What happens if you delete all secure boot variables?

2

I am attempting to install Kali Linux alongside a preinstalled Windows 10. Secure boot restricts me from booting from USB, so what happens if I delete its variables?

potatoman

Posted 2015-12-12T17:15:56.017

Reputation: 121

For what it's worth, I used legacy boot to install Ubuntu alongside pre-installed Windows 8, and I could not reboot Windows after that: it would not boot in legacy mode, and UEFI mode gave BIOS errors on both normal and recovery boot. Windows didn't work again until I re-installed it. So you tamper with UEFI at your peril, unless you are not that bothered about retaining Windows, as I wasn't. I am very surprised that you cannot boot from USB in UEFI mode: where can you boot from? – AFH – 2015-12-12T17:55:00.377

I don't have a CD drive, so I can't install from there, and my American Megatrends FB04 UEFI (Aptio Setup Utility) has no option to disable it. However, I can load the ISO and find an install.exe, but the Kali installer just gives errors. – potatoman – 2015-12-13T01:28:48.447

Answers

7

Secure Boot should not prevent booting from a USB drive per se, although it should prevent booting an unsigned boot loader from any disk. I don't happen to know offhand if Kali provides a signed or unsigned boot loader, so this might or might not be your problem.

You should be able to disable Secure Boot from the firmware setup utility. If you can't do so, return the computer to the store for a refund and tell the manufacturer why you did so. You do NOT want a computer you can't control, which is what you've got if you can't shut off Secure Boot. (In the past, Microsoft required that users be able to disable Secure Boot on x86 and x86-64 computers bearing a Windows 8 logo. They made this optional for Windows 10, but most manufacturers are continuing to provide the option.)

If you want to take full control of your computer's Secure Boot functionality, you can replace the keys with your own. The process to do so is difficult to describe because the tools to do this are not very user-friendly and some critical details vary from one computer to another. I wrote this page on the subject, if you care to look into it. It's definitely easier to simply disable Secure Boot, but of course if you want the benefits of Secure Boot without using Microsoft's (or your computer manufacturer's) keys, replacing those keys is the way to go.

Rod Smith

Posted 2015-12-12T17:15:56.017

Reputation: 18 427

I see, but that "delete all boot variables" button just below my disabled Secure Boot switch is very tempting. What happens if you do use it? The switch also said "will restart to setup mode". What is this, and will it damage my files? – potatoman – 2015-12-13T01:33:39.237

Setup mode enables you to enter new Secure Boot variables. Read the page to which I linked for details. You shouldn't run perpetually in Setup mode. You might be able to get away with it, but it's not what you're supposed to do, so running that way in the long term is poorly-tested at best. Setup mode is intended to be used only while setting new Secure Boot variables. Ordinarily, Secure Boot is either on (with default or customized keys) or off (in which case the keys are irrelevant). – Rod Smith – 2015-12-13T03:18:44.147

Rod, do you know how to enable a Secure Boot switch in an American Megatrends Aptio Setup FB04 UEFI? For my Gigabyte P34V3, the switch is there but cannot be changed, as it is just plain black text. – potatoman – 2015-12-13T08:33:55.273

Sorry, I can't help on that specific model. I suggest looking for a manual, doing a Web search, or just plain messing around with the options until you find a way. (Options sometimes appear and disappear, or become changeable or not, depending on other settings.) – Rod Smith – 2015-12-13T19:01:12.520

Thank you Rod, I'm planning to get a $35 Raspberry Pi 2 B instead, as I use this laptop as a school computer, and I don't want to risk it. – potatoman – 2015-12-14T06:35:57.663

Never mind about that... I discovered that if you add an admin password to the UEFI, more options can be unlocked. Is this true? – potatoman – 2015-12-23T06:57:17.180

See my above comment: "I can't help on that specific model. I suggest looking for a manual, doing a Web search, or just plain messing around with the options until you find a way." There is essentially no standardization in what options are available or how you access them in firmware user interfaces. Some options are very common, and a few are dictated by outside forces (like Microsoft requiring that Secure Boot can be disabled by users on systems that ship with Windows 8). For the most part, though, your best bet is to consult your manual or just poke around. – Rod Smith – 2015-12-23T17:50:36.023

Microsoft explicitly mandates that at least every x86 Windows system be able to clear its PK. This in turn leads us back to the EFI spec, which says that in this case the system should enter SetupMode, in turn putting SecureBoot (at least temporarily) to 0. – mirh – 2017-06-09T13:00:21.970

1

Clearing the Secure Boot database would technically make you unable to boot anything, since nothing you could boot would correspond to Secure Boot's database of signatures/checksums allowed to boot. If you don't want to mess with this and want to install an OS not compatible with Secure Boot, the easiest option is to disable it by accessing the UEFI Firmware Settings (hold Shift while rebooting -> Advanced Options -> UEFI Firmware Settings), or you can add your own keys.

Charles Milette

Posted 2015-12-12T17:15:56.017

Reputation: 93

Are you just making an educated guess, or what? Because, on the other hand, I had found reports about a cleared database being equal to SecureBoot=0. – mirh – 2017-06-09T13:02:12.797

My mistake, you're correct. This puts the machine in Setup Mode, where Secure Boot is effectively turned off. However, I wouldn't recommend it, as programs running as admin within Windows would be able to use SetFirmwareEnvironmentVariableEx (and in Linux, efivars) to put the machine back into User Mode and enforce SB with custom malicious keys. Then you could unknowingly be forced into running a rootkit until you put the machine back into Setup Mode and configure User Mode yourself. I would recommend simply turning off SB from the firmware if possible. (Still vulnerable, but already better.) – Charles Milette – 2017-06-11T19:16:23.307

Key enrolling requires the boot service SetVariable. AFAIU it should still be possible to take [exclusive] control of the platform by putting in a dedicated UEFI image (that, contrary to the OS, doesn't trigger ExitBootServices()) to do the dirty work. But it doesn't feel (significantly?) worse than SB-off. I mean, a noob user still wouldn't know where to look, while 'one that knows' would just have to enter the BIOS, wipe the malicious keys and call it a day. – mirh – 2017-06-19T07:22:22.603

OK, I fear that, efi-updatevar being a thing, perhaps you are right. – mirh – 2017-06-19T07:23:16.870
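As an added example (Python, written for this edit and not code from any of the posters): the check that both answers' comment threads turn on, namely whether the platform is in Setup Mode with its PK cleared, decoded from the raw files Linux exposes under /sys/firmware/efi/efivars. It parses the 4-byte attribute header, the one-byte SecureBoot and SetupMode flags, and the EFI_SIGNATURE_LIST structure that holds the PK, then reports the state Rod Smith calls Setup Mode and Charles Milette warns about (no PK enrolled, SecureBoot reads 0, a new PK can be enrolled from the OS). The vendor GUID, signature-type GUIDs and attribute bits are the UEFI specification's; the embedded sample variables, the owner GUID and the certificate payload are constructed placeholders, not real firmware contents.

```python
"""Decode Secure Boot state from efivarfs-style variable contents (added example)."""
import struct
import uuid
from pathlib import Path

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"   # vendor GUID of SecureBoot/SetupMode/PK
EFIVARS = Path("/sys/firmware/efi/efivars")

# Variable attribute bits as passed to SetVariable(); efivarfs stores them in the first 4 bytes.
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

# SignatureType GUIDs for the two entry kinds found in PK/KEK/db/dbx.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "X509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "SHA256",
}
SIG_LIST_HDR = 16 + 4 + 4 + 4  # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize


def split_efivar(raw):
    """Split an efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar file shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def parse_signature_lists(data):
    """Walk concatenated EFI_SIGNATURE_LISTs; return one dict per signature entry."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIG_LIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        # EFI GUIDs are mixed-endian; uuid's bytes_le matches that layout exactly.
        sig_type = uuid.UUID(bytes_le=bytes(data[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < SIG_LIST_HDR + hdr_size or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        body = data[off + SIG_LIST_HDR + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):   # each entry: SignatureOwner GUID + payload
            entries.append({"type": SIG_TYPES.get(sig_type, str(sig_type)),
                            "owner": str(uuid.UUID(bytes_le=bytes(body[i:i + 16]))),
                            "payload_len": sig_size - 16})
        off += list_size
    return entries


def platform_state(secureboot_raw, setupmode_raw, pk_raw):
    """Interpret raw SecureBoot/SetupMode/PK file contents; pk_raw is None when PK is absent."""
    _, sb = split_efivar(secureboot_raw)
    _, sm = split_efivar(setupmode_raw)
    if not sb or not sm:
        raise ValueError("SecureBoot/SetupMode carry no data")
    state = {"secure_boot": sb[0] == 1, "setup_mode": sm[0] == 1, "pk": [], "pk_auth_write": None}
    if pk_raw is not None:
        attrs, pk_data = split_efivar(pk_raw)
        state["pk"] = parse_signature_lists(pk_data)
        state["pk_auth_write"] = bool(attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
    if state["setup_mode"]:
        state["verdict"] = ("setup mode: no PK enrolled, SecureBoot reports 0, and a new PK can be "
                            "written from a running OS by anyone allowed to set EFI variables")
    elif state["secure_boot"]:
        state["verdict"] = "user mode, Secure Boot enforcing"
    else:
        state["verdict"] = "user mode, Secure Boot switched off in firmware setup"
    return state


def read_live_state():
    """Read the real variables from efivarfs (UEFI boot required; PK may need root)."""
    def rd(name):
        p = EFIVARS / f"{name}-{EFI_GLOBAL_VARIABLE}"
        return p.read_bytes() if p.exists() else None
    sb, sm = rd("SecureBoot"), rd("SetupMode")
    if sb is None or sm is None:
        raise RuntimeError("efivarfs not available: legacy/CSM boot, or not mounted")
    return platform_state(sb, sm, rd("PK"))


# ---- constructed sample data: placeholders, not contents of any real firmware ----
def build_signature_list(sig_type, owner, payloads):
    """Encode one EFI_SIGNATURE_LIST with equal-sized entries and no SignatureHeader."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", SIG_LIST_HDR + len(body), 0, sig_size) + body

FAKE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder SignatureOwner
FAKE_CERT = b"placeholder-der-certificate-bytes"                # stands in for a DER X.509 cert
VOLATILE = struct.pack("<I", EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)
PK_ATTRS = struct.pack("<I", EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
                       | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
X509 = next(g for g, n in SIG_TYPES.items() if n == "X509")

def demo_states():
    """Return (user-mode state, setup-mode state) decoded from the constructed samples."""
    user = platform_state(VOLATILE + b"\x01", VOLATILE + b"\x00",
                          PK_ATTRS + build_signature_list(X509, FAKE_OWNER, [FAKE_CERT]))
    setup = platform_state(VOLATILE + b"\x00", VOLATILE + b"\x01", None)   # PK deleted
    return user, setup

if __name__ == "__main__":
    for s in demo_states():
        print(s["verdict"], s["pk"])
    try:
        print("this machine:", read_live_state()["verdict"])
    except (RuntimeError, PermissionError) as exc:
        print("live check skipped:", exc)
```

Run it as a script to see the two constructed states and, on a UEFI-booted Linux box, the live one. The "delete all boot variables" option from the question leaves the PK file absent and SetupMode at 1, which is the second sample; the firmware then accepts a new PK without a valid signature, which is exactly why a machine should not be left in that state longer than it takes to enrol keys.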