HP DM1-4341: UEFI Secure Boot, Windows8 backup and OS install?

[David]

Hi,

[Apologies if the cross-post to uk.comp.homebuilt is inappropriate, but
uk.comp.os.ms-windows seems to be less than lively, and u.c.h seems to
be by far the most healthy of the reasonably-appropriate uk.comp.*
groups..]


I have just bought a new laptop (HM DM1-4341), which is a UEFI-based
laptop with Secure Boot enabled and Window 8 [sic] pre-installed.

I am not going to use W8 and am going to install Linux (probably Debian)
on the laptop. However, I don't want to discard the W8 install media
just in case I need to re-set the laptop to return it for service, etc.
Oh, that's apart from the fact that there *isn't* any install media, of
course <sigh>; we have to make our own from the recovery partition on
the hard disk. (Why do MS make this such a faff? If it's slightly/moderately
taxing for experienced computer users to have to do this, what hope is
there for the typical "it should just work" non-technical user? And what
if the reason you need to reinstall is because the hard disk has died
and so the recovery partition is unavailable? What a shoddy 'product'..
Yes, the lack of install media has been long grumbled over, but it makes
me feel a _little_ better to also take my turn to stoke that particular
fire..)

OK, first thing is to try to find out how to actually create the install
media and even that's not easy.. You'd think you'd get prompted about
this after logging in (seeing as how losing your OS if your disk dies
might just spoil your day a tiny bit). Nope. Nothing about it that I
could find in "Control Panel" or "Change PC settings" (why on earth
are there *2* separate control panels?) either. Windows Help and the
supposedly all-knowing search box don't seem to know anything about
creating install discs either..

I finally found what I was looking for in "HP Utility Center" (an
unhelpful name automatically suggestive of useless crapware/spyware
("Are you really, really, really sure that I can't interest you in a
Genuine HP printer cartridge?")). This is where a traditional applications
menu (rather than the computer-unfriendly "start screen" - I'll grudgingly
accept that it might work OK on tablets, but not anywhere where you want
real multi-tasking work done with minimal interruption to concentration)
would have come in useful: if all else failed, you could have scoured
through every sub-menu in "All Programs" and would have eventually have
found the requisite program.. (Search is no help if you don't know the
name of what you are looking for.)


Now that I've finally found the right program, it seems that I can choose
to create install media on a USB stick or on 'optical media' (I assume
this will take several DVDs as a 16 GB USB stick is otherwise required).
The laptop doesn't have an optical disc drive, but I have a external USB
DVD drive, so that wouldn't be a problem, at least (I'm not going to
fork out for a USB stick just for a crappy Windows backup that, for
pennies in DVD costs, should come with every end-user Windows copy *by
right*).

Assuming that I can make my recovery DVDs with no problems, what next?
UEFI and Secure Boot are a whole new world of inconvenience to me. For my
Linux install, I think I will just remove W8 (rather than shrink its
partition and just not use it - assuming that even doing that doesn't
cause Secure Boot and W8 fatal conniptions because something has changed?)

I'm assuming that I'll need to turn off Secure Boot to install Linux,
and possibly may need to enable "Legacy Support" (BIOS boot mode rather
than UEFI boot mode) as well.

Just out of curiosity, what effect would these steps have on the current
W8 installation (or on re-installing W8 from the recovery DVDs later: I
realise that this would wipe my Linux install, but: 1. backups, 2. if I
actually needed to re-install W8, that would be the least of my
worries..). Would W8 still boot with Secure Boot disabled, or would it
have a panic?

Further poking around the UEFI menus seems to suggest that, as well as
the W8 partition and the recovery partition, there is also some sort of
EFI partition on the disk as well?

If I pick: F9 Boot Device Options

I then get a menu:

OS boot Manager
Boot From EFI File

(I'm guessing that "OS boot Manager" means the *W8* boot manager: I
assume that trying to set up a W8/Linux dual-boot would probably cause
me more hassle here as I suspect that their respective boot managers no
longer play nice with each other? However, as long as I have working
recovery DVDs I'm not actually bothered about keeping W8 on the disk..)

"Boot From EFI File" gets you into a text-mode file manager for this EFI
disk partition. Select the disk, and then you have:

EFI/ (see below)
boot/ (seems to be empty)

EFI/
Microsoft/Boot/ (contains various language packs,etc, and .efi files)
Boot/bootx64.efi (I'm guessing a bootloader of some kind, for what?)
HP/ (system diagnostics, BIOS manager, yet more boot files..)

These are clearly areas that I don't want to go meddling in, but just
out of curiosity (if not getting too off-topic) does anybody know (in
fairly simple/brief terms) what this stuff all does (sorry, I forgot
that we're not supposed to look behind the green curtain nowadays..)?


