Is it possible to boot a live Linux USB drive with fast boot and secure enabled?

Discussion in 'Linux' started by TrustMe, Mar 26, 2018.

  1. TrustMe

    TrustMe MDL Member

    May 2, 2013
    161
    49
    10
    I recently had an unusual situation with a relative’s computer. All the USB ports were disabled and the keyboard and mouse did not work. It booted to the splash screen and I could not get any further. It was because of Windows Update KB4074588.

    I tried to boot from a live Linux Mint USB drive to save all her personal files but it would not show in the boot menu. I later found out it was because of fast boot or secure boot. The flash drive was made for UEFI mode. I got around it by creating a live Windows 10 USB drive. The keyboard and mouse did work with the live Windows 10. I also used it to uninstall the update.

    This is what brought me to my question. Is it possible to just plug in a live Linux flash drive and have it boot when in UEFI mode? With no keyboard or mouse it was not possible to turn off fast boot. Does fast boot and secure boot always have to be disabled?
     
  2. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,167
    10,919
    340
    #2 Yen, Mar 26, 2018
    Last edited: Mar 26, 2018
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. TrustMe

    TrustMe MDL Member

    May 2, 2013
    161
    49
    10
    Thank you Yen for the detailed explanation. It sounds like secure boot and fast boot does need to be disabled. I wish I had her computer here to test this more. I don’t have one with UEFI.
     
  4. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    592
    837
    30
    Hello @TrustMe - I think a lot of problems associated with UEFI and Secure Boot originate with the OEM's themselves. Different OEM's have different ways of how to implement UEFI and Secure Boot settings within their BIOS settings, and not all are good. I'll give you two examples so you can judge for yourself.

    1.) I bought an HP Envy DV7-7333CL laptop back in the spring of 2013. It came with Windows 8 pre-installed. If you go into the BIOS settings, you find that there are two separate settings involved: one to enable or disable Legacy/CSM boot, and another to enable or disable Secure Boot. They are independent of each other with one exception: If you choose to enable Legacy/CSM boot, then by default Secure Boot is automatically disabled. And so you end up with three different boot configurations available: a.) UEFI mode enabled + Secure Boot enabled. b.) UEFI mode enabled + Secure Boot disabled. c.) Legacy/CSM mode enabled + Secure Boot disabled.

    2.) I'm a member of the Linux Mint forum, and about a year and a half ago, I tried to help a member who had just purchased a brand new Acer laptop with Windows 10 pre-installed. He hated Windows 10 and was desperately trying to install Linux Mint, but found himself in the same situation you described above, he could not boot the machine using a USB flash drive with Linux Mint. After a lot of back and forth discussion involving whether he verified the .iso and exactly how he created the USB flash drive, and after he tested the media on another laptop, we decided it was not the USB flash drive, it was something in his BIOS settings or the machine's hardware itself that was causing the problem. When I asked him what BIOS settings he had used, he replied that there was no setting available to enable/disable Secure Boot, there was only the option to enable or disable Legacy/CSM boot.

    After much head scratching, some Google searches, and some advice from another forum member, we figured out that unlike me, he only had two boot configurations available to him: UEFI with Secure Boot enabled, and Legacy/CSM with Secure Boot disabled. So the solution was to re-create the USB flash drive to use Legacy/CSM instead of UEFI, and after setting his BIOS accordingly, the machine booted into a live CD session. After that, it was only a matter of using Gparted to change the disk's partition table from GPT to MBR, and he was able to install Linux Mint with no problems at all.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. sml156

    sml156 MDL Member

    Sep 8, 2009
    128
    68
    10
    If she has Remote Desktop enabled or Team Viewer installed you could log on and reenable the USB, I had to do this for my Mum with the exact same problem
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  6. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,167
    10,919
    340
    #7 Yen, Mar 27, 2018
    Last edited: Mar 27, 2018
    Thanks John for those 2 practical examples.

    They both make perfect sense from the view of technical specifications.
    Secure boot is not specified on a MBR partition scheme and a CSR is mandatory to let an UEFI boot from a MBR.

    The difference of both examples is that the second one does not allow to boot a GPT without secure boot, means no other OS than windows can be booted from GPT without adding custom secure boot keys.
    This is a OEM political matter and pro windows OS and against freedom of choices.

