2.2. Disabling UEFI Secure Boot

⁠2.2. Disabling UEFI Secure Boot

Systems which come with Microsoft Windows 8 pre-installed typically have enabled UEFI Secure Boot, and ship the Microsoft keys in the firmware.

The Lenovo desktop system we use as an example makes disabling Secure Boot fairly straightforward. First, enter the firmware as described in Section 2.1, “Entering the UEFI firmware”. Press the → key until you reach the Security tab, as shown in Figure 2.3, “UEFI firmware Security tab”.

⁠

                                     Lenovo BIOS Setup Utility
    Main  Devices  Advanced  Power  Security  Startup  Exit
┌────────────────────────────────────────────────────────┬───────────────────────────────┐
│                                                        │          Help Message         │
│  Hardware Password Manager            [Enabled]        │───────────────────────────────│
│  Secure Boot Status                   [Enabled]        │Select whether to enable or    │
│                                                        │disable Secure Boot            │
│  Adminstrator Password                Not Installed    │[Enabled] Enable Secure        │
│  Power-On Password                    Not Installed    │Boot,BIOS will prevent         │
│                                                        │un-authorised OS be loaded.    │
│  Set Administrator Password           Enter            │[Disable] Disables Secure      │
│  Set Power-On Password                Enter            │Boot.                          │
│                                                        │                               │
│  Allow Flashing BIOS to a Previous    [Yes]            │                               │
│  Version                                               │                               │
│                                                        │                               │
│  Require Admin. Pass. when Flashing   [No]             │                               │
│  Require POP on Restart               [No]             │                               │
│                                                        │                               │
│► Fingerprint Setup                                     │                               │
│► Hard Disk Password                                    │                               │
│► System Event Log                                      │                               │
│► Secure Boot                                           │                               │
│                                                        │                               │
│  Configuration Change Detection       [Disabled]       │                               │
│                                                        │                               │
└────────────────────────────────────────────────────────┴───────────────────────────────┘
 F1     Help     ↑↓     Select Item     +/-     Change Values       F9     Setup Defaults
 ESC    Exit     ←→     Select Menu     Enter   Select►Sub-Menu     F10    Save and Exit

Figure 2.3. UEFI firmware Security tab

Press ↓ until you reach the Secure Boot item and hit Enter. The Image Execution Policy screen appears (Figure 2.4, “UEFI firmware Secure Boot settings”).

⁠

                                     Lenovo BIOS Setup Utility
    Main  Devices  Advanced  Power  Security  Startup  Exit
┌────────────────────────────────────────────────────────┬───────────────────────────────┐
│                     Image Execution Policy             │          Help Message         │
│────────────────────────────────────────────────────────│───────────────────────────────│
│  Secure Boot Status                   User Mode        │Select whether to enable or    │
│  Secure Boot                          [Enabled]        │disable Secure Boot            │
│                                                        │[Enabled] Enable Secure        │
│  Reset to Setup Mode                                   │Boot,BIOS will prevent         │
│                                                        │un-authorised OS be loaded.    │
│                                                        │[Disable] Disables Secure      │
│                                                        │Boot.                          │
│                                                        │                               │
│                                                        │                  .            │
│                                                        │                               │
│                                                        │                               │
│                                                        │                               │
│                                                        │                               │
│                                                        │                               │
│                                                        │                               │
│                                                        │                               │
│                                                        │                               │
│                                                        │                               │
│                                                        │                               │
│                                                        │                               │
│                                                        │                               │
└────────────────────────────────────────────────────────┴───────────────────────────────┘
 F1     Help     ↑↓     Select Item     +/-     Change Values       F9     Setup Defaults
 ESC    Exit     ←→     Select Menu     Enter   Select►Sub-Menu     F10    Save and Exit

Figure 2.4. UEFI firmware Secure Boot settings

Make sure that Secure Boot is selected, and press Enter, hit ↑ to choose Disabled, and press Enter again.

The previous step only disables verification of cryptographic signatures, it does not remove some restrictions Microsoft imposes on firmware settings. If you want to boot non-UEFI operating systems, it is necessary to disable the OS Optimized Defaults.