There is also the boot option: F11 System Recovery

This loads up a fairly fancy recovery utility. I'm guessing this comes
from the hard disk rather than within the UEFI, in which case it seems
like I'd maybe better be careful about removing (or perhaps rather not)
the EFI disk partition?

Fancy it may look, but helpful it isn't. It's not immediately clear how
I would use this recovery utility to reinstall Windows from the DVDs, or
whether it can only use the files on the recovery partition (or on the
Windows partition, wherever they are?) to "refresh or reset your PC"?

Soooo, I guess my question here is: do I need to keep the EFI partition
and the Windows recovery partition, no matter what I do to the rest of
the hard disk? Or, once I've created the recovery DVDs, will I be able
to wipe the rest of the disk entirely? (Although, if it looks as though
the EFI partition has various HP UEFI utilities on it, probably I will
want to keep that..).


<sigh> This is all so much harder than it used to be.. :-(

Many thanks for any advice,

David.

[Bill]

In message <slrnkg7rum...@oregano.local.lan>, David
<da...@bogus.domain.dom.invalid> writes

>
>
>
>I have just bought a new laptop (HM DM1-4341), which is a UEFI-based
>laptop with Secure Boot enabled and Window 8 [sic] pre-installed.
>
>I am not going to use W8 and am going to install Linux (probably Debian)
>on the laptop. However, I don't want to discard the W8 install media
>just in case I need to re-set the laptop to return it for service, etc.
>

Is this any use? I have never heard of UEFI, so I suppose I'd better go
off and look it up.

http://arstechnica.com/information-technology/2012/12/using-windows-8s-hi
dden-backup-to-clone-and-recover-your-whole-pc/
--
Bill

[BillW50]

If you don't get any answers, I think those in the
"alt.comp.os.windows-8" newsgroup can help you with this.

--
Bill
Motion Computing LE1700 ('09 era) - Thunderbird v12
Centrino Core2 Duo L7400 1.5 GHz - 2GB RAM
Windows XP Tablet PC Edition 2005 SP2

[Richard Kettlewell]

David <da...@bogus.domain.dom.invalid> writes:
> I have just bought a new laptop (HM DM1-4341), which is a UEFI-based
> laptop with Secure Boot enabled and Window 8 [sic] pre-installed.
>
> I am not going to use W8 and am going to install Linux (probably Debian)
> on the laptop. However, I don't want to discard the W8 install media
> just in case I need to re-set the laptop to return it for service, etc.
> Oh, that's apart from the fact that there *isn't* any install media, of
> course <sigh>; we have to make our own from the recovery partition on
> the hard disk. (Why do MS make this such a faff? If it's slightly/moderately
> taxing for experienced computer users to have to do this, what hope is
> there for the typical "it should just work" non-technical user? And what
> if the reason you need to reinstall is because the hard disk has died
> and so the recovery partition is unavailable? What a shoddy 'product'..
> Yes, the lack of install media has been long grumbled over, but it makes
> me feel a _little_ better to also take my turn to stoke that particular
> fire..)

The bulk of the target audience take their computers to a shop to be
repaired when they stop working for any reason. They're not going to do
OS reinstalls or hard disk replacements themselves.

[...]

> Assuming that I can make my recovery DVDs with no problems, what next?
> UEFI and Secure Boot are a whole new world of inconvenience to me. For my
> Linux install, I think I will just remove W8 (rather than shrink its
> partition and just not use it - assuming that even doing that doesn't
> cause Secure Boot and W8 fatal conniptions because something has changed?)
>
> I'm assuming that I'll need to turn off Secure Boot to install Linux,
> and possibly may need to enable "Legacy Support" (BIOS boot mode rather
> than UEFI boot mode) as well.

Depends what distribution you want to install; some support secure boot
now and others will probably get there in the end.
http://mjg59.dreamwidth.org/20522.html is a fairly recent summary.

> Just out of curiosity, what effect would these steps have on the current
> W8 installation (or on re-installing W8 from the recovery DVDs later: I
> realise that this would wipe my Linux install, but: 1. backups, 2. if I
> actually needed to re-install W8, that would be the least of my
> worries..). Would W8 still boot with Secure Boot disabled, or would it
> have a panic?

Windows 8 certainly *can* boot off disks which use MBR partitioning and
no secure boot at all.

> Further poking around the UEFI menus seems to suggest that, as well as
> the W8 partition and the recovery partition, there is also some sort of
> EFI partition on the disk as well?

