “Use a device,” and select the device you want to boot from.

After booting from the removable device, you can either install Linux as you normally would, or just use the live environment from the removable device without installing it.
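Once Linux is running, you can confirm what the firmware is actually enforcing by reading the UEFI variables it exposes. The following is an added example, not part of the original article; it assumes a Linux system with efivarfs mounted at /sys/firmware/efi/efivars, and the function names and state labels are illustrative.

```python
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b2c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed mount point


def parse_efivar_byte(raw: bytes) -> int:
    """Return the 1-byte value of an efivarfs file.

    efivarfs prefixes the variable data with a 4-byte attribute word,
    so a one-byte variable is exactly 5 bytes on disk.
    """
    if len(raw) != 5:
        raise ValueError(f"expected 4 attribute bytes + 1 data byte, got {len(raw)}")
    return raw[4]


def classify(secure_boot: int, setup_mode: int) -> str:
    """Map the SecureBoot and SetupMode variables to a state label."""
    if setup_mode == 1:
        return "setup-mode"   # no Platform Key enrolled, nothing is enforced
    if secure_boot == 1:
        return "enabled"      # firmware verifies boot loader signatures
    return "disabled"         # keys enrolled, enforcement turned off


def secure_boot_state(efivars: Path = EFIVARS) -> str:
    """Read the state from efivarfs; 'not-uefi' if the variables are absent."""
    sb = efivars / f"SecureBoot-{EFI_GLOBAL}"
    sm = efivars / f"SetupMode-{EFI_GLOBAL}"
    if not sb.is_file():
        return "not-uefi"     # legacy BIOS/CSM boot, or efivarfs not mounted
    setup = parse_efivar_byte(sm.read_bytes()) if sm.is_file() else 0
    return classify(parse_efivar_byte(sb.read_bytes()), setup)


if __name__ == "__main__":
    # Constructed sample: attributes 0x00000006 followed by the value 1.
    sample = bytes.fromhex("0600000001")
    print("sample parses to", parse_efivar_byte(sample))
    print("this machine:", secure_boot_state())
```

A result of "disabled" after you expected Secure Boot to be on, or "setup-mode" on a machine that shipped with keys, means the firmware settings changed and is worth investigating.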


Note that Secure Boot is a useful security feature. You should leave it enabled unless you need to run operating systems that will not boot with Secure Boot enabled.
