Should I use Secure boot or Legacy boot?

[keniv]

I am not entirely sure if is the correct section of the forum for this question but from the sections available I thought this to be the best choice.
I've been given a Lenovo Yoga 310-11IAP laptop which was on it's way to an electronic waste bin. It was setup to run Win10 but no longer did so. I was told it no longer worked after a failed update which would not install. As this has only a 32GB MMC drive I wondered if there was now insufficient room to both download and install the update but as I did not want to run Win10 this was not an issue. My intention was to run Mint Linux Mate v22 and multi boot with two pups, BookwormPup 10.0.7 and FP96-4CE. This machine has no optical drive so I burned the Mint Linux iso to a USB flash drive. I then changed the boot order to boot from the USB drive first. I was sure I had read somewhere that I had to disable secure boot and I did this but I know think that this may have been unnecessary. I installed Linux Mint. This took up about 13.8GB of the drive. I shrunk the partition in which Mint resides to about 20GB thinking this would be enough if I didn't add a lot of stuff. I made a new partition formatted ext4 from the now unallocated part of the drive and made frugal installs of BookwormPup 10.0.7 and FP96-4CE in this partition and used the version of grub in Mint to boot these. All of this works using legacy boot, however, I now think that I should not have disabled secure boot as all three of the above OS should work with secure boot. So my question is if I am not using Win10 is there any "security" advantage booting my linux OS with secure boot or am I OK to continue using legacy boot.

Regards,

Ken.

[wizard]

@keniv

I wondered if there was now insufficient room to both download and install the update

Most likely the issue.

any "security" advantage booting my linux OS with secure boot

Secure boot on will probably cause, at least your Pups, not to boot.

wizard

[keniv]

@wizard

Secure boot on will probably cause, at least your Pups, not to boot.

Yeah, I actually tried to boot with the bios set back to secure boot and got an error and no boot. I didn't expect it to work as I had set everything up with the bios set to legacy boot. All I'm concerned about is if booting with legacy boot is less secure than booting with secure boot in a linux system. If booting with legacy boot does not cause a reduced level of security in a linux system then I'm happy to stick with the legacy boot particularly since to go for a secure boot system would presumably involve a reinstall of everything and my frugally installed pups are likely not to work.

Regards,

Ken.

[bigpup]

The easy way to have minimum boot issues is to do what you did and just run it that way.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

Usually, (depends on the UEFI bios firmware version) secure boot needs to be disabled to get it to boot from a USB drive.

To get any operating system to boot with secure boot enabled.

A security key for the operating system has to be installed onto the computer.

This security key, the bios boot process looks for, to tell it the operating system is OK to boot the computer.

running in legacy mode and secure boot disabled.
Bios does not look for a security key and just boots whatever OS it is.

Mint 12 should have installed a security key for it, but maybe not. Need to read it's help for info on this.

Most of the newest Puppy versions, have the Puppy security key in their ISO, with the program that installs it.
do need to run this program to get it installed on the computer.

But most of the older Puppy versions do not provide this key.

Frugalpup Installer program, does provide the key, if you install the UEFI boot loader it can install.

[keniv]

@bigpup

Usually, (depends on the UEFI bios firmware version) secure boot needs to be disabled to get it to boot from a USB drive.

I did have to disable secure boot in order to install Mint 22 from a USB.

A security key for the operating system has to be installed onto the computer......Mint 12 should have installed a security key for it, but maybe not.

Perhaps as Mint 22 was installed onto a legacy boot system it did not bother to install a key for a secure boot system, however if installing Mint 22 from a USB requires secure boot to be disabled it would seem not to be possible to install Mint 22 to a secure boot system yet this is the method suggested on the Mint Linux site.
I have no intention to run another OS on this machine so can I ask if it's safe to continue to use legacy boot to boot Mint 22, BookwormPup 10.0.7 and FP96-4CE.

Regards,

Ken.

