Surface Go Dual Boot Secureboot

Preface: #

The goal of this guide is to have Windows 10 and Ubuntu installed on a Surface device (I've tested this on the Go and should work the same on the Go2),
with secureboot enabled for both of them.

The version used in this guide are:

Win10 20H2 Pro (Pro has full bitlocker support)
Ubuntu Mate 20.04.1 LTS

Prerequisites: #

disabling Fast Startup:
- in: Control Panel --> hardware and Sound --> Power Options --> System Settings
  select "Choose what the power buttons do"
  and then unlock the buttons on the bottom clicking on "Change Settings that are not curently available"
  and deselect "Turn on gast start-up (recommended)"
  then click on "save changes"
surface Device installed with Win10
usb pen with Ubuntu 20.04 on it:
- you should create the drive downloading the ISO and dd'ing it on the drive:
  dd if=ubuntu.iso of=/dev/sdX bs=1M status=progress,
  in this way you are shure to have a UEFI boot drive
  I've used Ubuntu Mate 20.04.1 LTS
patience

Win10 pre-tasks: #

If enabled, disable bitlocker from Win10 bitlocker menu,
wait for the decryption to finish.

Shrink the windows partition form the disk manager to leave space for ubuntu.

Reboot in advanced mode to boot from the USB drive with ubuntu:
hold "shift" while clicking on "reboot",
you'll be in windows recovery mode, select "other disk" and select "Linpus ..." to boot in ubuntu

Ubuntu Live tasks: #

Shrinking: #

fire up utubntu live and with gparted move Win10's recovery partition back to leave all the empty space in the end:

before:
description

after:
description

Partitioning: #

with gparted create the new partitions as follows:

5: efi partition in fat32, flags boot and esp (will be mounted on /boot/efi)
6: /boot partition in ext2 (will be mounted on /boot)
7: luks partition

Number  Start   End     Size    File system  Name                          Flags
 1      1049kB  274MB   273MB   fat32        EFI system partition          boot, esp
 2      274MB   408MB   134MB                Microsoft reserved partition  msftres
 3      408MB   95,1GB  94,7GB  ntfs         Basic data partition          msftdata
 4      95,1GB  96,1GB  1074MB  ntfs         Basic data partition          hidden, diag
 5      96,1GB  96,7GB  537MB   fat32        EFI System Partition          boot, esp
 6      96,7GB  97,2GB  537MB   ext2
 7      97,2GB  128GB   30,8GB

Luks: #

format the 7th partition that we'll use with luks:

cryptsetup luksFormat /dev/nvme0n1p7
cryptsetup luksOpen /dev/nvme0n1p7 CRY_main

pvcreate /dev/mapper/CRY_main
vgcreate VG_main /dev/mapper/CRY_main

lvcreate -L 15G -n LV_root VG_main
lvcreate -L 2G -C y -n LV_swap VG_main

vgchange -a y

format the EFi partition:

mkfs.vfat /dev/nvme0n1p5

Ubuntu installer: #

now fire up the ubuntu common installer from the desktop icon,
and continue with the normal selection:

minimal installation
download updates while installing ubuntu mate
install third party software...
- configure secureboot
  - choosing a password of your choosing

the last part is very important since it will allow you to enroll the newly created MOK key in the machine's UEFI

in the partitioning part do:

select efi nvme0n1p5 and select "Use as" "EFI System Partition"
select boot nvme0n1p6 and select "Use as" "ext2" and mount on /boot, do format
select /dev/mapper/VG_main-LV_root "Use as" "ext4" and mount on /
select /dev/mapper/VG_main-LV_swap "Use as" swap
select install the bootloader on the efi partition: nvme0n1p5

and continue the installation

DO NOT REBOOT
DO NOT REBOOT
DO NOT REBOOT

Post-installation tasks: #

once finished do not reboot,

mount the newly created system on /mnt creating the environment for chrooting correctly:

mount /dev/mapper/VG_main-LV_root /mnt
mount /dev/nvme0n1p6 /mnt/boot
mount /dev/nvme0n1p5 /mnt/boot/efi

mount --bind /dev /mnt/dev
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys

then chroot in to the newly prepared folder:

chroot /mnt

In the chroot: #

blkid | grep -i luks

take the field "UUID"
ES:

/dev/nvme0n1p7: UUID="11111111-2222-3333-4444-555566667777" TYPE="crypto_LUKS" PARTUUID="aaaaaaaa-bbbb-cccc-dddd-eeeeffffaaaa"

in this case it's: 11111111-2222-3333-4444-555566667777

edit the file /etc/crypttab (if not present create)
and add:

CRY_main UUID=11111111-2222-3333-4444-555566667777 none luks,discard

NOTE: the name shall be the same as you opened the crypt device in steps

then recrate the system boot environment:

grub-install
update-initramfs -u -k all

and exit the chroot with a simple

exit

now you can reboot your system.

be very aware of the next steps!

Enrolling MOK Key to Secureboot: #

you will be greeted by the UEFI Key manager, where you will be able to enroll the new key for secureboot:

choose "Enroll MOK"
description

then "continue"
description

select "Yes"
description

then insert the password you selected during ubuntu installation
description

and then select "reboot"
description

After the reboot: #

now the system should restart and you should be greeted by grub's selection screen,
there you can choose to boot in Ubuntu or in Windows (which has been detected by the installer)

Re-activating bitlocker #

after booting to windows you can re-activate bitlocker,
maybe setting a custom passphrase at boot so your system won't load automatically without your input.
see: Win10 - Surface Go - Bitlocker with TPM and advanced pin

Next: Proxmox cluster with dishomogeneous cpu types
Previous: Debian 9 and 10 unlock luks root at boot via ssh