On Fri, Apr 22, 2016 at 4:11 AM, Timothy Murphy <gayleard@xxxxxxxxxx> wrote:
> Chris Murphy wrote:
>
>> What you should revert back to UEFI only, with Secure Boot enabled,
>> and reinstall CentOS, deleting the previous partition/mount points
>> including the BIOS Boot partition that was created for CentOS's
>> bootloader.
>
>> The gotcha is that with Secure Boot enabled, the CentOS GRUB-efi
>> package doesn't support chainloading the Windows bootloader. This is
>> getting fixed in Fedora 24 but I have no idea how long it'll take to
>> get to CentOS 7. You could either disable Secure Boot (which I don't
>> recommend) or you switch between CentOS and Windows using the
>> firmware's boot manager. You'll have to figure out which F key brings
>> up the boot manager. On my Intel NUC it's F10, *shrug*.
>
> May I ask a couple of questions which I'm afraid betray my ignorance.
It's much safer to betray ignorance and ask the question than end up
stuck in the mud. It's not your fault, we've kinda been betrayed with
these changes with a combination of overly complicated implementation,
massive piles of bugs, hideous documentation, and misleading
terminology reusage (mainly by the manufacturers).
>
> 1. Why is it advisable to "revert back to UEFI"?
> Is this just a safety measure?
Windows is already installed in UEFI mode. Mixed installations are
just a PITA to support. You'll get almost no help from anyone on a
list because how this works will be firmware dependent and chances are
no one else will have that same make/model and firmware revision.
And yes, I can't in good conscience recommend a setting that makes you
less safe. The computer came to you with Secure Boot enabled, and
you're best off leaving it in that condition. CentOS 7 supports UEFI
Secure Boot out the box. What it doesn't support is dual boot, but
that's technically true even if Secure Boot is disabled, or this were
a system with BIOS firmware. But the firmware boot manager can provide
you with a way to switch between the two. Firmware setup might even
have an option in there somewhere to present the boot manager by
default for each boot. This is true on my Intel NUC which uses
American Megatrends firmware.
> I would have thought that if an intruder had got in this far,
> enabling him to install unsigned modules,
> he would have you at his mercy anyway?
There are levels of compromise. The bootloader malware compromise
means you can reformat and still be owned. Secure Boot pretty much
assures that you're not compromised except in user space, which is why
you run with SELinux enabled, right?
>
> 2. I installed CentOS-7.2.1511 from a Live USB stick,
> and I have a Windows 10 partition that I can boot into.
> So I assume that UEFI is not used by default?
> Will it become so at some point?
If your firmware setup has an option for Secure Boot and/or "legacy"
anything, then it is UEFI firmware. Strictly speaking, UEFI != BIOS
but the manufacturers think we're all morons so they repurposed BIOS
to apply to a completely different behavior of firmware, completely
different discovery of the bootloader method, completely different
bootloader installation and location for the binaries. Anything that
comes with Windows 10 pre-installed has UEFI firmware, with Secure
Boot enabled and any legacy option disabled as a requirement of the
Windows hardware certification spec.
And CentOS can support that condition, you're best off not just
security wise, but in terms of getting support on lists the less you
customize things at a firmware level. And changing to a hybrid UEFI
CSM-BIOS mode is a mess. If it works for you, great, and if some
expert wants to hand hold, fine, but it's not something I recommend.
It's already complicated enough, I think it's made worse by enabling
legacy stuff.
--
Chris Murphy
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