[dimkr]

Most Puppy variants contain packages built manually on somebody's computer, making it impossible to confirm that the package was built from the original source code, without any malicious changes.

You can sign the kernel and an enroll a MOK and there you have your Secure Boot capable Puppy, but that won't fix the security risk of unverified binaries running as root. Secure Boot adds security only when the entire OS, all the way to the boot loader, is reproducible and verifiable (for example, using dpkg --verify), with the signing keys in the hands of somebody who knows how to protect them against theft of any kind.

It's possible to use UEFI boot with Secure Boot disabled, you'll get the same degree of (in)security but without having to mess with key enrollment.

[bigpup]

You could be right about Mint 22 not trying to install a security key, because it was running in legacy mode with secure boot disabled.
That is booting in old type bios operation.
So no need to do anything to support secure boot, because old type bios did not have this feature.

Again, you need to go look in Mint support help on this subject.

I have been running computers with secure boot disabled for years.
Booting different versions of Puppy Linux.
Never had any issues.

I am booting with some version of Puppy Linux and it is me doing it.
I think I can trust me.

[keniv]

@dimkr and @bigpup

but that won't fix the security risk of unverified binaries running as root. Secure Boot adds security only when the entire OS, all the way to the boot loader, is reproducible and verifiable

I have been running computers with secure boot disabled for years.
Booting different versions of Puppy Linux.
Never had any issues.]

Given the above comments I've decided to leave legacy boot in place as I don't currently see any way of booting what I have using secure boot. I will do more reading and see if I can find a way of installing Mint 22 with secure boot using a USB drive. If I find a way to do this I may try reinstalling with secure boot enabled. If anybody has successfully installed Mint 22 from a USB drive onto a secure boot system I'd be interested to know how it was done. Even better if you've been able to boot it together with a couple of pups.

Regards,

Ken.

[mikewalsh]

@keniv :-

Frankly, I agree with @wizard , above. A modern version of Windows occupies between 15-20 GB, bare minimum install. The sheer amount of space it needs in order to run & function properly is mind-boggling! Unlike older versions of Windows - like XP, say - new versions require at least 3-4 times their own installed size just to correctly install updates. How the hell an OS can occupy SO MUCH SPACE has always been a total mystery to me, but.....there ya go. And any remaining 'spare' space on the primary drive, Windows likes to fill up with 'shadow' copies of itself.....

......which explains why so many Windows fanbois recommend an absolute minimum of 500GB for your primary drive, preferably 1 TB.

A decade ago I was able to triple-boot XP 'Pro' alongside two Puppies on ye anciente Dell Inspiron lappie....and that was highly-customized AND well-stocked. All from a miniscule 20 GB Hitachi Travelstar HDD, along with just 1 GB of DDR1 and a 32-bit 400FSB P4......and believe it or not, that tiny drive was still only around 65% full.

============================

Do the maths. TBH, I think it's criminal that hardware vendors be allowed to foist such under-powered crap on an unsuspecting public, but they rely on the fact that your average Joe knows squat about tech, and this way they have wiggle-room to 'encourage' him to shell out more money for the type of hardware he should have been sold in the first place.....IF the vendor had anything resembling a conscience.

Businesses the world over, regardless of their product, will always take advantage of the gullible. Sad....but true.

Mike.

[keniv]

@mikewalsh
Yeah, I agree it's definitely underpowered as far as running Win10 is concerned. It has a dual core CPU and only 4GB ram with a 32GB MMC drive.
However, it seems to be OK with Mint 22 Mate, BookwormPup 10.0.7 and FP96-4CE. To be honest I'm mainly using BookwormPup which I'm using to type this and it's quite acceptable in terms of speed etc. I've also added a 32GB SD card which I had going spare. I do find the touch pad a bit skittish but I'm not used to using one. I've had a look at the settings for this.

which explains why so many Windows fanbois recommend an absolute minimum of 500GB for your primary drive, preferably 1 TB.]

