Installing Fedora Silverblue 36 on a Surface Pro 3

Turning the flagship Windows device into a Linux machine.

Configuring the UEFI for USB boot

With the device powered off, press the power button while holding volume up to access the UEFI setup. In the UEFI setup, make sure “Configure Alternate System Boot Order” is set to include USB, such as the USB -> SSD option. If acceptable for your usecase, I recommend enabling “Battery Limit” under “Kiosk Mode” to set a battery charge limit of 50% (to maximize battery longevity). Then save and exit setup.

Alternatively, press the power button while holding volume down to initiate a single boot from USB. (Boot Surface from a USB device)

Before erasing Windows

Updating firmware

There are 2 ways to update Surface firmware: Windows Update or a set of MSI files provided by Microsoft. In theory it is possible to use the MSI files with fwupd, but you might as well perform the updates the easy way if Windows is still installed (especially since the Surface Pro 3 is EOL and unlikely to receive future updates). One way or another, I recommend manually updating the firmware instead of trusting Windows Update.

Following the links from the Microsoft support page, I downloaded:

  • SurfacePro3_Win10_18362_1902002_0.msi
    • This is the latest version available at the time of writing, which works fine for the Windows 10 build 19042 I have installed.
  • Microsoft_Surface_Pro_3_Tpm_Update_Tool_Setup.msi
    • This is a separate tool for updating the TPM firmware.

Running the main firmware updater is as simple as clicking through the prompts and restarting at the end.

The TPM update, on the other hand, requires its own detailed guide and a spare flash drive. Note that after running the downloaded installer MSI, the actual utility must be launched from C:\Program Files\Microsoft Surface Pro 3 TPM Update Tool\Microsoft.Surface.SP3TpmKey.exe (there is no shortcut).

Secure‑erasing the internal drive (optional)

BitLocker is enabled by default on the Surface Pro 3, so unless it was disabled at some point or data was otherwise stored on the drive unencrypted, secure‑erasing is unnecessary. However, there is no harm in performing a secure erase anyway.

Secure‑erasing must be done with the Microsoft Surface Data Eraser tool. It is not possible to use standard tools (such as hdparm on Linux) due to an ATA security freeze that cannot be lifted by readily apparent means.

Installing Fedora Silverblue

Since this is a Surface device, the linux‑surface wiki is our friend. Fortunately, the Surface Pro 3 is fully supported upstream, so we should expect full functionality without having to install the linux-surface kernel.

Download the Fedora Silverblue x86_64 ISO and checksum file. Verify the download and flash it to a spare drive following my universal disk image procedure.

Boot into the Fedora Silverblue installer and proceed through the installer as usual. In the “Installation Destination” settings, make sure to select “I would like to make additional space available.” and “Encrypt my data.” After clicking Done, set a disk encryption password, then, on the “Reclaim Disk Space” screen, select Delete all to use the entire drive for Fedora Silverblue. Complete the installation and reboot into the OS, then complete the setup as normal.

Post-installation notes

  • The touchpad on the Type Cover only has a single physical button. To be able to right‑click effectively, run: gsettings set org.gnome.desktop.peripherals.touchpad click-method "areas"
    • By default, using 2 fingers will trigger right‑click and 3 middle‑click, but this is an extremely poor experience due in part to the small size of the touchpad.
  • The stylus (Surface Pen) is fully natively supported by libinput, including proximity detection, pressure sensitivity, and the eraser and right‑click buttons. Note that the eraser button requires app support, for example implemented in Xournal++.
    • On Bluetooth-supported versions of the Surface Pen, additional functionality (such as the top button) may be unlocked by Bluetooth pairing, but I do not have one to test.
  • At the time of writing, the GNOME Software store (“Software”) is rather buggy and has a habit of loading indefinitely after certain actions. When that happens, terminate it via System Monitor or pkill gnome-software, after which it should function normally.
  • Flathub is disabled and filtered by default. The simplest way to use unfiltered Flathub is by adding it as a new (distinct) remote: flatpak remote-add flathub-unfiltered
  • Use Flatpak overrides (optionally via Flatseal from unfiltered Flathub) to fine-tune Flatpak app permissions.
    • Since Fedora Silverblue uses Wayland, I recommend globally blocking X11 (XWayland) access and its related IPC permission, only enabling them on a case-by-case basis for apps which are not Wayland-compatible: flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --unshare=ipc