[uefi-secure-boot-guide] master: Add instructions for disabling UEFI Secure Boot (459a5f5)
sparks at fedoraproject.org
Sat Feb 16 13:53:30 UTC 2013
Repository : http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git
On branch : master
>---------------------------------------------------------------
commit 459a5f5213165b07c26a821e1bc82ba392bb8a57
Author: Florian Weimer <fweimer at redhat.com>
Date: Fri Feb 15 17:45:31 2013 +0100
Add instructions for disabling UEFI Secure Boot
Signed-off-by: Eric Christensen <sparks at fedoraproject.org>
>---------------------------------------------------------------
en-US/System_Configuration.xml | 158 ++++++++++++++++++++++++++++++----------
1 files changed, 120 insertions(+), 38 deletions(-)
diff --git a/en-US/System_Configuration.xml b/en-US/System_Configuration.xml
index 9955fb6..8a8d729 100644
--- a/en-US/System_Configuration.xml
+++ b/en-US/System_Configuration.xml
@@ -101,12 +101,117 @@ will be shown.
</section>
<section>
+<title>Disabling UEFI Secure Boot</title>
+<para>
+Systems which come with Microsoft Windows 8 pre-installed typically
+have enabled UEFI Secure Boot, and ship the Microsoft keys in the
+firmware.
+</para>
+<para>
+The Lenovo desktop system we use as an example makes disabling Secure
+Boot fairly straightforward. First, enter the firmware as described
+in <xref
+linkend="sect-UEFI_Secure_Boot_Guide-System_Configuration-Enter"/>.
+Press the <keycap>→</keycap> key until you reach the
+<emphasis>Security</emphasis> tab, as shown in
+<xref linkend="fig-Secure_Boot-Firmware_Security_Tab"/>.
+</para>
+<figure id="fig-Secure_Boot-Firmware_Security_Tab">
+<title>UEFI firmware Security tab</title>
+<literallayout class="monospaced">
+ Lenovo BIOS Setup Utility
+ Main Devices Advanced Power Security Startup Exit
+┌─────────────────────────────────────────────────────────────────┬───────────────────────────────┐
+│ │ Help Message │
+│ Hardware Password Manager [Enabled] │───────────────────────────────│
+│ Secure Boot Status [Enabled] │Select whether to enable or │
+│ │disable Secure Boot │
+│ Adminstrator Password Not Installed │[Enabled] Enable Secure │
+│ Power-On Password Not Installed │Boot,BIOS will prevent │
+│ │un-authorised OS be loaded. │
+│ Set Administrator Password Enter │[Disable] Disables Secure │
+│ Set Power-On Password Enter │Boot. │
+│ │ │
+│ Allow Flashing BIOS to a Previous [Yes] │ . │
+│ Version │ │
+│ │ │
+│ Require Admin. Pass. when Flashing [No] │ │
+│ Require POP on Restart [No] │ │
+│ │ │
+│► Fingerprint Setup │ │
+│► Hard Disk Password │ │
+│► System Event Log │ │
+│► Secure Boot │ │
+│ │ │
+│ Configuration Change Detection [Disabled] │ │
+│ │ │
+└─────────────────────────────────────────────────────────────────┴───────────────────────────────┘
+ F1 Help ↑↓ Select Item +/- Chane Values F9 Setup Defaults
+ ESC Exit ←→ Select Menu Enter Select►Sub-Menu F10 Save and Exit
+</literallayout>
+</figure>
+<para>
+Press <keycap>↓</keycap> until you reach the <emphasis>Secure
+Boot</emphasis> item and hit <keycap>Enter</keycap>. The
+<emphasis>Image Execution Policy</emphasis> screen appears
+(<xref linkend="fig-Secure_Boot-Firmware_Security_Secure_Boot"/>).
+</para>
+<figure id="fig-Secure_Boot-Firmware_Security_Secure_Boot">
+<title>UEFI firmware Secure Boot settings</title>
+<literallayout class="monospaced">
+ Lenovo BIOS Setup Utility
+ Main Devices Advanced Power Security Startup Exit
+┌─────────────────────────────────────────────────────────────────┬───────────────────────────────┐
+│ Image Execution Policy │ Help Message │
+│─────────────────────────────────────────────────────────────────│───────────────────────────────│
+│ Secure Boot Status User Mode │Select whether to enable or │
+│ Secure Boot [Enabled] │disable Secure Boot │
+│ │[Enabled] Enable Secure │
+│ Reset to Setup Mode │Boot,BIOS will prevent │
+│ │un-authorised OS be loaded. │
+│ │[Disable] Disables Secure │
+│ │Boot. │
+│ │ │
+│ │ . │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+└─────────────────────────────────────────────────────────────────┴───────────────────────────────┘
+ F1 Help ↑↓ Select Item +/- Chane Values F9 Setup Defaults
+ ESC Exit ←→ Select Menu Enter Select►Sub-Menu F10 Save and Exit
+</literallayout>
+</figure>
+<para>
+Make sure that <emphasis>Secure Boot</emphasis> is selected, and press
+<keycap>Enter</keycap>, hit <keycap>↑</keycap> to choose
+<emphasis>Disabled</emphasis>, and press <keycap>Enter</keycap> again.
+<!-- picture: IMG_2828_CR2.jpg, needs color for proper presentation -->
+</para>
+<para>
+The previous step only disables verification of cryptographic
+signatures, it does not remove some restrictions Microsoft imposes on
+firmware settings. If you want to boot non-UEFI operating systems, it
+is necessary to disable the <emphasis>OS Optimized Defaults</emphasis>.
+<!-- FIXME -->
+</para>
+</section>
+
+<section>
<title>Enabling Microsoft Secure Boot</title>
<para>
Systems which do not ship with Microsoft Windows 8 typically do not
-enable UEFI Secure Boot (or its Microsoft variant). However, these
-systems still contain the Microsoft keys in the firmware, and enabling
-Microsoft Secure Boot is relatively straightforward.
+enable UEFI Secure Boot (or its Microsoft variant). However, many of
+these systems still contain the Microsoft keys in the firmware, and
+enabling Microsoft Secure Boot is relatively straightforward.
</para>
<para>
For example, on a Lenovo desktop system, you need to enter the
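Review bot: The last paragraph of the new section still carries `<!-- FIXME -->` and tells the reader it is necessary to disable OS Optimized Defaults without saying where that setting is or how to change it, and the procedure ends without a save step. Suggest an xref to the part of "Enabling Microsoft Secure Boot" that covers OS Optimized Defaults, plus a closing instruction matching "choose Save Changes and Exit" from that section. In the same paragraph, "signatures, it does not" is a comma splice. In both figures, "Chane Values" (and "Adminstrator" in the first) should be checked against the actual firmware screen and corrected if they are transcription errors.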
@@ -195,43 +300,12 @@ settings. A confirmation dialog will appear, and need to choose
Afterwards, check that <emphasis>OS Optimized Defaults</emphasis> has
changed to <emphasis>Enabled</emphasis>. Press <keycap>←</keycap>
several times until you reach the <emphasis>Security</emphasis> tab
+(<xref linkend="fig-Secure_Boot-Firmware_Security_Tab"/>),
+press <keycap>↓</keycap> to select <emphasis>Secure Boot</emphasis>,
+hit <keycap>Enter</keycap>,
and check that <emphasis>Secure Boot</emphasis> is enabled,
-as in <xref linkend="fig-Secure_Boot-Firmware_Security_Tab"/>.
+as in <xref linkend="fig-Secure_Boot-Firmware_Security_Secure_Boot"/>.
</para>
-<figure id="fig-Secure_Boot-Firmware_Security_Tab">
-<title>UEFI firmware Security tab</title>
-<literallayout class="monospaced">
- Lenovo BIOS Setup Utility
- Main Devices Advanced Power Security Startup Exit
-┌─────────────────────────────────────────────────────────────────┬───────────────────────────────┐
-│ Image Execution Policy │ Help Message │
-│─────────────────────────────────────────────────────────────────│───────────────────────────────│
-│ Secure Boot Status User Mode │Select whether to enable or │
-│ Secure Boot [Enabled] │disable Secure Boot │
-│ │[Enabled] Enable Secure │
-│ Reset to Setup Mode │Boot,BIOS will prevent │
-│ │un-authorised OS be loaded. │
-│ │[Disable] Disables Secure │
-│ │Boot. │
-│ │ │
-│ │ . │
-│ │ │
-│ │ │
-│ │ │
-│ │ │
-│ │ │
-│ │ │
-│ │ │
-│ │ │
-│ │ │
-│ │ │
-│ │ │
-│ │ │
-└─────────────────────────────────────────────────────────────────┴───────────────────────────────┘
- F1 Help ↑↓ Select Item +/- Chane Values F9 Setup Defaults
- ESC Exit ←→ Select Menu Enter Select►Sub-Menu F10 Save and Exit
-</literallayout>
-</figure>
<para>
Return to the <emphasis>Exit</emphasis> tab, choose <emphasis>Save
Changes and Exit</emphasis>, and press <keycap>Enter</keycap>.
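Review bot: The added "press ↓ to select Secure Boot" reads as a single key press, while the new Disabling section says "Press ↓ until you reach" the same item, which sits near the bottom of the Security tab figure; use the same wording here. The sentence now chains four actions and two xrefs, so splitting it after the Security tab xref would make it easier to follow. The figure with id fig-Secure_Boot-Firmware_Security_Tab changed content from the Image Execution Policy screen to the Security tab, so check that any other references to that id elsewhere in the guide still point at the screen they mean.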
@@ -255,5 +329,13 @@ operating system is started. This is not a problem with UEFI Secure
Boot; on the affected systems, it also happens with Secure Boot
disabled.
</para>
+<para>
+UEFI Secure Boot (and its Microsoft variant) require secure firmware
+updates. Typically, this is implemented by writing a signed update to
+a staging area, where the firmware picks it up during the next boot,
+verifies it, and then proceeds to overwrite the actual firmwre.
+However, this process is still far from foolproof and firmware updates
+still can make devices unusable, requiring a firmware replacement.
+</para>
</section>
</chapter>
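Review bot: "firmwre" in the added paragraph is a typo for "firmware", and "UEFI Secure Boot (and its Microsoft variant) require" should be "requires", since the parenthetical does not make the subject plural. "requiring a firmware replacement" is ambiguous about whether it means re-flashing or replacing hardware; say which. This paragraph is about firmware updates rather than disabling Secure Boot, so it should either go in its own commit or be mentioned in the commit message.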