Presumably http://en.wikipedia.org/wiki/EFI_System_partition

> If I pick: F9 Boot Device Options
>
> I then get a menu:
>
> OS boot Manager
> Boot From EFI File
>
> (I'm guessing that "OS boot Manager" means the *W8* boot manager: I
> assume that trying to set up a W8/Linux dual-boot would probably cause
> me more hassle here as I suspect that their respective boot managers no
> longer play nice with each other? However, as long as I have working
> recovery DVDs I'm not actually bothered about keeping W8 on the disk..)

http://h30434.www3.hp.com/t5/Notebook-Operating-Systems-e-g-Windows-8-and-Software/quot-An-error-occured-with-the-boot-selection-verify-media/td-p/1630049

...sheds a little light on this point in the context of HP systems.

> "Boot From EFI File" gets you into a text-mode file manager for this EFI
> disk partition. Select the disk, and then you have:
>
> EFI/ (see below)
> boot/ (seems to be empty)
>
> EFI/
> Microsoft/Boot/ (contains various language packs,etc, and .efi files)
> Boot/bootx64.efi (I'm guessing a bootloader of some kind, for what?)

That’s the fallback bootloader path; presumably it’ll be a copy of the
Windows boot manager in this case.

--
http://www.greenend.org.uk/rjk/

[TMack]

On Sat, 26 Jan 2013 15:01:42 +0000, David wrote:

> Hi,
>
> [Apologies if the cross-post to uk.comp.homebuilt is inappropriate, but
> uk.comp.os.ms-windows seems to be less than lively, and u.c.h seems to
> be by far the most healthy of the reasonably-appropriate uk.comp.*
> groups..]
>
>
> I have just bought a new laptop (HM DM1-4341), which is a UEFI-based
> laptop with Secure Boot enabled and Window 8 [sic] pre-installed.

I think your best option would be to remove the existing hard disk, turn
off secure boot and use a replacement disk for your Linux install. That
way, if you ever need to return to the original configuration you can just
put the original disk back in.

--
Tony
'09 FJR1300, '04 Ducati ST3, '87 TW200,
'94 PC800, OMF#24

[Andrew]

"TMack" wrote in message news:ke3uf5$ajl$2...@dont-email.me...

> I think your best option would be to remove the existing hard disk, turn
> off secure boot and use a replacement disk for your Linux install. That
> way, if you ever need to return to the original configuration you can just
> put the original disk back in.

Or just image the existing disk to a file on an external USB drive and keep
the image handy in case you want to put it back.

[David]

Bill wrote in uk.comp.sys.laptops
about: Re: HP DM1-4341: UEFI Secure Boot, Windows8 backup and OS install?

> In message <slrnkg7rum...@oregano.local.lan>, David
><da...@bogus.domain.dom.invalid> writes
>>
>>I have just bought a new laptop (HM DM1-4341), which is a UEFI-based
>>laptop with Secure Boot enabled and Window 8 [sic] pre-installed.
>>
>>I am not going to use W8 and am going to install Linux (probably Debian)
>>on the laptop. However, I don't want to discard the W8 install media
>>just in case I need to re-set the laptop to return it for service, etc.
>>
>
> Is this any use? I have never heard of UEFI, so I suppose I'd better go
> off and look it up.

UEFI is essentially the replacement for BIOS. One of its features is
Secure Boot, which may or may not be a good thing in theory (my gut
feeling is "not", since it puts control over the PC in the hands of the
manufacturer, which is the antithesis of what the PC is about, or at
least was about, back in the day..), but in practice it makes installing
anything other than W8 on a W8 computer a hassle - this includes older
(ie, less horrible) versions of Windows as well.. :-( And I can see it
being a real hassle for everybody's favourite utility/rescue/anti-malware
boot CDs too..

Secure Boot being enabled (although it must be able to be disabled if
desired) is one of MS's requirements for W8 branding, so pretty much
every PC is going to have UEFI rather than BIOS from now on (possibly
that's a good thing in general, Secure Boot notwithstanding, since BIOS
dates all the way back to the origin of the IBM-PC and may well be due
rethinking..). Apple already switched to EFI (an earlier incarnation of
UEFI) on their PCs some time ago.

> http://arstechnica.com/information-technology/2012/12/using-windows-8s-hi
> dden-backup-to-clone-and-recover-your-whole-pc/

Thanks, that looks useful, but not quite what I'm after: it seems to be
about doing a full disk backup, I just want to know how to make install
media from the recovery partition so that I can resize/wipe some/all of
the partitions from the disk in order to install a different OS.


David.

[David]

Richard Kettlewell wrote in uk.comp.sys.laptops

about: Re: HP DM1-4341: UEFI Secure Boot, Windows8 backup and OS install?

