Fedora 34 Clean Install on UEFI BIOS with Secure Boot

Secure Boot

The Fedora 34 ISO ships an updated Grand Unified Bootloader 2 (GRUB2) and will pass Secure Boot verification on a UEFI BIOS that has been patched to address the security vulnerability CVE-2020-10713. Fedora have been behind the curve in updating their installation media to address this vulnerability.

All older versions of Fedora will be blocked by a 2020 (or later) updated UEFI BIOS, which displays the Secure Boot error Verification Failed: (0x1A) Security Violation.

The RedHat team take a stringent Open Source philosophy with Fedora and the installer only includes Open Source code that passes Secure Boot.

There is no option to install closed-source Linux Drivers or additional multimedia codecs and to set up an associated Machine Owner Key (MOK), as there is on Ubuntu based distros for example.
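Once Fedora is running (live or installed), you can confirm from a terminal that the system really was booted with Secure Boot enforced. The script below is an added example, not part of the original guide; it reads the SecureBoot and SetupMode UEFI variables that Linux exposes through efivarfs, and its function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report the firmware's Secure Boot
# state by reading the UEFI variables Linux exposes through efivarfs.

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# efi_var_byte DIR NAME: print the first data byte of a variable as a decimal.
# Each efivarfs file is a 4-byte attribute word followed by the variable data.
efi_var_byte() (
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || exit 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || exit 1          # file shorter than 5 bytes
    echo "$v"
)

# secure_boot_state [EFI_DIR]: print one of
#   not-uefi    booted through legacy BIOS/CSM, so no UEFI variables exist
#   enabled     firmware is enforcing Secure Boot
#   setup-mode  no Platform Key enrolled, signatures are not enforced
#   disabled    Secure Boot switched off in firmware setup
#   unknown     variables missing or unreadable
secure_boot_state() (
    efi="${1:-/sys/firmware/efi}"
    [ -d "$efi" ] || { echo not-uefi; exit 0; }
    sb=$(efi_var_byte "$efi/efivars" SecureBoot) || sb=""
    sm=$(efi_var_byte "$efi/efivars" SetupMode) || sm=""
    case "$sb" in
        1) echo enabled ;;
        0) if [ "$sm" = 1 ]; then echo setup-mode; else echo disabled; fi ;;
        *) echo unknown ;;
    esac
)

# make_sample_efi DIR SB SM: build a constructed efivars tree for testing.
# Each file gets the attribute word 0x00000006 followed by one value byte.
make_sample_efi() {
    mkdir -p "$1/efivars"
    { printf '\006\000\000\000'; printf "\\00$2"; } \
        > "$1/efivars/SecureBoot-$EFI_GLOBAL_GUID"
    { printf '\006\000\000\000'; printf "\\00$3"; } \
        > "$1/efivars/SetupMode-$EFI_GLOBAL_GUID"
}

# Report the state of the machine this script runs on.
echo "this machine: $(secure_boot_state)"
```

Where it is installed, `mokutil --sb-state` reports the same state.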

Multimedia Playback Codecs

The closed-source multimedia codecs are usually only really required for video or audio playback, particularly for more restricted content with a browser.

Open access videos such as YouTube videos will typically play using the Open Source multimedia codecs; however, paid subscription content (e.g. Prime Video, NetFlix and so on) typically requires installation of the Closed Source Codecs for Video Playback. In short, these videos may not play on Fedora 34 with the preinstalled Open Source FireFox, or with the Open Source Chromium browser if it is installed.

Installing the Closed Source Multimedia codecs requires you to Enable the RPM Fusion Repositories. Even with the Repositories Enabled, FireFox has a lower HTML5Test score than Google Chrome, so if you have additional video playback issues it might be better to try using Google Chrome. The Closed Source Google Chrome Browser is available as a (RedHat Package Manager) RPM package for Fedora and includes all the Closed-Source Multimedia codecs required for video playback built in. Note that after installation these multimedia codecs will only be accessible from Chrome and not FireFox or Chromium.

Drivers

It should be noted that the vast majority of Linux drivers are built into the Linux Kernel for pretty much all modern (>2012 UEFI) Intel and AMD hardware. Drivers from smaller chip manufacturers such as Broadcom, who make networking components, are also built into the Kernel.

For the vast majority of cases, you will be fine using only the inbuilt drivers within the Linux Kernel. The only notable exception is if you have an NVIDIA graphics card. In such a case, the chip manufacturer NVIDIA refuse to make an Open Source Driver and instead only release a closed-source NVIDIA driver. Fedora 34 will install a generic driver which has basic performance. For full performance you should install the NVIDIA driver. Doing so will require you to Enable the RPM Fusion Repositories, and to install the NVIDIA closed-source driver you will unfortunately need to Disable Secure Boot.

Create a Bootable USB

Create a UEFI Bootable USB in Windows 10

You can download Fedora from the Fedora website:

RedHat have a Fedora Media Writer which works well on Windows 10. Select Download Now:

Then select the Windows Logo:

Launch the Fedora Media Writer and Accept the User Account Control Prompt:

Select I Agree:

Select Install:

Select Next:

Select Finish:

Accept the User Account Control Prompt:

Select Fedora Workstation 34 to download the ISO. If you have already downloaded the ISO you can load it by selecting Custom Image:

Select Create Live USB:

The ISO will download and the Fedora Media Creation Tool will check the ISO Checksum in the background, giving the green light to create installation media if the ISO is complete:

Select your USB and then select Write to Disk:

The Fedora Media Writer will make your Bootable USB. When finished it will state Finished. You can select Close:

Create a UEFI Bootable USB in Fedora

Open up software and search for USB. The Fedora Media Writer should be near the top of the search results:

Select Install:

Select Create Live USB to Download the ISO and Create the Bootable USB (if you have already downloaded the ISO select Other Variants… and then select the ISO you have Downloaded):

The ISO will Download:

When it's Downloaded it will state Ready to Write. Select your USB and select Write:

When done it will say Finished. You can select Close:
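If you supply an ISO you downloaded yourself rather than letting the Media Writer fetch it, you can check it against the CHECKSUM file published alongside the image. The following is an added example, not code from Fedora or from the original guide; the function names and the sample.iso stand-in are constructed, and the optional keyring argument assumes you have saved Fedora's published signing keys to a local file.

```shell
#!/bin/sh
# Added example (not from the original page): check a downloaded ISO against a
# Fedora-style clearsigned CHECKSUM file.

# signed_body FILE: print only the text inside the PGP clearsign envelope, so a
# line added before or after the signed region can never supply the hash.
signed_body() {
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----/ { inmsg = 1; hdr = 1; next }
        /^-----BEGIN PGP SIGNATURE-----/      { inmsg = 0 }
        inmsg && hdr { if ($0 == "") hdr = 0; next }  # skip "Hash:" headers
        inmsg { print }
    ' "$1"
}

# expected_sha256 FILE NAME: print the hash recorded for NAME, lower-cased.
# Entries look like:  SHA256 (name.iso) = <64 hex digits>
expected_sha256() {
    signed_body "$1" | NAME="$2" awk '
        $1 == "SHA256" && $2 == "(" ENVIRON["NAME"] ")" && $3 == "=" {
            print tolower($4); exit
        }'
}

# verify_iso ISO CHECKSUM_FILE [KEYRING]: print ok | mismatch | no-entry |
# bad-signature. With KEYRING (path to a file holding Fedora's keys) the
# signature on the CHECKSUM file is checked first; without it the result only
# shows that the ISO matches the CHECKSUM file, not who produced that file.
verify_iso() (
    iso="$1"; sums="$2"; keyring="${3:-}"
    if [ -n "$keyring" ]; then
        gpgv --keyring "$keyring" "$sums" >/dev/null 2>&1 ||
            { echo bad-signature; exit 2; }
    fi
    want=$(expected_sha256 "$sums" "$(basename "$iso")")
    [ -n "$want" ] || { echo no-entry; exit 3; }
    have=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$have" = "$want" ]; then echo ok; else echo mismatch; exit 1; fi
)

# make_sample DIR: constructed ISO stand-in plus a CHECKSUM file in the same
# layout (the signature block is a placeholder, not a real signature).
make_sample() {
    mkdir -p "$1"
    printf 'constructed image payload\n' > "$1/sample.iso"
    h=$(sha256sum "$1/sample.iso" | awk '{ print $1 }')
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' '' \
        '# sample.iso: 26 bytes' "SHA256 (sample.iso) = $h" \
        '-----BEGIN PGP SIGNATURE-----' '(placeholder)' \
        '-----END PGP SIGNATURE-----' > "$1/CHECKSUM"
}

# Demonstration on the constructed sample.
demo=$(mktemp -d)
make_sample "$demo"
echo "sample.iso: $(verify_iso "$demo/sample.iso" "$demo/CHECKSUM")"
rm -rf "$demo"
```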

Unified Extensible Firmware Interface (UEFI) Settings

Dell Unified Extensible Firmware Interface (UEFI) Settings

Update your UEFI BIOS

All Computers Manufactured in 2012 or later have a Unified Extensible Firmware Interface (UEFI). Make sure your UEFI BIOS is updated to the latest version before attempting to install Fedora 34, as a number of UEFI BIOS Updates resolve some common Boot Issues. For Dell systems manufactured in 2016 or later you can update the UEFI BIOS from a USB Flash Drive within the UEFI BIOS Boot Menu. For UEFI 2012-2015 models or Legacy 2008-2011 models you will have to either update the UEFI BIOS or Legacy BIOS within Windows or use a FreeDOS Bootable USB:

UEFI and Secure Boot

You should install Fedora 34 with a UEFI BIOS with Secure Boot (requires a computer manufactured in 2012 or later). The SATA Operation must be AHCI (a computer with a single >250 GB SSD is recommended).

Attach your Bootable USB and make sure your Dell PC is powered down. Then power it up and press [F2] to get into the UEFI setup.

Look for Advanced Boot Options and make sure Enable Legacy Option ROMs is Disabled.

Look for Secure Boot and Ensure that it is Enabled:

Next go to Boot Sequence. It should be set to UEFI. Your Fedora USB (in my case the SanDisk USB) should display. If you have old versions of Linux they will also display. Uncheck your Bootable USB and highlight any old Linux installations and select Delete Boot Option.

You should now have a single entry, your Fedora USB Flash Drive. Select Apply:

Then OK:

Expand System Configuration and go to SATA Operation. The storage controller must be set to AHCI:

The Fedora installer doesn't support RAID (Intel Rapid Response Technology) or Intel Optane Memory. If it is enabled the Fedora 34 installer will halt and tell you to disable Intel RST.

Secure Erase Internal Drives

We can use Dell Data Wipe for a more thorough wipe of all internal drives than the Format within the Fedora 34 install. To do this select the Maintenance Tag and then go to Data Wipe, select Wipe on Next Boot.

Note the Dell Data Wipe does not touch USB Flash Drives or USB External Drives.

Note that only models manufactured in 2016 or later have Dell Data Wipe.

Select OK:

Select No (to proceed):

Then select Exit:

Select Continue:

Select Erase:

Select OK:

Lenovo Unified Extensible Firmware Interface (UEFI) Settings

You should install Fedora 34 with a UEFI BIOS with Secure Boot (requires a computer manufactured in 2012 or later). The SATA Operation must be AHCI (a computer with a single >250 GB SSD is recommended).

Update your UEFI BIOS

All Computers Manufactured in 2012 or later have a Unified Extensible Firmware Interface (UEFI). Make sure your UEFI BIOS is updated to the latest version before attempting to install Fedora 34, as a number of UEFI BIOS Updates resolve some common Boot Issues. For Lenovo systems you will have to either update the UEFI BIOS within Windows or use a FreeDOS Bootable USB:

UEFI and Secure Boot

To access the Lenovo UEFI BIOS, power up your Lenovo and press [F1]:

You will be on the Main Tab with System Summary highlighted by default, press [↵] to view the System Summary:

This will give details about the Drives. In my case I have a Samsung M.2 SSD. Press [Esc] to exit the field:

Press [→] to get to the Device Tab, then press [↓] until ATA Drive Setup is selected. Press [↵] to view the options:

Ensure that the SATA Controller is Enabled and Configure SATA as is set to AHCI. Press [Esc] to exit the field:

Press [→] until you highlight the Security Tab and [↓] until you get to Secure Boot and press [↵] to view the settings:

Secure Boot should be Enabled. Press [Esc] to exit the setting:

Press [→] to get to the Startup Tab. The Boot Mode should be UEFI Only and CSM should be Disabled:

Secure Erase Internal Drives

Press [←] until you get to the Security tab. Press [↓] and select Hard Disk Password. Although Lenovo call these settings "Hard Disk" they also relate to Solid State Drives.

Press [↓] until you get to (Hard Disk) Drive Password and press [↵]:

In this screen look for Security Erase (HDD) Data. If you do not have this option, your system may be too old to support Data Wipe from the UEFI BIOS and you will have to use a third party utility like Parted Magic instead.

Press [↓] until you get to Security Erase (HDD) Data.

Unfortunately the Lenovo Data Wipe requires you to set up a temporary Hard Drive Password.

Setting a Drive Password will lock the drive at the drive firmware level and there is some risk in doing so. If you set a password and the password is forgotten you will never be able to use the drive again.

Press [↑] until you get to M.2 Drive Password and press [↵].

You have the option to set a User only password or a User + Master Password.

The first is designed for a User Only in which case the user would have full admin access to perform a data wipe.

The latter is designed for a company with a large IT department. The IT department would have the Master password to unlock the device and to perform a data wipe.

Select [User] and press [↵].

Input a basic password. In this case I will use the letter a:

Confirm the password:

Select [Continue]:

Press [F10] to save and Exit. Highlight [Yes] and press [↵]:

Your computer will restart:

You will be prompted for your password as your computer begins to reboot. If you have a master password set you can press [F1] to switch to the master user.

In this case, the user password a will be input.

As soon as the user password is input press [F1] to get to the UEFI BIOS Setup. You will be on the Main tab. Press [→] until you get to Security and press [↵]:

Press [↓] until you highlight (Hard) Disk Password and press [↵]:

Then press [↓] until you get to Security Erase (HDD) SSD Data and press [↵]:

Select Erase NVMe Slot 1 Data and press [↵]:

Highlight [Yes] at the confirmation dialog and press [↵]:

Input your User Password and press [↵].

If a user and a master password are set it may only ask for the master password, so you will need to know the master password.

The Secure Erase will be performed and the Drive password will be removed.

Select [Continue] and press [↵]:

It should then show an error stating no Operating System found. This is because your internal drives are blank. You'll need to install Fedora 34 now:

Booting from a Fedora Live USB

Insert your USB Flash Drive into your Dell and press [F12] while powering up to get to the Boot Menu:

The Boot Mode should be set to UEFI and Secure Boot should be Enabled.

Select your USB Flash Drive and press [↵]:

Insert your USB Flash Drive into your Lenovo and press [F12] while powering up to get to the Boot Menu:

Highlight your USB Flash Drive and select [↵]:

Select Test this Media and Start Fedora 34:

You should see your OEM logo:

You will be taken to the Fedora 34 live desktop:

By default Activities will be highlighted to the top left. You can click anywhere on the Desktop to reach the Desktop:

Installing Fedora

You can either select try Fedora, to try Fedora using the Fedora Live USB or select Install to Hard Drive to launch the installer:

You will be prompted for your language, I will change to English (UK):

In the next screen you will need to customize your Time & Date settings and select the drive you wish to install Fedora 34. The keyboard option by default will match the language options selected on the previous screen but can also be customized if desired.

Select Time & Date:

Then select the location of your capital city on the map or use the dropdown menu and then select Done:

You will be taken back to the previous menu. Select Installation Destination:

This is actually I would say the worst menu on the Fedora installer as the drive looks unselected by default.

Your main drive should be selected by default (however it is not highlighted in blue) and displays an inconspicuous black check on it to the bottom right. If this is the case select it and then press Done:

Selecting the drive will highlight it blue and ironically remove the tick unselecting the Drive:

Pressing Done will take you back to this screen saying No Disks selected:

Now entering this menu, shows the drive selected with the black tick (this I would argue is the way it should be displayed by default but it is an error carried through by essentially all versions of Fedora):

You can now select Begin Installation:

Select Finish:

To Finish the installation, you can select the Power Option and then Restart:

Select Restart:

You will see some command details flash up and the system will reboot. Unfortunately Fedora 34 doesn't prompt you to remove your Bootable USB; however, in my case the system booted to the Fedora 34 installation with the Bootable USB attached. Just bear this in mind in case you end up rebooting to the Live USB instead of the Fedora Installation. In such a case select Power Off and wait for your system to Power Off. Then remove your Bootable USB and power your system on without it:

You will see your OEM logo alongside the Fedora logo and a spinner:

User Accounts

Select Start Setup:

Select your Wireless Network and select Connect:

Input your Password and select Connect:

You will see a Checked icon beside your wireless network:

You can review your privacy settings and select Next:

You can optionally connect to an Online Account or select Skip:

Input your name and Password and select Next. Your Full name should include your first and second name and can include capital letters and a space.

Your username on the other hand can only be lower case characters.

Select Next:

Input a password and confirm it:

Then select Start using Fedora:

Fedora 34 includes GNOME3 (Version 40). The GNOME 40 implemented within Fedora is essentially "pure GNOME" and not modified for users coming from other Operating Systems like in the case of Ubuntu. If not familiar with it or you are coming from Ubuntu it is recommended to take the tour:

Select Start:

The first thing you will notice is that none of the windows have title buttons (Minimise, Maximise or Close) and typically GNOME 40 is setup so only a single window is in focus or a couple of windows.

Activities Button

Selecting the Activities button to the top left will show an overview of all open Windows allowing you to switch between them. In this case only the Tour is open:

Select the Window you want (in this case, the Tour Window) and it will be displayed in focus.

Start Screen and Panel

The next screen will tell you about the Apps Screen. You can view all Apps by pressing the All Apps button:

You can drag an icon to rearrange icons on the Start Screen and/or Bottom Panel. An icon can be dragged from the Start Screen to the Bottom Panel:

Workspaces

Fedora has a number of Workspaces, you may find yourself using these more if you are using stock GNOME 40 due to the user interface having a focus more on a singular main window or a couple of windows:

To access these select Activities. A small preview of all your workspaces will be displayed at the top. You can also select these to the right hand side:

Trackpad Gestures

The next screens focus on new features involving trackpad gestures. Fedora 34 by default uses trackpads and mice differently and this results in a lot of confusion so I will add some additional information here.

I am used to my trackpad in my XPS 13 9365 acting the following way. The red is the left click and the green is the right click. There is a divider in the middle indicating two buttons. When using Fedora I noticed that anywhere I clicked on my touchpad led to a Left Click.

Fedora does not use the two bottom points of the touchpad as buttons and instead uses relative pressure to detect a click:

  • Pressing down anywhere on the touchpad with a single finger will lead to a left click.
  • Pressing down anywhere on the touchpad with two fingers will lead to a right click.
  • Pressing down anywhere on the touchpad with 3 fingers will lead to a middle click. The middle click is essentially used as a copy paste button. If you have text highlighted and you use a middle click you will copy it, otherwise the action will be to paste text.

Details about new additional gestures will display at the end of the tour. Sliding three fingers up from the centre of the touchpad to the top is essentially a quick way of selecting the activities button. Note you should not apply any downwards pressure when using this gesture. Once activities display you should be able to select your desired window to bring it into focus:

Using three fingers to slide left or right from the centre instead switches the workspaces:

Touchscreen Settings

On my XPS 13 9365 2 in 1 convertible, the touchscreen response seemed to work as expected:

The touchscreen keyboard also works quite well although it did not work perfectly in FireFox. When I pressed into the search bar it didn't populate:

Until I opened a new tab, then it worked as expected:

The touchscreen keyboard within Fedora is more advanced than the one exhibited in Ubuntu 20.04 as it has additional emojis. Although it is sadly behind in functionality with respect to the symbol input included in Windows 10:

Tablet Autorotation

The XPS 13 is setup so only the keyboard and mouse are active in laptop mode. When the system is folded in tablet mode these are disabled.

In previous versions of Fedora (and GNOME) the rotation sensor was always active. Now it seems to only be active in tablet mode.

Laptop Mode
Tablet Mode
Tablet Mode

There appears to be a bit of a bug however when switching back from tablet to laptop mode. If you switch without waiting for the screen to rotate upright while in tablet mode, you re-enter laptop mode with the screen using the last configuration of tablet mode and are not able to change it unless you re-enter tablet mode and then convert back to laptop mode:

Touchpad Stops Working in Tablet Mode

I have found that the touchpad intermittently stops working when in laptop mode. Converting to tablet and then back to laptop mode seems to temporarily resolve the issue but it comes back. Restarting the system seems to reduce the likelihood of this issue, but once the issue has occurred it is likely to reoccur.

A fix mentioned on a forum was to change a trackpad setting. To do this, open up file explorer. Select Other Locations:

Then Computer:

Then etc:

Then default:

Then in this folder we want to edit this grub file. If we open it by double clicking it, we will see it in a text editor but be unable to save it as the location is write protected:

To get around this, right click an empty space in the folder and select Open in Terminal:

Type in:

sudo nano grub

sudo is an abbreviation for super user do (Linux equivalent of Windows Run as Administrator).

nano is the name of the text editor.

grub is the name of the file.

As you have typed in sudo, you need to provide your password to authenticate (Linux equivalent of Windows User Account Control Prompt):

The line we want to change is GRUB_CMDLINE_LINUX:

Update it to include the following parameter inside the quotes:

i8042.nopnp=1

Press [Ctrl] + [ x ] to exit:

Press y to save:

To the bottom will be the name of the file grub. Press [Enter] to save it:

You can now close the Terminal:
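The same edit can be scripted so that the parameter is added exactly once and the previous file is kept as a backup. This is an added example, not part of the original guide; the function names and the sample file are constructed, and the grub2-mkconfig output path in the closing comments is an assumption for a default Fedora 34 install.

```shell
#!/bin/sh
# Added example (not from the original page): add a kernel parameter to
# GRUB_CMDLINE_LINUX exactly once, keeping a backup of the file.

# cmdline_has PARAM STRING: succeed if PARAM is a whole word of STRING.
cmdline_has() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# grub_cmdline FILE: print the current GRUB_CMDLINE_LINUX value, unquoted.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# add_kernel_param FILE PARAM: print added | unchanged | no-cmdline-line.
add_kernel_param() (
    file="$1"; param="$2"
    grep -q '^GRUB_CMDLINE_LINUX="' "$file" || { echo no-cmdline-line; exit 2; }
    cur=$(grub_cmdline "$file")
    if cmdline_has "$param" "$cur"; then echo unchanged; exit 0; fi
    cp -p "$file" "$file.bak"                 # keep the previous version
    # Rewrite only the GRUB_CMDLINE_LINUX line; other lines are copied as is.
    NEW="${cur:+$cur }$param" awk '
        /^GRUB_CMDLINE_LINUX="/ {
            print "GRUB_CMDLINE_LINUX=\"" ENVIRON["NEW"] "\""; next
        }
        { print }
    ' "$file.bak" > "$file"
    echo added
)

# make_sample_grub FILE: constructed file in the layout of /etc/default/grub.
make_sample_grub() {
    cat > "$1" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
EOF
}

# Demonstration on the constructed sample.
demo=$(mktemp)
make_sample_grub "$demo"
add_kernel_param "$demo" i8042.nopnp=1
grub_cmdline "$demo"
rm -f "$demo" "$demo.bak"

# On the real system, run as root:
#   add_kernel_param /etc/default/grub i8042.nopnp=1
# /etc/default/grub is only an input file, so regenerate the GRUB configuration
# afterwards and reboot (output path assumed for a default Fedora 34 install):
#   grub2-mkconfig -o /boot/grub2/grub.cfg
# After the reboot, confirm the kernel received the parameter:
#   cmdline_has i8042.nopnp=1 "$(cat /proc/cmdline)" && echo active
```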

Multi-Monitor and Dell WD19TB Thunderbolt Dock

The XPS 13 9365 has a high DPI screen with a scaling set to 200 % by default. Most Desktop monitors are non-touch and do not have such a high DPI setting and are designed to use a 100 % scaling.

In older Linux Kernels it was not possible to have the external monitor at 100 % scaling and the laptop screen at 200 % scaling. It was either/or, making multi-monitor configurations largely unusable.

With the updated Kernel such a configuration is possible.

Plugging the WD19TB into the laptop works as expected. Unfortunately removing the XPS 13 9365 from the WD19TB Thunderbolt Dock results in the system freezing and becoming non-responsive:

The laptop then has to be force powered down but subsequently boots normally.

Multi-Media Codecs

The multi-media codecs are needed to play media content particularly videos and audio within a browser. Generally open access content will work such as YouTube however content that is from a streaming service likely won't work out of the box:

To get around this we need to either install a Browser with the multi-media codecs inbuilt such as Google Chrome which is available to download from the software store or alternatively we can install the RPM Fusion multimedia codecs:

To download go to:

Select the RPM Fusion Free:

Select Open with Software Install and then OK:

You will see Software is Ready:

Select Install:

Input your Password and select Authenticate to proceed with the software install:

RPM Fusion Free is now installed:

Repeat the process for RPM Fusion Non-Free. Although it states nonfree there is no charge for the software. The non-free software essentially has source-code that is non-commercial use only and for this reason is bundled separately. In any case most commercial users using Fedora or other RedHat Products will not be using the OS for video playback.

After refreshing your streaming video file link, you should then get an Enable DRM prompt at the top of FireFox:

Once you Enable the DRM, the video should load:

The Fedora RPM page has some additional command lines for installing additional multimedia codecs post install under the heading AppStream metadata, Multimedia post-install and Tainted repos. You can open up a terminal and copy and paste their commands line by line to install these.

Even when these are all installed, FireFox will have a lower score than Google Chrome on:

Note Disabling Secure Boot does not influence this score, so Secure Boot is not blocking any of the multi-media codecs:

If you encounter additional video playback issues, switching over to Google Chrome may relieve them.

NVIDIA Graphics Card

To check your graphics card open up a terminal and type in the following command:

/sbin/lspci | grep -e VGA

In my case I have an Intel Graphics Card so don't need to install a driver:

If you have a NVIDIA Graphics card you will be using a generic video driver and should install the NVIDIA driver for full performance. This requires the RPM Fusion and multi-media codecs to already be installed:

I don't have a NVIDIA Graphics Card but demonstrated the install on a Lenovo P320 Tiny on Fedora 32 and the instructions are more or less identical for Fedora 34:

Settings and GNOME Tweaks

The settings available in Settings are quite limited:

There are few customization options available. Many of the expected "missing" settings are available in GNOME Tweaks, which has to be installed from Software:

GNOME Tweaks will also tell you that Extensions have been moved to GNOME Extensions which we will discuss in a moment:

GNOME Tweaks has a setting to allow for Windows TitleBars which gives a minimize and maximize button:

Unfortunately applications when minimized are minimized to the bottom panel and there is no setting to make the panel permanently visible (by default it is hidden unless the applications menu is enabled).

There is also an option to change the Touchpad settings. The Area option however assumes a three button touchpad and not a two button touchpad. It would be nice if both these settings were available. Although as mentioned the Fingers implementation is nice but takes a while to get used to.

GNOME Extensions

In FireFox or Chrome, search for GNOME Extensions:

If the browser extension is not installed, you will only see Sort by Popularity and not Version. You should also get a popup to install the Browser Extension:

Select Continue:

Select Add:

To the right, select Allow this Extension to run in Private Windows and select Okay:

Then refresh the page. To the top right you will see the GNOME extension icon which will take you to the extensions page. It is recommended to view the extensions by Current Version and Popularity (as these are normally the most widely supported and most useful):

I installed the Applications Menu, Extension List, Removable Drives Menu and Clipboard Indicator for example:

Note that Fedora 34 is bleeding edge and you may get some problems with some extensions. Installing and using the Screenshot Extension crashed my system and as a result all the extensions got disabled… 🙁

The existing extensions will likely become more stable in the future and more will be ported over for Fedora 34 compatibility.