Mint 20 Clean Install on UEFI BIOS with Secure Boot

Issues

Secure Boot GRUB2 Bootloader Issue

There is a Secure Boot Security Vulnerability that has been addressed by Intel CVE-2020-10713. Dell and other OEMs have been releasing a series of UEFI BIOS Updates to patch this. The Security Update is related to the Grand Unified Bootloader 2 (GRUB2) which most Linux distributions which formerly passed Secure Boot rely on. You will now get Verification Failed: (0x1A) Security Violation. Mint 20 and older versions of Mint 20 are now rejected by Secure Boot. We need to either Disable Secure Boot or await an updated installation ISO with an updated GRUB2 Bootloader.

This image has an empty alt attribute; its file name is vlcsnap-2020-10-01-22h32m54s844-1024x576.png

FireFox Touchscreen Issue

FireFox OOBE touchscreen experience is poor. FireFox highlights text instead of scrolling on touchscreen, the issue appears to be with FireFox using a terrible input method for FireFox by default. It can be changed to another input method which actually works by touchscreen using a command line.

The snapd and Chromium

Chromium Browser touchscreen experience is good but install requires snapd and there is a small (deliberate) conflict between the Linux Mint team and canonical. This is just awkward but there are workarounds available.

Auto-rotation Does Not Work Properly

This is an issue with the Cinnamon Desktop. Essentially the touchscreen autorotates but the touch Input does not auto-rotate. Partial workaround but this reduces the ueser experience on 2 in 1 touchscreen devices.

Video

Create a Bootable USB (Windows)

You will need to download the Mint 20 ISO and need to use Rufus to make the Bootable USB:

Press [Ctrl] + [ f ] on the Downloads page and search for your country or a country nearby. Then select one of the local servers.

To the top of the page, select verify your ISO:

Select the Version:

Select the text file containing the ISO Checksums:

You will get the ISO checksums:

Once you have downloaded the ISO and Rufus. Launch Rufus:

Accept the User Account Control Prompt:

Select your USB Flash Drive:

Select, select:

Load your Mint 20 ISO:

Select the ISO Checksums button:

The SHA256 should match that shown in the text file. If not you have a corrupt download and should try again.

Change the Partition Scheme to GPT and the File System to FAT32:

Select Start:

Select Write in ISO Mode and select OK:

Select OK to format the USB Flash Drive:

When Finished it will say Ready:

Create a Bootable USB (Mint)

You will need to download the Mint 20 ISO:

Press [Ctrl] + [ f ] on the Downloads page and search for your country or a country nearby. Then select one of the local servers.

To the top of the page, select verify your ISO:

Select the Version:

Select the text file containing the ISO Checksums:

You will get the ISO checksums:

Once you have downloaded the ISO. Go to downloads, right click the ISO and select rename (or press F2)

Then select all the text (or select [Ctrl] + [ a ]):

Then right click and select copy (or select [Ctrl] + [ c ]):

Open up the terminal:

Type in:

cd Downloads

Then select [ ↵ ].

This will change the directory to your Downloads folder:

Type in:

sha256sum 

Then right click and select paste (or select [Ctrl] + [ v ]):

Then press [ ↵ ]. Your checksum should be computed and it should match that displayed in the text file. If it does not you have a corrupt download and should try again:

Go to Accessories and select USB Image Writer:

Select Write Image:

Then go to the Downloads folder and select your ISO:

To the right hand side select your USB Flash Drive:

Then select Write:

You will need to acknowledge the fact that you are going to format your USB Flash Drive so input your password and select Authenticate:

The utility should not make a FAT32 Bootable USB that will pass Secure Boot.

Unified Extensive Firmware Interface (UEFI) Settings

All Computers Manufactured in 2012 or later have a Unified Extensive Firmware Interface (UEFI). Make sure your UEFI BIOS is updated to the latest version before attempting to install Mint 20 as a number of UEFI BIOS Updates resolve some common Boot Issues:

Attach your Bootable USB and make sure your Dell PC is powered down. Then power it up and press [F2] to get into the UEFI setup.

Look for Advanced Boot Options and make sure Enable Legacy Option ROMs is Disabled.

