I am attempting to install Kali Linux alongside a preinstalled Windows 10. Secure boot restricts me from booting from USB, so what happens if I delete its variables?
- For what it's worth, I used legacy boot to install Ubuntu alongside pre-installed Windows 8, and I could not reboot Windows after that: it would not boot in legacy mode, and UEFI mode gave BIOS errors on both normal and recovery boot. Windows didn't work again until I re-installed it. So you tamper with UEFI at your peril, unless you are not that bothered about retaining Windows, as I wasn't. I am very surprised that you cannot boot from USB in UEFI mode: where can you boot from? – AFH Dec 12 '15 at 17:55
- I don't have a CD drive so I can't install from there, and my American Megatrends FB04 UEFI (Aptio Setup Utility) has no option to disable. However, I can load the ISO and find an install.exe, but the Kali installer just gives errors. – potatoman Dec 13 '15 at 01:28
3 Answers
Secure Boot should not prevent booting from a USB drive per se, although it should prevent booting an unsigned boot loader from any disk. I don't happen to know offhand if Kali provides a signed or unsigned boot loader, so this might or might not be your problem.
You should be able to disable Secure Boot from the firmware setup utility. If you can't do so, return the computer to the store for a refund and tell the manufacturer why you did so. You do NOT want a computer you can't control, which is what you've got if you can't shut off Secure Boot. (In the past, Microsoft required that users be able to disable Secure Boot on x86 and x86-64 computers bearing a Windows 8 logo. They made this optional for Windows 10, but most manufacturers are continuing to provide the option.)
If you want to take full control of your computer's Secure Boot functionality, you can replace the keys with your own. The process to do so is difficult to describe because the tools to do this are not very user-friendly and some critical details vary from one computer to another. I wrote this page on the subject, if you care to look into it. It's definitely easier to simply disable Secure Boot, but of course if you want the benefits of Secure Boot without using Microsoft's (or your computer manufacturer's) keys, replacing those keys is the way to go.
- I see, but that "delete all boot variables" button just below my disabled Secure Boot switch is very tempting. What happens if you do use it? The switch also said "will restart to setup mode". What is this and will it damage my files? – potatoman Dec 13 '15 at 01:33
- Setup mode enables you to enter new Secure Boot variables. Read the page to which I linked for details. You shouldn't run perpetually in Setup mode. You might be able to get away with it, but it's not what you're *supposed* to do, so running that way in the long term is poorly-tested at best. Setup mode is intended to be used only while setting new Secure Boot variables. Ordinarily, Secure Boot is either on (with default or customized keys) or off (in which case the keys are irrelevant). – Rod Smith Dec 13 '15 at 03:18
- Rod, do you know how to enable a Secure Boot switch in an American Megatrends Aptio Setup FB04 UEFI? For my Gigabyte P34V3, the switch is there, but cannot be changed, as it is just plain black text. – potatoman Dec 13 '15 at 08:33
- Sorry, I can't help on that specific model. I suggest looking for a manual, doing a Web search, or just plain messing around with the options until you find a way. (Options sometimes appear and disappear, or become changeable or not, depending on other settings.) – Rod Smith Dec 13 '15 at 19:01
- Thank you Rod, I'm planning to get a $35 Raspberry Pi 2 B instead, as I use this laptop as a school computer, and I don't want to risk it. – potatoman Dec 14 '15 at 06:35
- Never mind about that... I discovered that if you add an admin password to the UEFI, more options can be unlocked. Is this true? – potatoman Dec 23 '15 at 06:57
- See my above comment: "I can't help on that specific model. I suggest looking for a manual, doing a Web search, or just plain messing around with the options until you find a way." There is essentially no standardization in what options are available or how you access them in firmware user interfaces. Some options are very common, and a few are dictated by outside forces (like Microsoft requiring that Secure Boot can be disabled by users on systems that ship with Windows 8). For the most part, though, your best bet is to consult your manual or just poke around. – Rod Smith Dec 23 '15 at 17:50
- Microsoft explicitly [mandates](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/1703/systems#systemfundamentalsfirmwareuefisecureboot) that at least every x86 Windows system be able to clear its PK. This in turn leads us back to the [EFI spec](http://www.uefi.org/sites/default/files/resources/UEFI_Spec_2_7.pdf#page=2051), which says that in this case the system should enter SetupMode, in turn putting SecureBoot (at least temporarily) to 0. – mirh Jun 09 '17 at 13:00
Clearing the Secure Boot database would technically make you unable to boot anything, since nothing to boot would correspond to Secure Boot's database of signatures/checksums allowed to boot. If you don't want to mess with this and want to install an OS not compatible with Secure Boot, the easiest option is to disable it by accessing the UEFI Firmware Settings (hold Shift while rebooting -> Advanced Options -> UEFI Firmware Settings), or you can add your own keys.
- Are you just making an educated guess or what? Because I had found [reports](https://www.all4os.com/windows/disable-asus-motherboards-uefi-secure-boot.html) about a cleared database being equal to SecureBoot=0, on the other hand. – mirh Jun 09 '17 at 13:02
- My wrong, you're correct. This puts the machine in Setup Mode, where Secure Boot effectively is turned off. However, I wouldn't recommend it, as programs running as admin within Windows would be able to use SetFirmwareEnvironmentVariableEx, and in Linux efivars, to put the machine back in User Mode and enforce SB with custom malicious keys. Then you unknowingly could be forced into running a rootkit until you put the machine back into Setup Mode and configure User Mode yourself. I would recommend simply turning off SB from the firmware if possible. (Still vulnerable, but already better.) – Charles Milette Jun 11 '17 at 19:16
- Key enrolling requires **boot** _service_ SetVariable. Afaiu it should still be possible to take [exclusive] control of the platform by putting a dedicated UEFI image (that, contrary to the OS, doesn't trigger `ExitBootServices()`) to do the dirty work.. But it doesn't feel (significantly?) worse than SB-off. I mean.. a noob user still wouldn't know where to look, while 'one that knows' would just have to enter the BIOS, wipe malicious keys and call it a day. – mirh Jun 19 '17 at 07:22
- Ok, I fear that [efi-updatevar](https://blog.hansenpartnership.com/efitools-1-4-with-linux-key-manipulation-utilities-released/) being a thing, perhaps you are right. – mirh Jun 19 '17 at 07:23
UEFI is required to use Windows 10. I personally don't think doing this will help your problem, because Secure Boot protects your computer from malware.