> David <da...@bogus.domain.dom.invalid> writes:
[..]

>> Yes, the lack of install media has been long grumbled over, but it makes
>> me feel a _little_ better to also take my turn to stoke that particular
>> fire..)
>
> The bulk of the target audience take their computers to a shop to be
> repaired when they stop working for any reason. They're not going to do
> OS reinstalls or hard disk replacements themselves.

That's true, I suppose. It's easy to forget that computers are complete
'black boxes' to most people! But they should still provide recovery
discs, even if all the user does is loan them to the repair shop when
the shop does a reinstall. As it is: "Oh, your hard disk has died..? You
don't have the install discs? I'm afraid you'll have to buy a new
full-price copy of Windows..[1] " - I genuinely can't believe that
Microshit (I think I can justify that description here) thinks that's an
acceptable level of service for their customers. Anyway, this is a rant
that has been done many times, I just felt better for doing it myself
too.. ;-)

[1] ..or possibly, "Let me see what I can find underneath the
counter..", depending on the repair shop.. ]]

> [...]
>> Assuming that I can make my recovery DVDs with no problems, what next?
>> UEFI and Secure Boot are a whole new world of inconvenience to me. For my
>> Linux install, I think I will just remove W8 (rather than shrink its
>> partition and just not use it - assuming that even doing that doesn't
>> cause Secure Boot and W8 fatal conniptions because something has changed?)

Do you happen to know what W8's reaction to switching off Secure Boot
would be? Would it still boot, or would it throw a panic? Would it have
to be re-installed to work with Secure Boot disabled? (Not that the
recovery DVDs would allow that sort of installation configuration, I
expect!). As I said, I'm not bothered at all about keeping W8 on the
computer (I'm half-inclined to install W7 for the few occasions I might
want to use it (my workplace Windows licensing allows home use), but I'm
not sure I could be bothered with the driver hunt that I'm sure would be
required, let alone everything else..)

>> I'm assuming that I'll need to turn off Secure Boot to install Linux,
>> and possibly may need to enable "Legacy Support" (BIOS boot mode rather
>> than UEFI boot mode) as well.
>
> Depends what distribution you want to install; some support secure boot
> now and others will probably get there in the end.
> http://mjg59.dreamwidth.org/20522.html is a fairly recent summary.

Thanks, I realise that there are some distros supporting Secure Boot
(from that page, more than I'd realised, actually), but it sounds like
even installing one of those would be a bit of hassle. As far as Linux
is concerned (when I get to that stage!), I think I'd just disable
Secure Boot and set the UEFI to legacy/BIOS boot mode (if necessary),
"for an easy life".

>> Just out of curiosity, what effect would these steps have on the current
>> W8 installation (or on re-installing W8 from the recovery DVDs later: I
>> realise that this would wipe my Linux install, but: 1. backups, 2. if I
>> actually needed to re-install W8, that would be the least of my
>> worries..). Would W8 still boot with Secure Boot disabled, or would it
>> have a panic?
>
> Windows 8 certainly *can* boot off disks which use MBR partitioning and
> no secure boot at all.

Thanks, that's useful to know. Does it need to be installed *after* the
UEFI has been reconfigured appropriately, or would the existing install,
which is presumably expecting a Secure Boot environment, continue to
work? (Given that Secure Boot presumably affects, err, things, at a,
err, very low level, I can't help but think it would cause it some
problems?)

>> Further poking around the UEFI menus seems to suggest that, as well as
>> the W8 partition and the recovery partition, there is also some sort of
>> EFI partition on the disk as well?
>
> Presumably http://en.wikipedia.org/wiki/EFI_System_partition

Ahh.. oops, usually I *always* look up unknown things in Wikipedia first
of all, I guess here there is just too much new and unknown for me to
cope with (genuinely: for the first time in a *long* time, I'm feeling
distinctly uneasy about trying to use a new computer - you can easily
see how non-techie types get uncomfortable!), and I didn't even think to
look on this occasion..

OK, so it sounds like it might not be the best idea to delete the EFI
System partition (when I get to the re-partition stage). I'm guessing
that it would be ignored if the computer is booting in legacy/BIOS mode,
though?

>> If I pick: F9 Boot Device Options
>>
>> I then get a menu:
>>
>> OS boot Manager
>> Boot From EFI File
>>
>> (I'm guessing that "OS boot Manager" means the *W8* boot manager: I
>> assume that trying to set up a W8/Linux dual-boot would probably cause
>> me more hassle here as I suspect that their respective boot managers no
>> longer play nice with each other? However, as long as I have working
>> recovery DVDs I'm not actually bothered about keeping W8 on the disk..)
>
> http://h30434.www3.hp.com/t5/Notebook-Operating-Systems-e-g-Windows-8-and-Software/quot-An-error-occured-with-the-boot-selection-verify-media/td-p/1630049
>
> ...sheds a little light on this point in the context of HP systems.