Yes I've also got an old Toshiba laptop which was also on it's way to the electronic waste bin. It also has Win10 installed which I'm told was super slow. It has a 500GB spinning rust drive which seems have a large part of the space taken up by Win10 files though it does have a lot of other stuff including music etc. Not so long ago 500GB seemed like a huge drive. Anyway in spite of all it's limitations I quite like the Lenovo. I've never owned a new computer or one with a high spec so maybe I'm just easily pleased.

Regards,

Ken.

[wizard]

@keniv

Your Lenovo Yoga 310-11IAP came with different CPU's, from barely usable, to quite good. You should look and see which one you have. Have several Lenovos and like them as well.

Not so long ago 500GB seemed like a huge drive.

500's are still a lot of storage, I use several in external USB cases for system image backups. IMO, really little need for that size as an internal drive since you can store big files on external drives.

I've never owned a new computer or one with a high spec so maybe I'm just easily pleased.

I find it is a lot more fun to "soup up" or rehabilitate an old computer.

wizard

[keniv]

@wizard

Your Lenovo Yoga 310-11IAP came with different CPU's, from barely usable, to quite good. You should look and see which one you have.

Below is the output from PupSysInfo for the CPU.

Code: Select all

CPU Specifications:
 Processor Name             Intel(R) Pentium(R) CPU N4200 @ 1.10GHz
 Socket Designation         U3E1
 Family                     Pentium
 Manufacturer               Intel(R) Corporation
 Signature                  Type 0, Family 6, Model 92, Stepping 9
 Voltage                    0.9 V
 External Clock             100 MHz
 BogoMips                   2188.80
 Min/Max Speed              800/2500 MHz
 Current Speed              Core 0:2289 MHz, 1:2295 MHz, 2:2290 MHz, 3:2335 MHz
 Core Count                 4
 Thread Count               4
 64-bit capable             Yes
 Frequency governor         ondemand
 Freq. scaling driver       intel_cpufreq

From this it seems to have four cores if I'm reading it correctly. I see the Min/Max Speed is shown as 800/2500 MHz and all four cores are shown as running at the top end of this speed yet the Processor Name is Intel(R) Pentium(R) CPU N4200 @ 1.10GHz. I find the 1.10GHz a bit confusing. I've never had a computer with a four core CPU before. I'm hoping that this is one of those that you would describe as "quite good".

I find it is a lot more fun to "soup up" or rehabilitate an old computer.]

Below is the info on the ram.

Code: Select all

 Installed Memory           4 GB
 Maximum Memory             16 GB
 Number Of Slots            2
                           
 Memory Module 1           
 Data Width                 8 bits
 Size                       2 GB
 Form Factor                DIMM
 Locator                    ChannelA-DIMM0
 Type                       DDR3
 Type Detail                Synchronous
 Speed                      1600 MT/s
 Manufacturer               0000
 Serial Number              00000000
 Asset Tag                  9876543210
 Part Number                 .      .      ..
 Configured Memory Speed    1600 MT/s
                           
 Memory Module 2           
 Data Width                 8 bits
 Size                       2 GB
 Form Factor                DIMM
 Locator                    ChannelA-DIMM1
 Type                       DDR3
 Type Detail                Synchronous
 Speed                      1600 MT/s
 Manufacturer               0000
 Serial Number              00000000
 Asset Tag                  9876543210
 Part Number                 .      .      ..
 Configured Memory Speed    1600 MT/s

It looks like two modules at 2GB each. I did wonder about swapping one of these for a 4GB. There are some second hand ones on ebay at a reasonable price but I'm a bit wary about buying these. Would going from 4 to 6GB be a worthwhile upgrade? Seems it can use up to 16GB.

Regards,

Ken.

[wizard]

@keniv

You hit the jackpot, the N4200 CPU is a quad core and has a Passmark v9 = 2027. Compare that to the low end N3050 dual core Passmark v9 = 874. That and 4gb of ram make your machine very capable.

