Step-by-Step Guide to Installing Linux on Modern Hardware with UEFI and Secure Boot

Deploying Linux on UEFI-based systems with Secure Boot can introduce challenges not present in legacy BIOS environments. This guide assumes hardware manufactured post-2018, with UEFI Class 3 firmware (no CSM) and Secure Boot enabled by default. Legacy BIOS steps are omitted here.

Required Tools and Artifacts

8GB+ USB flash drive
Verified Linux installation ISO (e.g. Ubuntu 22.04 LTS, Fedora 39, Debian 12)
Host system with UEFI firmware and configurable Secure Boot
USB flashing tool: Rufus 4.x (Windows), Etcher (all platforms), dd (Linux/macOS)

Note: Avoid unbranded USB drives. Some fail EFI initialization.

1. Write ISO to USB, Ensuring UEFI Boot

UEFI hardware requires a USB formatted with GPT and a properly structured EFI partition.

Windows + Rufus

Select Linux ISO; Partition scheme: GPT.
Target system: UEFI (non-CSM) (CSM disables Secure Boot support).
File System: FAT32 (some ISOs >4GB need NTFS, but this may break UEFI boot—workaround: use Ventoy).

Linux/macOS
Modern ISOs (e.g. Ubuntu 22.04, Fedora 39) can be written directly:

sudo dd if=linux.iso of=/dev/sdX bs=4M status=progress conv=fsync

Replace /dev/sdX with your USB device; double-check with lsblk. Wrong selection can wipe your data.

Cross-platform (Etcher)
Etcher handles most UEFI/GPT details but offers less partition control. Suitable for common cases.

2. Data Backup & UEFI Configuration

Back up data. Repartitioning can cause data loss.
Enter the UEFI firmware interface (usually F2, Del, or Esc at POST).
Locate Secure Boot:
- Leave enabled for maximum firmware verification.
- Disable if using niche distributions or kernel self-compiling. Most mainstream ISOs sign their bootloaders.
Confirm “Fast Boot” is disabled if dual-booting. This interferes with UEFI NVRAM boot order updates.

3. UEFI Boot: Select Proper USB Device

Insert prepared USB stick.
Boot to the UEFI boot menu (F12/F11/Esc, varies by vendor).
Choose the entry labeled “UEFI: <USB_NAME>”.
If “Legacy” or “BIOS” is visible, do not use—modern installations must use UEFI for correct ESP setup.

4. Launch Installer & Partition Storage

Upon successful boot, the graphical Linux installer appears (e.g., Ubiquity or Calamares). Select Install.

Key Partitions for UEFI:

EFI System Partition (ESP):
- ~300MB FAT32, mount at /boot/efi
- Only one ESP per disk; re-use Windows ESP for dual-booting.
  (Gotcha: Making a second ESP confuses firmware on some laptops. Seen on Dell Latitude and certain HP models.)
Root:
- /, ext4, minimum 20GB; 30-40GB for dev/ops tools or containers.
Swap:
- Optional if system RAM ≥8GB. If hibernation is needed, allocate swap ≥ RAM size.
Additional:
- Home directory split (/home) not essential, but common in multi-user setups.

Partition layout example (dual-boot):

Mount Point	Size	Type	Comment
/boot/efi	300 MB	FAT32	Existing or new
/	40 GB	ext4	Main OS
swap	8 GB	swap	Optional

5. Proceed With Installation & Observe EFI Bootloader

Installers such as Ubiquity (Ubuntu), Anaconda (Fedora), or Debian Installer auto-detect UEFI. At the bootloader stage, confirm the installer points to /boot/efi.

Known issue:
Some older firmwares (e.g. certain Lenovo BIOS v1.14) do not update UEFI NVRAM entries if Secure Boot is disabled. You may need to manually add an EFI boot entry post-install with efibootmgr from a live USB.

6. Secure Boot: Handling Edge Cases

For Ubuntu 22.04/Fedora 39 and similar, Secure Boot just works. Signed shimx64.efi and grubx64.efi are present.
Community distros (e.g. Arch) require manual signing, which is outside scope.
For advanced users: shim-signed
Error message during first boot such as
```
Verification failed: (15) Security violation
```
indicates unsigned binaries or wrong USB boot mode. Solution: Re-flash USB image, verify UEFI boot.

7. First Boot & Post-install Checks

Remove the USB stick. System should present a GRUB boot menu. If not:

Boot straight into Windows? UEFI may not have updated boot order. Boot from USB again, use efibootmgr:
```
sudo efibootmgr -v
sudo efibootmgr -o 0002,0001
```
Replace 0002/0001 with Linux and Windows entries.
Boot drops to shell? ESP partition might not be mounted at /boot/efi. Repair via chroot or reinstall.

Check UEFI boot mode from Linux:

test -d /sys/firmware/efi && echo "System booted in UEFI mode" || echo "Legacy BIOS mode"

Non-obvious Tips

Multiple operating systems? Only one ESP per disk. Shrink Windows partitions from within Windows for best safety.
ISO mismatch: Some manufacturers release devices incompatible with generic kernels (e.g. Surface Laptop 4, WiFi/TPM). Consider latest Ubuntu LTS or use pre-release kernel builds.
Ventoy is excellent for multi-ISO USBs but isn’t officially Secure Boot signed—has its own workaround, which some firmware may block.

Troubleshooting

No GRUB menu:
- Set system to prioritize UEFI Linux entry (efibootmgr or UEFI settings).
Boot fails with “security violation”:
- USB booted via legacy mode. Redo USB, ensure UEFI mode, verify Secure Boot compatibility.
Windows fast boot interferes:
- Disable in Windows:
```
powercfg /h off
```

Summary Table

Step	Critical Detail	Tool
USB creation	GPT, UEFI (non-CSM), FAT32	Rufus, Etcher, dd
Data/UEFI prep	BIOS/UEFI access, Secure Boot toggle	BIOS setup utility
UEFI boot USB	UEFI boot menu, not legacy	Firmware menu
Partitioning	Reuse/create ESP, root as ext4	Installer UI
Secure Boot handling	Signed loader or temporarily disable	UEFI firmware, installer
Post-install validate	GRUB menu, correct boot entry	efibootmgr, firmware settings

Practical deployments often require negotiation with firmware quirks. Proactive ESP partition planning and attention to boot modes sharply reduce failed boot scenarios. For deep customization or exotic hardware, review distro-specific UEFI notes.

For unresolved issues or edge case hardware, post detailed logs and error outputs for peer review. Direct, detailed symptoms almost always accelerate resolution.

How To Install Linux