1

Can I re-enable Secure Boot, Fast Start-up, or Bitlocker on Win10 on a Dell Inspiron 15 3567 Dual boot (Grub default) Ubuntu18.4 Windows10 system? What are the risks or implications?

mako34

1 Answer

2

Secure Boot

  1. Ubuntu installs differently when secure boot is disabled.

When Ubuntu is installed in the UEFI mode with secure boot disabled, it installs \EFI\ubuntu\grubx64.efi.

When Ubuntu is installed in the UEFI mode with secure boot enabled, it installs \EFI\ubuntu\shimx64.efi.

If you enable secure boot after installing Ubuntu, Ubuntu will not boot if shimx64.efi does not exist.

The difference between shimx64.efi and grubx64.efi is that shimx64 is the actual Microsoft signed binary that works with Secure Boot enabled while grubx64 is the normal grub binary (Not signed).

  2. Some third party device drivers can only be installed when secure boot is disabled.

The third party device drivers may not load and thus, some specific devices will not work.

See "Is re-enabling Secure Boot in UEFI secure?" for more.

Fast Start-up

Fast Start-Up or fast-boot can mean two things.

I assume this is the option in Windows 10.

This is not the UEFI option that skips the boot setup and boot device select menu when the computer boots.

Fast Start-up does not shut down Windows properly, and puts it in a hibernate state when Windows is shut down. This means all the partitions that are accessible by Windows (C:\, D:\, etc.) are not properly shut down. Ubuntu will not be able to access these drives properly in this state. In particular, you will not be able to write files, including copy, move, etc., to these partitions when you use Ubuntu. This will be an issue if you have a common partition that you share between Windows and Ubuntu.

See "Unable to mount Windows (NTFS) filesystem due to hibernation" and this answer for more explanation.

Bitlocker

Enabling Bitlocker in Windows will also make the Windows partition inaccessible from Ubuntu.

There may be ways to get around it. See "Use (Windows) BitLocker-encrypted drive on Ubuntu 14.04 LTS".

Disclaimer: I have not tried any of these things. So, there may be other consequences of enabling Secure Boot, Fast Start-up, and Bitlocker I am unaware of. Use at your own risk.

user68186
  • As long as GRUB loads or Windows does that's OK cause I can just reenter BIOS and shut off Secure Boot. The question is, does Windows try to interrogate GRUB for "integrity" (which I suppose it can't), or does it just ignore it to analyze the Windows boot (or is that bypassed by GRUB?) – mako34 Apr 13 '19 at 21:48
  • Are you saying if you install Ubuntu with SB OFF, then it can't really be turned back on since it wasn't installed under proper SB protocols? As I understand it, the only problems are with non-standard proprietary drivers so Ubuntu could have problems but Windows should be fine. Fast Start-Up obviously is unnecessary and risky; and Bitlocker scared me from first contact (ship computer with it enabled, where just booting up in Safe Mode can trigger a lock-out??), but I am in an insane threat environment & likely target, so would like Secure Boot, if possible, if it can give any additional protection – mako34 Apr 13 '19 at 22:04
  • An install with secure boot disabled will install the unsigned versions of the bootloader grubx64.efi. Turning secure boot on will then prevent grubx64.efi from booting, and there is no shimx64 either. That's why I like to install with secure boot on, then turn it off if necessary to install third party drivers. The system would then boot with secure boot in either state. – ubfan1 Apr 14 '19 at 01:18
  • @ubfan1 Thanks! I edited the text to make it clearer. – user68186 Apr 14 '19 at 01:27
  • Oh God, so it was stupid to install with SB Off, Ubuntu could say "dual install with SB on but then shut it off if there are boot problems!!" Can I convert grubx64 to shimx64 or delete it and load the latter? Can you elucidate on SB action with shimx64 - does it actually examine (integrity) the GRUB boot at all, or just ignore it; does it ignore the Windows boot sector (in which case viruses too would be bypassed) and go directly to Win startup? – mako34 Apr 14 '19 at 02:41
  • @mako34 There is nothing stupid to keep secure boot off. You should be able to copy shimx64.efi from the Live USB/DVD. Running boot-repair from the Live USB may also fix the problem after you enable secure boot. You will have to read up on shimx64.efi. I don't know much about how it works. Since this is not a discussion forum, you will have to (search for) ask another question about security, virus, Win startup etc. – user68186 Apr 15 '19 at 14:35
  • Related Issue: Apparently some Windows 10 1703/1803 Updates on Dells break the GRUB bootloader, or juggle partitions around. After I did it the Ubuntu wouldn't boot, haven't repaired it yet, and partitions order was changed. Some professional Dell computer guy was screaming about it on Windows Forum – mako34 Apr 15 '19 at 23:50
  • Is THIS still accurate? In case shimx64.efi is not listed, you can add it by executing (X = disk | Y = EFI partition) : sudo efibootmgr -c -w -d /dev/sdXY -p 1 -L "ubuntu" -l '\EFI\ubuntu\shimx64.efi' – mako34 Apr 15 '19 at 23:54
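
Added example, not part of the original answer or comments: a pre-flight check for the situation described above, where an install made with Secure Boot disabled may have no shimx64.efi and a boot entry that loads grubx64.efi. It assumes the EFI System Partition is mounted at /boot/efi (the Ubuntu default); the function names and the sample efibootmgr output are constructed for illustration.

```shell
#!/bin/sh
# Added example: check from Ubuntu whether it should still boot once
# Secure Boot is switched back on in the firmware setup.

# Print the loader file name (lower-cased) used by the boot entry labelled $1.
# Reads `efibootmgr -v` output on stdin.
loader_for_label() {
    grep -E "^Boot[0-9A-Fa-f]{4}\*? +$1[[:space:]]" |
        sed -n 's/.*File(\([^)]*\)).*/\1/p' |
        head -n 1 | sed 's/.*\\//' | tr 'A-Z' 'a-z'
}

# Return 0 if the "ubuntu" entry loads shimx64.efi and the file exists,
# 1 if shimx64.efi is absent from the ESP mounted at $1,
# 2 if the file exists but the entry loads something else (e.g. grubx64.efi).
secure_boot_preflight() {
    loader=$(loader_for_label ubuntu)
    if [ ! -f "$1/EFI/ubuntu/shimx64.efi" ]; then
        echo "shimx64.efi missing from $1/EFI/ubuntu" >&2
        return 1
    fi
    if [ "$loader" != "shimx64.efi" ]; then
        echo "ubuntu entry loads '${loader:-<none>}', not shimx64.efi" >&2
        return 2
    fi
    echo "ubuntu entry loads shimx64.efi and the file is present"
}

# Constructed sample of `efibootmgr -v` output (partition GUIDs are fake).
# $1 = loader file name to place in the ubuntu entry.
sample_efibootmgr() {
    printf 'BootCurrent: 0001\nBootOrder: 0001,0000\n'
    printf 'Boot0000* Windows Boot Manager\tHD(1,GPT,aaaa,0x800,0x32000)/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)\n'
    printf 'Boot0001* ubuntu\tHD(1,GPT,aaaa,0x800,0x32000)/File(\\EFI\\ubuntu\\%s)\n' "$1"
}

# Real use:  sudo efibootmgr -v | secure_boot_preflight /boot/efi
# Demo on a throwaway directory that mimics an install made with Secure Boot off.
esp=$(mktemp -d) && mkdir -p "$esp/EFI/ubuntu" && : > "$esp/EFI/ubuntu/grubx64.efi"
sample_efibootmgr grubx64.efi | secure_boot_preflight "$esp" ||
    echo "preflight failed with code $?"
rm -rf "$esp"
```

A non-zero result means Secure Boot should stay off until shimx64.efi is restored, for example with boot-repair from the Live USB as mentioned in the comments.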