New dual boot installation - bootloader/gpt & uefi/ secureboot questions


I’m building a desktop to dual-boot Leap 42.3 and W10.
Windows 10 is already installed in UEFI/secureboot mode and shrunk to half the SSD size, for Leap installation.

SSD is a Samsung 840 Evo, updated with the latest firmware. It currently has 4 gpt partitions created by windows 10, as reported by gparted:

 /dev/sda1 450 MB NTFS (recovery)
 /dev/sda2  99 MB EFI system partition
 /dev/sda3  16 MB MS reserved partition (file system unknown)
 /dev/sda4 100 GB NTFS Basic Data partition
 132 GB unallocated space.

MoBo is a Gigabyte H81M-H (LGA 1150) with latest firmware, rev. F9 (08/11/2015).

Relevant BIOS settings, AFAIU, are currently this:

Boot Option #1: Windows Boot Manager (on SATA0 SSD)
Execute Disable Bit: Enabled

Windows 8 Features: Windows 8
CSM Support: Always
  Boot mode Selection: UEFI only
  Storage boot Option Control: UEFI First
Other PCI Device ROM Priority: UEFI OpROM

info only: System Mode State: Setup
info only: Secure Boot State: **Disabled**

I don’t understand this last line, as right below there are the following settings:

Secure Boot: **Enabled**
Secure Boot Mode: Standard

Time is set to local in BIOS, and shown correctly in W10.

SSD is a Samsung 840 Evo, updated with the latest firmware.

There’s also a 1TB HDD with a backup of the previous oS 42.1 /etc and /home folders, that I intend to selectively restore to the SSD (nfs shares, thunderbird and FF folders, etc).

This HDD has 209 GB unallocated space at the beginning and a /dev/sda4 XFS partition with the backup and a lot of work data I need to keep. It’s partition table is msdos, not gpt. The unallocated space previously housed three partitions of the previous oS 42.1 install.

My main concern is to avoid damaging the Windows installation, as it houses a suite of bought-and-paid-for expensive software that are a PITA to reinstall, with multiple harware/IP locks. One of them (SAP2000) broke in a test W10 VM and it took 2 months to get it authenticated again, due to the very severe lock-down the publisher sees fit to use. Even de-authenticating it was fraught with pitfalls. Also transferring W10 and Office 2016 took a lot of comings and goings with MS support.

My intention is to install LEAP from the DVD, set to UEFI in the BIOS. I intend to disable the HDD in BIOS during installation, so the installer will only see the SSD.

So I’d like to ask for help on the following concerns I have:

**1) **Where (which partition) should the grub2 bootloader be installed on /sda? And the boot flag? The default installation settings should work?

**2) **Can I partition the HDD unallocated space at the beginning as one partition only (either NTFS for W10 drive D or an additional linux FS for data), so there’d be only /sdb1 and /sdb4 or the missing /sdb2 and /sdb3 will cause problems?
3) **Secure boot is enabled or not? What’s better for this work machine?

There. A long preamble for a few questions :slight_smile:
Thank you;


Re: 1) - So you don’t use a bootloader as such, so not boot flag, it’s UEFi boot, so you can share /dev/sda2 with windows, just during install select the expert partitioner and then rescan the disk and select the partition sda2 as ‘Not To Format’ and select the mount point as /boot/efi. Windows 10 uses about 26MB and an openSUSE install ~20MB so 100MB is fine for /dev/sda2.

In windows add a registry key for RealTimeIsUniversal (google the location for this :wink: ) and set the BIOS clock to UTC time.

You only need 40GB for / if using btrfs on /dev/sda if using the SSD, use the rest for home, put the swap on the rotating drive?

On or off for secure boot, your call, I have no problems with it, you may at times when booting get a new key request update from MokManager.

Ahhhh, sound of penny dropping…

Thanks Malcolm, you are a prince!

(and I’m still smiling at your avatar :))

If it were me, then I would first take an image of the current system with something like Acronis True Image.

Beyond that, I’m mainly agreeing with Malcolm.

**1) **Where (which partition) should the grub2 bootloader be installed on /sda? And the boot flag? The default installation settings should work?

