[INSTALLATION] Secure Boot, Zorin OS or Intel Optane?

Hello everyone and moderators,

So today I purchased Zorin OS 15.3 after trying the Core version on VMware Workstation Pro. I was so happy to obtain my first Linux and install it on my local laptop, but it was not smooth. The story begins with my hardware specification:

  1. UEFI plus Secure Boot with the combination keys from ASUS and Windows.
  2. Intel Optane with NVMe SSD H10, using Windows to manage the partition with something called "Intel Optane Memory and Storage Management". This drive has built-in Intel Optane to be configured for optimization with the SSD that comes along with it; yes, it's in one package.
  3. NVIDIA RTX 2060.
  4. Intel Core i7.
  5. Basically, it's an ASUS Zephyrus M machine with the model number GU502GV, and I love it.

The problem started when I resized the 1TB linked Optane + SSD to get 100 GB at the end of the partition to install Zorin OS 15.3. The installation process went well without any problem; I used the option to use modern NVIDIA drivers and connected the machine to the Internet so that it could pull updates during the installation. The machine needed to be rebooted, so I rebooted it without hassle. The thing is, after the reboot, the whole Windows Boot Manager was corrupted and the system had to repair the Boot Manager and automatically restarted several times to complete the procedure.

After that, on the next reboot after I went into Windows and restarted it, I booted into the UEFI Boot Menu and chose the Zorin OS entry to try to start it up, but no luck: the screen flashed for 1 second and returned to the menu, forcing me to choose the Windows Boot Manager to fire things up.

So, what do we have here? I resized the partition to install Zorin OS alongside Windows, chose Secure Boot and put a password on it, and used the modern NVIDIA drivers option to install Zorin. Or is it that the SSD with Intel Optane cannot have Zorin OS installed on it?

Thank you for your support, regardless of whether it's from our beloved users or the masterminds behind the distro!

Edited: P/S: I didn't use balenaEtcher (bE) to make the USB boot drive but instead used Rufus, since bE could not format my thumb drive. I hate using bE :frowning:

1 Like

Welcome to the forum, Corgei. I'm glad you decided on Zorin.

Secure Boot is for signed drivers, a Windows thing, and can be safely turned off... a necessity with Linux. I know it's not something that people look up before installing, but our recommended checklist prior to install should be read; it warns about the Windows Fast Boot option and hibernation, both of which lock the drive and cause issues in resizing or even access. Disabling these in Windows will help. Then try to access Zorin again, though you may be looking at another install because of Windows "features".

Edit: bE should be avoided at all costs, even though it's recommended by the devs. Rufus was a good choice.

2 Likes

That's a lot in one go. You pretty much have the anti-Linux machine there.
First things first: as you chose Zorin OS Ultimate, this comes with direct installation support from the Zorin Group developers. Please use the contact form to request help.

  • SSD using eMMC or NVMe must use RAID instead of AHCI - set in your UEFI settings. Even then, these particular drive types are formatted to work with Windows.
  • It is advisable that Secure Boot be disabled in order to install and run a Linux Distro. This can be worked around, but given your experiences, you would want to make this as easy on yourself as you can.
  • Your motherboard is one known to resist use with Open Source, as well.
  • Nvidia is notoriously contemptuous of Open Source. Again, this usually still works, but it is just another aspect of your build that adds to the "wow" factor.

From what you describe, you may need Boot Repair:
https://help.ubuntu.com/community/Boot-Repair

This video guide for installation may be helpful:

One option you may consider in the meantime is using a separate standard HDD and installing your copy of Zorin OS Ultimate on that.
You may also opt to run Zorin in a VM if that works well for you.

And yes, I also recommend avoiding BalenaEtcher. I use Unetbootin, but Rufus is good, too.

1 Like

FYI. You can find that here: Before you install

Me too.

Well, it looks like Windows 10 21H1 does well at hardening my main installation, also securing it by implementing Secure Boot alongside hibernating the entire internal drive to make it trusted by UEFI through TPM 2.0.

My question is: I didn't face this problem when installing the original Ubuntu versions (both 20.04 LTS and 21), and Rufus allowed me to create my USB to work with Secure Boot using the GPT and UEFI-native option, formatted as FAT32. Can I still use all the security options IF I ONLY use Zorin OS as the only OS on my other machine? Having said that, I mean Secure Boot enabled, TPM enabled, encryption enabled.

If bE needs to be avoided, then why did the installation page of Zorin OS suggest I use it to make the USB boot drive? It even led me to the bE site to download it. I'm surprised:

I don't personally think the system still uses AHCI under UEFI anymore:

I want to make my machine a completely secure environment no matter what OS I am using, from Open Source to Closed Source such as Windows.

I don't think so either; I can still install Ubuntu or Pop OS if I want, with just a little bit of working around if you know the root causes.

Vulkan does the job very well if you look into decent articles, both on Google or YouTube.

As said above, Windows did a very good job of successfully recovering my boot records (BIOS); well, I mean EFI (UEFI). I don't normally just partition the drive and set a fixed partition for the OS to be installed on; I delete the whole disk to unallocated space, then let the OS installation create the other partitions, which people normally don't think about but are important:

I did think of it, but I always ask myself why I should buy a Linux distro and make it portable on an antique HDD like that. Forget about HDD: even if it should be portable, I'll make it with an external SSD hooked up over USB Type-C to broaden the bandwidth and prevent some of the bottlenecks.

Again, you guys recommend I avoid bE, but the official site instructs people to use it. I think you guys should change the webmaster's mind and switch it to Rufus or any reliable USB thumb drive boot creator.

Perhaps I am not understanding properly what is conveyed here:

Are you able to boot into Zorin OS?

Yes. As you pointed out, you can work around certain issues as long as you know the cause. Secure Boot can be enabled; it is only recommended to be disabled if possible, since Secure Boot is known to cause issues, not just in installation but in performance.

The best security begins with the user. TPM is useful. But hardware security is not the best front-line defence. A malicious actor will work around hardware security quickly, and when they do, replacing the hardware is not the best option.

I am sorry, I was not clear. HDD/SSD is fine; I was referring to an external drive that is not NVMe or PCI eMMC. Bottlenecks are a problem with external drives, so it is good to see that you understand this well.

As in all things, opinions vary. :wink:
The ZorinGroup recommends BalenaEtcher while many of us on the forum recommend against it.

Can we step back and ask you to please clarify: What has gone wrong with your installation? What symptoms, errors or failures are you seeing?

MBR sticks with BIOS, while GPT sticks with UEFI. A basic understanding of what we are calling the boot records: they lie in the MBR type, whilst EFI lies in the GPT type. From traditional times, we are so used to the term "BIOS modifications" and define it as the thing we go into to configure; what we call the BIOS should be known as "Firmware", not BIOS or UEFI. This is what I have understood about the system; correct me if I'm wrong.

No, I was having a meeting with colleagues about some multi-cloud deployment, so I did not have a chance to rework it.

I didn't call Secure Boot a full-stack solution for security, but at least at the firmware level, it can prevent some known issues coming from various sources. Later on, if a hack bypasses that first layer of security, the OS layer will handle it: my Windows OS is hardened by different security rules and with help from the Firewall for network defenses, Bitdefender Total Security and Malwarebytes with Microsoft 365, together with Surfshark VPN for encrypting inbound and outbound connections, and if everything fails, then I can revert previous changes using my Acronis True Image backups.

In short, the firmware could not load the Zorin OS boot entry and went straight to Windows.

You are correct.
Yes, many people say BIOS when what they mean is the UEFI settings.

Ok, the Windows Boot Repair seems to have only repaired boot for Windows and ignored the Zorin OS Grub. I suggest using the Ubuntu Boot Repair linked above in order to ensure that Both Windows and Zorin OS can successfully boot.

Windows requires such lengths because it is the focus that most hackers, for lack of a better term, aim to undermine. I don't know what you do for a living or who you are, but you go to lengths that most users would not. It is good to be secure, but you must understand that some things are named specifically to get people who are paranoid about security to insist on their use.

Linux has very few attacks every year because it is a natively secure environment. Driver signing can be done by anyone who wants to put up the money to Windows, which is all that Secure Boot in the firmware guarantees: that a company/individual took the time to pay Windows to check their driver, which may not be the one that company/individual puts the certification on. Linux, being the black sheep of OSes, has little support for drivers. Most are created by the Linux community or modified to make them work properly.

The majority of security holes are in software you use regularly... office, browser, email client, PDF viewer/reader, imaging software and such. The encrypted connections you use and antivirus/antimalware are the first line of defense and your main saving grace. The OS itself cannot and most of the time will not help at all. Linux sandboxes everything... all processes. That makes antivirus software obsolete, because there is no way to change the system from that process's running environment.

You are the main line of defense. Most people who get viruses, malware or Trojans aren't targeted; they clicked on something they shouldn't have and the "hacker" is notified of the fish dangling on the hook. Unless you make millions of dollars, have a high position in a Fortune 500 company, or are an important part of government at any level... you will not be targeted. You are more likely to fall into the trap of not thinking before clicking than to be targeted. You insist on limiting your experience because of security, with a less secure OS to begin with.

You have locks on your doors and possibly a security system... do you really think people can't get in? All of them can be bypassed, yet you have the illusion of security. Limiting yourself from a far superior OS, one that is more secure than Windows will ever be even with these new requirements for 11, is ludicrous. Any of the Linux distros will assist you in learning more about your computer, how to use it, and what Microsoft has hidden from you to make it "easier", because they think they know what you should and shouldn't know.

Bottom line: Secure Boot has nothing to do with security. The hardware security features most computers have today are great, but like the locks on your door, they won't keep anyone determined out.

Linux by nature is more secure than Windows without any configuration. Add to that your encrypted connections, HTTPS and a mindful presence on the Internet, and you already have the most secure system you can have without using it as a paperweight.

We on the forum do not have a say in what is on the website, what is supported by the devs or what they promote. We have handled so many issues of bE destroying USB drives that we cannot morally back the devs on that decision and refuse to. It has been suggested to them several times to change that statement and back another image writer, but that is one way they support themselves to continue this endeavor. I don't agree with it, but I understand and appreciate the work they put into the OS.

You should turn off Secure Boot to run Linux. You should turn off firmware Fast Boot to run Linux. You must turn off Windows Fast Boot and hibernation, because these lock the drive from access (read-only) by other OSes. None of these actions make your system vulnerable, even in Windows.

Edit:
I am not anti-Windows. I am Microsoft certified and have known the system for two decades now. They have improved security, but it still has bugs and gaps because they push to get the next feature or OS out. As you see, Zorin OS 16 is in beta, and more secure and stable than Windows will ever be. Yet they are still working on Zorin to improve it and make it as stable as possible before releasing the official version. This has caused delays in the release, but it is worth the wait. It's refreshing to see a distro focused on quality and making sure it works. IF ONLY Microsoft would learn from Linux developers.

4 Likes
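The Windows-side part of the checklist in the post above (turn off Fast Startup and hibernation before touching the disk with another OS), as an added example that is not from this thread or from the Zorin project. The function names are this example's own; `Confirm-SecureBootUEFI`, the `HiberbootEnabled` registry value and `powercfg` are standard Windows tools, and the script assumes an elevated PowerShell on Windows 10.

```powershell
# Added example (not from the thread). Function names are this example's own;
# Confirm-SecureBootUEFI, HiberbootEnabled and powercfg are standard Windows tools.
# Run from an elevated (Administrator) PowerShell.

$PowerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

function Get-DualBootReadiness {
    # Secure Boot state is read-only from Windows; the cmdlet throws on
    # legacy-BIOS machines, so report that instead of failing.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = 'Unknown (firmware not in UEFI mode?)' }

    # Fast Startup is the HiberbootEnabled DWORD: 1 = on, 0 = off.
    $fast = (Get-ItemProperty -Path $PowerKey -Name HiberbootEnabled `
             -ErrorAction SilentlyContinue).HiberbootEnabled
    if ($null -eq $fast) { $fast = 'not set' }

    # Hibernation leaves hiberfil.sys on the system drive (a hidden
    # system file, so use .NET File.Exists rather than Get-ChildItem).
    $hibernation = [System.IO.File]::Exists("$env:SystemDrive\hiberfil.sys")

    [pscustomobject]@{
        SecureBoot      = $secureBoot
        FastStartup     = $fast
        Hibernation     = $hibernation
        # Either setting on means Windows may leave NTFS volumes locked
        # (mounted read-only or refused) when Linux boots next.
        SafeToDualBoot  = (-not $hibernation) -and ($fast -ne 1)
    }
}

function Disable-WindowsFastStartup {
    # Turn Fast Startup off in the registry and disable hibernation, which
    # also deletes hiberfil.sys. Secure Boot cannot be changed from here;
    # change it in the firmware setup if you choose to.
    Set-ItemProperty -Path $PowerKey -Name HiberbootEnabled -Value 0 -Type DWord
    powercfg.exe /hibernate off
}

Get-DualBootReadiness
```

Run `Get-DualBootReadiness` first to see the current state, then `Disable-WindowsFastStartup` and reboot Windows fully before booting the Linux installer.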

Very well said.

I do need to add one small caveat in the interest of Open Honesty:
Bitcoin.

Bitcoin has caused a change in security, though slight. While the above is well said and correct, in these times Bitcoin generation has led to average users being targeted more, in the hope of building a network of Bitcoin generation for free by hijacking personal machines.
This affects Windows, really. It would be exceptionally difficult to hijack a Linux machine for that purpose. But for those who dual boot, they are at risk of their computer being compromised, even if not the Linux install.
This makes a valid security concern that is purely modern. But this brings us back to: you are the main line of defense. The main method of enabling this is to trick a user into clicking a file that contains a binder that fakes the size of the file and utilizes a discreet launcher. Only an intelligent and attentive user can catch these; all the antivirus in the world cannot catch a well-constructed binder. But a reasonably attentive person knows not to open dubious objects.

1 Like

This reminds me of this article:

Unfortunately, that fatigue makes it more likely users will click on a malicious email without knowing it – which explains why 94% of malware is now delivered via email.

1 Like