Look for Secure Boot and Ensure that it is Enabled:

Next go to Boot Sequence. It should be set to UEFI. Your Mint USB (in my case the SanDisk USB) should display. If you have old versions of Linux they will also display. Uncheck your Bootable USB and highlight any old Linux or Windows installations you want to remove and select Delete Boot Option.

Expand System Configuration and go to SATA Operation. The storage controller must be set to AHCI:

The Mint installer doesn't support RAID (Intel Rapid Response Technology) If it is enabled the Mint 20 installer will halt and tell you to disable Intel RST.

We can use Dell Data Wipe for a more through wipe of all internal drives than the Format within the Ubuntu install. To do this select the Maintenance Tag and then go to Data Wipe, select Wipe on Next Boot.

Note the Dell Data Wipe does not touch USB Flash Drives or USB External Drives.

Note that only models manufactured in 2016 or later have Dell Data Wipe.

Select OK:

Select No (to proceed):

Then select Apply and confirm the changes and then Exit:

Select Continue:

Select Erase:

If you have only internal SSDs the Data Wipe will proceed quickly (less than a minute normally) however if you have an internal HDD or HSSD it may take several hours.

Select OK:

Booting from your Mint USB

Power up your Dell and press [F12]:

Select your Bootable USB under UEFI Boot:

Select Mint:

It will load the setup:

Installing Mint

Select Install Mint:

Select your keyboard layout and select Next:

Select your wireless network and select Connect:

Input your wireless password and select Connect:

Select Continue:

Check Install third-party software for graphics and Wi-Fi hardware and additional media formats:

The Mint Boot 20 is signed to pass Secure Boot but some of the codecs used and third party graphics drivers are not. You will get limited functionality without these.

The Mint install can enable these and we can still use Secure Boot. To do this the Ubuntu setup which will create a boot entry that include the media codecs and any applicable third party drivers for your hardware and prompt you to create a Machine Owner Key (MOK).

During the first Boot of the Mint install the UEFI BIOS will inform you that there is a new Boot Entry but will only allow it to Boot if you authorise the Boot with the Machine Owner Key. This is a single instance verification, after it is initialised the UEFI BIOS will remember the Boot entry and automatically Boot.

In the next screen you can optionally select Advanced Features which allow encryption options:

Select Install Now:

Select Continue:

Select your time-zone:

Input your name, username and password. Note your username has to be all lower case. Select Continue:

The install will proceed:

Select Restart Now:

When this screen shows. Remove the installation media and then press [↵].

Machine Owner Key (MOK)

When Mint tries to Boot with the third party codecs it will be blocked by the UEFI BIOS. Select Enroll MOK:

Select Continue:

Select Yes to Enroll the key(s):

Input the password (note on my systems there is no indication on the screen for character input) and then press [↵]:

Then select Reboot:

First Time Boot

Mint should then boot:

You can close the Welcome Window:

Software Update

In the notification area, select the Update Mananger Icon:

select OK:

Select Install Updates:

Select Ok:

Input your password and select Authenticate:

Go to start and select the power icon:

Select Restart:

Themes

Select the settings icon from the Start Menu:

Select themes:

Change the Windows Borders, Icons, Controls, Mouse Pointer and Desktop to your desired settings:

Optimizing for Touchscreens

Select Accessibility:

For a TouchScreen you may want to enable Large Text.

You can also turn on the Touchscreen Keyboard.

There are two settings in Interaction Mode, show the keyboard only when the user activates it and show the keyboard anytime something expects an input. The second setting is a bit temperamental so I would recommend using the first setting.

You can change the keyboard position by default it is at the top and occupies a third of the screen. The rest of the OS works better with this setting as the panel is at the bottom. If you change the location to the bottom, you will cover the start menu and panel.

You can also enable the keyboard indicators for Cap Locks and Num Lock:

The touchscreen keyboard button does not display on the panel. To enable this, right click the panel and select Applets:

In the list select On Screen Keyboard and select Add:

You can now turn on and off the touchscreen keyboard:

It is also possible to add the Accessibility Menu to the Panel:

Which will give the following options including the onscreen keyboard:

On a high resolution touchscreen you may also want to select Display:

Then change the Zoom Level to a higher value.

Then selecting Apply:

It is also possible to change the Base Interface Scale (but in my testing this is less reliable than changing the Zoom Level when autorotation is enabled for instance).