    I myself would stay on MBR scheme either way (CSM/legacy mode enabled). There is no advance except to boot partitions which can be larger than 2 TB....secure boot from M$ does actually mean to make sure one stays at windows....from the aspect of security there is no real reason to use it.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. TrustMe

    TrustMe MDL Member

    May 2, 2013
    161
    49
    10
    My friend asked me to look at his computer which supports UEFI. I read that Ubuntu, openSUSE, and Fedora will boot with Secure Boot and Fast Boot enabled. I made a live USB of all three. Only Fedora was able to boot with them enabled. Now I have something to use in case Windows will not boot.
     
  8. fabre gastro

    fabre gastro MDL Junior Member

    May 29, 2018
    72
    23
    0
    yen you need to update your info. greg showed us how its done. if you can compile your own kernel.... Whats stopping you?
     
  9. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,167
    10,919
    340
    #11 Yen, May 31, 2018
    Last edited: May 31, 2018
    You're right. Nothing would stop me myself if I would have no other choice. With 'actually' I referred to the majority of people who either don't have the skills to do so or no interest to get familiar with it. The majority sticks to that what runs with the fewest of efforts.

    When I have the choice to let run another OS (Linux) without valid signature I would go for that before I'd tinker with signing and making efforts, though.

    ATM there are lots of kernel updates due to spectre/meltdown patches.

    We frequently do forget that that what we could manage the majority cannot. The MDL people are mostly more skilled that the average.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  10. TrustMe

    TrustMe MDL Member

    May 2, 2013
    161
    49
    10
    @fabre gastro
    Thank you for the link and the information. I’m going to try this.
     
  11. fabre gastro

    fabre gastro MDL Junior Member

    May 29, 2018
    72
    23
    0
    @TrustMe
    good luck!
    no issue mate, and i am glad i was of some help..... but this info is way old. the modern kernels are already presigned except in debian kernels.
    i will not ask in debian irc channels to speed up, whoever asks this gets to hear one line.
    "Stop being a prick, stop being a sucker, donate your effort as you are one of those many old timer debian user, and lastly stop being a gentoo ricer."
    its the last line which pisses me off, i am not a gentoo ricer, but i respect gentoo, so with other presigned kernel try your luck. if you need help feel free to ask.

    @Yen
    right on what more can i say, your bowl of dish your taste, i can not speak for others, they need to move their jaw. xD

    its not valid/invalid signature, its about you signing your own kernel. i think you misunderstood me or where i am pointing my finger.

    nawwwwwwwwwwwwwwwwwwwwww the never ending saga, kernel updates, i have given up on kernel updates, i like to roll my own kernel these days. One Size Fits All == Configuration/Customization/Fine-Tune Pain. but then again your plate of food your chopsticks and forks your hunger your choice.
    only if you could roll your own bios/firmware you will have much more peace of mind i assume.....

    Sometime its not the "skilled me" or "unskilled me" attitude, its the patience and love and attention which you only can provide to your device.
    Patience is the virtue..... and its "patience" which is lacking in almost all of us.
    sometime where skill and talent fails a little bit of patience works like a charm.
     
  12. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,167
    10,919
    340
    #14 Yen, Jun 4, 2018
    Last edited: Jun 4, 2018
    Nope. I've got you right... :)
    Yeah, you're right. Nobody is born 'skilled' but rather 'talented'.....I'd say before one comes with the needed patience motivation and interest have to be first.
    Nobody can be patient when there is no real interest....and for me something has to be reasonable or associated to joy before I get interested. And signing a boot.img (kernel) in order to have secure boot enabled only is NOT reasonable. It's just a bunch of efforts with no extra benefits. (Except the fun to do and to learn it). Secure boot is useless per se.


    Linux became popular (i.a.) even because one does not need to compile stuff from sources anymore.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. taviruni

    taviruni MDL Member

    May 8, 2010
    193
    112
    10
    #15 taviruni, Jun 4, 2018
    Last edited: Jun 4, 2018
    Totally agree, a new user of Linux is not usually capable of compile stuff, as he(she) is usually a Windows user, even if he(she) is an advanced user of Windows.
    Also totally agree that secure boot is only another way to force users to run Windows OS's and make things more difficult to install other OSs, secure boot is not usefull for nothing else, I always disable it, and enable CSM and use MBR partitions not GPT on OS HD. This allow me to use grub4dos to multiboot many Isos (Linux live and WinPE) from HD to make backups or repair the OS without need of external USB tools.
     
