Modern Windows PCs produced after Windows 8’s release have UEFI firmware with “Secure Boot” enabled. This helps protect against rootkits and other malware infecting the Windows boot loader, but it can also prevent Linux and other non-Windows operating systems from booting.
Some Linux distributions have had their boot loaders signed by Microsoft so they’ll boot with no problems. But for many Linux distributions you’ll have to disable Secure Boot before you can even boot a Linux distro from a USB drive.
Linux distros compatible with Secure Boot
PCs with Secure Boot check that the system’s boot loader is signed by an approved key before booting from it. These PCs ship with Microsoft’s keys preinstalled, so they’re effectively checking Microsoft has signed the boot loader before allowing it to boot. Microsoft provides a signing service Linux distros can take advantage of, allowing them to boot on most Secure Boot-enabled PCs with no further configuration. The handful of Linux distributions that take advantage of this should boot with no problems and no further configuration on a PC with Secure Boot enabled.
There is one catch here. While Microsoft does sign Linux boot loaders with a Microsoft key, these boot loaders are signed with a separate key from the one Microsoft uses to sign Windows. PC manufacturers aren’t required to include the Microsoft key for third-party UEFI applications as part of the Secure Boot specification, which means that these Linux distributions may not actually work on all Secure Boot PCs. But, in practice, most PC manufacturers do install this Microsoft key.
Modern versions of Ubuntu, Fedora, openSUSE, and Red Hat Enterprise Linux all “just work” without disabling or configuring Secure Boot. They use a small “shim” boot loader signed by Microsoft, which in turn confirms the main boot loader was signed by the Linux distribution before loading it. Some other smaller Linux distributions also use shim.
The Linux Foundation has released its own Secure Boot solution, which other Linux distributions would be free to use instead of shim. Matthew Garrett pledged to work on combining the Linux Foundation’s solution and shim to create one standard boot loader all Linux distributions can take advantage of. Work is ongoing on making this easier for Linux distributions, and all Linux distributions can support Secure Boot-enabled PCs with a bit of work already.
How to disable Secure Boot
Microsoft requires all PCs shipped with Windows 8 and 8.1 let you disable Secure Boot. However, Microsoft changed its rules with Windows 10. Windows 10 PCs may or may not provide you with a way to turn off Secure Boot—that’s up to each PC’s manufacturer.
If your PC does have an option to disable Secure Boot, you’ll find it on the UEFI firmware settings screen. To access these options, hold down the Shift key on your keyboard and click the “Restart” option in the Start menu, Start screen, or Settings charm. Your computer will reboot into an advanced startup options menu. Select “Troubleshoot,” “Advanced Options,” and then “UEFI Firmware Settings.”
This should take you to your computer’s UEFI settings screen, which will look different on each computer. Look for a category named something like “Security” or “Boot.” Find the “Secure Boot” option and disable it. You can now save your settings and reboot your computer. Secure Boot will be disabled and you can boot Linux or any other operating system.
The process may be a bit different on some computers—you might have to press a key during the boot process to access the UEFI settings screen. Search the web for your model of computer (or motherboard, if you built your PC yourself) and “disable Secure Boot” if you can’t find the option.
Windows itself doesn’t require Secure Boot to run, so your Windows system will continue to boot and work properly with Secure Boot disabled—just as if you installed Windows 10 or 8.1 on an older PC without Secure Boot capabilities. If you want to re-enable Secure Boot in the feature, visit the UEFI settings screen again and switch it back on.