You are using UEFI. So grub isn’t installed to a partition. Part of it will end up in your EFI partition ("/dev/sda2"), but it won’t use a lot of space there. The installer should recognize that this is a UEFI system, and it should want to mount your EFI partition at “/boot/efi”. It will put around 4M of files there. But most of grub will be in “/boot”, probably part of your root partition.

**3) **Secure boot is enabled or not? What’s better for this work machine?

I would leave it enabled. You can always disable later if there is a problem. Opensuse 42.3 should be fine with secure-boot enabled.

Thanks for your insight, nrickert. You raise good points, specially this:

I’ve created three primary partitions in the HDD unallocated space, like this:

/dev/sdb1 280 GB NTFS (for windows D)
/dev/sdb2   8 GB EXT4 (for /tmp, if advisable)
/dev/sdb3   2 GB EXT4 (for /var/log if advisable)
/dev/sda4 641 GB XFS  (existing backup partition)

The idea is to save a image file of the four windows partitions in /dev/sdb1 (a future windows D drive, maybe, or additional backup storage for syncthing).

I’m not sure, however, if it’s enough to image the three partitions (~ 100,6 GB) and the EFI partition has everything needed to restore the image later or if windows use something like a boot sector or flag outside these partitions, that I’d have to backup too (it seems not, as per your and Malcolm comments).

Worst case, /dev/sdb1 is large enough to hold a full uncompressed SSD image. But if I have to restore the image I’ll loose the Leap install.

I’m reading on Acronis (paid for) e Macrium, its free home version appear do do what I want.


/dev/sdb2   8 GB EXT4 (for /tmp, if advisable)
/dev/sdb3   2 GB EXT4 (for /var/log if advisable)

As a side note, these are equal to how I partitioned my main desktop, to keep these frequently written directories off the SSD. I’m not sure if this is still relevant, given the improved wear leveling on SSDs, but I think it won’t do any harm.

(and this also sidestep item 2 of post #1)

I’ve use Acronis. I’ve heard good reports on Macrium (free version), but I don’t have any experience with it.

With Acronis, I have twice replaced a disk and restored to the new disk from the most recent backup. Once was for Vista, and the other for Windows 7. And it worked perfectly, and booted without anything extra needed.

On another computer, I wanted to resize/move partitions with GParted. So I took an Acronis backup first, for safety. The resize worked – sort of. But Windows complained. Running CHKDSK fixed most of the problems. But then, I decided to just restore from the Acronis backup (to a different partition size). And that worked with no problems at all.

On “/tmp”: I would probably mount that from “tmpfs”. Perhaps swap should go to a regular hard drive, particularly if you have plenty of memory so that swap is not much used.

Check flash settings efibootmgr

Since you had a previous install it maybe that the flash point to he wrong thing ie leftover entries

Just did a disk image with Macrium free, it was very easy (way more than with Clonezilla). Also no PUPS at install, which is a big plus for me when using windows.

I made the image from the rescue CD it let you create, not from windows. The four partitions totaled ~29 GB used, the compressed image is ~15 GB.

Macrium seems to be a good tool for lazy GUI guys like me - supposing an eventual restore works, of course.

Now on to installing LEAP :slight_smile:

This happened the two or so times I used a not-windows-app to resize a windows partition, but the check it does (on reboot IINM) always fixed it completely.

It has only 8 GB RAM, and as LEAP may eventually run VMs, perhaps it would be better to put swap on the SSD. Or perhaps not, VM use won’t be as heavy on the main desktop - 24 GB, and swap was used a few times, but at least once because of a runaway app in a VM.

About /tmp, I tend to use 5+ GB as the machine has a DVD writer, and K3B and other recorders put temporary images there by default, and that’s obviously too much for 8 GB total RAM. I could change each recorder’s temp folder, but I’ve forgotten to do this more than once…

Thanks for your help, nrickert, it is much appreciated.

What are these flash settings? I tried googling it (duckduckgo actually) but only got references either to efibootmanager or flash player.

Ah, I forgot to mention that I’ve done a full erase (or a similar term) with Samsung’s tool, so there were no leftovers.



/dev/sdb2   8 GB EXT4 (for /tmp, if advisable)
/dev/sdb3   2 GB EXT4 (for /var/log if advisable)

Question: I think I’ll install LEAP with the default btrfs and xfs. I think it’s quite improbable, but is there any issue if I leave /tmp and /var/log as ext4?

Unless it’s related to the UEFI firmware or NVRAM - I’ve no idea if there is such a thing, actually. (puzzled icon here)

Well the efi boot settings is just part of the NVRAM (flash), and yes the tool to use for the ‘boot’ part is efbootmgr, use this tool to delete unwanted, add entries, set boot order etc.

If you want to have a look around the nvram, it can only be done with secure boot disabled and your system allows you to select an efi file to boot from and can pop the shell efi file onto a directory in /boot/efi or on a USB device (needs to be gpt, type ef00 and formated to vfat). You can download the pre-built binaries from;

You could also add as a boot option with a custom grub entry.

At first I assumed (from fragmented readings and wild speculation) that NVRAM would keep keys and something like a bootstrap, and the bootloader would be in EFI. After dealing with my daughter’s HP laptop I saw it was not so simple, as apparently each manufacturer can implement specific behavior at boot - f.e., the grub menu does not survive a windows 8 boot, after that it always boot straight into windows, so she uses F9 to select opensuse-secureboot from the boot options list.

I suppose I could try to learn and work around with it but unless I really have to, I’d rather have a good-enough just-works(*) way like using F9, given she rarely boots windows - I’m so proud of her!

(*) That’s why I prefer desktops, wired Ethernet and openSUSE :wink:

I suspect I’m at the limit of my competence with efibootmgr, perhaps better to let sleeping dragons lie :slight_smile:

Update (for my own sake later, if not for anybody else):

  1. Used gparted to create swap, / and /home partitions on SDA. LEAP 42.3 installer picked these and the existing windows partitions on sda (the SSD) perfectly - maybe because I formatted (btrfs and XFS), named and labeled them in gparted beforehand? Ignored the HDD for now, will add it from yast partitioner.

Only install glitch was a validation error when installing python-base. Not the media, I think, since I didn’t see this in a test install with the very same DVD - perhaps an aging DVD drive. Ignored the package for installation.

  1. 42+ automatic updates, everything OK, using nouveau. rebooted a couple of times alternating between W10 and LEAP, grub menu worked OK. Yast Software manager (but not the updater) automatically picked python-base as a missing dependency after first boot. I do appreciate Yast, it’s been a life- (and toil-) saver more than once.

  2. Some small defects rendering text in KDE. Added packman and nvidia repos, installed nvidiaG03 driver for the GeForce 210 card, nvidia-settings reported rendering enabled, all OK.

Tried to reboot, got ksmserver-logout-greeter crashed dialog. Same trying to log out. Same (!) with ALT+CTRL+Backspace twice. Forced a shutdown -h now from konsole (too lazy to ALT+CTRL+F1…) which worked. After booting back into LEAP, the greeter worked normally to shut off (tested just once right now).

  1. /tmp and /var/log for now are as default installation, as btrfs subvolumes. I have to find out how to move them to the dedicated partitions, if these partitions have to be formatted as btrfs (seems so if they should be “snapped”), etc. Some googling is in order.

  2. Now to restore firefox, tbird and others config and data folders before running them for the first time, and also syncthig config files and shared folders so it won’t need to transfer 400+ GB of files again.

Can be any format just mount partitions at the points you want to replace. Note that a mount supersede a normal director but leave the data alone so if you want totally rid of the directoreis you must first set the new mount in Yast then as root rename the directories and then reboot then you can delete the renamed if wanted. I do that with home all the time. I keep two root partitions and rotate them with new installs for OS version changes. Initially I do not mount home which means it is created in root and test the new OS until happy with it when I switch to the new OS I do the little dance above to mount my normal home and remove the temp home that was on root. Note I do this in a run level 1 terminal logged as root

Yes, I’ve also done this in my main desktop with /tmp and /var/log. To remove unwanted ex-system directories I generally reboot after creating the new ones and use dolphin in superuser mode. for more complicated things I boot from a parted magic live CD, it is quite nice.

Re. item 4 on my last post, I’ve been reading last night.
All those sub-volumes are separate from / exactly not to be included in the default snapshots. So no issues moving any of them wherever I want, in whatever format I choose - XFS in this case, just to keep the same FS in all HDD partitions. A bit OCD, I know…