Stephen Just

Stephen Just

Fedora Linux on Surface 3


The Surface 3 is a 10-inch 2-in-1 tablet produced by Microsoft. It was one of the first devices to market using the Cherry Trail platform from Intel. This platform has many components built in to a single SoC, but because it was one of the first platforms to introduce many of these features, Linux support for them was severely lacking when the Surface 3 was released. Today, you can get a Surface 3 tablet for approximately $640 CAD, making it a reasonably affordable device to possibly run Linux on.

This document describes the process of installing and configuring Fedora 24 on a Surface 3 using a specially constructed Live image.


  1. Preparation
    1. Download ISO
  2. Installation
  3. Configuration
    1. Prevent suspend when display is powered off
    2. Disable HiDPI mode
    3. Re-enabling secure boot
  4. Usage Tips
    1. Package Management
    2. Bootloader Management
  5. Building Your Own ISO
  6. Known Issues
  7. Other References


It is not strictly necessary, but it is a good idea to find a Type Cover or a USB hub and USB keyboard. This is useful during the install process. You will need a keyboard to navigate the boot menu once your system is installed so that you can select a different kernel or boot Windows in a dual-booting configuration.

If you would like to dual-boot with Windows, then you must first shrink your Windows partition. You can do this from the Disk Management program in Windows. It is recommended that you leave at least 10 GB of space for Linux so that you have room to install applications to use.

Download the Fedora Surface 3 Live Image and write it to a flash drive using your favorite tool. On Linux, the command to do so might look like the following:

# dd if=fedora-surface3.iso of=/dev/<your-flash-drive> bs=4M

where <your-flash-drive> points to a drive, not a partition, i.e. sdb.

Disable Secure Boot on your Surface 3. This can be done by powering off the device, holding the volume-up button, and turning on the device with volume-up held until the Surface logo appears on screen. Change the "Secure Boot Control" option to "Disable". Note: This will make the EFI boot screen a rather annoying red color, but we can turn Secure Boot back on later.


Plug your USB drive into the Surface 3, and turn on the device while the volume-down button is being pressed. Release the volume-down button when the Surface logo appears. If your Live USB was written correctly, a boot menu should appear, and the Fedora system should boot after a few seconds.

You might encounter a minor issue where the live system freezes for several seconds once the desktop starts. I'm not sure why this happens yet, but it does not occur in the installed system. Just wait for the system to become responsive again and continue.

Launch the installer and follow the prompts until you get to disk partition configuration. As usual, how you partition your device is up to personal preference, but it seems very unnecessary to add a swap partition on the 128GB model.

The default partition scheme will use any free space on the disk to install Fedora. Do not reformat the /boot/efi partition as it is shared with Windows. The installer will also configure the grub2-efi bootloader so that you can dual-boot Windows if you desire. I have not attempted this, but the Fedora installer will probably do the right thing automatically if you start with a completely blank disk.

While the installer is running, you can configure the users on your system. It is probably useful to check the "Make this user administrator" box when creating your regular user.

Once the installer completes, you can reboot into your Fedora 24 system.


There are a few configuration tweaks that can be made, depending on your personal preferences, after you have installed Fedora to your SSD. These will be detailed below.

Prevent suspend when display is powered off: In recent versions of Gnome, devices that identify themselves as a tablet (such as the Surface 3) will suspend when the screen turns off. This happens every time the screen locks for example. I personally find this very annoying. You can turn this off by telling the device to pretend it is really a laptop instead of a tablet.

# hostnamectl set-chassis laptop

You can undo this setting by setting the chassis type back to tablet or removing the /etc/machine-info file that this command creates.

Note that right now, the Surface 3 can only be woken from sleep using the Power or Windows buttons on the device, and not a keyboard or mouse.

Disable HiDPI mode: Some people do not like when Gnome automagically kicks in to HiDPI mode when it detects a display with high pixel density. You can turn this off. The easiest way is with from the console.

$ gsettings set org.gnome.desktop.interface scaling-factor 1
$ gsettings set org.gnome.settings-daemon.plugins.xsettings \
      overrides "{'Gdk/WindowScalingFactor': <1>}"

These changes can be easily reverted:

$ gsettings reset org.gnome.desktop.interface scaling-factor
$ gsettings reset org.gnome.settings-daemon.plugins.xsettings overrides

After changing these settings, you will want to restart the shell to clear any graphical glitches. This can be done by pressing Alt+F2 and entering r into the prompt. Alternatively, log out and log back in.

Note that with X, you cannot have a different DPI setting per monitor. There are workarounds for this using xrandr, but those involve scaling up or down the output of one display, resulting in output that may be blurry.

Re-enabling secure boot: Fedora kernel packages are compatible with Secure Boot. Custom kernel packages do not use Fedora's signing key that is validated by Microsoft, so you need to add a custom key / certificate to your device. Secure Boot provides a facility for users to add their own keys, termed "Machine Owner Keys". The following instructions are based on information posted here.

First, download the Red Hat Test CA certificate to your device. Any kernel built from a standard Fedora kernel RPM is signed with this certificate by default. Enabling this particular certificate for Secure Boot does somewhat remove Secure Boot's security advantage of preventing unauthorized software from running on your device because anyone is able to get the signing key for this certificate. A signing key is only secure if it is secret.

