posted Jul 2, 2015, 9:44 AM by William Shallum
updated Jul 5, 2015, 1:16 AM
Some notes on installing Linux (in Insecure[*] UEFI boot mode) on this Acer netbook. If you are trying to do this, you should know what you're doing, so these are just notes, not instructions.
- Secure Boot settings can only be changed when a BIOS Supervisor password is set. This does not seem to require actually saving the Supervisor password, so just setting it, modifying Secure Boot settings, then clearing it again should work.
- If getting into BIOS is hard, Windows can be set to reboot to BIOS.
- Keys for BIOS access are F2 for Setup and F12 for boot menu (can be enabled in BIOS).
- Even with Secure Boot disabled, adding a boot entry using efibootmgr will not "take" if the .efi file is not trusted by Secure Boot (!). Adding a boot entry with an untrusted loader will result in it simply being ignored and the system still booting into Windows.
- In order to trust the loader, Secure Boot must be enabled.
- So AFTER installing Linux and setting up the loader in the ESP, the steps are:
  - Get into BIOS
  - Set Supervisor password
  - Ensure Secure Boot is on
  - Trust the loader you added to the ESP ("Select an UEFI file as trusted for execution")
  - Turn off Secure Boot
  - (Optionally) clear Supervisor password
  - Save BIOS settings and restart
  - Boot to Linux again (e.g. via external drive with EFI\Boot\bootx64.efi or an EFI bootable CD) and register the trusted loader as a boot option using efibootmgr
- NOTE: steps written from memory, not actually tested. It could be that adding the boot option needs to be done under Secure Boot. In that case (if you use rEFInd), also add the kernel as trusted (may need to be copied to ESP and renamed to have a .efi extension).
- rEFInd is Secure Boot compliant and will not load an untrusted kernel when Secure Boot is enabled.
- The hard drive ("WD5000LPVX" - WD Scorpio Blue) idle timer interacts rather poorly with Linux. Try http://idle3-tools.sourceforge.net/ (AT YOUR OWN RISK).
[*] Secure Boot should also be possible, but when using a distribution that does not sign its kernels that seems to be more trouble than it's worth.
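
The efibootmgr notes above say that an entry for an untrusted loader is simply ignored and the machine keeps booting Windows. As an added example (not part of the original notes), this shell function classifies `efibootmgr -v` output to tell whether a loader has an entry, is in BootOrder, and was the one actually booted. The rEFInd loader path and the sample output are constructed assumptions, not values captured from this netbook.

```shell
#!/bin/sh
# Added example: check whether a loader registered with efibootmgr "took".
# Real use (as root, after a reboot):
#   efibootmgr -v | loader_status '\EFI\refind\refind_x64.efi'

# Constructed, abbreviated sample of `efibootmgr -v` output: the rEFInd entry
# exists and is first in BootOrder, but the firmware booted Windows anyway.
sample_output() {
cat <<'EOF'
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0001,0000
Boot0000* Windows Boot Manager HD(2,GPT,...)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0001* rEFInd HD(2,GPT,...)/File(\EFI\refind\refind_x64.efi)
EOF
}

# loader_status <loader-path>   (reads `efibootmgr -v` output on stdin)
# Prints one of:
#   missing                no boot entry references the loader
#   not-in-order           entry exists but is absent from BootOrder
#   registered-not-booted  entry is in BootOrder, firmware booted something else
#   booted                 the current boot used this entry
loader_status() {
    # The path is passed through the environment, not `awk -v`, so that its
    # backslashes are not interpreted as escape sequences.
    LOADER="$1" awk '
        BEGIN { want = tolower(ENVIRON["LOADER"]) }  # FAT paths ignore case
        /^BootCurrent:/ { current = $2 }
        /^BootOrder:/   { order = "," $2 "," }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            if (index(tolower($0), "file(" want ")")) num = substr($0, 5, 4)
        }
        END {
            if (num == "")                        print "missing"
            else if (!index(order, "," num ","))  print "not-in-order"
            else if (num != current)              print "registered-not-booted"
            else                                  print "booted"
        }'
}
```

A result of `registered-not-booted` for the new loader matches the symptom described above and points at the "trusted for execution" step rather than at efibootmgr itself.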