
Secure boot, not secure boot, help !

Kinda lost here

Want to install Win11, been told that Secure boot must be enabled

Win10 tells me Secure boot isn't activated/effective/whatever

But then BIOS tells me it's on, and I can't change the options below...

WTF ?

 


AMD R9  7950X3D CPU/ Asus ROG STRIX X670E-E board/ 2x32GB G-Skill Trident Z Neo 6000CL30 RAM ASUS TUF Gaming AMD Radeon RX 7900 XTX OC Edition GPU/ Phanteks P600S case /  Arctic Liquid Freezer III 360 ARGB cooler/  2TB WD SN850 NVme + 2TB Crucial T500  NVme  + 4TB Toshiba X300 HDD / Corsair RM850x PSU/ Alienware AW3420DW 34" 120Hz 3440x1440p monitor / ASUS ROG AZOTH keyboard/ Logitech G PRO X Superlight mouse / Audeze Maxwell headphones

https://linustechtips.com/topic/1495130-secure-boot-not-secure-boot-help/

In your screenshot, it says "Not Active".

So, you have a problem there. You probably have CSM enabled. If that is the case, then keep in mind that your drive needs to be converted from MBR to GPT. When you have CSM enabled, your UEFI emulates the old BIOS model, and so it can only work with an MBR-formatted drive (which your OS of choice's installer will use, else your motherboard BIOS won't be able to read your SSD/HDD to load the OS). UEFI-based systems changed to a new format called GPT and dropped MBR.

 

Windows 10 and 11 have a tool called mbr2gpt.exe built in to do this conversion. This forum has multiple guides on this. CSM should only be enabled if you are using age-old hardware that doesn't support UEFI (typically pre-2012).

 


2 hours ago, GoodBytes said:

In your screenshot, it says "Not Active".

So, you have a problem there. You probably have CSM enabled. If that is the case, then keep in mind that your drive needs to be converted from MBR to GPT. When you have CSM enabled, your UEFI emulates the old BIOS model, and so it can only work with an MBR-formatted drive (which your OS of choice's installer will use, else your motherboard BIOS won't be able to read your SSD/HDD to load the OS). UEFI-based systems changed to a new format called GPT and dropped MBR.

 

Windows 10 and 11 have a tool called mbr2gpt.exe built in to do this conversion. This forum has multiple guides on this. CSM should only be enabled if you are using age-old hardware that doesn't support UEFI (typically pre-2012).

 

I don't have CSM enabled and I've converted to MBR when installing windows 10, so it's not that

But I didn't have CSM and secure boot on at that time, maybe that's the issue?


4 hours ago, PDifolco said:

I don't have CSM enabled and I've converted to MBR when installing windows 10, so it's not that

But I didn't have CSM and secure boot on at that time, maybe that's the issue?

GPT, not MBR.

So your UEFI fails to boot, and restarts the boot process in legacy BIOS mode each time.


Just now, GoodBytes said:

GPT, not MBR.

So your UEFI fails to boot, and restarts the boot process in legacy BIOS mode each time.

Sorry I meant "I've converted to GPT", UEFI boot is good (and BIOS mode is UEFI as per System Info)

 

16 hours ago, RONOTHAN## said:

Try restoring Factory Keys; that can sometimes help enable it.

Sounds like the correct option, but what does this "reset" do exactly??

Does it reset BIOS parameters or such as well ??


3 hours ago, PDifolco said:

Sounds like the correct option, but what does this "reset" do exactly??

Does it reset BIOS parameters or such as well ??

No, it just uses the stock Secure boot keys. In order to disable secure boot on some boards you need to delete those keys, for instance. No other BIOS parameters should be wiped by this


2 minutes ago, RONOTHAN## said:

No, it just uses the stock Secure boot keys. In order to disable secure boot on some boards you need to delete those keys, for instance. No other BIOS parameters should be wiped by this

Cool

I was still fiddling with that EFI Key stuff, trying to "enroll keys". I eventually found some (on the UEFI partition, 3rd on the garbage-looking list) but don't know which one I should select (or all of them)?

 

It's a friggin cryptic feature 😮 

 

IMG_20230320_132959907.png

IMG_20230320_133258532.png


1 minute ago, PDifolco said:

I was still fiddling with that EFI Key stuff, trying to "enroll keys". I eventually found some (on the UEFI partition, 3rd on the garbage-looking list) but don't know which one I should select (or all of them)?

That part I'm not that great with, I don't know which one Microsoft uses by default. I just know restoring the factory keys will import the Microsoft keys that you want to use. 
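The checks the thread has circled around so far (did Windows boot in UEFI or CSM/legacy mode, is Secure Boot actually active, is the system disk GPT, and which signing certificates the firmware's db currently trusts) as one added PowerShell diagnostic. This is not code from any of the posts; it assumes Windows is on C:, runs read-only from an elevated prompt, and changes no firmware setting.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic for this thread, not from the posts. Read-only: nothing is written to firmware.
# Assumption: the Windows volume is C:; Get-SecureBootUEFI only works on a UEFI boot.

function Get-SecureBootSummary {
    # Firmware mode Windows actually booted in: "UEFI" or "Legacy" (CSM emulating a BIOS).
    $fw = $env:firmware_type

    # Secure Boot state as the OS sees it; this is what msinfo32 reports as Active/Not Active.
    try   { $sb = Confirm-SecureBootUEFI }
    catch { $sb = "unavailable: $($_.Exception.Message)" }

    # A UEFI boot needs a GPT system disk; MBR here means CSM or a skipped mbr2gpt step.
    $diskNumber = (Get-Partition -DriveLetter C).DiskNumber
    $style = (Get-Disk -Number $diskNumber).PartitionStyle

    [pscustomobject]@{ FirmwareType = $fw; SecureBootOn = $sb; SystemDiskStyle = $style }
}

function Get-SecureBootDbCertificate {
    # Walk the EFI_SIGNATURE_LIST entries in the firmware's allowed-signers database (db)
    # and return every X.509 certificate found. With factory keys restored this typically
    # shows the Microsoft Windows Production PCA (signs Windows' boot manager) and the
    # Microsoft Corporation UEFI CA (signs third-party loaders such as shim for Linux).
    $bytes    = (Get-SecureBootUEFI -Name db).Bytes
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset   = 0
    while ($offset -lt $bytes.Length) {
        $sigType  = [guid][byte[]]$bytes[$offset..($offset + 15)]
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        $pos = $offset + 28 + $hdrSize          # first EFI_SIGNATURE_DATA entry
        $end = $offset + $listSize
        while ($pos -lt $end) {
            if ($sigType -eq $x509Guid) {
                # Each entry is a 16-byte SignatureOwner GUID followed by a DER certificate.
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

Get-SecureBootSummary | Format-List
Get-SecureBootDbCertificate | Format-Table -AutoSize
```

If the summary shows FirmwareType = UEFI, SystemDiskStyle = GPT and SecureBootOn = False, the firmware itself is what is holding Secure Boot off, which is the situation where restoring the factory keys is the relevant step; if the certificate list is empty, the db has no signers and nothing signed by Microsoft (or shim) could verify.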


2 minutes ago, RONOTHAN## said:

That part I'm not that great with, I don't know which one Microsoft uses by default. I just know restoring the factory keys will import the Microsoft keys that you want to use. 

Ok, sounds like the reasonable answer. I'm still pretty hesitant to pull the trigger, fearing my PC won't ever boot anymore due to some "security" feature preventing me from accessing anything!!

I'm however usually not that paranoid 😛 ...


Just now, PDifolco said:

Ok, sounds like the reasonable answer. I'm still pretty hesitant to pull the trigger, fearing my PC won't ever boot anymore due to some "security" feature preventing me from accessing anything!!

I'm however usually not that paranoid 😛 ...

No, the only reason resetting the factory keys won't let the system boot is if you have a Linux partition on a secondary drive. Otherwise it'll boot up just fine.

 

Secure Boot is one of the most confusing features in a motherboard's BIOS, because of the rigmarole that you have to go through to get it to turn off and on. On a few of my boards, for instance, the way to get Secure Boot disabled was to delete the factory keys, even though there was a setting called "Disable Secure Boot" in them. Wouldn't blame you for being paranoid about it, the way it's implemented in most situations is just kinda dumb. 


4 minutes ago, RONOTHAN## said:

No, the only reason resetting the factory keys won't let the system boot is if you have a Linux partition on a secondary drive. Otherwise it'll boot up just fine.

 

Secure Boot is one of the most confusing features in a motherboard's BIOS, because of the rigmarole that you have to go through to get it to turn off and on. On a few of my boards, for instance, the way to get Secure Boot disabled was to delete the factory keys, even though there was a setting called "Disable Secure Boot" in them. Wouldn't blame you for being paranoid about it, the way it's implemented in most situations is just kinda dumb. 

Urggggg, I *DO* have a secondary Linux partition (Linux Mint) and a dual boot !!! 😮

 


3 minutes ago, PDifolco said:

Urggggg, I *DO* have a secondary Linux partition (Linux Mint) and a dual boot !!! 😮

 

Oh, then enabling Secure Boot at all will break the Linux Mint partition. There are ways to get around this by setting up Linux Mint to support Secure Boot, though, so you might want to follow one of those tutorials before enabling Secure boot. 

 

Do note that the fix to it being broken is to just disable Secure Boot again. 


11 minutes ago, PDifolco said:

Urggggg, I *DO* have a secondary Linux partition (Linux Mint) and a dual boot !!! 😮

 

So then why is it set to "Standard"? "Standard" or "Windows" is for Windows only.

You can only use that if you are using Windows bootloader.

It should be set to "Other" or whatever your motherboard wants to call it. And now it will support Linux distros which support SecureBoot, such as Ubuntu.

Your bootloader of choice should also support SecureBoot.

 

That said, some motherboards, like MSI's, have an "Others" mode which just accepts everything, valid key or not, which defeats the purpose of SecureBoot. So, just something to be aware of. You are open to rootkits on those boards. I am not sure if MSI fixed this or not.


4 minutes ago, RONOTHAN## said:

Oh, then enabling Secure Boot at all will break the Linux Mint partition. There are ways to get around this by setting up Linux Mint to support Secure Boot, though, so you might want to follow one of those tutorials before enabling Secure boot. 

 

Do note that the fix to it being broken is to just disable Secure Boot again. 

Sheesh, the whole point of all of this was to update to Win11 that requires secure boot...😪

Seems I first need to fix my Linux setup, then enable Secure boot, finally update.. or succumb to laziness and keep things as they are, not broken 😛 

 

 

1 minute ago, GoodBytes said:

So then why is it set to "Standard"? "Standard" or "Windows" is for Windows only.

You can only use that if you are using Windows bootloader.

It should be set to "Other" or whatever your motherboard wants to call it. And now it will support Linux distros which support SecureBoot, such as Ubuntu.

Your bootloader of choice should also support SecureBoot.

So what should I do? I never touched any of that previously and it worked just fine...

Now if I want to enable Secure boot I understand it'll break Linux, I use GRUB bootloader

I'm confused...


1 minute ago, PDifolco said:

Sheesh, the whole point of all of this was to update to Win11 that requires secure boot...😪

Seems I first need to fix my Linux setup, then enable Secure boot, finally update.. or succumb to laziness and keep things as they are, not broken 😛 

There is also the 4th option, do a clean install of Windows 11 using a Rufus made installer, that way it disables the Secure Boot requirement. I'd probably go for the laziness route though. 


3 minutes ago, PDifolco said:

Sheesh, the whole point of all of this was to update to Win11 that requires secure boot...😪

Seems I first need to fix my Linux setup, then enable Secure boot, finally update.. or succumb to laziness and keep things as they are, not broken 😛 

Not your fault, it is Linux distros that drag their feet. Ubuntu has no problem jumping in. Other distros were having fun with excuses, complaining, and then realized how important it was, then decided to join in.

 

The laziest approach is just to use WSLg under Windows 11. 


36 minutes ago, PDifolco said:

So what should I do? I never touched any of that previously and it worked just fine...

Now if I want to enable Secure boot I understand it'll break Linux, I use GRUB bootloader

I'm confused...

I am not sure, to be honest, for the Linux side of things. I am sure there are guides online. The problem is finding modern ones.

If WSL isn't an option for you, or Ubuntu, it seems that Linux Mint doesn't have out-of-the-box Secure Boot support, so it seems to be a weekend project. There is a 25-page document on how to add support for Secure Boot on Linux Mint, which I found on the Linux Mint website: https://community.linuxmint.com/tutorial/view/2496
PDF doc: https://drive.google.com/file/d/1PI0GAK0cDFN-xYvQ_yfL9RsFkS82fPcL/view

 


4 minutes ago, GoodBytes said:

I am not sure, to be honest, for the Linux side of things. I am sure there are guides online. The problem is finding modern ones.

If WSL isn't an option for you, or Ubuntu, it seems that Linux Mint doesn't have out-of-the-box Secure Boot support, so it seems to be a weekend project. There is a 25-page document on how to add support for Secure Boot on Linux Mint, which I found on the Linux Mint website: https://community.linuxmint.com/tutorial/view/2496
PDF doc: https://drive.google.com/file/d/1PI0GAK0cDFN-xYvQ_yfL9RsFkS82fPcL/view

 

You're killing me 😁

Why the hell has this to be so complicated ?? I'm no tech noob but it's baffling...

I may try the no-fuss Rufus W11 install as suggested by @RONOTHAN##, looks good, yet I'd hate having to reinstall all my (ton of) stuff, so I wanna keep my files and programs. Not sure it's possible?


15 minutes ago, PDifolco said:

You're killing me 😁

Why the hell has this to be so complicated ?? I'm no tech noob but it's baffling...

I may try the no-fuss Rufus W11 install as suggested by @RONOTHAN##, looks good, yet I'd hate having to reinstall all my (ton of) stuff, so I wanna keep my files and programs. Not sure it's possible?

Well, I don't know what to tell you. Some distros have no problem (Fedora, RedHat, Zorin, SUSE, Manjaro). So, I don't get why others require a PhD degree to have it set up. Well, that is the Linux world for you.

 

That is why for work, as a developer, I use WSL and call it a day. Bring both worlds together. No more fighting, tweaking all day. It works, just install/update distro/apps and you are ready to go.


1 minute ago, GoodBytes said:

Well, I don't know what to tell you. Some distros have no problem (Fedora, RedHat, Zorin, SUSE). So, I don't get why other ones require a PhD degree to have it set up.

 

Yeah, wanted to support the nice Mint distro made by a French compatriot, maybe he didn't really care about the MS sh#t with that TPM Secure f*ckfest 🤬 (as if it's like plausible some hacker guy was coming at night in my office to dabble with my PC BIOS lol)

Apart from that it's pretty straightforward and cool 🙂 


24 minutes ago, PDifolco said:

Yeah, wanted to support the nice Mint distro made by a French compatriot, maybe he didn't really care about the MS sh#t with that TPM Secure f*ckfest 🤬 (as if it's like plausible some hacker guy was coming at night in my office to dabble with my PC BIOS lol)

Apart from that it's pretty straightforward and cool 🙂 

No... not at all. Rootkits were a problem before. Sony even made a DRM for its music CDs which was really a rootkit. No real fix was ever made; just a "disable DRM" tool was made, and only after it was discovered and hit the mass media. A system wipe and re-install is the only real fix to remove it.

 

All you need is to run a piece of software that needs admin/root, or finds a flaw to bypass permissions and becomes admin/root. Then that program can replace/modify your bootloader, and now your OS is nothing more than a puppet. That rootkit has real control and visibility of everything. It is the real OS. No security software can detect it either, as it can manipulate the security software's memory, with great ease too. The CPU sees the rootkit as a valid OS and gives it full rights. Your installed OS loses all its rights, as the CPU only supports 1 OS, the first program it executes. It is the rootkit acting as a middleman so that it looks like everything is fine on your side, performance and all. But it is the one that monitors what it wants, does what it wants with your data and system, and hides the truth (say: network activity) by modifying data as it pleases.

 

So yes, it is very scary, yes it was done... even legit DRM solutions were made with questionable security (another issue it opens) as a mass distribution. So, we are not even talking about "I only run legit stuff"... legit can be a rootkit. SecureBoot ends the commercialization of such solutions, and secures systems. With work from home and state-sponsored attacks, this has become even more important, to have some level of security. Sure, it will be broken, and a reworked, improved solution would need to be designed. Like any security solution, nothing is foolproof. But it is something, for now.

 

 

TPM is just an encryption chip (or firmware on the CPU). It is just there to allow strong full-disk encryption to be used, or to allow other security software to use it for the purpose of encryption. For example, a password manager could use it, or the OS to encrypt passwords. In Microsoft's case, it is used for anything using the Windows Hello suite of technologies.
