How can I disable Secure Boot without entering BIOS Setup?
Solution 1:
By design, Secure Boot cannot be disabled from within an OS; you must enter your firmware's setup utility in order to disable it. With most computers, you can enter the firmware setup utility by hitting a function key, or sometimes Del, early in the boot process. Some computers don't enable the keyboard, though, or don't provide this option at all. If you've got such a system, you could try unplugging the hard disk from the motherboard and booting without a disk; that might kick the system into the firmware setup utility.
IIRC, the HashTool.efi program that comes with PreLoader.efi provides an option to reboot into the firmware's setup utility. This option doesn't work on all computers, though. If yours is one on which this feature works, you could get in by preparing a USB flash drive as follows:
- Download PreLoader.efi and HashTool.efi.
- Prepare a USB flash drive with a FAT filesystem. You may need to partition it with GPT and mark the partition as an ESP by giving it a type code of EF00 in gdisk or by setting its "boot flag" in parted or GParted.
- Copy and rename PreLoader.efi to the USB flash drive as EFI/BOOT/bootx64.efi and copy HashTool.efi as EFI/BOOT/HashTool.efi.
- Move the USB flash drive to your currently-unbootable computer and try to boot from it. With any luck, HashTool will come up and give you an option to reboot into the firmware setup utility.
Another option would be to prepare a USB flash drive or the like with a Secure Boot-enabled boot loader (PreLoader or shim). This would enable you to boot to Linux and install the Secure Boot-enabled boot loader on your hard disk. If you use PreLoader, you can begin as just described, but you'll also need to copy a regular Linux boot loader to the USB drive as EFI/BOOT/loader.efi. When you boot, HashTool will then let you register that program as valid, and thereafter it will work. You'll still have to configure the boot loader to boot off your regular hard disk, though. For more information or if you want to use shim rather than PreLoader, see my Web page on the topic for details.
Update: Recent versions of rEFInd, and I believe also gummiboot, provide an option to reboot into the firmware setup utility. To be useful, you'll need to install these programs to launch from PreLoader.efi or shim.efi. My rEFInd Secure Boot documentation covers this process in detail for rEFInd.
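The file layout from the USB steps in Solution 1, including the optional loader.efi copy, as a script. This is an added example, not code from the answer's author; the function names `stage_esp` and `verify_esp`, the `/dev/sdX` device and the `/mnt/usb` mount point are assumptions.

```sh
#!/bin/sh
# Added example (not from the original answer). Stages PreLoader/HashTool onto
# an already-mounted FAT ESP. Partitioning is destructive, so it is shown only
# as comments; /dev/sdX and /mnt/usb are placeholders, and sgdisk is the
# scriptable counterpart of the gdisk tool named in the answer:
#   sgdisk --zap-all /dev/sdX
#   sgdisk -n 1:0:0 -t 1:EF00 /dev/sdX
#   mkfs.vfat -F 32 /dev/sdX1
#   mount /dev/sdX1 /mnt/usb

# stage_esp SRC_DIR ESP_MOUNT [LOADER]
# SRC_DIR must contain PreLoader.efi and HashTool.efi. LOADER is an optional
# regular Linux boot loader, installed as EFI/BOOT/loader.efi.
stage_esp() {
    src=$1; esp=$2; loader=${3:-}
    # Check every input before touching the target, so a failure leaves it clean.
    for f in PreLoader.efi HashTool.efi; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done
    if [ -n "$loader" ] && [ ! -s "$loader" ]; then
        echo "missing or empty: $loader" >&2; return 1
    fi
    mkdir -p "$esp/EFI/BOOT" || return 1
    # PreLoader is renamed to the fallback boot file name used on the USB drive.
    cp "$src/PreLoader.efi" "$esp/EFI/BOOT/bootx64.efi" || return 1
    cp "$src/HashTool.efi" "$esp/EFI/BOOT/HashTool.efi" || return 1
    if [ -n "$loader" ]; then
        cp "$loader" "$esp/EFI/BOOT/loader.efi" || return 1
    fi
}

# verify_esp SRC_DIR ESP_MOUNT
# Confirms the staged copies are byte-identical to the downloaded files.
verify_esp() {
    src=$1; esp=$2
    cmp -s "$src/PreLoader.efi" "$esp/EFI/BOOT/bootx64.efi" ||
        { echo "bootx64.efi differs from PreLoader.efi" >&2; return 1; }
    cmp -s "$src/HashTool.efi" "$esp/EFI/BOOT/HashTool.efi" ||
        { echo "HashTool.efi differs from source" >&2; return 1; }
    [ -e "$esp/EFI/BOOT/loader.efi" ] || echo "note: no loader.efi staged"
    echo "ESP layout OK under $esp/EFI/BOOT"
}

# Stand-alone use: ./stage.sh SRC_DIR ESP_MOUNT [LOADER]
if [ "$#" -ge 2 ]; then
    stage_esp "$1" "$2" "${3:-}" && verify_esp "$1" "$2"
fi
```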
Solution 2:
Is there a way to disable UEFI Secure Boot without entering BIOS settings?
Secure Boot is an option enabled by default on UEFI OEM systems. It's actually required to be turned on by default, with the option to disable it, to get a Windows 8 supported sticker from Microsoft.
So even if you remove the CMOS battery, the default option would be to enable Secure Boot.