Thanks, that's useful/interesting ..but scarey! :-(

I'm hoping I won't have to go meddling with the EFI partition at all
(or that the Linux installer will do what it needs to do (if it needs
to do..) when I get to that stage). This is all well over my head!

>> "Boot From EFI File" gets you into a text-mode file manager for this EFI
>> disk partition. Select the disk, and then you have:
>>
>> EFI/ (see below)
>> boot/ (seems to be empty)
>>
>> EFI/
>> Microsoft/Boot/ (contains various language packs,etc, and .efi files)
>> Boot/bootx64.efi (I'm guessing a bootloader of some kind, for what?)
>
> That’s the fallback bootloader path; presumably it’ll be a copy of the
> Windows boot manager in this case.

I see (I think.. ;-)).

Mind if I ask some more questions about this (since you seem to know
about this!)? I was just asking out of sheer curiosity - it's always
useful to try to get an understanding (even if limited!) of how things
work..

So... am I right in thinking that when a computer is booting in UEFI
mode, it uses the EFI partition for the initial stages of the desired OS
boot (sort of like an updated version of how the MBR starts off the boot
into the computer's OS (eg, Windows loader, or GRUB (etc) for booting
Linux (etc)))?

Again, just out of curiosity, what's the "fallback bootloader path" that
you mentioned? Would that be the default place that the UEFI looks to
boot from if somewhere else isn't already specified in the firmware
settings (I presume that W8 PCs ship with the path to the W8 bootloader
set by default)?

And (if it's not a Hard Question), so where does Secure Boot come into
this? Does it basically just check that the .efi file that it has been
told to boot(?) from has been signed with the key, or is there rather
more to it than that?


Thanks for your advice and useful explanations!


David.

[David]

Andrew wrote in uk.comp.sys.laptops

about: Re: HP DM1-4341: UEFI Secure Boot, Windows8 backup and OS install?

> "TMack" wrote in message news:ke3uf5$ajl$2...@dont-email.me...
>
>> I think your best option would be to remove the existing hard disk, turn
>> off secure boot and use a replacement disk for your Linux install. That
>> way, if you ever need to return to the original configuration you can just
>> put the original disk back in.

Yeah, I guess I could, but that would involve having to spend money on a
spare disk, which I wouldn't be keen on.. ;-(

> Or just image the existing disk to a file on an external USB drive and keep
> the image handy in case you want to put it back.

Ah, maybe (I'd still rather just create the recovery DVDs, though..). I do
have a spare USB drive not currently in use.

This raises a question, though. With all the joys of Secure Boot, how am
I able to boot the boot media for the imaging software in the first
place (and, if necessary, restore the image again appropriately working)..?
(I'm assuming that I can't install some imaging software in Windows and
attempt to image the disk while it is actually in use!)

I guess I'd have to disable Secure Boot first, than then boot the
imaging software (any (free) recommendations? The only imaging software
I have ever used (some time ago) was Clonezilla, and I found it a bit
confusing/unfriendly..). But I'm still wondering whether disabling (and
then subsequently re-enabling? (would I need to?)) Secure Boot would make
the W8 installation have a tantrum.. (Sorry if I'm asking stupid questions,
but this is still all new to me)


Thanks,


David.

[Richard Kettlewell]

David <da...@bogus.domain.dom.invalid> writes:
> Richard Kettlewell wrote in uk.comp.sys.laptops
> about: Re: HP DM1-4341: UEFI Secure Boot, Windows8 backup and OS install?

>> Depends what distribution you want to install; some support secure boot
>> now and others will probably get there in the end.
>> http://mjg59.dreamwidth.org/20522.html is a fairly recent summary.
>
> Thanks, I realise that there are some distros supporting Secure Boot
> (from that page, more than I'd realised, actually), but it sounds like
> even installing one of those would be a bit of hassle. As far as Linux
> is concerned (when I get to that stage!), I think I'd just disable
> Secure Boot and set the UEFI to legacy/BIOS boot mode (if necessary),
> "for an easy life".

I think it’s fair to say you’d be an early adopter, at the moment.

