Linux Fu: UEFI Booting

Unless your computer is pretty old, it probably uses UEFI (Unified Extensible Firmware Interface) to boot. The idea is that a bootloader picks up files from an EFI partition and uses them to start your operating system. If you use Windows, you get Windows. If you use Linux, there’s a good chance you’ll use Grub which may or may not show you a menu. The problem with Grub is you have to do a lot of configuration to get it to do different things. Granted, distros like Ubuntu have tools that go through and do much of the work for you and if you are satisfied with that, there’s no harm in using Grub to boot and manage multiple operating systems.

An alternative would be rEFInd, which is a nice modern UEFI boot manager. If you are still booting through normal (legacy) BIOS, the installation might be a hassle. But, in general, rEFInd, once installed, just automatically picks up most things, including Windows, Mac, and Linux operating systems and kernels. The biggest reasons you might change the configuration is if you want to hide some things you don’t care about or change the visual theme.

Basics

A UEFI computer stores boot information in nonvolatile RAM. You can examine this and even make some changes using the Linux utility efibootmgr:


$ efibootmgr
BootCurrent: 0004
Timeout: 1 seconds
BootOrder: 0004,0003,0001,0002,0005,0006
Boot0001* UEFI OS
Boot0002* UEFI:CD/DVD Drive
Boot0003* ubuntu
Boot0004* rEFInd Boot Manager
Boot0005* UEFI:Removable Device
Boot0006* UEFI:Network Device

Generally, you won’t want to directly add or delete things using this tool, even though you can. Usually, your operating system takes care of all that. However, it is a pain to pick one partition over the other if you, for example, boot Windows and Linux. You can see from the above dump that I don’t do this, at least not on this computer. However, I do often boot from a removable disk or have multiple kernels or even operating systems installed in different places.

Grub can handle all this, of course. If you use a distribution with a lot of tooling, those tools will scan for kernels and operating systems and rebuild your Grub configuration. But if that configuration ever goes bad, or you forget to rebuild it, look out! Time to boot from a rescue disk, more than likely. Grub is both a boot loader and a boot menu. But rEFInd is a boot menu manager only.

Pros and Cons

There are several reasons you might opt for rEFInd. The biggest practical reason is that it scans for bootable items on every boot. It is also nice looking and can support touchscreens and mice, but not both at the same time. In an Ask Ubuntu post, the author of rEFInd listed the pros and cons of his program versus Grub. His list of advantages includes:

  • Scans for new kernels on every boot
  • Eye candy
  • Reliable booting for Windows with secure boot active
  • Able to launch BIOS-mode bootloaders
  • Ability to speed up installs if you don’t install Grub at all
  • Strict enforcement of secure boot policies

Of course, there are also some downsides. Grub is the “official” way to handle things for most distributions, and you can assume distros and tools will be compatible with it. rEFInd, by contrast, relies primarily on a single developer. Grub is easier to use with networking, LVM, and RAID booting, although these are possible with rEFInd, too. Because rEFInd scans on each boot, there is a brief pause when you boot, of course.

It is possible to have rEFInd boot into Grub, and that can be useful sometimes, but in general, you’ll want to use rEFInd instead of the Grub menus. One exception is if you want an emergency USB drive with rEFInd on it, that might be useful since it can mostly configure itself.

Install

If you use a distro that can handle Ubuntu PPAs, installing the program is simple.


sudo apt-add-repository ppa:rodsmith/refind
sudo apt-get update
sudo apt-get install refind

You can also find detailed instructions on installing in special cases on the project’s website. Once you install, you probably don’t have to do anything, but you might want to browse the configuration file (something like /boot/efi/EFI/refind/refind.conf). There you can adjust a few things like timeouts, default kernel options, and the like. There are quite a few options, but most of them are commented out.

You can also make manual entries, much like Grub. There are several examples in the default configuration file, but you’ll notice they all have the disabled keyword in them, so you would remove that keyword after making changes to suit you. You can also pick a text-based mode, the default screen resolution, and other parameters. I changed the line to show some tools (like reboot or boot into BIOS setup) that were not on by default. In many cases, you won’t need any changes at all.

If you see entries on the screen you don’t want, highlight them and press the minus sign. Don’t worry, you can manage the “hidden tags” using a menu if you change your mind later.
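As an added example (mine, not from the article or the rEFInd project's shipped refind.conf), here is a constructed refind.conf excerpt with manual stanzas written in the style of the default file, plus a small POSIX shell/awk checker that reports which stanzas are still disabled, which are live, and which are live but missing a loader line (a stanza rEFInd cannot boot). The icon path, volume label and UUID are placeholders.

```shell
# Constructed refind.conf excerpt (not the project's shipped file): one enabled
# stanza with a submenu, one still 'disabled', and one with no 'loader' at all.
SAMPLE_REFIND_CONF='timeout 10
showtools shell, memtest, reboot, shutdown, firmware
menuentry "Ubuntu (manual)" {
    icon /EFI/refind/icons/os_ubuntu.png
    volume "UbuntuBoot"
    loader /vmlinuz
    initrd /initrd.img
    options "root=UUID=PLACEHOLDER-UUID ro quiet"
    submenuentry "Single-user mode" {
        add_options "single"
    }
}
menuentry "Rescue kernel" {
    loader /EFI/rescue/vmlinuz-rescue
    options "root=/dev/sda3 ro single"
    disabled
}
menuentry "Typo: no loader line" {
    options "root=/dev/sda3 ro"
}'

# stanza_status CONF: print one "<status>\t<title>" line per menuentry stanza.
# status is "disabled" (keyword still present), "active" (will be shown and has
# a loader) or "broken" (will be shown but has no loader line at the top level).
# Braces are counted so that submenuentry blocks do not end the stanza early.
stanza_status() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*menuentry[ \t]+"/ {
            title = $0
            sub(/^[ \t]*menuentry[ \t]+"/, "", title)
            sub(/".*$/, "", title)
            in_stanza = 1; depth = 1; disabled = 0; has_loader = 0
            next
        }
        in_stanza && /[{][ \t]*$/ { depth++ }
        in_stanza && depth == 1 && /^[ \t]*disabled[ \t]*$/ { disabled = 1 }
        in_stanza && depth == 1 && /^[ \t]*loader[ \t]+/    { has_loader = 1 }
        in_stanza && /^[ \t]*[}]/ {
            depth--
            if (depth == 0) {
                status = disabled ? "disabled" : (has_loader ? "active" : "broken")
                printf "%s\t%s\n", status, title
                in_stanza = 0
            }
        }'
}
```

Run it against your real file with `stanza_status "$(cat /boot/efi/EFI/refind/refind.conf)"` (path as given in the article) after editing manual entries.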

Be warned that although rEFInd does support secure boot, using it with secure boot enabled may need a little tweaking. Here’s the good news. If it doesn’t work, just change the boot order back to boot Grub first and you can troubleshoot from there.

Themes

One fun thing you can do is get different themes for the program. These are just collections of artwork used as the banner and as icons for different distributions. For some reason, the program didn’t automatically pick up my Neon with the Neon logo, even though it was present. My simple solution was to replace the default Tux penguin with a copy of the Neon logo.

I’ve read that pressing F10 will screenshot rEFInd, but apparently, I don’t have the latest version, so I had to rely on my phone to take an old-school screenshot. You can see why I changed the penguin logo.


The tools along the bottom let you run a memory test, or reboot and shut down. You can also launch an EFI shell or alter the EFI boot order.

Low Risk

Any time you dink with the booting of your computer, you are taking a risk. However, if you install with Grub, you can always leave it as an option from rEFInd. If you get in big trouble, Grub is still there and you can boot from a rescue medium and use efibootmgr to pick your default Grub setup. The documentation for rEFInd has a good writeup on what the author calls “boot coups” when an operating system — looking at you, Windows — presumptively takes over booting.
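The efibootmgr dump in the Basics section and the “boot coup” recovery described here both come down to the BootOrder variable in NVRAM. This added POSIX shell example (mine, not from the article or the rEFInd project) parses a constructed copy of that dump, moves a named entry such as ubuntu or rEFInd to the front of BootOrder while keeping the rest in place, and prints the `efibootmgr -o` command that would apply it, rather than running it. Labels are matched exactly, so “UEFI” does not silently pick “UEFI OS”.

```shell
# Constructed copy of the efibootmgr dump shown in the Basics section (not live output).
SAMPLE_EFIBOOTMGR='BootCurrent: 0004
Timeout: 1 seconds
BootOrder: 0004,0003,0001,0002,0005,0006
Boot0001* UEFI OS
Boot0002* UEFI:CD/DVD Drive
Boot0003* ubuntu
Boot0004* rEFInd Boot Manager
Boot0005* UEFI:Removable Device
Boot0006* UEFI:Network Device'

# entry_number DUMP LABEL: print the four-hex-digit id of the entry whose label
# matches LABEL exactly. Handles active ("Boot0003* x") and inactive ("Boot0003  x")
# lines, and strips the tab-separated device path that 'efibootmgr -v' appends.
entry_number() {
    printf '%s\n' "$1" | awk -v label="$2" '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ] / {
            id = substr($0, 5, 4)
            sub(/^Boot[0-9A-Fa-f]+[* ] /, "")
            sub(/\t.*$/, "")
            if ($0 == label) { print id; exit }
        }'
}

# new_boot_order DUMP LABEL: print BootOrder with LABEL's entry moved to the front,
# preserving the relative order of the other entries. Fails if LABEL is unknown.
new_boot_order() {
    id=$(entry_number "$1" "$2")
    if [ -z "$id" ]; then
        echo "new_boot_order: no entry labelled '$2'" >&2
        return 1
    fi
    current=$(printf '%s\n' "$1" | sed -n 's/^BootOrder: //p')
    rest=$(printf '%s\n' "$current" | tr ',' '\n' | grep -v "^$id\$" | tr '\n' ',' | sed 's/,$//')
    if [ -n "$rest" ]; then
        printf '%s,%s\n' "$id" "$rest"
    else
        printf '%s\n' "$id"
    fi
}

# show_fix_command DUMP LABEL: print (do not run) the efibootmgr call that would
# set the new order; applying it needs root, so check the printed order first.
show_fix_command() {
    order=$(new_boot_order "$1" "$2") || return 1
    printf 'efibootmgr -o %s\n' "$order"
}
```

On a real machine, feed it live output with `show_fix_command "$(efibootmgr)" "rEFInd Boot Manager"` and run the printed command only once the order looks right.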

If you don’t dual boot, you can probably stick with Grub. It is nice to have a more modern-looking boot menu, but it isn’t that compelling. But if you dual boot with Windows, Mac, or other EFI-capable operating systems, or even if you change kernels often, you should really check out rEFInd.

For some specialized cases, you might want to check out a specialized fork of rEFInd, which offers certain additional features. You can find out more about the differences on its home page.

If you want more technical details on UEFI, here you go. Of course, as Scotty famously said, “The more they overthink the plumbing, the easier it is to stop up the drain.” UEFI is a big attack target, and it has been hit before.

27 thoughts on “Linux Fu: UEFI Booting”

    1. Official boot systems on most computers are not especially secure. Even enabling “Secure Boot” provides a marginal security improvement at best. In typical use-cases, you should worry much more about random software from potentially questionable sources.

      I will say rEFIt does support secure boot. It probably isn’t any worse than an official boot system.

    1. Refind Plus also offers all of that, and is mentioned. (As being useful “For some specialized cases”, a fair assessment of relatively uncommon scenarios like booting unsupported NVMe devices.) It also has a bunch more added features, a number of them focused on booting Mac systems. I may actually try wedging it into my Hackintosh “system”, to work around OpenCore annoyances (particularly when running in a VM).

  1. I’ll stick with EFI stub and my kernel/initramfs/early dependencies (like GPG and LUKS) on a USB flash drive on my keychain.

    I settled on this mechanism because my motherboard’s UEFI implementation is particularly bad, and would randomly decide to boot from the NVMe where my Windows VFIO passthrough setup is stored, thereby ruining everything. This frequently resulted in the need for rescue media, mounting and chrooting, then signing/redeploying kernels and making appropriate EFI entries.

    With secure boot enabled, Microsoft’s keys revoked, and my own (automatically) signed kernels, it’s impossible for something to “boot coup”.

    rEFInd is cool and all, but I feel like it’s a little gimmicky and redundant when most modern motherboards can boot EFI images without the use of an external bootloader. Keep it simple.

    1. Thanks. Whenever I waste time on some video games I must boot windows which boot-coups.

      Using refind didn’t stop it. I still have to hot-key boot from a flash, then mount --bind the EFI partition and do a chroot to the booted linux and reinstall refind or grub with seven commands or so.

      It does keep me using windows less, and hating it more.

      I thought to try the same thing, a boot USB with LUKS headers. I want a machine I can swap boot drives on. Apparently TPTB frown on freedom and privacy.

      1. Usually, all Windows does on UEFI systems is choose its own entry on the ESP for booting automatically (if at all). I’ve never heard of it touching the other EFI boot entries.

        So all you have to do in such a case is manually choose one of the other entries (such as grub or rEFInd) when booting and then under linux switch the default boot entry back (with efibootmgr). No need for elaborate rescue scenarios.

        There’s usually a key to hammer when booting before the boot loader kicks in to get the boot menu from your board’s firmware. Something like F8 or F11.

        Failing that, you can also go into your firmware setup (try hammering ESC, F2 or DEL very early when booting or choose it from Windows’ rescue boot options) and choose the entry to boot (i.e. grub or rEFInd) there.

    1. Yours may have been in the last generation that was still BIOS-only; my 2011-vintage Sony laptop (1st-gen Core i3) didn’t have UEFI either, but I’m pretty sure my HP 8000 USFF (2nd-gen i3) does.

      But booting something else isn’t an issue, as long as nobody set a BIOS password (always a hazard with old office boxes) – just disable Secure Boot, enable Legacy boot, make sure removable media boots first, and you’re good to go.

  2. UEFI is a stupid incomprehensible mess. It is an ‘os of its own’, but it is the unfriendliest of OSes ever created. Magic commands no tools, half of it does not work on ‘your vendor’s implementation’.

    The first thing I disable on my machines.
    Windows complains about ‘trusted whatever’ – don’t boot windows.
    To paraphrase an old Russian dictator – no UEFI, no problem.

  3. Personally, I have only one ‘base’ bare metal OS for all systems (laptops, desk, server, SBCs) which of course is Linux. Anything else goes into a VM if needed. So default grub(2) works fine for my needs. Kind of funny, but I just install the OS on the machine, haven’t cared if using UEFI or what bios as defaulted to.

    Always someone trying to build a better mouse-trap :) . Neat though.

    As for security. If one has access to the machine, he/she has access to everything. Even, removing the drives and done (or just take the machine if in a hurry). Work on getting info at your leisure back at the errr – ‘workshop’. So, if security is ‘that’ important…. have a good secure location to begin with and encrypt your disks (I don’t encrypt as ‘who cares’. No secrets here) and keep a copy of your data off site too so it can be restored (I do, because a few things are important to have around).

      1. It was touch-and-go for a while, before signed bootloader shims and etc. got worked out. For a few years if you wanted to install a Linux distro your only option was to disable secure boot. But yeah, these days Linux installs are able to meet the secure boot requirements just fine.

        Luckily, most hardware vendors showed little interest in helping to lock distros out of their products. At least, not when it came to the major players. (On both the vendor and distro sides.)

        1. These problems are coming back with the switch to disabling alternate keys by default. Even if you can change them configuration an error by default means many corporate users will be unable to override and end users will not know what to do.

  4. I don’t really see why your article describes secureboot compatibility as a good thing. The right thing to do is turn secureboot OFF, full stop. It doesn’t provide any worthwhile security advantages, if a virus is being blocked by secureboot it already has full root access to read and modify anything and everything on your system. Secureboot provides, in effect, a defensive line BEHIND your valuables. Also, I’m mystified why people would want to dual boot, if you need Windows for something which Wine can’t handle then use a virtual machine, the more stable and reliable OS being the host and Windows being the guest.

  5. No mention of Das U-Boot ( https://www.denx.de/wiki/U-Boot/ ) which is used by a large number of SoC Boards ? It implements a subset of the UEFI specification (the EBBR specification – Embedded Base Boot Requirements).

    A ROM executes code typically loaded into the CPU’s L1 cache (which is temporarily used as SRAM), its job is to load the spl-u-boot (Secondary Program Loader) typically into the CPU’s L2 cache (which is temporarily used as SRAM) where the SPL brings up the main DDR memory and then loads the full u-boot environment into DDR.

  6. I wish System Commander still existed. Incredibly easy to set up, incredibly friendly, incredibly easy to customise, and dealt happily with Windows, Linux and scads of other things.

  7. i tried to decipher it for only a few moments before realizing this article doesn’t make any sense to me because the one time i had to use UEFI (the laptop i’m typing on right now), i managed to do it without learning anything! all i know is the vendor-installed windows featured a small partition which i copied a linux kernel and ?some garbage? onto and now it boots linux.

    i hope and pray i can maintain this level of ignorance into the future. long live UEFI!

  8. Refind is the best bootloader.
    There are no special modules (like in grub) for odd filesystems eg. ZFS, REISER4, HAMMER etc…
    So you would have to build your own kernel and boot partition from outside.
