UEFI, Secure Boot, Windows 8 and Ubuntu 14.04 - more learnings

I'm writing this in November of 2014. Since UEFI and secure boot are still fairly new, it could very well be that what I'm writing now is more or less obsolete even a short while from now.
To my recollection both of the systems had Windows 8 (and not Windows 8.1)

The two systems on which I made this work was

  • A Gateway NV52L15U laptop
  • An HP Pavillion TS 15 Notebook. Windows 8, Insyde Bios V F.34

Step By Step Instructions

I presume here that you have a system with Windows 8 already installed, your PC uses UEFI and secure boot. If any of this is not true, you might find easier solutions than what I'm doing here

  1. Install Ubuntu 14.04
    I did this from a DVD. It should also work from a live USB, but if you have more esoteric ways of installing (like multisystem for example), secure boot will probably make that impossible.
    After the install I saw various behaviours. The ones I remember are these:
    • The pc boots into the GRUB menu, and selecting Ubuntu works fine.
    • Selecting Windows fails with a message that a file couldn't be loaded
    • I can get to the "Bios" boot selection prompt and select either Windows or Ubuntu and they both start fine
    • The very first boot into Windows after the install somehow "reverts" the startup behavior back to a direct Windows boot (Grub isn't displayed). But usually when you get into the "bios" boot selection menu, you can still get to the Ubuntu install.
  2. Boot into Ubuntu and type these commands
    wget http://www.codon.org.uk/~mjg59/shim-signed/shim-signed-0.2.tgz
    tar -xpzf shim-signed-0.2.tgz
    cd shim-signed/
    sudo mkdir /boot/efi/EFI/refind
    sudo cp * /boot/efi/EFI/refind/.
  3. In Ubuntu, visit the following site: http://www.rodsbooks.com/refind/secureboot.html and download the refind-bin-0.8.3.zip. It should end up in your Download folder
    unzip the file refind-bin-0.8.3.zip
  4. type these commands
    cd refind-bin-0.8.3/
    sudo ./install.sh --shim /boot/efi/EFI/refind/shim.efi
    sudo cp keys/refind.cer /boot/efi/EFI/refind/.
    sudo cp keys/canonical-uefi-ca.der /boot/efi/EFI/refind/.

    sudo reboot

  5. at that point you should boot into the rEFInd boot screen. When there, enroll the following keys (see http://www.rodsbooks.com/refind/secureboot.html, section on enroll key from disk for details)
    refind.cer
    canonical-uefi-ca.der
  6. go back to the rEFInd main screen, and boot into windows.
  7. In Windows get a command window with admin privileges and type these commands
    mountvol s: /s
    bcdedit /set {bootmgr} path \EFI\refind\shim.efi

Note that the uEFInd screen shows the grub as a boot option. You don't really need that one. To get rid of it, boot into Linux, and remove the folder /boot/efi/EFI/ubuntu.

That did the trick for me.

Attribution:
I spent lots of hours trying to understand all this. The most help for me was the refind web site maintained by by Roderick W. Smith. http://www.rodsbooks.com/refind/secureboot.html