For a long time, new PCs and laptops have been equipped with a 'uefi' instead of the old-fashioned bios. However, the 'security' argument is incorrectly used to make it difficult to boot from a CD or USB stick (with GParted, a malware recovery tool or a Linux distribution, for example). In this article you can read why this is the case and how you can still boot the way you want.
What is uefi?
Before we actually get started, it doesn't hurt to run through some terms. Uefi stands for 'unified extensible firmware interface' and is, as it were, its own operating system for the computer. The classic bios (basic input/output system) is firmware, but the uefi lies between the firmware and the operating system. Uefi and bios can coexist on the same computer.
In the past there was also efi (extensible firmware interface). That was developed by Intel, but since 2005 Intel has been participating in the UEFI Forum: a consortium of companies from the computer industry that further develops the UEFI. Uefi is 'unified' because it is entirely software-based: previously the bios was compiled separately for each chip, whereas uefi is a lot more generic.
In this article we dive into the world of uefi. Every PC or laptop today comes with a uefi. It is a change that seems to have come very suddenly for some users. There is a lot to like about the uefi: the basic settings of the PC are easier to operate, there is more functionality and the PC starts up faster.
Unfortunately, there are also disadvantages: it has become a bit more difficult and complicated for users to boot from other media, for example from a USB stick. Many PC manufacturers have locked down their uefi in such a way that this is not simply possible. Moreover, the situation has become more complicated due to backward compatibility, which still allows you to boot from the bios in a uefi environment.
In this article we look at how booting from the uefi works with USB sticks, and how and why it is locked down. We will also apply this knowledge in practice to start up with alternative media.
01 Uefi Boot
The moment the PC starts, the uefi boot manager gets to work. It looks at the boot configuration and loads the firmware settings into memory. After that, the kernel of the default operating system is started. The firmware settings, which are stored in the nvram, contain the path of the efi file to be started. Nvram stands for non-volatile random-access memory, which is present on the motherboard. Non-volatile means that the data is kept in memory even when the power is turned off.
The boot files are located on an efi partition, also known as the ESP (efi system partition). Such a partition is a simple fat32 partition and has a folder for every operating system on the PC. Each folder contains one efi file, created by the installed operating system. Such an efi file is created in a uefi programming language very similar to the C language and that file starts the actual operating system.
The advantage of the uefi is that it can automatically detect new uefi boot targets. That way you can easily boot from other media. To enable that functionality, uefi uses default paths to locate the bootloader. For example, such a path and file name is /efi/boot/bootx64.efi for a 64-bit system, and for the ARM architecture the file would be named bootaa64.efi.
Especially at the beginning of the introduction of the uefi, there were sometimes start-up problems. Each bootloader had its own problems or quirks. For example, Windows 7 created a new fat32 ESP, even though there was an existing one with fat16. Then the installation failed. Many Linux distributions used to create a fat16 ESP. In addition, Ubuntu 11.04 and 11.10 had a serious bug where the ESP was sometimes accidentally emptied.
When booting, one more term is important: CSM, which stands for compatibility support module. It enables legacy booting by providing support for the bios. You can only enable CSM if the Secure Boot option is off, but more about that in Section 3.
Gpt, or the 'guid partition table', replaces the old mbr (master boot record), the way disks used to be partitioned. The gpt is part of the uefi. Since Windows Vista, Windows can only boot from gpt drives in uefi. The partition header of a gpt disk contains information about which blocks can be used on the disk. This header also contains the 'guid' of the disk: the general unique identifier, a unique identification number. A gpt drive can be basic or dynamic, just like the mbr. Gpt supports up to 128 partitions and it automatically backs up the gpt partition table.
The problem with the master boot record was that it was outdated: disks larger than 2 TB could not be booted, for example. Gpt supports disks up to 9.4 ZB in size. That's zettabytes, or 9.4 x 10^21 bytes. Incidentally, a gpt disk still contains an mbr in its very first block, block 0, for compatibility reasons. Block 1 contains the gpt header and the rest contains the partitions.
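The layout described above (an mbr in block 0, the gpt header with the disk guid in block 1, room for 128 partitions and a backup at the end of the disk) can be checked with a short parser. This is an added example, not code from the original article; the sample disk is constructed in the code and a block size of 512 bytes is assumed.

```python
import struct
import uuid
import zlib

SECTOR = 512                                      # assumed block size
GPT_HEADER = struct.Struct("<8sIIIIQQQQ16sQIII")  # 92-byte header, little-endian

def build_sample_disk(disk_guid, total_sectors=2048):
    """Return blocks 0 and 1 of a gpt disk (constructed sample, not a real dump)."""
    mbr = bytearray(SECTOR)
    mbr[450] = 0xEE                      # type byte of the protective mbr entry
    mbr[510:512] = b"\x55\xaa"           # mbr signature
    fields = [b"EFI PART", 0x00010000, GPT_HEADER.size, 0, 0,
              1, total_sectors - 1,      # block of this header, block of its backup
              34, total_sectors - 34,    # first and last usable block
              disk_guid.bytes_le, 2, 128, 128,
              zlib.crc32(bytes(128 * 128))]           # crc of an empty partition array
    fields[3] = zlib.crc32(GPT_HEADER.pack(*fields))  # header crc, computed with field = 0
    return bytes(mbr) + GPT_HEADER.pack(*fields).ljust(SECTOR, b"\0")

def parse_gpt(image):
    """Validate block 0 and block 1, then return the header fields worth checking."""
    mbr, hdr = image[:SECTOR], image[SECTOR:SECTOR + GPT_HEADER.size]
    if mbr[510:512] != b"\x55\xaa" or mbr[450] != 0xEE:
        raise ValueError("block 0 is not a protective mbr")
    (sig, _rev, size, crc, _reserved, current, backup, first, last,
     guid, _array_block, count, _entry_size, _array_crc) = GPT_HEADER.unpack(hdr)
    if sig != b"EFI PART" or size != GPT_HEADER.size:
        raise ValueError("block 1 does not hold a gpt header")
    # The stored crc covers the header with its own crc field set to zero.
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:]) != crc:
        raise ValueError("gpt header crc mismatch (corrupted or modified)")
    return {"disk_guid": uuid.UUID(bytes_le=guid),   # guid is stored mixed-endian
            "header_block": current,
            "backup_header_block": backup,
            "usable_blocks": (first, last),
            "max_partitions": count}

if __name__ == "__main__":
    sample = build_sample_disk(uuid.UUID("12345678-1234-5678-1234-567812345678"))
    for key, value in parse_gpt(sample).items():
        print(f"{key}: {value}")
```

The partition array itself is not read here; only its crc field is filled in so that the constructed header is consistent.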
03 Secure Boot
Secure Boot is part of uefi and is intended to stop malware from attacking the firmware. Such malware is particularly harmful because it nestles in the firmware and can therefore survive a reinstallation of the operating system. The principle of Secure Boot is very simple: only binaries (files with only code) that are signed by a trusted party are started. In theory malware cannot be signed, so it is blocked. Companies can have their uefi binary signed by Microsoft. Most UEFIs contain Microsoft's public keys. If a company has its binary signed, this is done with Microsoft's private key, so that the firmware recognizes and starts that binary.
Ubuntu saw this coming and so has its binaries signed by Microsoft. That's why you have been able to use Ubuntu on uefi systems since 2012. If you want to use a Linux distribution that is not signed, you can either disable Secure Boot in the UEFI or you can install your own keys in your UEFI. Ultimately, Secure Boot simply uses a public-private key architecture, so you can install the public key for that binary, after which it can be started normally.
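The trust decision described in this section, reduced to a small model: the firmware holds public keys, starts only binaries whose signature verifies against one of them, and accepts your own binary once you enroll your own public key. This is an added example, not code from the article or from any uefi implementation. The Firmware class, the key names and the toy-sized textbook RSA are assumptions for illustration; real Secure Boot verifies certificate-based signatures embedded in the efi binary.

```python
import hashlib

E = 65537  # public exponent

def make_keypair(p, q):
    """Textbook RSA from two primes; toy-sized, for illustration only."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))   # (public, private)

def digest(binary, n):
    """SHA-256 of the binary, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(binary).digest(), "big") % n

def sign(binary, private):
    n, d = private
    return pow(digest(binary, n), d, n)

class Firmware:
    """Hypothetical model of the firmware's trust decision, not a real uefi API."""
    def __init__(self, secure_boot=True):
        self.secure_boot = secure_boot
        self.trusted = {}                  # key owner -> public key

    def enroll(self, owner, public):
        self.trusted[owner] = public

    def boot(self, binary, signature=None):
        if not self.secure_boot:
            return "started (Secure Boot off)"
        if signature is not None:
            for owner, (n, e) in self.trusted.items():
                if pow(signature, e, n) == digest(binary, n):
                    return f"started (signed by {owner})"
        return "refused"

# Constructed keys built from known Mersenne primes; far too small for real use.
VENDOR_PUB, VENDOR_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
OWNER_PUB, OWNER_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

if __name__ == "__main__":
    fw = Firmware()
    fw.enroll("vendor", VENDOR_PUB)
    own = b"self-built loader (constructed sample bytes)"
    print(fw.boot(own, sign(own, OWNER_PRIV)))   # refused: owner key not enrolled
    fw.enroll("owner", OWNER_PUB)
    print(fw.boot(own, sign(own, OWNER_PRIV)))   # started (signed by owner)
```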