Mailinglist Archive: opensuse-bugs (5243 mails)

[Bug 809038] EFI problems - cannot boot windows with secure boot

https://bugzilla.novell.com/show_bug.cgi?id=809038

https://bugzilla.novell.com/show_bug.cgi?id=809038#c36


--- Comment #36 from Neil Rickert <nrickert@xxxxxxxxxxxxx> 2013-03-23 15:50:45 UTC ---
An update.

First, thanks again to Michael for suggesting (comment #32) that I use the
distributor field to change the system name. That turned out to be very
useful.

Here's what I tried:

1: I created a second EFI partition on "/dev/sda". That new partition is
"/dev/sda7"
2: I changed my second install to mount "/dev/sda7" as "/boot/efi" (in place
of sda1)
3: I used the distributor field to change the name to "openSUSE_alt 12.3"
4: I reinstalled grub2-efi for that system.

Result: The reinstalled system showed up as opensuse_alt-secure in
"efibootmgr" output.
The Windows boot entry in nvram was not erased.
The nvram entry for my original install (named
"opensuse-secure") was not erased.

However, I still cannot boot Windows in secure boot mode from the boot menu for
"opensuse_alt-secure".

These seem to be the rules that are being followed by my UEFI BIOS:

No duplicate system names allowed in nvram
Only one named system in nvram for a particular efi partition

Windows 8 seems to be following these rules:

The BCD (boot configuration data) should be in the EFI partition that the
UEFI Bios starts, and therefore booting to Windows won't work in secure mode if
the UEFI Bios first starts a system using a different UEFI partition.

There must be a Windows entry in nvram. If there isn't, then Windows will
put it back there when it next runs, even if that erases entries for other
systems.

As a result of my testing, here is my advice for installing opensuse on a UEFI
system that already has Windows 8:

1: DO NOT use the EFI partition that is used by Windows. If necessary,
create a new EFI partition for this. Otherwise Windows may erase your nvram
entry.

2: Tell users to turn off secure-boot on their systems. With secure-boot
on, they won't be able to boot Windows from grub2 menu. They will be able to
boot Windows with secure boot by using "efibootmgr -n" to specify that Windows
is the next system to boot, and then rebooting. We need the workaround
suggested in comment #17, before secure-boot can be recommended. But it is
fine to specify "secure-boot" when setting up grub2-efi.

And a note of frustration. A workaround for the problem of Windows erasing
the nvram entry would be to start linux from the Windows boot manager. I have
not been able to find out how to do this in a UEFI system. I have seen kludgy
work-arounds. One suggestion was to copy the linux boot efi file (typically
"shim.efi") over the Windows efi file, and modify the grub2 menu so that it
boots Windows using the other copy of the Windows booter (the one in
"/EFI/BOOT" in the efi partition).
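
The "efibootmgr -n" step mentioned in the comment, as an added example that is not part of the original post: the script finds the Windows entry in `efibootmgr` output and sets it as the one-time next boot target, so the firmware starts Windows directly with secure boot left on. The label "Windows Boot Manager" is an assumption about how the firmware names the entry, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example. Assumption: the nvram entry for Windows is labelled
# "Windows Boot Manager"; override WINDOWS_LABEL if the firmware differs.
WINDOWS_LABEL="${WINDOWS_LABEL:-Windows Boot Manager}"

# Constructed sample of plain `efibootmgr` output, using the entry names
# from the comment above. Used only for offline checking of the parser.
SAMPLE_OUTPUT='BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0001,0002,0000
Boot0000* Windows Boot Manager
Boot0001* opensuse-secure
Boot0002* opensuse_alt-secure'

# Read efibootmgr output on stdin and print the four-hex-digit number of the
# first entry whose label starts with the literal string in $1.
find_boot_entry() {
    awk -v label="$1" '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            num  = substr($0, 5, 4)
            rest = substr($0, 9)
            if (rest !~ /^\*?[ \t]/) next      # not an entry line
            sub(/^\*?[ \t]+/, "", rest)        # drop active marker, padding
            if (index(rest, label) == 1) { print num; exit }
        }'
}

# Set BootNext to the Windows entry. Needs root and a UEFI-booted system.
# BootNext is one-shot: BootOrder is left alone, so the following boot
# returns to the grub2 menu.
boot_windows_next() {
    num=$(efibootmgr | find_boot_entry "$WINDOWS_LABEL")
    if [ -z "$num" ]; then
        echo "no nvram entry labelled '$WINDOWS_LABEL'" >&2
        return 1
    fi
    efibootmgr -n "$num" >/dev/null &&
        echo "BootNext set to Boot$num; reboot to start Windows"
}

# Touch nvram only when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    boot_windows_next
fi
```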