I did wonder about swapping one of these for a 4GB

Looked at a disassembly on Youtube and didn't appear to have up-gradable ram. Here's a link where you can enter your serial number and find out more:
https://pcsupport.lenovo.com/us/en/prod ... rts/search

Using BW64 or F96CE_4 with zram manages the ram quite well and should handle most task. Just keep an eye on Conky's ram use. Also suggest you use pfix=nocopy on the grub kernel line which frees up ram and speeds up booting.

Thanks
wizard

[keniv]

@wizard

You hit the jackpot, the N4200 CPU is a quad core and has a Passmark v9 = 2027.

Ah thanks for that good news.

Looked at a disassembly on Youtube and didn't appear to have up-gradable ram.

I've downloaded a "teardown" for the Lenovo Yoga 310-11IAP as it was all I could find based on a quick search on upgrading the memory. I'll have to have a better look, however from what you said it may not be necessary. Also thanks for the link. Quite a lot of stuff available to buy at a price though I didn't find memory modules. Also downloaded a "Hardware Maintenance Manual" which I thought might help.

Also suggest you use pfix=nocopy on the grub kernel line which frees up ram and speeds up booting.

.
I'm just about to try the above. I'll keep the old boot stanza and add the new one so as I can compare them. I'll report back on how it goes.
Thanks again for the help with this.

Regards,

Ken.

[wizard]

@keniv

Had good luck with MX LInux on other Chromebooks, would be interesting to see how it works on yours.

Thanks
wizard

[keniv]

@wizard

Also suggest you use pfix=nocopy on the grub kernel line which frees up ram and speeds up booting.

I tried the above. l kept the old boot stanza and added the new one so as I could compare the boot up speed. This was with BookwormPup 10.0.7. There wasn't much difference. From pressing start button to desktop with nocopy=47s without nocopy 49s. Would you expect it to be much different to this. I thought both were quite fast.
The "teardown" for the Lenovo Yoga 310-11IAP I downloaded mentioned that there did not seem to be upgradeable ram although he only seemed to look at the bottom of the PCB though I guess if it was to be upgradeable the sockets would most likely be on the bottom as they'd be most accessible there.

Had good luck with MX LInux on other Chromebooks, would be interesting to see how it works on yours.

I've never tried MX Linux though I have seen it get a mention on the forum. Do you know how it compares with Mint Linux? Given the lack of drive space to test it I'd probably have to start again and use MX in the same way as I used Mint including using the version of grub in MX to boot the Pups. I'll have a look at MX.

Regards,

Ken.

[wizard]

@keniv

Would you expect it to be much different to this.

Would have expected little more than that, post your menu for the nocopy. My Acer CB3-431 with nocopy boots BW64 10.0.7 from a USB 3 flash in 22 seconds (timed from grub menu)

Also, look at ram use, you should gain several hundred mb.

LIke MX better than Mint as is lighter weight and can be installed frugally (mine is just under 5gb with VLC & Libreoffice). Just give a try from a USB, curious if it will recognize your sound chip.

wizard

[bigpup]

If the computer has 4GB of RAM.

There is no reason to boot with nocopy.

Just do a normal boot and let all of Puppy Linux load into RAM.

Everything will run faster as you use Puppy.

that is more than enough RAM.

----------------------------------------------------------------------------------------------------------------------------

To add RAM.

Need to find out if the RAM setup is single channel or dual channel.

Dual channel
The RAM sticks need to be a matched set. Same brand and model.
2 of the same exact kind in size and speed.

2 ->2GB sticks for total 4GB
2 ->4GB sticks total 8GB
2 ->8GB sticks total 16GB

Single channel
You can mix them up as long as they are close to the same speed ratting.
If one stick is say 1800MHz and another is 2400MHz, RAM will work at the 1800MHz speed.

