openSUSE/Windows8 dual boot installation Questions for Secure Boot, UEFI and GPT

I have a number of TPM (secure boot), UEFI/EFI, and GPT (GUID partition table) related installation questions that I am looking for help on. These questions came after reading up on these subjects and I was not able to figure out the answer on my own, given the time I applied to the research.

The questions are to support a purchase decision (yes or no) of a Toshiba Z930 ultrabook (per this openSUSE forum Ultrabook thread) which will come with Windows8 already installed (and no separate installation media).

My hope is to install openSUSE-12.3 in a dual boot with Windows8 using an external USB DVD drive. After research, I am reasonably happy with this Ultrabook’s hardware compatibility with GNU/Linux and thus hopefully with openSUSE-12.3.

My questions are related to installation. Please note I do NOT yet own this Ultrabook. I have no access to this Ultrabook (our local shops do not have the exact same model in stock). This is all pre-purchase planning (and also technical education for me).

I’ve read the Toshiba Ultrabook Z930 comes with Windows8 in a secure boot, using EFI (or UEFI) and GPT partitioning. Possibly with 5 partitions on a 256 GB SSD :

  • 450 mb recovery partition – as to what this recovers, I do not know
  • 260 mb EFI system partition * - possibly boot loader for all windows (?) operating systems
  • 9.66 GB recovery partition – as to what this recovers, I do not know (I read a suggestion it will be an HDD recover partition)
  • 8 GB Primary partition * - I read speculation this is a factory restore partition
  • ~220 GB boot, pagefile, crash dump, primary partition *

where only partitions marked with * are allowed to be deleted with windows disk management.

So 1st Question: Can/Will any Windows8 users speculate/confirm what these 5 partitions are likely for ?

I note from the openSUSE-12.3 release notes that (with some work arounds) one can nominally install openSUSE with secure boot still enabled, using an EFI firmware, and using GPT partitioning. However I also have read that the Toshiba Z930’s EFI implementation is not standard and the grub2-efi does not work with it. Hence to install and subsequently run GNU/Linux on a Toshiba Z930 one needs to disable and keep disabled the secure boot.

From an openSUSE GNU/Linux point of view, a non-secure boot (ie TPM/secure/safe-boot/ disabled) is ok.

BUT I have also read that an OEM installed Windows8 with a secure boot install (by the manufacturer), may not boot if secure boot is disabled in BIOS. Hence one may need to re-install Windows8 with non-secure boot selected as the Windows8 option. However I won’t have Windows8 installation DVDs (I need to create recovery DVDs), so my next questions:

2nd Question: Is it correct that if one changes the BIOS to non-secure boot will an OEM-Secure-Installed-Windows8 not boot ? Or will it boot ?

3rd Question: If I create recovery DVD media from the Windows8 secure mode (OEM install on the hard drive), can I use those recovery DVDs to re-install windows8 in a Non-Secure Mode, or will they be hard coded to a secure boot (per the OEM install where they were made) ?

4th Question: If I end up registering Windows8 multiple times (2 or 3) on same PC as part of my re-installation efforts, will I have warranty problems with Microsoft on this Windows8 install ?

5th Question: Where could I install GNU/Linux given the Ultrabook likely comes with 5 partitions ? Can I simply shrink the Windows8 ~220GB partition (following instructions such as post#6 in this thread) and then install GNU/Linux in that partition ? or is it essential I ‘blow away’ one or more of the Windows8 partitions. Please note I have reasons to keep Windows8 (even if worst case I disable it semi-permanently).

6th Question: Where does the 1st part of Grub2 end up going ? Inside a legacy ‘MBR’ in a ‘GPT’ ?

7th Question: I’ve seen reference to a separate openSUSE /boot/efi partition that needs to be separate from the MS-Windows8 EFI partition. Is this /boot/efi separate from /home ?

8th Question: Are there other questions that I really should be asking (or researching) given the lack of knowledge I clearly displayed above ? :)

Many thanks for any assistance. While this is specific to my Toshiba Z930 purchase deliberations, I think the questions also relevant to other MS-Windows8 dual boot installs.

On Thu 04 Apr 2013 05:56:05 PM CDT, oldcpu wrote:

I have a number of ‘TPM (secure boot)’
(Trusted Platform Module - Wikipedia), ‘UEFI/EFI’
(UEFI - Wikipedia),
and ‘GPT (GUID partition table)’
(GUID Partition Table - Wikipedia) related installation
questions that I am looking for help on. These questions came after
reading up on these subjects and I was not able to figure out the answer
on my own, given the time I applied to the research.

The questions are to support a purchase decision (yes or no) of a
‘Toshiba Z930 ultrabook’ (http://www.linlap.com/toshiba_portege_z930)
(per ‘this openSUSE forum Ultrabook thread’
(http://tinyurl.com/d539bsm)) which will come with Windows8 already
installed (and no separate installation media).

My hope is to install openSUSE-12.3 in a dual boot with Windows8 using
an external USB DVD drive. After research, I am reasonably happy with
this ‘Ultrabook’s hardware compatibility’
(http://www.linlap.com/toshiba_portege_z930) with GNU/Linux and thus
hopefully with openSUSE-12.3.

My questions are related to installation. Please note I do NOT
yet own this Ultrabook. I have no access to this Ultrabook (our local
shops do not have the exact same model in stock). This is all
pre-purchase planning (and also technical education for me).

I’ve read the Toshiba Ultrabook Z930 comes with Windows8 in a secure
boot, using EFI (or UEFI) and GPT partitioning. Possibly with 5
partitions on a 256 GB SSD :

  • 450 mb recovery partition – as to what this recovers, I do not
    know
  • 260 mb EFI system partition * - possibly boot loader for all
    windows (?) operating systems
  • 9.66 GB recovery partition – as to what this recovers, I do not
    know (I read a suggestion it will be an HDD recover partition)
  • 8 GB Primary partition * - I read speculation this is a factory
    restore partition
  • ~220 GB boot, pagefile, crash dump, primary partition *

where only partitions marked with * are allowed to be deleted with
windows disk management.

So 1st Question: Can/Will any Windows8 users
speculate/confirm what these 5 partitions are likely for ?

I note from the openSUSE-12.3 release notes that (with some work
arounds) one can nominally install openSUSE with secure boot still
enabled, using an EFI firmware, and using GPT partitioning. However I
also have read that the Toshiba Z930’s EFI implementation is not
standard and the grub2-efi does not work with it. Hence to install and
subsequently run GNU/Linux on a Toshiba Z930 one needs to disable and
keep disabled the secure boot.

From an openSUSE GNU/Linux point of view, a non-secure boot (ie
TPM/secure/safe-boot/ disabled) is ok.

BUT I have also read that an OEM installed Windows8 with a secure boot
install (by the manufacturer), may not boot if secure boot is disabled
in BIOS. Hence one may need to re-install Windows8 with non-secure boot
selected as the Windows8 option. However I won’t have Windows8
installation DVDs (I need to create recovery DVDs), so my next
questions:

2nd Question: Is it correct that if one changes the BIOS
to non-secure boot will an OEM-Secure-Installed-Windows8 not boot ? Or
will it boot ?

3rd Question: If I create recovery DVD media from the
Windows8 secure mode (OEM install on the hard drive), can I use those
recovery DVDs to re-install windows8 in a Non-Secure Mode, or will they
be hard coded to a secure boot (per the OEM install where they were
made) ?

4th Question: If I end up registering Windows8 multiple
times (2 or 3) on same PC as part of my re-installation efforts, will I
have warranty problems with Microsoft on this Windows8 install ?

5th Question: Where could I install GNU/Linux given the
Ultrabook likely comes with 5 partitions ? Can I simply shrink the
Windows8 ~220GB partition (following instructions such as ‘post#6 in
this thread’ ([SOLVED] shrinking Windows 8 partition for dual boot)) and then install GNU/Linux in
that partition ? or is it essential I ‘blow away’ one or more of the
Windows8 partitions. Please note I have reasons to keep Windows8 (even
if worst case I disable it semi-permanently).

6th Question: Where does the 1st part of Grub2
end up going ? Inside a legacy ‘MBR’ in a ‘GPT’ ?

7th Question: I’ve seen reference to a separate openSUSE
/boot/efi partition that needs to be separate from the MS-Windows8 EFI
partition. Is this /boot/efi separate from /home ?

8th Question: Are there other questions that I really
should be asking (or researching) given the lack of knowledge I clearly
displayed above ? :)

Many thanks for any assistance. While this is specific to my Toshiba
Z930 purchase deliberations, I think the questions also relevant to
other MS-Windows8 dual boot installs.

Hi
Wait for openSUSE 13? as secure boot is still experimental, but should
work, you can always create your own signed kernel etc…

5th question: The good thing about gpt partitioning you can have
128… just shrink and add new partitions as required (you use the
existing /boot/efi so don’t format ;) ).

7th question: Yes you can create additional ESP’s but with 256MB in
the default one, should be more than enough.

Here is mine on a HP with Win7, 12.2 and 12.3;


lsblk

NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0 465.8G  0 disk 
├─sda1   8:1    0   256M  0 part /boot/efi
├─sda2   8:2    0   128M  0 part 
├─sda3   8:3    0    30G  0 part 
├─sda4   8:4    0    30G  0 part /
├─sda5   8:5    0   338G  0 part /data
├─sda6   8:6    0   7.4G  0 part [SWAP]
└─sda7   8:7    0    60G  0 part

df -kh /boot/efi

Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1       256M   75M  182M  30% /boot/efi

You can always use gummiboot rather than grub2 as this works with
secure boot.

What brand of SSD is in the system?


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.3 (x86_64) Kernel 3.7.10-1.1-desktop
up 3 days 2:41, 4 users, load average: 0.06, 0.10, 0.07
CPU Intel® i5 CPU M520@2.40GHz | GPU Intel® Ironlake Mobile

grub2-efi (default if installer detects EFI platform) works with secure boot too.

I am of course not 100% sure, but it’s most likely your windows restore partition.

OEM windows versions.

MS wants these versions installed on the PC by the hardware manufacturer.
PC builders can buy OEM versions, which are only meant for system-builders.
These versions are on DVDs, but MS does not want the manufacturer to deliver the DVD to the buyer of the hardware.

In my country (and others) you can however buy oem versions on cd or dvd.
Ms has tried to battle this in court, but lost. lol!

What these shops do (loop hole): You can’t just buy the windows oem dvd, you need to buy at least one part of hardware too.

OEM versions are cheaper than regular versions.

You do not have support from ms, and can only install it on one pc.
For support you need to contact the manufacturer.

My pc is dual boot, win 7 pro and openSUSE.
The windows version is an oem version.

Replacing the harddisk when it breaks can be a problem, because basically your windows version is tied to the hardware.
In my situation, I still have the dvd, but I am in doubt if I can activate it again.

If your harddisk dies, I am pretty sure you would have to buy a new windows version.

Of course there are always solutions, but none legal. ;)

Thank you for the answers/interpretations provided thus far. I am currently digesting what I have been educated on.

It does appear I simply need to remove the Win8 pagefiles (and such), defrag the SSD drive, and then boot to BIOS, disable the Secure boot, confirm that Windows8 will boot with that setting (it may not) and if Windows8 boots, then reboot with an external USB DVD drive connected, press the appropriate (F12 ? ) Toshiba code to boot from the external USB DVD drive, and then install openSUSE GNU/Linux (keeping the UEFI setting).

I did think of another question … When I install openSUSE on any PC, I always as a precaution backup the MBR with dd and store that on a USB stick.

So that leads to the question: How does one backup the MS-Windows GPT header and table, such that it can be restored later, if one decides to remove GNU/Linux, and one does not have the MS-Windows8 installation media ? ie the backup would need to be made by booting to a liveDVD and saving any settings on an external USB stick or external hard drive.

With a winXP/win7 and the nominal MBR based file structure, one could backup partition table with:


dd if=/dev/sda of=partition-mbr-sda-backup-512 bs=512 count=1 

and one could backup only the MBR with:


dd if=/dev/sda of=mbr-sda-backup-440 bs=440 count=1 

Then copy the partition-mbr-sda-backup-512 and the mbr-sda-backup-440 files to a USB stick for use later if needed.

I read (one blog on backing up/restoring GPT header and table on a Mac) which suggested :


dd if=/dev/disk0 of=GPT bs=512 count=34

The GPT table and header of the disk can be restored as below :


sudo dd if=GPT of=/dev/disk0 bs=512 count=34

where presumably I would use /dev/sda instead of /dev/disk0 and the file to keep is called ‘GPT’. But I have not read that elsewhere and I am thinking that may be wrong or it may be Mac specific ?

What ‘dd’ values would one use to backup the “equivalent” with GPT ? Or is it even appropriate to use ‘dd’ in such a GPT disk formatting case ?

I read one case on the internet where the gdisk (GPT fdisk tools) are recommended to be used (GPT fdisk Tutorial) where:

GPT fdisk (consisting of the gdisk, cgdisk, sgdisk, and fixparts programs) is a set of text-mode partitioning tools for Linux, FreeBSD, Mac OS X, and Windows. The gdisk, cgdisk, and sgdisk programs work on Globally Unique Identifier (GUID) Partition Table (GPT) disks, rather than on the more common (through 2011) Master Boot Record (MBR) partition tables. The fixparts program repairs certain types of damage to MBR disks and enables changing partition types from primary to logical and vice-versa.

Has anyone attempted this sort of backup with a Windows8 GPT headers/table prior to installing GNU/Linux ?
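The on-disk layout behind the `dd ... count=34` question above, as an added example that is not part of the original posts: it parses a GPT image, checks the header and entry-array CRCs, reports which GPT structures a copy of the first 34 sectors misses, and finds EFI system partitions by type GUID (gdisk code ef00). It assumes 512-byte sectors; the disk image is a constructed 1 MiB sample and all function names are made up for this sketch.

```python
import struct
import uuid
import zlib

SECTOR = 512                                  # assumption: 512-byte logical sectors
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")     # the 92-byte GPT header
ESP_TYPE = uuid.UUID("c12a7328-f81e-11d2-ba4b-00a0c93ec93b")  # gdisk type ef00

def parse_header(sector):
    """Decode one GPT header sector and verify its CRC32."""
    (sig, _rev, size, crc, _rsv, my_lba, alt_lba, _first, _last, _guid,
     entries_lba, count, entry_size, entries_crc) = HDR.unpack_from(sector)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature")
    raw = bytearray(sector[:size])
    raw[16:20] = bytes(4)                     # CRC covers the header with this field zeroed
    if zlib.crc32(raw) != crc:
        raise ValueError("GPT header CRC mismatch")
    return {"my_lba": my_lba, "alt_lba": alt_lba, "entries_lba": entries_lba,
            "table_len": count * entry_size, "entry_size": entry_size,
            "entries_crc": entries_crc}

def read_table(image, hdr):
    """Return the partition entry array a header points at, after a CRC check."""
    start = hdr["entries_lba"] * SECTOR
    table = image[start:start + hdr["table_len"]]
    if zlib.crc32(table) != hdr["entries_crc"]:
        raise ValueError("partition entry array CRC mismatch")
    return table

def gpt_regions(image):
    """Map each on-disk GPT structure to (first_lba, sector_count)."""
    pri = parse_header(image[SECTOR:2 * SECTOR])
    bak = parse_header(image[pri["alt_lba"] * SECTOR:(pri["alt_lba"] + 1) * SECTOR])
    read_table(image, pri)
    read_table(image, bak)
    n = -(-pri["table_len"] // SECTOR)        # sectors used by the entry array
    return {"protective_mbr": (0, 1), "primary_header": (1, 1),
            "primary_entries": (pri["entries_lba"], n),
            "backup_entries": (bak["entries_lba"], n),
            "backup_header": (pri["alt_lba"], 1)}

def missed_by_head_copy(regions, sectors=34):
    """GPT structures that 'dd bs=512 count=<sectors>' from LBA 0 does not capture."""
    return sorted(k for k, (lba, n) in regions.items() if lba + n > sectors)

def esp_partitions(image):
    """1-based numbers of partitions whose type GUID marks an EFI system partition."""
    hdr = parse_header(image[SECTOR:2 * SECTOR])
    table, size = read_table(image, hdr), hdr["entry_size"]
    return [i // size + 1 for i in range(0, len(table), size)
            if uuid.UUID(bytes_le=table[i:i + 16]) == ESP_TYPE]

def _header(my_lba, alt_lba, entries_lba, table, total_lba):
    fields = [b"EFI PART", 0x00010000, HDR.size, 0, 0, my_lba, alt_lba, 34,
              total_lba - 34, uuid.UUID(int=1).bytes_le, entries_lba, 128, 128,
              zlib.crc32(table)]
    fields[3] = zlib.crc32(HDR.pack(*fields))
    return HDR.pack(*fields).ljust(SECTOR, b"\0")

def make_sample_image(total_lba=2048):
    """Constructed 1 MiB image holding one EFI system partition (not real disk data)."""
    entry = struct.pack("<16s16sQQQ72s", ESP_TYPE.bytes_le, uuid.UUID(int=2).bytes_le,
                        40, 1000, 0, "EFI system".encode("utf-16-le"))
    table = entry.ljust(128 * 128, b"\0")
    img = bytearray(total_lba * SECTOR)
    img[510:512] = b"\x55\xaa"
    img[SECTOR:2 * SECTOR] = _header(1, total_lba - 1, 2, table, total_lba)
    img[2 * SECTOR:34 * SECTOR] = table
    img[(total_lba - 33) * SECTOR:(total_lba - 1) * SECTOR] = table
    img[(total_lba - 1) * SECTOR:] = _header(total_lba - 1, 1, total_lba - 33, table, total_lba)
    return bytes(img)

if __name__ == "__main__":
    disk = make_sample_image()
    print(gpt_regions(disk))
    print("not in a 34-sector dd:", missed_by_head_copy(gpt_regions(disk)))
    print("ESP partition numbers:", esp_partitions(disk))
```

The backup header and entry array sit at the end of the disk, so a 34-sector image holds only the protective MBR and the primary copy. `sgdisk --backup=FILE /dev/sdX` writes the protective MBR, both headers and one copy of the partition table to a file, and `sgdisk --load-backup=FILE /dev/sdX` restores them.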

I don’t know yet, as I have not yet purchased the Ultrabook (Toshiba Z930). I will likely purchase a variant built for the Canadian market , have it shipped to my sister’s place in Canada, and when I visit there in 2-months time pick it up. Hence because of the long distance and time delay (but have reasons for ordering now) I want to research this best possible in advance. I won’t be ordering direct from Toshiba, but rather ordering from another supplier.

The Toshiba site calls this a “256GB SSD; mSATA hard disk drive” with a link here which does not help as it has a Toshiba brand name on it. As to who actually builds the drive, it’s not so easy to find out.

I’ll keep my eyes ‘peeled’ for an Internet blog or article that may provide that information.

I am now very skeptical as to what I read above, and I think the users who posted that the Toshiba Z930’s EFI implementation does not work with grub2-efi were either incorrect, or were generalizing too much. I say that because I have subsequently read of other GNU/Linux users whose posts suggest they have their GNU/Linux installed with EFI enabled on the Toshiba Z930.

I am now trying to deduce whether, when I install openSUSE-12.3, I will need to switch the Toshiba Z930 firmware settings from EFI to CSM (compatibility support mode).

This has been educational researching this.

When considering UEFI firmware in a computer, I have learned that CSM is a firmware component that emulates a more traditional BIOS environment, which can allow legacy operating systems and some ‘optional ROMs’ (that do not support UEFI) to still be used.

While I have read in linlap and other Internet sites that to install GNU/Linux on the Toshiba Z930 ultrabook they (‘they’ being mostly Ubuntu users) had to not only switch the firmware to disable Secure boot, they also had to switch the firmware from EFI to CSM. Unfortunately they often did not state their Ubuntu nor kernel version.

I am thinking such a firmware switch from EFI to CSM may not be necessary for openSUSE-12.3. I do note that a Fedora17 (linux-3.3.4 kernel) user reported on linlap that there was no need to play with the Toshiba Z930’s UEFI/CSM boot options to install Fedora-17 (however that was with a Win7/Fedora dual boot and not a Win8/Fedora dual boot). I believe there is a disadvantage to choosing CSM on a Toshiba Z930 with Windows8, as I believe if that is selected then Windows8 will not nominally boot in a dual boot (TBC by me when I obtain the PC).

Further to the above, I noted in a post by a user who installed win7 in a dual boot with win8 that they were able to boot win8 with secure boot disabled and EFI selected. With both secure boot disabled and CSM selected they could not boot win8.

I note that some of the Toshiba Z930 Win7 users, with an OEM standard MBR setup in their Toshiba, had all 4 partitions occupied. They ended up creating recovery DVDs, and re-installing win7 with less than 4 partitions. But I believe if I stick with EFI (and not switch to CSM) that I will not need to do this.

I have recently been introduced to the world of windows 8, gpt and uefi. It does require a slight change of thinking but overall it is possibly better than the old bios world!

Firstly switching off secure boot just requires entering the uefi settings (similar to the old bios settings) pressing the delete button on boot etc and taking the tick out. Windows 8 starts up without any problems. 12.3 is supposedly able to boot with secure boot enabled - although I have not bothered testing this.

Shrinking the main windows partition works in the normal way. Typically I just use windows to shrink the partition leaving empty space. The opensuse installation dvd works in the normal way and defaults to installing the bootloader using grub2-efi and using the empty space (unallocated disc space) to create suitable linux partitions.

grub2-efi picks up the windows installation and adds a windows entry to the opensuse boot loader. The differences are that the default o/s choice is contained in my uefi settings. So I have two entries there 1 - windows 2 - opensuse. If windows was set as the default the p/c would just start windows. My default is opensuse, so when my p/c starts it uses the opensuse bootloader and gives me the option to boot opensuse or windows (if required). I never have windows as the default uefi setting.

The actual boot function is held in partition 2 - both for windows and opensuse. With the opensuse boot config settings in the folder /boot/grub2-efi. There is a settings function under yast boot settings (like you would see using a bios based system - but with a few less options).

If I uninstall opensuse windows 8 starts without any problems. If I uninstall windows 8 opensuse starts without any problems. So there are separate functions here - so situations that I’ve had in the past when I re-wrote the mbr with grub, and made a mess of things, ending up with a system that would not boot (either opensuse or windows) won’t happen with uefi.

This is /boot/grub2 in 12.3. /boot/grub2-efi is a link retained only for compatibility with previous version and already removed in factory. So it is better to not get accustomed to it :)

I appreciate all the stories, accounts and explanations on this. I am hoping it will help to remove a lot of the fog and mystery and thus potentially prevent me from making too many mistakes.

I’ve read of /boot/grub2 and /boot/grub2-efi in various posts. One point that is not clear to me, as I have conflicting memories as to what I have read, … is /boot/grub2 in a separate partition, or does it share a partition with / or with an MS-Windows boot partition (but in its own separate directory in the shared partition and symlinked/mapped (or what ever) from an openSUSE /boot/grub2).

I ask that dumb question as I have read both explanations (albeit for different GNU/Linux distributions).

On Fri 05 Apr 2013 09:56:04 PM CDT, oldcpu wrote:

I appreciate all the stories, accounts and explanations on this. I am
hoping it will help to remove a lot of the fog and mystery and thus
potentially prevent me from making too many mistakes.

arvidjaar;2544898 Wrote:
>
> This is /boot/grub2 in 12.3. /boot/grub2-efi is a link retained only for
> compatibility with previous version and already removed in factory. So
> it is better to not get accustomed to it :)
>

I’ve read of /boot/grub2 and /boot/grub2-efi in various posts. One
point that is not clear to me, as I have conflicting memories as to what
I have read, … is /boot/grub2 in a separate partition, or does it
share a partition with / or with an MS-Windows boot partition (but in
its own separate directory in the shared partition and symlinked/mapped
(or what ever) from an openSUSE /boot/grub2).

I ask that dumb question as I have read both explanations (albeit for
different GNU/Linux distributions).

Hi
The only partition that needs to be separate is the ESP which
is /boot/efi as this needs to be vfat and set to type ef00 for the UEFI
boot. Every thing else can be how ever you like, separate /boot
residing in / wherever ;)


Cheers Malcolm °¿° (Linux Counter #276890)

I’ll comment on my experience (with a Dell desktop system).

I’m not quite sure about the partitions. With the mouse over the partitions in Windows disk manager, two of them show as recovery, and one shows as OEM. The others are the EFI (for booting) and the main Windows partition.

When I turn off secure-boot, Windows still boots without a problem.

I started creating Windows recovery DVD, except that it told me that it wanted a USB, not a DVD. Further investigation told me that it wants a 32G USB device for recovery media, and will overwrite whatever is already on that disk. I have not got around to doing that. I did make a full Acronis backup to an external disk.

If you install opensuse the right way, then the boot code will go in an EFI partition, not on any boot sector. My advice is to create a second small EFI partition for that. The evidence I have seen is that when you share an EFI partition with Windows, there can be frustration (Windows does not play nice). In my case, I added a second hard drive and put the additional EFI partition there. I have also experimented with a second EFI partition on the first drive, and that also works. A size of 100M would be sufficient.

The partition “/boot/efi” would be the EFI partition that you use. It is formatted vfat, and given the partition type code for EFI. Use grub2-efi for booting. Be sure to check the “secure boot” box on the booting install window.

You might find that the grub2 menu entry for Windows cannot boot Windows unless you turn off secure-boot. There’s a fix for that in the works (bug 809038), but I don’t think it is out yet.

On Fri 05 Apr 2013 10:56:01 PM CDT, nrickert wrote:

<snip>

A size of 100M would be sufficient.

<snip>

Hi
It should be fine for a dual boot setup. I would probably look at
something bigger than 100MB, openSUSE 12.3 by default enables multi
kernel versions?

I run gummiboot, which copies the kernel and initrd into efi
partition, on my test machine I have it at 256MB
to allow for them all… 3 installs (Win7, 12.2 and 12.3) and multiple
kernels… the next kernel upgrade would push mine over 100MB.


Cheers Malcolm °¿° (Linux Counter #276890)

However, grub2-efi does not put the kernel in the EFI partition. So using multiple kernels won’t affect how much EFI space is needed.

My current plan is to disable secure boot, but still enable the secure boot flag (?) in the openSUSE installer.

For the /boot/efi ~100MB partition, my assumption is I will need to custom create that with the openSUSE installer, as it is not created by default ?

I still have lots of time (just under 2 months) before I pick up my Ultrabook. I ordered it last weekend and it should be delivered to my sister’s place this week. But my sister’s place is a continent away, and I don’t traverse oceans that often, so it will be some time before I obtain and install openSUSE-12.3 on that device (probably in the mid-June to mid-July timeframe). In typical oldcpu over preparation fashion, that should hopefully give me enough time to learn this, and read/learn off of other’s problems and successes such that I am in better shape (from a knowledge perspective) when my turn to install openSUSE on that Secure-Boot/UEFI/GPT fitted Ultrabook comes.

“Secure boot” flag in YaST2 does two things

  1. it arranges for shim to be the actual bootloader. shim will verify signature and load grub2.
  2. it makes grub2 use a different loader (linuxefi) to start kernel. This loader verifies signature of kernel and initrd before starting them using interface provided by shim

If secure boot is disabled in firmware, in principle it should be transparent - but the problem is, linuxefi works only with kernel that supports EFI stub. It is relatively new so you may not be able to load older systems. Also it is using slightly different boot protocol (e.g. I’m not sure that you can even pass video parameters into kernel).

So I would not enable Secure Boot in YaST2 unless you actually are using secure boot.
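A way to check what the firmware is actually doing before deciding on the YaST option discussed above (an added example, not part of the original post): it reads the `SecureBoot` and `SetupMode` variables and classifies the boot. It assumes a kernel that exposes efivarfs at /sys/firmware/efi/efivars; the function names are made up for this sketch.

```python
import os
import struct

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI global variable GUID
EFIVARS = "/sys/firmware/efi/efivars"                 # assumed efivarfs mount point


def read_flag(name, root=EFIVARS):
    """Return a one-byte EFI global variable, or None if it is not present."""
    try:
        with open(os.path.join(root, f"{name}-{EFI_GLOBAL}"), "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    if len(data) != 5:                # efivarfs: 4-byte attribute mask, then payload
        raise ValueError(f"unexpected size for {name}: {len(data)} bytes")
    _attributes, value = struct.unpack("<IB", data)
    return value


def firmware_state(root=EFIVARS):
    """Classify the current boot: 'not-uefi', 'setup-mode', 'enforcing' or 'disabled'."""
    if not os.path.isdir(root):
        return "not-uefi"             # booted through BIOS/CSM, or efivarfs not mounted
    if read_flag("SetupMode", root) == 1:
        return "setup-mode"           # no platform key enrolled, nothing is enforced
    return "enforcing" if read_flag("SecureBoot", root) == 1 else "disabled"


def tick_yast_secure_boot(state):
    """Per the advice above: enable the YaST option only when firmware enforces."""
    return state == "enforcing"


if __name__ == "__main__":
    state = firmware_state()
    print(state, "-> enable YaST 'Secure Boot' option:", tick_yast_secure_boot(state))
```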

That’s good to know. I had thought I had read a recommendation otherwise, but when I went surfing again for that contrary recommendation, I could not find such an otherwise suggestion - causing me to believe my recollection is faulty (another dyslexic oldcpu recollection).

Hi !

Referring to your 1st posting:

This is a quite important question, I think.

On the one hand, as far as I read, openSUSE 12.3 should be able to install under ‘secure boot’.

On the other hand, I as well read that booting from USB devices is disabled when booting in ‘secure boot’ mode.

Until present I couldn’t resolve the contradictions involved.

Maybe because I don’t have a win8 system for trial.

Yours
Mike

This can only be determined by trying and seeing what happens.

In my case, I copied the install dvd iso to a usb (using “dd_rescue”). I was able to boot and install with secure boot enabled.

I have not tried with a USB connected DVD device. In any case, implementations of the UEFI firmware vary between manufacturers. So it is not at all certain what will work.

Which contradiction? Whether or not allow booting from removable media is decision of your hardware manufacturer. It has nothing to do with whether this or that OS supports secure boot.

Of course, as secure boot allows booting only known good binary, there is no need to block removable media. But apparently some vendors try to be holier than the pope …