  14. fabre gastro

    fabre gastro MDL Junior Member

    May 29, 2018
    72
    23
    0
    I would partially agree and disagree and i do not know if i can be an example.
    I started using debian way back in 1998ish i was still a teenager back then. and in those days the main reason i opted linux because it was free (postal service was 1000 times cheaper than dial-up internet, forget broadband, it was a wet dream unless you got 128kbps ISDN), all i had to do was go to uni and download the OS from high speed lan lab and then the grueling fight with floppies and the installation.
    Plus i was more into full total hardware control. and lastly cheap freebie bastard attitude (i want the best but i will never spend a penny for it) kind of attitude got me to the linux world and till date ...... going strong.
    so its not motivation alone, finance and how miser you are, what kind of a control freak/wh0re you are and lastly GREED.
    basically it boils down to finance than anything else.
    and having an old 486 do what p2 can do at that money is PRICELESS.
    so motivation and interest is like some spiritual guru talking about rainbow universe high on heroin. i hate that part alone. if you had said finance i would have agreed without saying a word. after all its always MOHNEYYY!!

    agreed 100%. with one little add on. "Feed your own Greed." --- greed man(wo) best friend and bonus "laziness".
    why laziness, you f**king kidding me that i will run the same program again and again and again? horse s**t! why should i do all the work, let computer do it for me, i will only poke in if there is an error.
    so to sum it up, your 100% plus mine greedy laziness, combo plan.

    again 100% right and agreed.
    excellent marketing from canonical/redhat and suse, especially canonical, because we debian guys had no money for marketing. forget marketing we dont even spend a penny on advertisement. wink!
    and canonical/ubuntu made what we debian couldn't brainwash the public, that linux is good and like windows it also has the mouse click click option and the cli if you are either high on any narcotic or a university graduate or the debian version "yo man he installed ubuntu, coz he can't debootstrap..... hehe ... lulz (i dont meant to insult but this is the most interesting definition of ubuntu)"
    i personally doesn't like anything in ubuntu except its online nicely formatted online documentation.
    we debian guys are still stuck to RTFM!

    i agree totally.

    i do not fully/100% agree. but i do agree mostly around 95%. its not microsoft alone, poor bastard regular offender gets all the blame at times for not being the sole culprit.
    its more or less the hardware vendors who literally rape the firmware so that it gets mount everest difficult do install other OS or custom firmware like coreboot? forget coreboot its a fungal wet dream, period.
    because to the best of my knowledge MS has one major pki key rest are OEM/ODM. best example HP. simple plain mofo of the first order. but mainly "intel" and its hand in hand in bed partnering policy with many multi three lettered agencies around the world. more people commit suicide and die of malnutrition, allergies like pollen and peanut butter than terrorism, so horses**t to intels policy of tag teaming with three lettered agencies thus making life more difficult.
    if i remember correctly, i wanted to buy a minnowboard, before i did order my 3 rd raspberry pi, but seeing its complication and the mandatory step of sending my pki to intel, so that they can resign it and resend me a signed ME so i can install my custom coreboot..... intel really, you f**king kidding me intel? i am paying from my pocket to buy this hardware and i need to lick your shoes to use it. serious really real chocolate salted balls to intel, screw intel and its latest bootguard policy. "A-S-S-H-O-L-E-S".
    hope i made sense here.
    as its more or less government and politics and corporate policies plus the invisible ghost of FUD and WARRANTY VOID, which makes any improvement impossible.
    at times even reinstalling windows is difficult, forget linux.
    so @Yen and @taviruni its way more than motivation and inclination and interest and time, its more or less financial nudge and the corporate policy which prohibits growth. you are being told by microsoft to shove and lollypop in mouth for eternity and lick it and suck it.
    and lastly, its my device, i paid from my wallet, why on earth do i need to get dictated by a software vendor or a hardware OEM/ODM to tell me what i should do or what i shouldn't. f**k them......... screw yea!
    its like you have your own house and you need to pay rent to your tenant for staying in your house while you live outside your own house most of them time beating harsh weather being it summer or winter.
    so thats the problem, not interest or yada yada.
    even if you do require skills and motivation and interest and et all. it will be the RSA 4096, PKI in the Platform controller hub aka pch and the fuse inside the cpu and the poor f**ked up coding by oem/odm and microsoft adding icing sugar. this its back to mission impossible.
    any one else other than me thinks like this or agrees to it?
    i am not against yen or his view. its beyond that....
    thats my 0.02 cents (which is 0.0002 US$ period).....