>>> Just out of curiosity, what effect would these steps have on the current
>>> W8 installation (or on re-installing W8 from the recovery DVDs later: I
>>> realise that this would wipe my Linux install, but: 1. backups, 2. if I
>>> actually needed to re-install W8, that would be the least of my
>>> worries..). Would W8 still boot with Secure Boot disabled, or would it
>>> have a panic?
>>
>> Windows 8 certainly *can* boot off disks which use MBR partitioning and
>> no secure boot at all.
>
> Thanks, that's useful to know. Does it need to be installed *after* the
> UEFI has been reconfigured appropriately, or would the existing install,
> which is presumably expecting a Secure Boot environment, continue to
> work? (Given that Secure Boot presumably affects, err, things, at a,
> err, very low level, I can't help but think it would cause it some
> problems?)

I expect it would just work but I’ve no idea. My Windows 8 PC came
configured to use BIOS partitioning and I haven’t checked whether its
firmware even supports anything else (neither disk is large enough to
require GPT).

>> http://h30434.www3.hp.com/t5/Notebook-Operating-Systems-e-g-Windows-8-and-Software/quot-An-error-occured-with-the-boot-selection-verify-media/td-p/1630049
>>
>> ...sheds a little light on this point in the context of HP systems.
>
> Thanks, that's useful/interesting ..but scarey! :-(
>
> I'm hoping I won't have to go meddling with the EFI partition at all
> (or that the Linux installer will do what it needs to do (if it needs
> to do..) when I get to that stage). This is all well over my head!

I would expect an EFI-aware Linux installer to sort this out without
much pain for the user.

>>> "Boot From EFI File" gets you into a text-mode file manager for this EFI
>>> disk partition. Select the disk, and then you have:
>>>
>>> EFI/ (see below)
>>> boot/ (seems to be empty)
>>>
>>> EFI/
>>> Microsoft/Boot/ (contains various language packs,etc, and .efi files)
>>> Boot/bootx64.efi (I'm guessing a bootloader of some kind, for what?)
>>
>> That’s the fallback bootloader path; presumably it’ll be a copy of the
>> Windows boot manager in this case.
>
> I see (I think.. ;-)).
>
> Mind if I ask some more questions about this (since you seem to know
> about this!)? I was just asking out of sheer curiosity - it's always
> useful to try to get an understanding (even if limited!) of how things
> work..

Sure, but keep in mind that my knowledge of this is still fairly
superficial.

> So... am I right in thinking that when a computer is booting in UEFI
> mode, it uses the EFI partition for the initial stages of the desired OS
> boot (sort of like an updated version of how the MBR starts off the boot
> into the computer's OS (eg, Windows loader, or GRUB (etc) for booting
> Linux (etc)))?

Yes. It seems like an overdue innovation, given the nasty hacks that
(for instance) Linux bootloaders have used.

> Again, just out of curiosity, what's the "fallback bootloader path" that
> you mentioned? Would that be the default place that the UEFI looks to
> boot from if somewhere else isn't already specified in the firmware
> settings (I presume that W8 PCs ship with the path to the W8 bootloader
> set by default)?

I think that’s correct.

> And (if it's not a Hard Question), so where does Secure Boot come into
> this? Does it basically just check that the .efi file that it has been
> told to boot(?) from has been signed with the key, or is there rather
> more to it than that?

AFAIK that’s about it - it protects one link in the chain and nothing
else. Any further integrity protection is up to the boot loader it
loads, the OS kernel which that loads, etc etc etc.

--
http://www.greenend.org.uk/rjk/

[Daniel James]

In article <slrnkge2k6...@oregano.local.lan>, David wrote:
> UEFI is essentially the replacement for BIOS. One of its features is
> Secure Boot, which may or may not be a good thing in theory (my gut
> feeling is "not", since it puts control over the PC in the hands of the
> manufacturer, which is the antithesis of what the PC is about, or at
> least was about, back in the day..), but in practice it makes installing
> anything other than W8 on a W8 computer a hassle - this includes older
> (ie, less horrible) versions of Windows as well.. :-(

I think Secure Boot (but not necessarily in its current form) is more a
good thing than a bad one ... but the keys should be under the control of
the PC's owner, not of the manufacturer.

That is: The UEFI firmware should contain utilities that allow the user
(after supplying a superuser BIOS-type password) to install new keys to be
used for secure boot, and (if necessary) to delete any installed at the
factory. Ideally the keys would be stored in non-volatile memory on the
motherboards and there would be a physical switch that needed to be set to
allow updating of the key store, so that malware would never be able to
write there. Booting an OS would not be allowed while that switch was set,
so you'd *have* to reset it after managing the keys.

To install an OS you'd have to provide the key for that OS on physical
media (a USB drive or an optical disk, say) with the PC running the UEFI
utility in authorized mode. You would (of course) check that the key
material was from a trusted source before installing it. Having done that
you'd reset the write-enable switch and boot from your installation disk,
whose signature would be seen as valid using the new key.