$ wget

Next, use mokutil to install this certificate on your system. Please note that you must provide a password, but you will only need it once so don't worry too much about what you pick as long as you can remember it for a short time.

$ sudo mokutil --import rhca.cer

Reboot your device. It will boot into the "shim" interface, allowing you to enroll your key into the system. Select "Enroll MOK" from the menu, and follow the prompts. Entering 0 to the Key Number prompts should be correct. Enter your key password when prompted, then continue boot.

You can now enable secure boot from your EFI menu.

To remove the key you just added, this can also be done from the EFI menu. It is not possible to remove a single key - you must remove all keys. Removing all keys will not delete Microsoft's Vendor Key.

Usage Tips

Package Management: Fedora might seem a little bit unusual for people used to Ubuntu or other Debian-based distributions. Fedora 24's command-line package manager is called dnf. Basic usage is mostly self-explanatory:

# dnf install inkscape
# dnf remove inkscape
# dnf update --refresh

There is also a "Software" GUI tool to manage packages. You will find it in the Gnome favorites bar.

Users familiar with Ubuntu's PPA system will likely be interested in COPR. This is a system to build and distribute custom packages, and is the platform used to distribute patched kernels and other packages in the supplied Surface 3 live-image.

Bootloader Management: Fedora uses GRUB2 as its bootloader, but managing it might be a little bit different than what you are used to. While Fedora does ship grub2-mkconfig and all of the configuration files it uses, it does not actually use any of them. Instead Fedora essentially does its own thing: each time a kernel is installed or removed, some scripts will read your grub.cfg file and modify it directly. If you want to edit this file yourself, it is helpfully symlinked from /etc/grub2-efi.cfg.

(On a slightly related note, this means that I was unable to "cleanly" modify the kernel command-line to work around hardware quirks as part of a package like you can on Ubuntu, and instead had to ship a file in /lib/modprobe.d/ after demoting a built-in kernel component to a module.)

Building Your Own ISO

Building your own custom ISO is fairly straightforward, if a little bit time consuming and error prone. With a fast network connection and a speedy storage device, a custom live-image can be generated in about an hour. You can find more information about the live-image generation process in the livemedia-creator documentation.

Using your favorite virtual machine hypervisor (i.e. Virtualbox, QEMU, Hyper-V), create a Fedora 24 virtual machine. Give this machine at least 20GB of disk space and plenty of RAM so that it can more easily handle multi-GB disk images. This process should ideally be done in a virtual machine because there is the potential to mess up your install.

Install the prerequisite software in your virtual machine:

# dnf install anaconda lorax

Download my live-media generation script and extract the archive:

$ wget
$ tar -xvf lmc-script.tar.gz

The livemedia-creator program that my scripts wrap requires you to set SELinux to permissive mode. These commands, executed as root, first configure SELinux to be disabled on boot, and then disable SELinux for the current session.

# sed -i -- 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
# setenforce Permissive

Now, you can run the generation script as root:

# ./lmc-script/

When the script completes, your working directory will contain a timestamped folder containing a file named boot.iso in its output subdirectory. This is your live-image that you can write to a flash drive. Logs associated with the script are also located in this folder. If you encounter failures, you may occasionally have to remove lmc-* directories from /var/tmp which are left behind.

To modify the packages that are installed, edit the fedora-surface3.ks Kickstart file packaged with the script. There is a %post section below the %packages section where you can install any packages from other sources once the base system is installed. More details about Kickstart files can be found in the Kickstart documentation.

Known Issues

Spacebar not working: For some unknown reason, sometimes the spacebar can start behaving oddly in the Live environment. Instead of supplying a space character, the spacebar will turn on larger font sizes. As a workaround, either press Shift+Space, or simply log out and back in. Further investigation required to file bug report. Similar report on other devices.

Suspend after log out or switch users: Gnome is being a little bit too aggressive with suspend on tablets, see gnome bug. You can use the workaround noted here.

Some characters missing during gnome-initial-setup: It appears like there is a bug in the i915 driver when there are a large variety of fonts on screen at once. The issue seems to go away once you complete the setup prompts. Driver bug report. I have seen this issue pop up very occasionally afterwards, but restarting X usually resolves it.

Live environment freeze: The live environment can sometimes freeze for about 15 seconds when it first starts up. This does not seem to be reproducible in an installed system. Further investigation required to file bug report.

Cameras do not work: There are no drivers for the cameras on the Surface 3. It is unlikely that there will ever be camera drivers.

Screen rotation does not work: The sensors on the device do not put out good data. There is some discussion happening to determine whether this is due to improper handling of some ACPI code. Relevant patch, which was dismissed by the ACPI maintainers in Bugzilla as being an improper fix.

Headphone hotplug: The audio driver is unable to detect when you plug in headphones to switch output devices. Detection seems to work fine on reboot. As a workaround, you can select the output device to use from Gnome's Sound settings panel. Fixed with kernel update 4.7.0-0.rc5.git1.1

Other References


Copyright © 2016 Stephen Just