I got an old HP laptop for a good price. (HP ProBook 650 G4.) It was cheap because it’s BIOS locked and requires secure boot. (I believe this is the same as “HP Sure Start”.)

Game over, right? Not quite. It still boots secure-boot-enabled Linuxes. I’ve installed Fedora with no problems. But I would like the ability to install any modern Linux OS.

To be clear, I have no security concerns subverting secure boot. I only have it on because my BIOS is locked.

There are a few methods that are too hard/expensive:

  1. creating my own exploit by referencing the patch notes of later firmwares (theoretically possible)
  2. dumping the BIOS myself and getting the BIOS password that way (it’s been done on this model)
  3. figuring out the undocumented backdoor HP used until around 2018 to reset BIOS passwords (it’s unclear if the backdoor is patched, or just no longer being used)

I almost got what I want. I booted Ventoy via USB, and the laptop prompted me to enroll the Ventoy key in the secure boot system. I can boot any ISO I want from Ventoy. I can also boot Ventoy, and do LocalBoot (F4) via Ventoy into an unsigned locally installed OS. I booted Arch this way.

I just installed Mint Cinnamon and it prompted me during install for “3rd party drivers” as well as “enable secure boot”. It required an 8-character password (Mint requirement or UEFI requirement?) which was required in UEFI on reboot (one time). Then I enrolled the key in secure boot and now I can boot straight into Mint. The install prompt was:

Installing third-party drivers requires configuring Secure boot. To do this, you need to choose a security key now, and enter it when the system restarts (Learn more)

You have chosen to enable third-party software as part of your install, which this system includes hardware drivers for graphics and/or Wi-Fi hardware. Your system also has UEFI Secure Boot enabled. UEFI Secure boot needs to be configured to allow the use of this third-party drivers.

According to Reddit:

  • No, third-party drivers do not _need_ Secure boot
  • No, the installation wizard also doesn’t say you need Secure boot for those drivers, it is warning you that you have secure boot enabled, thus special considerations will be necessary

What’s the easiest way to get insecure-boot-like behavior on this device? I was thinking I need to get rEFInd on here so it can search for any relevant OS. I am also not clear on how to install OSs properly in this environment (OSs want to change/configure the bootloader themselves). I’m hoping to install to an NVMe drive, but SATA, USB, and network boot (ha) are options too.

Alternatively, how can I do what Mint did on the install on other Linuxes?

I have a basic understanding of the secure boot “shim” and the cryptography in secure boot, but definitely no practical knowledge.

(I prefer to say BIOS over “UEFI” despite being technically incorrect.)

edit: Still don’t know what I’m doing, but Fedora (and thus Bazzite) supported secure boot. I just ran the Bazzite installer, rebooted when prompted, and entered secureblue as the key password. https://docs.bazzite.gg/General/Installation_Guide/secure_boot/

  • ShortN0te@lemmy.ml · 7 upvotes · 6 hours ago

    Yes. There are enough signed and exploitable Windows boot loaders which you can use to boot anything you want.

  • colournoun@beehaw.org · 8 upvotes · 6 hours ago

    The key enrollment that Mint did sounds like registering the Machine Owner Key (MOK). That basically tells the BIOS that anything signed with that key should be permitted. The MOK is especially required when compiling your own drivers. Anything shipped by a Linux distro should already be signed so that the shim will permit it. SecureBoot is more about making sure your boot files haven’t been tampered with rather than being about preventing the owner from doing something.

    You should already be able to boot any modern Linux OS that has support for SecureBoot. Only if you compile your own drivers or kernel would you need to use a MOK. If you do need that, you should be able to enroll another MOK or copy the MOK key files from the Mint install and use those keys to sign drivers in any other Linux distro.

    The cli program mokutil will let you view and export your enrolled MOKs.
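    Added example, not code from the thread or any poster: the MOK workflow colournoun describes (generate an owner key, queue it with mokutil, finish enrollment in MokManager at the next boot, then sign a module) as a POSIX shell script. Assumed: key basename MOK, subject CN "My MOK", the sign-file paths for Debian/Ubuntu/Mint and Fedora kernel headers, and a constructed sample of `mokutil --list-enrolled` output (the fingerprint is fake).

```shell
#!/bin/sh
# Added example of MOK enrolment and module signing. Needs mokutil, openssl
# and kernel headers for a real run; the parsing helpers work on captured
# text so they can be exercised offline. Key name and CN are assumed.

# Parse `mokutil --sb-state` output: succeed only if Secure Boot is on.
sb_enabled() { printf '%s\n' "$1" | grep -q '^SecureBoot enabled'; }

# Parse `mokutil --list-enrolled` output (openssl text form per key):
# succeed if a certificate whose Subject CN is $2 is already enrolled.
mok_enrolled_for() { printf '%s\n' "$1" | grep -q "^ *Subject: .*CN *= *$2"; }

# Locate the kernel's sign-file helper (Debian/Ubuntu/Mint path, then Fedora).
find_sign_file() {
  for p in "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" \
           "/usr/src/kernels/$(uname -r)/scripts/sign-file"; do
    [ -x "$p" ] && { printf '%s\n' "$p"; return 0; }
  done
  return 1
}

# 1. Key pair: MOK.der is what gets enrolled, MOK.priv must stay private.
mok_create() {  # $1 = basename, $2 = subject CN
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
    -keyout "$1.priv" -outform DER -out "$1.der" -subj "/CN=$2/"
}
# 2. Queue it; mokutil asks for a one-time 8-16 character password that
#    MokManager prompts for at the next boot (the step Mint's installer did).
mok_enroll() { mokutil --import "$1.der"; }
# 3. After reboot, sign a module so shim's MOK trust covers it, then show
#    the signer recorded in the module.
mok_sign_module() {  # $1 = key basename, $2 = path/to/module.ko
  sf=$(find_sign_file) || { echo "sign-file not found; install kernel headers" >&2; return 1; }
  "$sf" sha256 "$1.priv" "$1.der" "$2" && modinfo -F signer "$2"
}

# Constructed sample of `mokutil --list-enrolled` output (fingerprint is fake).
SAMPLE_MOK_LIST='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Ventoy Secure Boot Key
        Subject: CN=Ventoy Secure Boot Key'

# Touch the firmware only when invoked as `sh mok.sh run` (as root).
if [ "${1:-}" = "run" ]; then
  sb_enabled "$(mokutil --sb-state)" || echo "Secure Boot is off; no MOK needed"
  mok_enrolled_for "$(mokutil --list-enrolled)" "My MOK" || { mok_create MOK "My MOK" && mok_enroll MOK; }
fi
```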

  • just_another_person@lemmy.world · 6 upvotes · 1 downvote · 7 hours ago

    I would be looking for ways to clear it versus working around it. I assume they have a custom TPM-like chip, so pulling the BIOS battery probably won’t work.