Enterprises would be able to load only their own keys into their machines,
so that users would be unable to boot anything other than an enterprise-
approved image. The IT department would be able to test a new version of
$OS as much (or as little) as they wanted, customize it (remove solitaire),
and re-sign it with the enterprise key so that it could be run.

If Secure Boot were actually implemented in this way there would be no
problem. Motherboards would be shipped with just the signing keys of a few
common public CA's (VeriSign, etc) loaded, and shrink-wrapped OSes would be
supplied signed by one or more of those keys. Everything would just work,
and the user would have some confidence that the OS he was installing and
running had not been infected with malware.

> And I can see it being a real hassle for everybody's favourite
> utility/rescue/anti-malware boot CDs too..

As it stands, yes. Done properly the CD would be signed by its author using
a key signed by one of the standard CA keys known to the UEFI software. The
UEFI boot system would pop up a message saying "You seem to be trying to
boot from a CD containing "everybody's favourite rescue tools", signed by
"Everybody's Favourite Corp", the signature is valid ... do you wish to
continue?

[In an enterprise you'd have to get IT Support to resign the CD using the
Enterprise's own key ... you can't have lusers running unauthorized
utilities on their PCs ...]

> Secure Boot being enabled (although it must be able to be disabled if
> desired) is one of MS's requirements for W8 branding, so pretty much

> every PC is going to have UEFI rather than BIOS from now on ...

I'm not sure about that ... W8 certainly boots just fine on machines that
don't have UEFI at all, and so can't have Secure Boot at all. Do Microsoft
allow W8 branding for PCs with a normal BIOS at all?

The main reason for wanting to have UEFI is because it supports GPT disk
partitioning, which allows disks larger than 2.1TB ... though I think it
will still be a few years before disks that large become commonplace in
bog-standard home or office PCs.

Cheers,
Daniel.

[Daniel James]

In article <slrnkge71d...@oregano.local.lan>, David wrote:
>>> I think your best option would be to remove the existing hard disk,
>>> turn off secure boot and use a replacement disk for your Linux
>>> install. That way, if you ever need to return to the original
>>> configuration you can just put the original disk back in.
>
> Yeah, I guess I could, but that would involve having to spend money
> on a spare disk, which I wouldn't be keen on.. ;-(

It's exactly what I did when I got this laptop ... but I was upgrading the
disk anyway because the one it came with was a low-capacity 5400rpm drive.

Cheers,
Daniel.

[David]

Daniel James wrote in uk.comp.sys.laptops

>
> That is: The UEFI firmware should contain utilities that allow the user
> (after supplying a superuser BIOS-type password) to install new keys to be
> used for secure boot, and (if necessary) to delete any installed at the
> factory. Ideally the keys would be stored in non-volatile memory on the
> motherboards and there would be a physical switch that needed to be set to
> allow updating of the key store, so that malware would never be able to
> write there. Booting an OS would not be allowed while that switch was set,
> so you'd *have* to reset it after managing the keys.

[snip, just for brevity..]

Yes, the implementation you suggest seems pretty reasonable and
sensible, in fact! Unfortunately, we are where we are now, and I suspect
there are too many vested interests (well, at least one) and too much
money spent to change things "going forward" (ugh, I hate that
phrase..). :-(

>> Secure Boot being enabled (although it must be able to be disabled if
>> desired) is one of MS's requirements for W8 branding, so pretty much
>> every PC is going to have UEFI rather than BIOS from now on ...
>
> I'm not sure about that ... W8 certainly boots just fine on machines that
> don't have UEFI at all, and so can't have Secure Boot at all.

Indeed.

> Do Microsoft allow W8 branding for PCs with a normal BIOS at all?

I believe not. I read somewhere (well, various places, because it's come
up a lot as regards the switch-offable-ness of Secure Boot) that one of the
conditions for a (new) computer getting the special Window 8 sticker of
sparkliness is that it must ship with Secure Boot enabled (hence being a
UEFI-based system is implicit) but able to be disabled (unless it's an
ARM device, bah..).

So, indeed, people can "upgrade" [sic] to W8 an existing older computer (that
may not be UEFI-based and even if it was (UEFI computers have been
becoming increasingly common over the past year or so), wouldn't have
had Secure Boot enabled (or possibly even present?)), but they wouldn't
get the sticker(!). (I'm assuming that you never got a sticker (that's
the "Compatible with Windows [version]" sticker, not the licence
sticker), if you bought a retail version of Windows in the past anyway,
rather than it coming with the computer?)