[mikewalsh]

Just to add to what @bigpup has stated above:-

This is mainly for desktop PCs. It doesn't really apply to laptops, due to fundamental differences in construction. All the laptops I've ever seen only have a maximum of two DIMM slots.

Many more recent PCs, especially with micro-ATX boards, only have two DIMM slots. These tend to always run in dual-channel mode SO LONG AS THE STICKS ARE MATCHED.

A lot of older PCs will often have at least 4 DIMM slots. For dual-channel operation, these tend to be 'colour-matched'.....more often than not a pair of blue slots, and a pair of black slots. (TBH, this is not a hard'n'fast rule; I have seen other colours used, though black & blue seem to be more common.)

The main thing is to have a 'matched' set of sticks - as described above - AND to make sure they're both in the same colour slots. For dual-channel operation with the capacity 'maxed-out', make sure to have all four sticks the same type, make, speed, etc...

Just some more info.

Mike.

[keniv]

@wizard

post your menu for the nocopy.

Here's the nocopy line.

Code: Select all

linux /1006BookwormPup64/vmlinuz pmedia=ataflash psubdir=/1006BookwormPup64 pfix=fsck pfix=nocopy

Also, look at ram use, you should gain several hundred mb.

Ram use booted to desktop shown below
copy 1.26GB of 3.64GB
nocopy 565MB of 3.64GB

Like MX better than Mint as is lighter weight and can be installed frugally.

Have had a look at MX Linux including frugall install. Not sure about the example boot stanza.

@bigpup
Thanks for the info on upgrading the ram. I had a good look across the net and the consensus is that the modules are soldered to the PCB. While I've had some experience at removing and replacing SMDs I cannot find anywhere that has these modules available and even if I could get them I'm not sure it's worth the effort so I think I'll be sticking with the 4GB ram.

If the computer has 4GB of RAM. There is no reason to boot with nocopy.

Yes,I now have two opposing bits of advice. As you can see from above it does seem to make a difference to the amount of "free" memory which I suppose is no surprise. I've never run before with nocopy. At the moment I have two boot menu entries one with nocopy and one without so I suppose I can experiment.

@mikewalsh

This is mainly for desktop PCs. It doesn't really apply to laptops, due to fundamental differences in construction.

Again thanks for the extra info. I've changed mem modules in PCs before and even in old laptops but it looks like it's a non-starter in this one.

Regards,

Ken.

[wizard]

@keniv

linux /1006BookwormPup64/vmlinuz pmedia=ataflash psubdir=/1006BookwormPup64 pfix=fsck pfix=nocopy

Shorten it to this:

linux /1006BookwormPup64/vmlinuz pmedia=ataflash psubdir=/1006BookwormPup64 pfix=nocopy,fsck

That's a comma between them and no space.

Ram use booted to desktop shown below
copy 1.26GB of 3.64GB
nocopy 565MB of 3.64GB

Looks about right and not a trivial gain. You can try both with and without nocopy and pick the one you like the best.

Would not bother with trying a smd swap, could brick the board, plus as mentioned before, zram really does stretch the available ram. Have many systems running with 4gb ram and about the only time it is limiting is if running a Virtual Box session.

wizard

[keniv]

@wizard

Shorten it to this

linux /1006BookwormPup64/vmlinuz pmedia=ataflash psubdir=/1006BookwormPup64 pfix=nocopy,fsck

Thanks for tidying up my code. I've now tidied up my boot stanzas for both BookwormPup 10.0.7 and FP96-4CE.

Would not bother with trying a smd swap, could brick the board, plus as mentioned before, zram really does stretch the available ram.

No I've given up on that idea. Not worth the effort or risk. I now have another similar Lenovo again it was on it's way to electronic waste. It's an Ideapad 120S IAP. again 4GB ram but CPU is dual core. It also has a non-working version of Win10. Again I'll put linux on it. I might try your suggestion of MX together with BookwormPup 10.0.7. If I have problems I'll start a new thread.

Regards,

Ken.