[kwlug-disc] Adventures in dual boot land...

Chris Irwin chris at chrisirwin.ca
Wed Feb 8 01:44:57 EST 2017 

On Tue, Feb 07, 2017 at 06:17:59PM +0000, CrankyOldBugger wrote:
>A couple of months ago I picked up an M.2 drive for my main desktop, with
>the intention of loading Ubuntu on it for a dual boot setup with Windows 10
>on the other drives.  It's part of my big plan to completely eliminate
>Windows from my systems.
>
>Last time I did a dual boot was when Microsoft first started pushing
>EFI/UEFI/Secure Boot and that sort of stuff.  The solution at the time was
>to turn these features off in the BIOS if you wanted to install Linux.  So
>I did the same thing this time around when I tried to install Ubuntu on the
>M.2.

A lot of people link UEFI and Secure Boot together, when they're really 
quite different things (although the latter depends on the former).

UEFI is great. Seriously. It *is* different than what we're used to, but 
BIOS booting was such a pain, particularly when dual booting. Most of 
that is solved with UEFI. No longer do you have to worry about windows 
"taking over", or blowing away GRUB.

It does take a bit to learn, because it's different than BIOS booting.  
Those differences are mostly good.

Regarding UEFI problems, most were due to particularly buggy 
implementations. For the most part, those have been either patched or 
worked-around (and afaik, there are very few issues on currently 
shipping hardware).

For example:

* Early on, Samsung had some lovely behaviour that would brick laptops 
sometimes if poked just right. This was not a Linux-specific issue, 
though it was reported as such originally.

    http://mjg59.dreamwidth.org/22855.html

* Some machines (Lenovo thinkcentres) were doing weird things that 
"passed the tests" but is stupid. Like refusing to run a bootloader 
unless it identified itself explicitly as "Windows Boot Manager" or "Red 
Hat Enterprise Linux".

    http://mjg59.dreamwidth.org/20187.html

* Some of the "early" UEFI equipment had some really glaring issues that 
were never patched. My own server at home actually hangs when attempting 
to register a new UEFI bootloader. That's not desired behaviour, but 
little I can do to fix it. This is perhaps worse because it's an actual 
Intel-branded motherboard, with an Intel UEFI. If Intel could mess up 
their early UEFI servers...

    http://I haven't written this yet.


Now Secure Boot is a different beast. It's simply verifying signatures 
of your boot loader, etc. Compare that to the Lets Encrypt talk from 
yesterday: Signatures are all well and good, but you (and your system) 
need to initially trust somebody to get the ball rolling. For consumer 
hardware, that's Microsoft.

I won't get into the politics of why Microsoft is running the signing 
organization, or how I don't think that's an entirely bad position 
currently, and how they've actually done a mostly decent job in the 
role, surprisingly. This would be a whole debate on it's own, and some 
theoretical "Lets Encrypt for bootloaders" would actually be worse for 
security. But I digress...

>From a windows point of view, you can be relatively sure that your OS 
itself isn't compromised, and it can be trusted to behave properly 
(insofar as you trust Microsoft. But if you don't, then why are you 
running Windows).

Secure Boot itself could be a desireable feature even if you don't trust 
Microsoft. If you install and trust your own keys (and remove 
Microsoft), you can then self-sign your boot chain. You can then be sure 
that only the components you've configured/signed are loaded, and no 
"evil maid" has altered your system (aside from hardware keyloggers, 
etc).

To use myself as an example, I need to type a passphrase at boot to 
decrypt my disk. However, I don't have any way to verify that the screen 
I'm typing my password into is actually *my* boot-time password screen, 
or a lookalike booted from USB/replaced on my system/etc). Secure Boot 
can solve that problem.

In practice, there seems to be little interest or tooling around 
entirely self-signed boot chains. That said, while I do have UEFI 
machines, I don't have any that support Secure Boot. So I haven't played 
around with it, or researched any of the tooling to self-sign your boot.

Most Linux distros are signed with a trusted key already (yes, via 
Microsoft), so you probably don't need to disable it.

>So the setup is:
>
>/dev/sda is the Windows 10 SSD
>/dev/sdb is a 1TB HDD for the Windows side
>/dev/sdc is the new M.2 for Ubuntu
>/dev/sdd is the USB stick for installing Ubuntu from (and of course only
>temporary)
>
>I ran in to nothing but trouble with this on this install.  Ubuntu seems to
>install fine, for the most part, but it always failed when it came time to
>writing GRUB on the Windows 10 disk. I tried going with different sorts of
>partitioning schemes, using GParted to set up the linux side prior to
>installation, I even tried other distros such as Fedora to install.  Just
>couldn't get past the "writing GRUB" part.

What's likely happened is you have an EFI Windows 10 install on a GPT 
disk. This is normal.

You were trying to install Legacy BIOS Ubuntu, installing GRUB to the 
windows disk (because it's /dev/sda, and that's where BIOS magic 
happens). BIOS Grub on a GPT disk is a problem.

The problem is that Grub stores it's core.img in the "Post MBR Gap".  
Basically, the unused space before the first partition actually starts.  
However, on an GPT disk, this space isn't available. The solution is to 
create a small (1MB) partition of the appropriate type. Grub will 
recognize this and use it. However, if you've already partitioned the 
drive, you're SOL.

Some more information about booting with BIOS grub on a GPT disk:

https://wiki.archlinux.org/index.php/GRUB#GUID_Partition_Table_.28GPT.29_specific_instructions

>So, with nothing else to think of, I turned on the EFI stuff in the 
>BIOS,and sure enough, Ubuntu was able to write GRUB to the Windows 10 
>drive with no problems.  I now have a working dual boot configuration 
>(and as a bonus, I haven't booted into Windows since the install).

The "proper" way that Ubuntu should have installed, using UEFI, on 
/dev/sdc is to create a new EFI partition, likely /dev/sdc1. Ideally, 
you could remove your windows drive and still have properly boot Ubuntu.  
And vice versa.

Doing this on a BIOS system would be.. problematic. GRUB would be on 
/dev/sda, but it's stage2 would be on /dev/sdcX (your /boot partition).  
Removing either drive will result in an unbootable machine. Joy.

>I mentioned this to a few friends of mine and one of them seems to think
>that the new M.2 drives require EFI (or UEFI, whatever) to be turned on for
>proper operation, but I haven't been able to confirm this yet.

Depends. You were obviously able to see the drive after booting via BIOS 
mode, and (disk formats aside) nothing would stop you from installing a 
bootloader on one.

However, m.2 is just a connector. The device itself could be either USB, 
SATA, or PCIe (NVMe). It's very probable that NVMe booting would depend 
on UEFI firmware support.

-- 
Chris Irwin

email:   chris at chrisirwin.ca
 xmpp:   chris at chrisirwin.ca
  web: https://chrisirwin.ca

More information about the kwlug-disc mailing list