Linux is a popular operating system that can be installed on a UEFI PC. This guide will show you how to boot and install Linux on a UEFI PC with Secure Boot. UEFI is an industry-standard platform for firmware development and deployment. It enables systems to boot from Secure Boot-protected media, such as DVDs or CDs, without needing to enter the BIOS. This makes it possible for businesses and governments to deploy secure Linux systems without having to worry about potential security breaches.

To enable Secure Boot, your computer must have at least one EFI system partition that is formatted as FAT32. You can also create a separate FAT32 partition for Secure Boot if you want. Once your computer has been configured with Secure Boot, you must add the linux-efi file to the EFI system partition.

Once the linux-efi file has been added, you can start booting by pressing F8 when your computer starts up and selecting “EFI System Partition” from the “Boot Options” menu. Then press Enter to continue booting into EFI mode. In EFI mode, select “Linux” from the “Operating System” list and press Enter. Then press Tab to move down the list until you find “linux-efi”. Press Tab again and select “Add.” From the Add dialog box, type in “EfiSystemPartition” (without quotes) and press Enter. The contents of this dialog box will be used as your system’s EFI system partition name. If you want to change this name later, just edit the contents of this dialog box after your computer has started up again (by pressing F8 during startup).


New Windows PCs come with UEFI firmware and Secure Boot enabled. Secure Boot prevents operating systems from booting unless they’re signed by a key loaded into UEFI — out of the box, only Microsoft-signed software can boot.

Microsoft mandates that PC vendors allow users to disable Secure Boot, so you can disable Secure Boot or add your own custom key to get around this limitation. Secure Boot can’t be disabled on ARM devices running Windows RT.

How Secure Boot Works

PCs that come with Windows 8 and Windows 8.1 include UEFI firmware instead of the traditional BIOS. By default, the machine’s UEFI firmware will only boot boot loaders signed by a key embedded in the UEFI firmware. This feature is known as “Secure Boot” or “Trusted Boot.” On traditional PCs without this security feature, a rootkit could install itself and become the boot loader. The computer’s BIOS would then load the rootkit at boot time, which would boot and load Windows, hiding itself from the operating system and embedding itself at a deep level.

Secure Boot blocks this — the computer will only boot trusted software, so malicious boot loaders won’t be able to infect the system.

On an Intel x86 PC (not ARM PCs), you have control over Secure Boot. You can choose to disable it or even add your own signing key. Organizations could use their own keys to ensure only approved Linux operating systems could boot, for example.

Options for Installing Linux

You have several options for installing Linux on a PC with Secure Boot:

Choose a Linux Distribution That Supports Secure Boot: Modern versions of Ubuntu — starting with Ubuntu 12.04.2 LTS and 12.10 — will boot and install normally on most PCs with Secure Boot enabled. This is because Ubuntu’s first-stage EFI boot loader is signed by Microsoft. However, an Ubuntu developer notes that Ubuntu’s boot loader isn’t signed with a key that’s required by Microsoft’s certification process, but simply a key Microsoft says is “recommended.” This means that Ubuntu may not boot on all UEFI PCs. Users may have to disable Secure Boot to use Ubuntu on some PCs.

Disable Secure Boot: Secure Boot can be disabled, which will exchange its security benefits for the ability to have your PC boot anything, just as older PCs with the traditional BIOS do. This is also necessary if you want to install an older version of Windows that wasn’t developed with Secure Boot in mind, such as Windows 7.

Add a Signing Key to the UEFI Firmware: Some Linux distributions may sign their boot loaders with their own key, which you can add to your UEFI firmware. This doesn’t seem to be common at the moment.

You should check to see which process your Linux distribution of choice recommends. If you need to boot an older Linux distribution that doesn’t provide any information about this, you’ll just need to disable Secure Boot.

You should be able to install current versions of Ubuntu — either the LTS release or the latest release — without any trouble on most new PCs. See the last section for instructions on booting from a removable device.

How to Disable Secure Boot

You can control Secure Boot from your UEFI Firmware Settings screen. To access this screen, you’ll need to access the boot options menu in Windows 8. To do this, open the Settings charm — press Windows Key + I to open it — click the Power button, then press and hold the Shift key as you click Restart.

Your computer will restart into the advanced boot options screen. Select the Troubleshoot option, select Advanced options, and then select UEFI Settings. (You may not see the UEFI Settings option on a few Windows 8 PCs, even if they come with UEFI — consult your manufacturer’s documentation for information on getting to its UEFI settings screen in this case.)

You’ll be taken to the UEFI Settings screen, where you can choose to disable Secure Boot or add your own key.

Boot From Removable Media

You can boot from removable media by accessing the boot options menu in the same way — hold Shift while you click the Restart option. Insert your boot device of choice, select Use a device, and select the device you want to boot from.

After booting from the removable device, you can install Linux as you normally would or just use the live environment from the removable device without installing it.

Bear in mind that Secure Boot is a useful security feature. You should leave it enabled unless you need to run operating systems that won’t boot with Secure Boot enabled.
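
To confirm from the installed or live Linux system which state the firmware is actually in, the check below reads the SecureBoot and SetupMode variables that UEFI firmware exposes through efivarfs. It is an added example, not part of the original article; the function names and state labels are illustrative, and the sample bytes are constructed.

```python
"""Report the firmware's Secure Boot state from Linux efivarfs (added example)."""
from pathlib import Path

# GUID of the UEFI global variable namespace (EFI_GLOBAL_VARIABLE in the UEFI spec).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # usual efivarfs mount point

# Constructed sample of a SecureBoot variable file: 4-byte little-endian
# attribute word (0x6 = boot-service + runtime access), then one data byte.
SAMPLE_ENABLED = bytes([0x06, 0x00, 0x00, 0x00, 0x01])


def parse_flag(raw: bytes):
    """Return the data byte of a one-byte UEFI variable, or None if malformed."""
    if len(raw) < 5:
        return None  # too short to hold the attribute word plus a data byte
    return raw[4]


def read_flag(efivars: Path, name: str):
    """Read a global UEFI variable from efivarfs; None if absent or unreadable."""
    try:
        return parse_flag((efivars / f"{name}-{EFI_GLOBAL_GUID}").read_bytes())
    except OSError:
        return None


def secure_boot_state(efivars: Path = EFIVARS) -> str:
    """Classify the boot as no-efivars, unknown, setup-mode, enabled or disabled."""
    if not efivars.is_dir():
        return "no-efivars"  # booted in legacy BIOS mode, or efivarfs not mounted
    secure_boot = read_flag(efivars, "SecureBoot")
    if secure_boot is None:
        return "unknown"  # variable missing or malformed
    if read_flag(efivars, "SetupMode") == 1:
        return "setup-mode"  # no Platform Key enrolled, so nothing is enforced
    return "enabled" if secure_boot == 1 else "disabled"


if __name__ == "__main__":
    print("Secure Boot state:", secure_boot_state())
```

A result of "disabled" or "setup-mode" on a machine that is supposed to enforce Secure Boot means the firmware will load unsigned boot loaders, which is the condition the rootkit scenario above relies on.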