Rotating Screen and Touchscreen Input

By default automatic screen rotation is disabled. To enable it go to the settings tab and uncheck Disable Automatic Screen-Rotation:

On my XPS 13 9365 the screen now autorotates but the Touch Input did not automatically rotate alongside it. The touch point for the start button should move from the following location as the screen is rotated:

In my case it remained in the same location.

This makes it extremely frustrating to use the system in tablet mode or tent mode as you cannot scroll through a webpage or a pdf properly.

We can open up the terminal and have a look at:

xinput

In my case I see that my finger touch is called "Wacom HID 4831 Finger Touch" you will have a different finger touch device so amend the snippets of code to match your device.

We can then use a transformation matrix to transform the touchpoints of the screen.

Upright:

xinput set-prop "Wacom HID 4831 Finger touch" --type=float "Coordinate Transformation Matrix" 1 0 0 0 1 0 0 0 1

Counter Clockwise:

xinput set-prop "Wacom HID 4831 Finger touch" --type=float "Coordinate Transformation Matrix" 0 1 0 -1 0 1 0 0 1

Clockwise:

xinput set-prop "Wacom HID 4831 Finger touch" --type=float "Coordinate Transformation Matrix" 0 -1 1 1 0 0 0 0 1

Upside Down:

xinput set-prop "Wacom HID 4831 Finger touch" --type=float "Coordinate Transformation Matrix" -1 0 1 0 -1 1 0 0 1

It can be quite tedious to manually type in the terminal so we can make some custom keyboard shortcuts. Go to settings:

Then keyboard:

To the top select custom shortcuts and then select Add Custom Shortcut:

In this example we will use the upright command and call it start up and paste the appropriate command

Now double click the field to assign a shortcut key:

Repeat for the four directions using a different arrow key for each direction.

This makes the device more usable but it isn't a perfect workaround.

Poor Out of the Box Experience (OOBE) with FireFox

The FireFox browser is terrible with Touchscreen, as the touch input highlights text instead of scrolling.

The main issue is that FireFox uses a terrible input method by default. FireFox has other input methods that actually work with Touchscreen. To switch to the working input method, open up a terminal and type in:

echo export MOZ_USE_XINPUT2=1 | sudo tee /etc/profile.d/use-xinput2.sh

Then restart.

Installing the Chromium Browser

To install software you would normally go to the software store:

Then search for Chromium:

However the Chromium listed is a dummy browser and installing this does… nothing:

Using snapd

The Chromium install requires snapd and there is a small (deliberate) conflict between the Linux Mint team and canonical.

Open up a terminal and type in the following commands to remove the preinstalled preference to block snapd. Then update the Advanced Package Tool, install snapd and then install Chromium. Restart your PC to complete the installation.

sudo rm /etc/apt/preferences.d/nosnap.pref
apt update
apt install snapd
sudo snap install chromium

Remove the preference to block snapd:

Authenticate the action:

Update the advanced package tool:

Select apt install snapd:

Install Chromium:

Install requires a restart:

Go to Start and then select the power button:

Select Restart:

You should now have the Chromium Web Browser:

Commands taken from the Linux Mint documents:

Google Chrome Alternative

You can also install Google Chrome using the Debian/Ubuntu installer:

Select Debian/Ubuntu (Mint is based on Ubuntu) and then Accept and Install:

Select Open with GDebi package manager and select OK:

Select Install Package:

Select Continue to install the perquisite software:

Input your password and select Authenticate:

You will now have Google Chrome:

You should now have Google Chrome which works well with the Touchscreen:

Multiple Monitors with Multiple Panels

If you have multiple monitors plugged in. Go to Settings and Display:

Select your second monitor and turn Active On:

Move to monitor to the desired location, for instance my monitor is to the left of my laptop display:

Right click the existing Panel and select Panel Settings:

Select Add New Panel:

Select the desired location, in my case I will select the bottom left location:

Right click the Panel and select Enable Panel Edit Mode and then select Applets:

Then Add your Desired Applets, they will all appear on the right hand side:

The Menu and Show Desktop are added to the left hand side, we can drag and drop them over to the right hand side:

Once satisfied, right click the Panel and Disable Panel Edit Mode:

You should now have a New Panel on each Display: