Ubuntu 17.10 Secure Boot and Legacy Boot install

Ever since Secure Boot was released, I’ve been wary of it. Secure Boot can mean that my freedom on platforms has been removed. Why does this bother me?

Let me try and look at it from a different perspective for a minute. I’m a manufacturer. I make smartphones/fridges/watches/whatever. I’m making the software and I don’t want people to mess with it. Best way to prevent that is a system like Secure Boot. Of course, my product doesn’t do as well as I want it to on the market, and upper management has decided it isn’t worth the investment. Losses are cut, and the product line is dropped. Support, it is a thing of the past.

As a user this is very irritating. It is my device. I paid for it. It is mine. I should be able to use it for whatever I want. For some reason, our society has deemed it acceptable that what I buy isn’t really mine. It is owned by some corporation somewhere else. It is like I have “Big Brother” telling me what I can and cannot do with my device. I mean really, most people just want it to run Doom.

However, I can also see the benefit of locking systems down in a university or other public place. So there is a place for locking down the BIOS and configuring Secure Boot.

With that in mind, I would like to be able to have a USB install of Ubuntu be able to run in both a Secure Boot and Legacy boot mode.

I spent a bunch of time on Google, and I couldn’t come up with the right terms, or a good guide on doing this. It seems that most individuals aren’t interested in a “dual boot” option. Eventually I stumbled upon the following post, Partitioning hard disk drives for BIOS-MBR, BIOS-GPT, and UEFI-GPT in Linux. It is a good read, and I would recommend it.

The basics. I simply needed a 1 MB partition as the first partition of a GPT partitioned disk. I put the label of bios_grub on it. Then you need your standard “EFI System Partition” and other Linux partitions.
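As an added example (not from the original post), this Python sketch reads a raw GPT disk image and reports whether it carries both partition types the layout above relies on: the BIOS boot partition (what parted marks with the bios_grub flag) and the EFI System Partition. The function names, the constructed sample image and its partition sizes are assumptions made for the illustration.

```python
import struct, uuid

SECTOR = 512
BIOS_BOOT = uuid.UUID("21686148-6449-6e6f-744e-656564454649")  # parted flag: bios_grub
ESP = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")        # EFI System Partition
LINUX_FS = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")   # Linux filesystem data

def read_gpt(image):
    """Return [(type_guid, first_lba, last_lba, name)] from raw GPT disk bytes.
    CRCs and the backup header are not checked; this only reads the layout."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(count):
        off = entries_lba * SECTOR + i * size
        raw = image[off:off + size]
        type_guid = uuid.UUID(bytes_le=raw[:16])   # GUIDs are stored mixed-endian
        if type_guid.int == 0:                     # unused slot
            continue
        first, last = struct.unpack_from("<QQ", raw, 32)
        name = raw[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append((type_guid, first, last, name))
    return parts

def boot_modes(parts):
    """Firmware modes the layout can serve, judged by partition types present."""
    types = {p[0] for p in parts}
    return {"legacy_bios": BIOS_BOOT in types, "uefi": ESP in types}

def build_sample(with_bios_boot=True):
    """Constructed image: 1 MiB BIOS boot, 512 MiB ESP, root (sizes are assumptions)."""
    def entry(type_guid, first, last, name):
        return (type_guid.bytes_le + uuid.uuid4().bytes_le
                + struct.pack("<QQQ", first, last, 0)
                + name.encode("utf-16-le").ljust(72, b"\x00"))
    rows = [entry(ESP, 4096, 1052671, "EFI System Partition"),
            entry(LINUX_FS, 1052672, 4194270, "root")]
    if with_bios_boot:
        rows.insert(0, entry(BIOS_BOOT, 2048, 4095, "bios_grub"))
    hdr = bytearray(SECTOR)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<QII", hdr, 72, 2, 128, 128)  # entries at LBA 2, 128 x 128 bytes
    return bytes(SECTOR) + bytes(hdr) + b"".join(rows).ljust(128 * 128, b"\x00")

if __name__ == "__main__":
    for t, first, last, name in read_gpt(build_sample()):
        print(f"{name:22} {(last - first + 1) * SECTOR // 1024:>8} KiB  {t}")
    print(boot_modes(read_gpt(build_sample())))
```

To check a real image, pass the first 34 sectors of the disk (as bytes) to `read_gpt` instead of the constructed sample.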

Typically I’ll do the install in KVM, which by default doesn’t boot with UEFI. This will do the legacy grub install.

Now I don’t recall if this next part is required, but it is what I did. I booted with the Ubuntu install media using OVMF in KVM to get the boot to use UEFI. I then did the appropriate mount --bind statements, and chrooted into my install. I ensured the EFI and boot volumes were mounted.

I then installed the signed EFI GRUB packages in Ubuntu.

apt install grub-efi-amd64-signed shim-signed
grub-install --uefi-secure-boot /dev/vda
apt install grub-pc git grub-pc-bin

After GRUB is installed for UEFI, I re-install grub-pc, since in Ubuntu each package precludes the other.

I hope this helps someone else out there.