> The main reason for wanting to have UEFI is because it supports GPT disk
> partitioning, which allows disks larger than 2.1TB ... though I think it
> will still be a few years before disks that large become commonplace in
> bog-standard home or office PCs.

I suspect that either "a few years" will be <2 years (I've seen computers
on sale with 1 TB disks already) for all but lower-end models (although
the shift to SSD may slow the size growth, with SSDs gradually catching
up (in capacity/affordability) with _current_ disk drive sizes first),
or that the "your data is our data" Borg collective will have convinced
enough mugs to put their data in teh cloudz by then, that computer hard
disks (except for servers) stop getting significantly larger.. :-(


David.

[Daniel James]

In article <slrnkh3cde...@oregano.local.lan>, David wrote:
> Yes, the implementation you suggest seems pretty reasonable and
> sensible, in fact! Unfortunately, we are where we are now, and I suspect

> there are too many vested interests ...

True enough.

> I read somewhere (well, various places, because it's come up a lot as
> regards the switch-offable-ness of Secure Boot) that one of the
> conditions for a (new) computer getting the special Window 8 sticker
> of sparkliness is that it must ship with Secure Boot enabled (hence
> being a UEFI-based system is implicit) but able to be disabled (unless
> it's an ARM device, bah..).

I like "sticker of sparkliness"!

Wouldn't it be nice to see manufacturers proudly proclaiming that their
new shiny is NOT certified for Windows 8? It'd still run W8, but wouldn't
be sparkly enough for Microsoft's lock-in criteria.

That'd be particularly interesting on an ARM device, because then the
manufacturers would be able to sell a tablet with Win8 (if they thought
that was sensible) but not preclude the possibility of the purchaser
reflashing it with something else after purchase.

Yes, I want to see a "Better than Microsoft-Certified" sticker!

> So, indeed, people can "upgrade" [sic] to W8 an existing older

> computer (that may not be UEFI-based ...

Indeed. I have used one of my MSDN "development only" W8 licences to carry
out a fresh W8 install on a spare drive installed /pro tem/ in an Athlon
X2 box (which more often runs XP64 or Debian) ... I have now done the
little bit of compatibility testing that I needed to do -- and experienced
the $DEITY-awful GUI first hand -- and I'm wondering whether I now need to
boil the HDD (or, indeed, the whole PC) in Dettol and consign it to a
skip, or whether reformatting will be sufficient to excise the demons ...

>> The main reason for wanting to have UEFI is because it supports GPT
>> disk partitioning, which allows disks larger than 2.1TB ... though I
>> think it will still be a few years before disks that large become
>> commonplace in bog-standard home or office PCs.
>
> I suspect that either "a few years" will be <2 years (I've seen

> computers on sale with 1 TB disks already) ...

So have I ... but disks larger than 1TB are still disproportionately
expensive, which makes them unlikely choices for box-assemblers with an
eye on the bottom line. Still, 2 years is a long time in computing.

> ... the shift to SSD may slow the size growth, with SSDs gradually
> catching up (in capacity/affordability) ...

That shift is price-driven, too ... though I think more people would be
prepared to pay more to get a faster disk than will be prepared to pay
more to get a disk that is larger than they will (possibly) ever use, so
SSDs (of current sizes) will probably sell in big numbers before very
large hard drives do.

That's not to say that there isn't demand for large amounts of storage,
just that I think a relatively small number of people care about having
more than (say) 1TB (and most of those that do want MANY TB).

> ... the "your data is our data" Borg collective will have convinced
> enough mugs to put their data in teh cloudz ...

The trouble with the cloud -- apart from the obvious issues of loss of
control -- is that it costs too much; in particular the data bandwidth to
access it is too slow, too unreliable (especially cellular data), and too
expensive. Fortunately most people don't seem to try to use it for more
than small amounts of data.

Cheers,
Daniel.

[Richard Kettlewell]

David <da...@bogus.domain.dom.invalid> writes:
> Daniel James wrote in uk.comp.sys.laptops

>> Do Microsoft allow W8 branding for PCs with a normal BIOS at all?
>
> I believe not. I read somewhere (well, various places, because it's
> come up a lot as regards the switch-offable-ness of Secure Boot) that
> one of the conditions for a (new) computer getting the special Window
> 8 sticker of sparkliness is that it must ship with Secure Boot enabled
> (hence being a UEFI-based system is implicit) but able to be disabled
> (unless it's an ARM device, bah..).

Read it here:
http://msdn.microsoft.com/en-us/library/windows/hardware/jj128256.aspx

Specifically, search for System.Fundamentals.Firmware.UEFISecureBoot.

--
http://www.greenend.org.uk/rjk/