Dual-boot Windows/Linux on Sony laptop with UEFI and Secure Boot
Sony laptops are nice, well-performing Windows machines, but they are notorious for being incompatible with Linux on many fronts. This one is no exception. I spent considerable time figuring out how to set it up properly, and by documenting this for you, my dear reader, I hope to save some of your time.
This article documents the working steps I took to manually install Linux (Fatdog64), with Secure Boot enabled all the way (never turned off), and keeping Windows available for dual-booting.
To protect the innocent I will not mention the exact model, but you can be assured, based on the many articles I've read, that other UEFI models suffer from similar problems too.
This is a bit lengthy. If you just want to read the steps, go ahead and click here.
- Why don't you just use installers? Because Fatdog64 does not come
with one. You can boot Fatdog64 in UEFI/SecureBoot fine (using
optical disc or USB flash drive), but there is no automated installer
for UEFI systems.
- Why Fatdog64 then? Obviously because I'm one of the co-maintainers ☺
- If I use big-brand distros that do have installers, do I need to
bother reading this? Well, no, if they work for you. But sometimes
they don't, and this article may help you to get that final step
to get your distro of choice running on your machine.
- I heard it is easy to install Fatdog64? Yes, you just need:
- copy two files (
initrd) to any existing partition.
- install a bootloader and tell it to load those two files.
- (and in this case, make sure that the bootloader is actually loaded by the UEFI BIOS so it can do its job),
- Lastly, Fatdog64's bootloader is generic - it can be used to boot other Linuxes (and Windows) too, as long as you have the correct grub.cfg. So if your favorite distro's bootloader does not work, but you managed to install it to the point where it has a good and valid grub.cfg, you can use Fatdog64's bootloader to boot it, too.
Simplified overview of UEFI boot process
I assume you are familiar with the BIOS (non-UEFI) boot process. The term MBR (Master Boot Record) should not be foreign to you.
When the UEFI BIOS is ready to load the operating system, it will attempt to find and load a bootloader. Unlike in a BIOS system, where the bootloader is in a fixed place in the MBR, in UEFI the bootloader location can vary, as long as it is located in a special disk partition called the ESP (EFI Service Partition) (Protip: ESP is a term, not a label, and there can be more than one ESP).
The default bootloader is named bootx64.efi (for amd64/x86_64 systems) and is located in the /EFI/Boot directory. In other words, the default filepath for the bootloader is in the first ESP partition (if there is more than one).
At least in theory.
But this is not set in stone. Apart from answering the obvious question (with no obvious answer) of "which one is the first ESP partition", in a properly configured and spec-compliant UEFI BIOS you can define and store entries that point to many different bootloaders - specifying both their filepaths and the partitions that hold them. You can, for example, define an entry called FooBar that points to /EFI/FooBar/mybootloaderx64.efi on the third partition of the second hard disk.
Then, you can also choose, among these entries, which one is the default bootloader. And it is expected, although not required, that at boot time the UEFI BIOS provides some means for the user to choose alternative bootloaders other than the default one (just like the legacy BIOS provides hotkeys to choose boot devices) - so you can choose to boot FooBar instead of the default one.
Once the bootloader is loaded, the UEFI BIOS transfers control to it and its job is done. The bootloader is responsible for loading the rest of the operating system just like the MBR does; in fact its job is easier - in legacy BIOS, the MBR is only 512 bytes - not much space to cram in the complex logic that modern disk subsystems require, so the MBR is usually only used to find and load the "second stage" loaders, which are the "real" loaders: e.g. ldlinux.sys for syslinux, or the second stage of grub, or grldr for grub4dos, etc.
A UEFI bootloader, on the other hand, can be of any reasonable size (e.g. 1MB or 2MB is common) and is loaded at once, effectively skipping the MBR stage and going directly to the "second stage".
That's it! Simple, right?
If you want more details and want to really know what exactly happens within UEFI BIOS from the point the computer is turned on until it starts looking for a bootloader, you may want to read from this link instead. ☺
If it is so simple then what's the problem?
Many! The main problem is that many UEFI BIOS-es do not comply with the specs. They just implement enough to get Windows booting, and nothing else (what else is new here - the same thing happened to ACPI too).
For example, you may not have the interface to add/edit/define entries. Or the UEFI BIOS may not offer you the ability to choose which boot entry to use at boot time. Certain UEFI BIOS-es always boot Windows first if they can find it, regardless of whatever other entries and whatever default entries you have specified. To add insult to injury, certain software (not sure whether it is the UEFI BIOS, Sony EFI pre-loaders or Windows boot manager) removes some entries it deems extraneous (that is, everything which has nothing to do with Windows).
I hope you see the problem. Sony UEFI BIOS comes with all of those problems. About the only redeeming feature is that you can make it boot from external media quite easily (press Sony "Assist" button, and when the menu appears, choose "external media").
As noted above, installing Fatdog64 is easy, just copy over two files. Installing bootloaders in UEFI (even in Secure Boot mode) is easy too, just copy a bunch of files - contrast this with installing on legacy BIOS, which requires you to write to the MBR and boot sector, make sure that boot files are stored in a contiguous location on disk, etc.
What is especially difficult is telling the UEFI BIOS to make use of the bootloader you just installed, and to keep using it as the default bootloader regardless of various hostile actions that try to remove it.
In the days before UEFI, it was possible to use the Windows bootloader as the primary bootloader to start a Linux operating system. You can do it this way: configure bootmgr (in Windows Vista and 7) to load a bootsector image and chainload to it. The bootsector image could then load grldr (grub4dos bootloader) or other bootloaders which then load Linux.
If you configure this properly, you will even get a boot menu when the
computer is started, asking you to choose to boot Windows or the other
entries. It is nice and good.
After UEFI, however, nobody has figured out how to use Windows bootloader to boot anything other than Windows. The closest one I can find is this - but it didn't work when I tried it.
The steps to install and setup the bootloader
The actual steps are quite simple.
- Very important: Before you start doing this, make sure that you have turned off FastBoot and disabled hibernation, then do a proper shutdown of Windows. The steps are all over the Internet, you just need to search for them.
Test this a couple of times by shutting down and starting up Windows, making sure that it really does a shutdown and cold startup rather than using its FastBoot / HybridBoot / HybridSleep stuff (which is a cheap trick because they couldn't get Windows to boot faster properly).
- Boot to Fatdog64 using a USB flash drive. You can do this by pressing the Sony "Assist" button, and then telling it to boot from external media. Once booted, you need to whitelist Fatdog64's binaries by enrolling its certificate. This process uses MokUtil from mjg59's shim and is described elsewhere.
- Once inside, notice the partition layout of the main harddisk. In my case, the layout is like this:
- [sda1] - SONYSYS - Sony System partition (not sure what this is for; some say that this is meant for the "Assist" button to work, and since the "Assist" button is the only way to enter the UEFI BIOS menu, you really really don't want to tamper with this).
- [sda2] - WinRE (Windows Recovery environment) - in case you kill your Windows, etc. You also don't want to touch this.
- [sda3] - Windows ESP, containing the Windows bootloader (/EFI/Microsoft/Boot/bootmgfw.efi). This will be our target.
- [sda4] - Windows reserved partition, don't know what this is for.
- [sda5] - Windows primary partition (the C: drive). You should install Fatdog64 here or, as I did, shrink the partition and create a new partition (sda7) for Fatdog64.
- [sda6] - Sony Recovery image - this contains a compressed image of the Windows OS which is needed in case you want to restore the system to factory default. Don't touch unless you have a Windows 8 install DVD or do not care about restoring Windows.
- Mount your Fatdog64 flash drive containing the UEFI bootloader
sdb2). Then copy over Fatdog's
- Copy over the /drivers directory from Fatdog UEFI bootloader driver and put it under sda3, and rename it to drivers_x64 so that they are automatically loaded and the rEFInd bootloader will have access to NTFS partitions (especially important if your Fatdog64 files are located in NTFS).
- Up to this step, if you reboot your machine, you will get the new bootloader working. But Windows is no longer bootable since we moved its bootloader to /EFI-win and the UEFI BIOS does not know how to boot that. Rather than fighting with the UEFI BIOS, it is much simpler to modify the rEFInd configuration and tell it to load the Windows bootloader (normally rEFInd does not require this step as it can find the Windows bootloader automatically too, but since we moved it to /EFI-win, it can't find it and has to be told where it is).
- So, edit
sda3) and create a new entry to boot Windows. A sample entry already exists, but it points to /EFI/Microsoft/Boot/bootmgfw.efi. All you need to do is modify it so that it points to /EFI-win/Microsoft/Boot/bootmgfw.efi instead. Then remove the "disabled" line to activate it. You can add icons if you want to get fancy.
- That's it! Of course, copy over Fatdog64's grub.cfg (this is needed by grub2 to find out which partition has Fatdog64 installed). grub.cfg must be put at the root of the partition that contains Fatdog64.
Note that by installing it this way, some say that updating Windows will overwrite our /EFI directory with Windows' one. I have not yet updated Windows after I did the steps above, so I could neither confirm nor disprove it. If Windows does overwrite it, the fix is easy - just boot from USB again, remove the bad /EFI folder and replace it with our own again.
- Lastly, note that none of the steps disable Secure Boot. Secure Boot is enabled and remains enabled through the entire process from beginning to end.
Installing a new bootloader also means that ALL your previously installed operating systems will not boot unless you configure the new bootloader to boot them. If you don't understand the consequences of the actions described earlier, you'd better stay away from doing this altogether. You have been warned!
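A way to re-check the ESP after the steps above (and again after a Windows update), written as an added example; it is not part of Fatdog64 or rEFInd. The function names are made up for this example, the rEFInd configuration file is passed as an argument because its location depends on your install, and the check assumes that after the move nothing should remain under /EFI/Microsoft.

```sh
#!/bin/sh
# Added example: audit a mounted ESP against the layout this article ends up with.
# Usage: sh check_esp.sh <ESP mount point> <path to rEFInd config file>
WIN_LOADER='EFI-win/Microsoft/Boot/bootmgfw.efi'

# Succeeds only if the config has a menuentry whose loader is the moved Windows
# loader and which has no "disabled" line. Accepts / and \ as path separators.
windows_entry_enabled() {
    awk -v want="$WIN_LOADER" '
        { sub(/#.*/, "") }                                  # drop comments
        $1 == "menuentry" { inside = 1; hit = 0; off = 0 }
        inside && $1 == "loader" {
            p = $2; gsub(/\\/, "/", p); sub(/^\//, "", p)
            if (tolower(p) == tolower(want)) hit = 1
        }
        inside && $1 == "disabled" { off = 1 }
        inside && $1 == "}" { if (hit && !off) ok = 1; inside = 0 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Prints one finding per line; returns 0 only if nothing is wrong.
check_esp() {
    esp=$1 conf=$2 rc=0
    [ -f "$esp/EFI/Boot/bootx64.efi" ] ||
        { echo "MISSING default loader /EFI/Boot/bootx64.efi"; rc=1; }
    [ -f "$esp/$WIN_LOADER" ] ||
        { echo "MISSING moved Windows loader /$WIN_LOADER"; rc=1; }
    # Assumption: a loader back under /EFI/Microsoft means the Windows tree was re-created.
    [ ! -e "$esp/EFI/Microsoft/Boot/bootmgfw.efi" ] ||
        { echo "REAPPEARED /EFI/Microsoft/Boot/bootmgfw.efi"; rc=1; }
    if [ ! -f "$conf" ]; then
        echo "MISSING rEFInd config $conf"; rc=1
    elif ! windows_entry_enabled "$conf"; then
        echo "NO enabled menuentry for /$WIN_LOADER in $conf"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Constructed sample tree (empty files stand in for the real binaries) for a dry run.
make_sample_esp() {
    mkdir -p "$1/EFI/Boot" "$1/EFI-win/Microsoft/Boot"
    : > "$1/EFI/Boot/bootx64.efi"; : > "$1/$WIN_LOADER"
    printf 'menuentry "Windows" {\n    loader /%s\n}\n' "$WIN_LOADER" > "$1/refind.conf"
}

if [ "$#" -eq 2 ]; then check_esp "$1" "$2"; fi
```

The script only reads the ESP. A REAPPEARED finding is the cue to boot from USB and restore the /EFI folder as described above.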
UEFI bootloaders and boot processes in general. Highly recommended.
I quote the second post from the top: Hello mickpf! Sony does not support the installation and use of two operating systems (dual boot) on our computers. Sony will support the factory installed operating system and the original software and drivers.
Boot Linux from Windows, it didn't work for my case. Perhaps it would work if Secure Boot is disabled but in my case I was attempting to do the installation without disabling Secure Boot at all.
(did not work - the new entry was ignored and after a few boots to Windows it got deleted).
This should work, as it is similar to what this article explains, only less extreme, but it did not work for me - somehow the UEFI BIOS or Sony preloader managed to find the right copy of bootmgfw.efi from somewhere and still booted Windows. You should definitely try this one first before going with the steps outlined in this article.
- https://www.preining.info/blog/2014/08/sony-vaio-uefi-lie/ and
(I am not the only one with this problem).
The ability to boot from UEFI and Secure Boot is the result of hard work from many people, without which none of this would have happened. Fatdog64 owes its ability to boot from UEFI/Secure Boot to excellent software from these people / projects:
- Matthew Garrett's shim: http://mjg59.dreamwidth.org/20303.html
- rEFInd UEFI boot manager from Roderick Smith: http://www.rodsbooks.com/refind/
- GNU GRUB 2.00: http://www.gnu.org/software/grub/ in UEFI mode, with suitable patches from Fedora: http://pkgs.fedoraproject.org/cgit/grub.git/
Thank you, guys!