Installing Linux on Windows 8 PCs: No easy answers (itworld.com)
104 points by tanglesome on July 31, 2012 | 73 comments

I bought a $300 eMachines EL1360G-UW11P for a home server to replace my 2001 vintage 800MHz P-III.

I installed linux but it wouldn't boot. Major bummer.

It wasn't clear that UEFI signing was at fault, but there was no other reason for it to refuse to boot the image. The install went fine right through the reboot. I re-installed linux trying several different things, all unsuccessfully. I also booted a "rescue" image and verified the install looked valid.

There was no way to turn off UEFI signing in the BIOS menus.

I went to the manufacturer's web site and found they had a "Linux BIOS" image. http://support.gateway.com/us/en/emac/product/default.aspx?t... I was able to reflash the BIOS with the P01.C1L image, but I had to force it by looking at their "flash.bat" file and adding a /X flag to the flash command in there.

With the "linux" BIOS image, the board booted linux just fine. Huh.

Lessons Learned:

* UEFI is a real risk. Most mainstream PCs nowadays boot linux out of the box. I lived through the times when I bought a new PC "at risk" because it might have chips that were not supported by linux. UEFI brings that risk back, but through software, not hardware. Sucks!

* The hardware manufacturers apparently are getting the "it must run linux" message, even for low end throw-away machines. Yeah!

* Reflashing BIOSes, especially when the user has to manually override "self protection" aborts, is not something an unsophisticated user is going to be able to do. Sucks.
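
Added example, not part of the original comment: one way to confirm from a running Linux system (a rescue image, for instance) whether the machine booted through UEFI and whether Secure Boot is enforcing, by reading the `SecureBoot` and `SetupMode` variables from efivarfs. The function names and state labels are this example's own.

```shell
#!/usr/bin/env bash
# Added example: report firmware boot mode and Secure Boot state from Linux.
# An efivarfs file holds 4 bytes of variable attributes followed by the data;
# SecureBoot and SetupMode are one-byte values under the EFI global GUID.

EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the one-byte value of an EFI global variable, or "absent".
# $1 = variable name, $2 = efivars directory
efi_byte() {
    local f="$2/$1-$EFI_GLOBAL_GUID" v
    [ -r "$f" ] || { echo absent; return 0; }
    # Skip the 4 attribute bytes, read one data byte as unsigned decimal.
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d '[:space:]')
    echo "${v:-absent}"
}

# Classify the machine. $1 = efivars directory (defaults to the real one).
secure_boot_state() {
    local dir="${1:-/sys/firmware/efi/efivars}" sb sm
    # No efivars directory: the kernel was started by legacy BIOS or a CSM.
    [ -d "$dir" ] || { echo "legacy-bios-or-csm"; return 0; }
    sb=$(efi_byte SecureBoot "$dir")
    sm=$(efi_byte SetupMode "$dir")
    if [ "$sb" = "absent" ]; then
        echo "uefi-secure-boot-variable-missing"
    elif [ "$sb" = "1" ]; then
        # Firmware checks signatures on every image it loads.
        echo "secure-boot-enforcing"
    elif [ "$sm" = "1" ]; then
        # No platform key enrolled, so nothing can be enforced yet.
        echo "secure-boot-off-setup-mode"
    else
        echo "secure-boot-off"
    fi
}

# Run as a script with --report to print the state of this machine.
if [ "${1:-}" = "--report" ]; then secure_boot_state; fi
```

A result of `legacy-bios-or-csm` or `secure-boot-off` on the installed system rules out signature enforcement as the cause of a boot failure.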

To be fair: downloading a .iso file, burning the image onto a blank disk, rebooting and entering bios setup, setting boot device order, inserting disk and rebooting again, partitioning disks and doing install process isn't something that an unsophisticated user is going to be able to do without significant guidance though.

The BIOS flashing does add an extra risk factor though, prepare for many "Linux fucked my PC!" rants from users who screwed up the flashing process.

You can skip most of those steps doing a network install with unetbootin, no cds or usb drives needed


I've used UNetbootin, and as far as I know, there is no way to do a netboot/install without any media.

I took a look at the site, and it doesn't appear to have any information about that. Are you aware of some functionality that isn't listed on the site?

For what it's worth, UNetbootin is a really nice way to create liveUSB drives that you can use to install Linux/BSD.

Select type "hard disk" (last row of options) instead of "usb drive". I've used it to do full network installs of CentOS.

I think we have different notions of what "network install" means. Yes, you can download packages from the web during the install (perhaps booting from a minimal install, as most network installs do).

I was really more interested in netboot installs, where the machine downloads a boot image (via TFTP generally) and does the install from there.

In fact, no hard drive is needed in the machine if you want to just boot an image from a network share.

Apple uses a technology like this to reimage boot drives:


This is how it works in Ubuntu:


> Every new PC sold with Windows 8 will be locked up tight with Microsoft's UEFI ... secure boot on

Not that I don't agree that there's a potentially dangerous precedent here, but this is omitting a key detail. For x86 computers, MS's certification requires that users can disable secure boot. Of course, this is not true for ARM computers, hence the dangerous precedent.

I find it strange how people refer to a Windows RT tablet as an "ARM computer", but the iPad, Kindle Fire, Nook and a zillion other Android tablets (most of which have locked bootloaders, hello "Dangerous Precedent"!) are not referred to as ARM PCs.

It just shows how the terminology is changed to have a higher impact for an argument.

I find Android having locked bootloaders to be dangerous in the long term and just very annoying in the short term. The only solution is to only buy Google devices.

iOS is a lost cause, most likely, since it won't even let users run whatever they want.

On the contrary, it seems the big Android manufacturers start to understand the advantages of letting users unlock the bootloader. There are official tools from HTC[1] and Sony[2], Motorola seems to follow suit[3] and Samsung's dragging its feet in the same direction with the Galaxy S3[4].

[1] http://htcdev.com/bootloader

[2] http://unlockbootloader.sonymobile.com/

[3] http://www.motorola.com/blog/2012/07/26/unlock-the-bootloade...

[4] http://www.androidcentral.com/samsung-offer-hacker-friendly-...

I think even HTC still don't unlock all of their phones. Same with Sony.

Motorola have merely promised, my Milestone is exactly as locked as it was before that blog post.

Hopefully things will improve, but I'm not holding my breath. Next phone is a Google device.

I'd attribute it to the software. iOS and Android are clearly meant to coexist with and not supplant a more traditional OS. To me, the dangerous precedent is that this new ARM computer comes loaded with "Windows", a label which connotes a more traditional OS, yet it can only run apps from MS's app store and cannot be booted into Linux. Yes, this is a slippery slope argument given that MS also provides the x86 version which can do all of those things, but I think the distinction will be lost on the general public.

I can't wait to hear all those stories of people who buy a "Windows" RT device and then find out they can't actually run any Windows software on it.

Since everything has to be downloaded from the Windows Store (which can control the experience) and it comes with Office RT, most people probably won't notice. There will be people who will ask where the DVD drive door is...

Microsoft has been through this already with the failed Alpha port of Windows. It should be interesting to see what plans they have to mitigate this.

Actually, x86 software ran fine on NT/Alpha; at one point x86 apps ran faster emulated on Alpha than natively on x86. (And emulated 68K on PPC was sometimes faster than native 68K.)

Was there an x86 emulator that shipped with NT/Alpha? I never heard about this before, and Google isn't being helpful.

I don't think it is fair to call it a "failed" alpha port. AFAIK WinNT was developed on multiple CPU architectures from the get go to ensure they didn't take any dependencies on one architecture. Alpha was one of those architectures http://en.wikipedia.org/wiki/Windows_NT_3.1 (also courtesy of the fact that Dave Cutler and a whole bunch of other guys from DEC were hired by MS to build NT) and continued to be supported for a while. I think Alpha's lack of success in the marketplace eventually killed NT's support for it.

I meant failed in the sense of a commercial failure, not a project failure.

There is nothing distinguishing Android from a conventional general-purpose computing OS, aside from the fact that it's designed to be used with a finger rather than a mouse. The question you're really asking is whether traditional computing tasks can be performed efficiently with a touch interface.

> There is nothing distinguishing Android from a conventional general-purpose computing OS

Except the expectations of the consumer, which was, you know, the whole point of my post. The touch interface has literally nothing to do with it.

To be totally clear, I agree that Android doesn't carry the same caveats as iOS and Windows RT, but in the eyes of the consumer, Windows and Android mean very different things.

There should be an antitrust lawsuit against Microsoft.

"Secure boot" creates barriers to entry for operating system innovators. I don't see how this isn't an abuse of monopoly power to tighten the screws on a market threatened by disruptive competition; if antitrust laws can't help us here, I don't know why we even bother to have them.

Does anyone know the process in the USA for lodging antitrust complaints with the government?

How is it anti-trust to make vendors have a secure boot but also require them to allow users to disable it? And on the RT side, how is it anti-trust to do exactly what Apple does in a market where Microsoft has exactly zero penetration?

Double standard. It seems people are willing to let it slide with Apple but not with Microsoft. Even Mozilla came out decrying Microsoft's policy of not allowing third party browsers but never said a peep about iOS. There's no use throwing a fit just because Microsoft is doing it when you let the actual tablet monopoly get away with it for so long.

Other operating system vendors are free to arrange with hardware manufacturers to include certificates for their operating systems. It's not an antitrust issue that other OS vendors were not able to get their act together in order to do so.

On top of that, they have the option of piggybacking on Microsoft's certificate. Microsoft will even subsidize the cost of getting a certificate from Verisign to allow that.

Finally, Microsoft is using their market power to force OEMs of x86 computers to include a way for users to disable Secure Boot and to add new certificates.

> Other operating system vendors are free to arrange with hardware manufacturers to include certificates for their operating systems.

Actually, this isn't quite true. It turns out that the Secure Boot specification only allows for a single valid certificate in certain places.

"...the UEFI specification only allows an image to be signed by a single key" - https://lists.ubuntu.com/archives/ubuntu-devel/2012-June/035...

> Other operating system vendors are free to arrange with hardware manufacturers to include certificates for their operating systems. It's not an antitrust issue that other OS vendors were not able to get their act together in order to do so.

For a lot of users, merely having the option of signing their images simply won't be good enough. Unless the signing keys are available to everyone, you cannot boot a self-compiled kernel on a secure boot system.

If you want to compile your own kernels and boot them without disabling Secure Boot, make your own self-signed certificate, add that to the certificate list the firmware maintains, and self-sign your kernel with your certificate.
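
Added example, not part of the original thread: the steps this comment describes, using `openssl` and the `sbsign`/`sbverify` tools from sbsigntool. It assumes the kernel is built as an EFI (PE/COFF) image; the file names and certificate name are placeholders, and enrolment itself is done in the firmware setup screen or, on systems that boot through shim, with `mokutil --import`.

```shell
#!/usr/bin/env bash
# Added example: create your own Secure Boot signing key and sign a kernel.
# File names (db.key, db.crt, db.cer) are placeholders chosen for this example.

# Generate an RSA-2048 key and a self-signed X.509 certificate.
# $1 = output directory, $2 = certificate common name
make_signing_cert() {
    local dir="$1" cn="$2"
    mkdir -p "$dir" && chmod 700 "$dir"
    # -nodes leaves the private key unencrypted: keep this directory offline,
    # because anyone holding db.key can sign code the firmware will accept.
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$cn/" -keyout "$dir/db.key" -out "$dir/db.crt" 2>/dev/null
    chmod 600 "$dir/db.key"
    # Firmware enrolment menus and mokutil generally expect DER encoding.
    openssl x509 -in "$dir/db.crt" -outform DER -out "$dir/db.cer"
}

# SHA-256 fingerprint, to compare with what is shown at enrolment time.
# $1 = PEM certificate
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Sign an EFI kernel image, then check the signature against the certificate.
# $1 = key directory, $2 = unsigned image, $3 = signed output image
sign_kernel() {
    sbsign --key "$1/db.key" --cert "$1/db.crt" --output "$3" "$2" &&
        sbverify --cert "$1/db.crt" "$3"
}

# Typical order of operations (paths are placeholders):
#   make_signing_cert /root/sb-keys "My Kernel Signing Key"
#   cert_fingerprint /root/sb-keys/db.crt
#   enrol /root/sb-keys/db.cer in the firmware's signature database,
#     or on a shim-based system: mokutil --import /root/sb-keys/db.cer
#   sign_kernel /root/sb-keys /boot/vmlinuz-custom /boot/vmlinuz-custom.signed
```

Every rebuilt kernel has to be signed again before it will boot with Secure Boot on; the certificate only needs enrolling once.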

This has so many problems that it's sort of silly to just name one. But for me, this makes OS research much more painful, let alone anyone else doing anything with Linux that isn't using a distro blessed by Microsoft or one of their proxies.

If they are frequently switching between Linux and Windows on a dual boot system, then yes it will be more painful unless they go to the trouble of generating their own signing keys and adding them to the firmware's key database and signing their Linux.

If they aren't frequently switching back and forth between Windows and Linux, what's wrong with going into the firmware settings and turning off Secure Boot so that they can run whatever Linux they want with no restrictions?

Microsoft is willing to sign your bootloader as long as you promise not to boot any malware.

Why has this issue resurfaced? What has changed?

I thought that the windows 8 certification for x86 required that users should be able to disable secure boot.

Manufacturers might be satisfying that requirement by providing an unlocked boot image for users to flash themselves.

Then the problem is fraudulent manufacturers.

There can't be any universe in which that isn't a shortsighted and downright ludicrous move.

If anything we should be happy for the manufacturers that do that, it means we'd never have to consider them again.

>Then the problem is fraudulent manufacturers.

Or a certification standard that mandated that vendors do something, but was highly nonspecific as to exactly how they were to do it.

AND a certification standard...

This would never be a problem without both fraudulent manufacturers and an unclear certification standard.

Do people still believe this crap? It's not as if OEMs are being forced to make Microsoft the sole CA of machines they sell. The requirement for the logo is that the feature is available. Any OEM who doesn't provide options to enable/disable the feature or adjust trust options is crazy. I mean, come on -- what if your hard drive fails? These are desktop computers we're talking about. It's an open platform.

To be honest, I'm very excited for Secure Boot. It, combined with TPMs and disk encryption, will finally allow desktop computers to be a truly secure platform (barring opening up the ICs on the motherboard, anyway).

> It's not as if OEMs are being forced to make Microsoft the sole CA of machines they sell.

Here's Fedora's response (Matthew Garrett, mjg59):

"We explored the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it, but turned it down for a couple of reasons. First, while we had a surprisingly positive response from the vendors, there was no realistic chance that we could get all of them to carry it. That would mean going back to the bad old days of scouring compatibility lists before buying hardware, and that's fundamentally user-hostile. Secondly, it would put Fedora in a privileged position. As one of the larger distributions, we have more opportunity to talk to hardware manufacturers than most distributions do. Systems with a Fedora key would boot Fedora fine, but would they boot Mandriva? Arch? Mint? Mepis? Adopting a distribution-specific key and encouraging hardware companies to adopt it would have been hostile to other distributions. We want to compete on merit, not because we have better links to OEMs."

Surely the answer is to sign distributions (or not) as verified as originating from a domain (eg microsoft.com), then let the user choose which os to boot in the bios (or whatever becomes). Then if you want to run an os from an untrusted domain you can, or you can just stick to whatever is signed as coming from microsoft.

As far as I can see all pc manufacturers would need to do is verify the certificate of each os on an os selection screen and display the result to the user

But couldn't they have just signed the other distros' keys? (Naive question)

Yes, but that would make them responsible for any malicious code that any other distro used. That would mean they would have to do security reviews of every other distro if they wanted secure boot to remain secure, which is not feasible at all.

Why would you need to open up the ICs on the motherboard? Just plug in to that "thunderbolt" that's got people so excited, and DMA whatever you need.

Surely the Thunderbolt interface has an IO-MMU?

From wikipedia:

>A number of Intel processors since the introduction of the Nehalem microarchitecture (that is, a number of CPU branded Core i5, Core i7, or later) support VT-d, an IOMMU implementation. This allows the operating system (OS) to isolate a device in its own virtual memory address space (in a manner analogous to the isolation of processes from one another using the MMU). Devices could thus be prevented from having access to unauthorized parts of the memory space. However, this feature isn't generally used other than for its initial purpose of giving guest virtual machines passthrough access to specific host hardware.[citation needed]

So.. maybe? Resolving that 'citation needed' would be nice.

I find this really stupid on Microsoft's part. I operate a dual boot solely for the purpose of using Windows for gaming. With Steam potentially coming to Linux, I'll just drop Lenovo as my vendor of choice and go with a vendor who supports my OS of choice, Linux.

Unfortunately you'll still be missing out on lots of games, even with Steam for Linux. Initially, Steam for Linux will only be good for a few Valve titles and indie games.

But if enough people start giving up on Windows since they are using it as a game only OS, game publishers will have to take action.

Yes it's a dream, but maybe one day... maybe one day...

I really don't see it happening ever. I have a lot of trouble seeing Linux distros be used by actual everyday consumers. I mean, it'd be cool if it happened, but the quality just isn't there.

Which is what you really should have done all along. If you really care about Linux, buy a computer with Linux pre-installed and supported.

"Secure Boot retains flaws in its design that will ultimately mandate that Microsoft's key is on every PC (because of core UEFI driver signing)"

And if this Microsoft key were to be found being used as part of an exploit, ala the previous Microsoft cert being used to sign Stuxnet?

Not that I am encouraging any specific behavior...

"Most people today who want to run Linux on a Mac use the Compatibility Support Module (CSM), which provides BIOS emulation on the Mac. This method is messy, doesn't work that well, and I'm quite certain will fail miserably on Secure Boot Windows 8 PCs."

Am I missing something here, as I post this from Debian running on my work iMac? All I had to do was install rEFIt ( http://refit.sourceforge.net/ ), install Debian, and let rEFIt detect it (I forget if it involved manual configuration, been a while.)

I think this is much ado about nothing, especially given that Microsoft seems to be insisting that manufacturers leave in the option to turn off secure boot. I also thought Linux had the capability to boot off of UEFI; is this not true?

It depends on the distribution. AFAIK you have to sign each version of the bootloader and for GPL related reasons you cannot do this with GRUB2 so Ubuntu are having to resort back to GRUB1.

This means that whilst you may be able to run big "brand name" distributions like Ubuntu or RedHat on a secure boot PC more obscure distros might simply not work at all (unless you turn secure boot off).

Actually you are allowed to use grub2. The issue would be if you sell a device with grub2 pre-installed, and no way to install a user version.

Also, the other distributions could simply use Ubuntu's signed bootloader (So could rootkits).

Is your iMac running Lion? When I upgraded from Snow Leopard, it borked my rEFIt ubuntu partition.

Keeping free OSes off computers in the name of security is the same, to me, as censorship in the name of protecting children: stupid and unworkable.

Behold the power of monopoly.

edit (lol, microsofties down voting this comment)

Still abusing it, too:

"Microsoft Files Motion in Apple v. Samsung to Hide Patent License Agreement Terms ~pj" As explained in the accompanying declaration of Tanya Moore, Microsoft's General Manager of Outbound Licensing, Exhibits 3A and 3B to the Teece Report contain sensitive confidential and proprietary business information from the Confidential Agreement between Microsoft and Samsung. The Teece Report summarizes sensitive portions of the Confidential Agreement, including the licensed technology, term of the license, royalty rates, and payment information, among other things. (Moore Decl. at ¶¶ 3-4).


Behold, the power of oh shit Microsoft doesn't even have a presence in the ARM tablet world, let alone a monopoly.

Samsung sells a lot of their hardware with MS software on it and are dependent on favorable licensing terms. This business Samsung does with them overshadows all their other partners in terms of revenue.

And that's relevant to Microsoft ARM tablets how? x86 devices don't have locked bootloaders, and Windows ARM tablets don't exist, so the reason you were downvoted isn't Microsoft fanboys, it's that you're wrong and seemingly quite proud to be so.

So, what will happen with the millions of servers that run Linux? Also I would think the EU wouldn't be happy to see Microsoft lock their operating system on each laptop. Obviously some solution will be found.

On a related note, why don't Canonical start selling their own hardware? Most laptops are pretty crappy, I'm sure they could do better and having official support would be great.

System76 is pretty close to being the official Ubuntu vendor. Full support, custom hardware, and Canonical's nod of approval. They're the Lenovo (et al) of the Ubuntu world.

I'm still new to the UEFI thing and don't really understand the issue totally ... but would doing something like getting a System32 box (or building your own) and then installing Win8 do the trick? Obviously it still would have Windows code on it, but wouldn't that sidestep the hardware manufacturer issue? or something ...

Yes - the requirement is for manufacturers who want to use the Windows logo to indicate that their systems support Windows 8.

But many new Linux users start by installing Linux on a PC bought with Windows, so we definitely want to make that as easy as possible.

Yes, but bitching about being oppressed is cooler than just buying a Linux PC.

There is a very simple way to install Linux on any Windows PC: a VM. I'm not sure why more people don't do it. It gives you all the flexibility and strength of command line while the battery life/drivers/software support of Windows. It's easy to back up, transfer to other PCs, etc...

This assumes you want windows at all, and all the problems that come with it. Using a slow system that tends to decay as the base of your computing experience isn't something I'm interested in.

It would make more sense to have Linux as the base, and windows in a VM.

Accidentally downvoted you, but I fully agree. Most of my computers running Linux are not laptops and don't even have screens/keyboards attached. I can't think of a single reason I would ever want windows on them even as just some sort of ghetto hypervisor.

Nor can I, but I presume gamers could come up with a few.

Then why is secure boot an issue for you?

It also gives you all the overhead of running two operating systems, and all the expense of purchasing a commercial one to use a free one.

I'm not saying it's a bad option, but it does have downsides.

I do this for my laptop (mainly because wireless support on linux still sucks) and it isn't perfect. Performance suffers quite a bit, which matters for low power devices. Plus, the windows layer will come bite you in all its sneaky ways, as usual.

Uh, no.

I'd like to not pay Microsoft just so I can use Linux.
