Why Qubes won't UEFI boot on Macbook Air and why it isn't fixed?
Guerlan
This is just a question to learn more about booting, I'm interested :)
carlos.mas...@gmail.com
> I've just found how to install Qubes on my Macbook Air 2011. It requires me to activate BIOS booting. Why Qubes won't UEFI boot on my mac? Why it wasn't fixed in the update?
>
> This is just a question to learn more about booting, I'm interested :)
Hi, I just installed 3.2 on a MacBook Pro 2014. UEFI won't work but you can always install it without EFI in legacy mode. For me (with a 2014 model) I just had to use a USB 2.0 flash drive and it allowed me to boot legacy using rEFInd
Guerlan
cez...@gmail.com
> but why it won't work? I was intersted in the reason behind this, and why it wasn't fixed. Also, did you install rEFInd before?
UEFI and booting up through EFI should work just fine on most systems, however without secure boot enabled. If your motherboard allow it, disable your secure boot, or delete your secure boot keys. Some systems want you to do both to actually disable it fully, simply disabling it might not be enough without removing your keys also.
Notice however, if you delete your secure boot keys, you will break any currently installed OS's relying on the secure boot keys. For example typical windows installations, but even other Linux systems using the keys will break. I have no idea about MacOS, but be sure to check before you delete your keys.
Some motherboards allow you to backup your keys too, which might be an option if you just want to test it. But do your research and make backups before you take such risks.
Once secure boot is disabled, you should be able to install with UEFI and load the EFI boot files.
It's likely secure boot causing the problem, not UEFI/EFI.
So in conclusion, legacy boot is definitely not the only option to install Qubes.
I believe the reason is Qubes is still not supported in the secure boot keys, rather than a bug. There are UEFI bugs too, but it's supposed to be on few systems, unless you have Lenovo where UEFI bugs apparently happens frequently.
Guerlan
cez...@gmail.com
> Its a macbook air 2011. So old it doesn't have secure boot :(
True, it might not work since it's that old, irregardless of secure boot.
Found this too, https://forums.macrumors.com/threads/macbook-air-2013-is-the-first-mac-that-supports-efi-booting-on-windows-natively.1600147/
It's EFI Windows on Mac 2013, so it might be the same issue with Linux EFI support too on older Mac's.
I don't follow MacOS development much, but it does indeed seem like it is lack of UEFI support in older Macbook versions, or at the very least a likely hunch/guess.
I guess you could say that the reason it won't work on older models is the lack of support, while in contrast on modern models it is a question of having the right matching secure boot keys between hardware and the OS to boot/install. Beyond that, there are a few UEFI machines that are bugged and doesn't work properly.
Guerlan
cez...@gmail.com
> But it does support UEFI, as I already installed arch linux in uefi mode. So if it supports, why it won't boot qubes?
Unfortunately knowledge is limited on that, the first I would guess would be wrong secure boot keys, but as you said you have no secure boot on your system.
However as memory serves, secure boot isn't always possible to disable or even detect. Perhaps this is the case with your machine? As such, Arch might have a secure key that works with your 2011 UEFI with force enabled secure boot. While Qubes isn't using a key, which will be allowed to be install.
As far as I know, secure boot is as old as UEFI, or at least older than 2011.
I don't know for sure, but if I had to guess, it's probably that secure boot might be there without realizing it. Even if there are no settings available for it, therefore it won't be obvious if secure boot is running in the background during boot.
Basically it comes down to tracking if secure boot is really there (hidden) or not, before you can eliminate it as a source to the problem.
cez...@gmail.com
> But it does support UEFI, as I already installed arch linux in uefi mode. So if it supports, why it won't boot qubes?
https://en.wikipedia.org/wiki/Secure_boot
Apparently Apple uses something else, which apparently even predates secure boot.
This however might also give a clue as to why Linux Arch/Windows works, while Qubes isn't, at at least on a 2011 version of Apple's, unless Qubes uses an old key.
cez...@gmail.com
> But it does support UEFI, as I already installed arch linux in uefi mode. So if it supports, why it won't boot qubes?
So to be clear, if your Apple machine only boots operating systems which has the correct key, and you cannot disable this on this system, then you are forced to only boot systems which has this specific encryption key.
If I understood it right, the systems holds the public keys, while the installation medium is signed with an encrypted private key. If the public key cannot open it, then you cannot boot.
Apple is pretty known for "locking down" user choice, it wouldn't surprise me if all this is hidden and you can't see it, especially if they had something in place even before Microsoft and 'Secure Boot' was a thing.