I got an old HP laptop for a good price. (HP ProBook 650 G4.) It was cheap because it’s BIOS locked and requires secure boot. (I believe this is the same as “HP Sure Start”.)
Game over, right? Not quite. It still boots secure boot enabled Linuxes. I’ve installed Fedora with no problems. But I would like the ability to install any modern Linux OS.
To be clear, I have no security concerns subverting secure boot. I only have it on because my BIOS is locked.
There are a few methods that are too hard/expensive:
- creating my own exploit by referencing the patch notes of later firmwares (theoretically possible)
- dumping the BIOS myself and getting the BIOS password that way (it’s been done on this model)
- Figuring out the undocumented backdoor HP used until around 2018 to reset BIOS passwords. (It’s unclear if the backdoor is patched, or just no longer being used.)

I almost got what I want. I booted Ventoy via USB, and the laptop prompted me to enroll the Ventoy key in the secure boot system. I can boot any ISO I want from Ventoy. I can also boot Ventoy, and do LocalBoot (F4) via Ventoy into an unsigned locally installed OS. I booted Arch this way.
I just installed Mint Cinnamon and it prompted me during install for “3rd party drivers” as well as “enable secure boot”. It required an 8-character password (Mint requirement or UEFI requirement?), which was required in UEFI on reboot (one time). Then I enrolled the key in secure boot and now I can boot straight into Mint. The install prompt was:
> Installing third-party drivers requires configuring Secure boot. To do this, you need to choose a security key now, and enter it when the system restarts (Learn more)
>
> You have chosen to enable third-party software as part of your install, which this system includes hardware drivers for graphics and/or Wi-Fi hardware. Your system also has UEFI Secure Boot enabled. UEFI Secure boot needs to be configured to allow the use of this third-party drivers.
- No, third-party drivers do not _need_ Secure boot
- No, the installation wizard also doesn’t say you need Secure boot for those drivers, it is warning you that you have secure boot enabled, thus special considerations will be necessary

What’s the easiest way to get insecure-boot-like behavior on this device? I was thinking I need to get rEFInd on here so it can search for any relevant OS. I also am not clear on how to install OSs properly in this environment (OSs want to change/configure the bootloader themselves). I’m hoping to install to an NVMe drive, but SATA, USB, and network boot (ha) are options too.
Alternatively, how can I do what Mint did on the install on other Linuxes?
I have a basic understanding of the secure boot “shim” and the cryptography in secure boot, but definitely no practical knowledge.
(I prefer to say BIOS over “UEFI” despite being technically incorrect.)
edit: Still don’t know what I’m doing, but Fedora (and thus Bazzite) supported secure boot. I just ran the Bazzite installer, rebooted when prompted, and entered secureblue as the key password. https://docs.bazzite.gg/General/Installation_Guide/secure_boot/


I would be looking for ways to clear it versus working around it. I assume they have a custom TPM-like chip, so pulling the BIOS battery probably won’t work.