On Fri, Apr 22, 2016 at 4:11 AM, Timothy Murphy <gayleard at eircom.net> wrote:
> Chris Murphy wrote:
>
>> What you should do is revert back to UEFI only, with Secure Boot enabled,
>> and reinstall CentOS, deleting the previous partition/mount points
>> including the BIOS Boot partition that was created for CentOS's
>> bootloader.
>
>> The gotcha is that with Secure Boot enabled, the CentOS GRUB-efi
>> package doesn't support chainloading the Windows bootloader. This is
>> getting fixed in Fedora 24 but I have no idea how long it'll take to
>> get to CentOS 7. You could either disable Secure Boot (which I don't
>> recommend) or you switch between CentOS and Windows using the
>> firmware's boot manager. You'll have to figure out which F key brings
>> up the boot manager. On my Intel NUC it's F10, *shrug*.
>
> May I ask a couple of questions which I'm afraid betray my ignorance.

It's much safer to betray ignorance and ask the question than end up stuck in the mud. It's not your fault; we've kinda been betrayed with these changes by a combination of overly complicated implementation, massive piles of bugs, hideous documentation, and misleading terminology reuse (mainly by the manufacturers).

> 1. Why is it advisable to "revert back to UEFI"?
> Is this just a safety measure?

Windows is already installed in UEFI mode. Mixed installations are just a PITA to support. You'll get almost no help from anyone on a list because how this works will be firmware dependent, and chances are no one else will have that same make/model and firmware revision.

And yes, I can't in good conscience recommend a setting that makes you less safe. The computer came to you with Secure Boot enabled, and you're best off leaving it in that condition. CentOS 7 supports UEFI Secure Boot out of the box. What it doesn't support is dual boot, but that's technically true even if Secure Boot is disabled, or if this were a system with BIOS firmware.

But the firmware boot manager can provide you with a way to switch between the two. Firmware setup might even have an option in there somewhere to present the boot manager by default on each boot. This is true on my Intel NUC, which uses American Megatrends firmware.

> I would have thought that if an intruder had got in this far,
> enabling him to install unsigned modules,
> he would have you at his mercy anyway?

There are levels of compromise. The bootloader malware compromise means you can reformat and still be owned. Secure Boot pretty much assures that you're not compromised except in user space, which is why you run with SELinux enabled, right?

> 2. I installed CentOS-7.2.1511 from a Live USB stick,
> and I have a Windows 10 partition that I can boot into.
> So I assume that UEFI is not used by default?
> Will it become so at some point?

If your firmware setup has an option for Secure Boot and/or "legacy" anything, then it is UEFI firmware. Strictly speaking, UEFI != BIOS, but the manufacturers think we're all morons, so they repurposed "BIOS" to apply to a completely different behavior of firmware, a completely different method of discovering the bootloader, and a completely different bootloader installation and location for the binaries.

Anything that comes with Windows 10 pre-installed has UEFI firmware, with Secure Boot enabled and any legacy option disabled, as a requirement of the Windows hardware certification spec. And CentOS can support that condition. You're best off, not just security wise but in terms of getting support on lists, the less you customize things at a firmware level. And changing to a hybrid UEFI CSM-BIOS mode is a mess. If it works for you, great, and if some expert wants to hand hold, fine, but it's not something I recommend. It's already complicated enough; I think it's made worse by enabling legacy stuff.

--
Chris Murphy
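The reply above distinguishes three things a CentOS user can verify from a running system: whether the kernel was booted in UEFI mode or through BIOS/CSM, whether Secure Boot is enforcing, and whether SELinux is enforcing. The following script is an added example, not code from the mail or from CentOS; it reads the standard sysfs locations (the EFI runtime directory, the SecureBoot variable in efivarfs, and the selinuxfs enforce flag), but every function takes a base directory so the checks can be exercised against a constructed tree. The GUID is the real EFI global variable namespace; the fake-tree helper and its values are constructed for demonstration.

```shell
#!/bin/sh
# Report firmware boot mode, Secure Boot state and SELinux mode on a Linux host.
# Added example (not from the original mail). Each check takes a base
# directory (default /sys) so it can be run against a constructed tree.

# GUID of the EFI global variable namespace, where the SecureBoot variable lives.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# boot_mode BASE -> "uefi" if the kernel exposes the EFI runtime, else "bios".
# "bios" covers both real BIOS firmware and UEFI firmware booted via CSM/legacy.
boot_mode() {
    base="${1:-/sys}"
    if [ -d "$base/firmware/efi" ]; then
        echo uefi
    else
        echo bios
    fi
}

# secure_boot_state BASE -> enabled | disabled | unavailable
# An efivarfs file is 4 bytes of attributes followed by the variable data;
# SecureBoot is a single byte, 1 meaning signature checks are enforced.
secure_boot_state() {
    base="${1:-/sys}"
    var="$base/firmware/efi/efivars/SecureBoot-$EFI_GLOBAL_GUID"
    if [ ! -r "$var" ]; then
        echo unavailable      # not booted in UEFI mode, or efivarfs not mounted
        return 0
    fi
    val=$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')
    if [ "$val" = 1 ]; then echo enabled; else echo disabled; fi
}

# selinux_mode BASE -> Enforcing | Permissive | Disabled (selinuxfs enforce flag)
selinux_mode() {
    base="${1:-/sys}"
    flag="$base/fs/selinux/enforce"
    if [ ! -r "$flag" ]; then echo Disabled; return 0; fi
    if [ "$(cat "$flag")" = 1 ]; then echo Enforcing; else echo Permissive; fi
}

# report BASE -> one line per check, for a quick read of the host's posture
report() {
    base="${1:-/sys}"
    echo "boot mode:   $(boot_mode "$base")"
    echo "secure boot: $(secure_boot_state "$base")"
    echo "selinux:     $(selinux_mode "$base")"
}

# make_fake_tree DIR SB_BYTE ENFORCE -> constructs a sysfs lookalike (demo only).
# SB_BYTE is 0 or 1 for the SecureBoot value; ENFORCE is the selinux enforce flag.
make_fake_tree() {
    dir="$1"; sb="$2"; enf="$3"
    mkdir -p "$dir/firmware/efi/efivars" "$dir/fs/selinux"
    var="$dir/firmware/efi/efivars/SecureBoot-$EFI_GLOBAL_GUID"
    printf '\006\000\000\000' > "$var"          # attributes 0x00000006 (BS|RT), little-endian
    if [ "$sb" = 1 ]; then printf '\001' >> "$var"; else printf '\000' >> "$var"; fi
    echo "$enf" > "$dir/fs/selinux/enforce"
}

# Run against the live system when invoked directly.
report "${1:-/sys}"
```

On a machine as described in the mail (Windows 10 pre-installed, CentOS 7 installed in UEFI mode) the report should read `uefi` / `enabled` / `Enforcing`; a `bios` boot mode with `unavailable` Secure Boot is the hybrid CSM condition the reply recommends against.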