Jump to content











Photo
- - - - -

UEFI Bootloader / boot manager signed with Microsoft's Secure Boot Key

uefi

  • Please log in to reply
20 replies to this topic

#1 mihi

mihi

    Newbie

  • Members
  • 29 posts
  •  
    Germany

Posted 19 September 2018 - 01:41 PM

 

I'm looking for a UEFI bootloader / boot manager that is signed with Microsoft's Secure Boot key and that can choose between other (signed) boot loaders.

I believe I read a news article about such a bootloader a few years ago, but now that I need one, I cannot find it any more.

My situation is that I have a USB key that contains both Windows 10 Recovery and a Ubuntu live CD. Both of them support UEFI boot and are signed, and therefore work with Secure Boot when they are the only OS on the drive.

However, multibooting between them does not work when Secure Boot is enabled. I currently have a solution that uses Linux Foundation's PreLoader, but having to confirm the hash on every computer I boot it on is some hassle I'd like to avoid (especially since I use it on most computers only once or rarely more often). I also don't want to turn of Secure Boot since it is easy to forget turning it on again. Also renaming the boot loader every time I want to switch from Ubuntu to Windows or back is not what I'd like to do. (Using multiple partitions on the USB key for Windows and Ubuntu seems to have problems on some UEFI implementations too).

 


  • Brito and devdevadev like this

#2 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 19 September 2018 - 02:26 PM

Why not use a signed grub2 version such as used on Ubuntu.
  • Brito and devdevadev like this

#3 mihi

mihi

    Newbie

  • Members
  • 29 posts
  •  
    Germany

Posted 19 September 2018 - 07:03 PM

Good question. Historical answer: Any GRUB version older than 2.02~rc1 was unable to chainload a Windows bootloader when Secure Boot is enabled, on certain firmware versions (including my Lenovo ThinkPad). That's why I made my own little EFI loader to choose. While that bug was fixed in 2016, Ubuntu did not include the patch until 18.04LTS. So that point is moot now and I should reevaluate it now.

 

Two other reasons were:

 

1. Ubuntu's signed GRUB versions had a check to disable chainloader command altogether when Secure Boot is enabled. I just tested 18.04, but that restriction has also been lifted.

 

2. Ubuntu's signed GRUB leaks memory when using the "exit" command. (I like to use that on non-secure-Boot systems which have both UEFI and BIOS boot enabled, since usually it will throw me into BIOS mode then, to boot tools like memtest86 that don't run on UEFI). In combination with an old TianoCore (firmware) bug, when you boot in BIOS mode afterwards, this results in "system reserved memory" to grow by the leaked memory whenever it happens (until you boot into EFI shell and fix the firmware variable manually). Since that bug was also fixed upstream, I should just re-test with latest GRUB and hope it no longer happens (or I no longer run into any system that boots both BIOS and UEFI mode).

 

Anyway, thanks for making me reevaluate that.



#4 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 19 September 2018 - 07:46 PM

memtest86 by Passmark is signed and should secure boot OK.



#5 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 19 September 2018 - 11:52 PM

Or.....you could stop stupidly insisting on using Secure Boot. Why not just boot in UEFI but without SB? SB has many security flaws that have been exploited by researchers, so it's not really secure, I'm curious to know why you believe otherwise. By insisting on this you are just making things harder for yourself, creating your own problem, and then asking others here to help. I would say that you should instead take advantage of the legacy BIOS/UEFI booting capabilities of the machines you are using, instead of using something that really doesn't help much anyway. And when you enable SB, legacy BIOS/CSM capabilities become disabled and therefore unusable, since SB and these others can't be on at the same time. I would much rather retain both legacy BIOS and UEFI booting capabilities at the same time, without having to disable one or the other, if that machine's BIOS allows for this.

#6 mihi

mihi

    Newbie

  • Members
  • 29 posts
  •  
    Germany

Posted 20 September 2018 - 08:31 PM

I do not believe (and have never stated) that Secure Boot cannot be circumvented. Just like Antivirus, which can be circumvented very easily and sometimes even adds more attack surface to a system (e. g. in browser plugins). But both Secure Boot and Antivirus help raising the effort an attacker needs to spend to compromise a system or making the compromise persistent (ever tried to clean a PC and found that some malware has disabled the F12 boot menu and replaced it with a software mockup? That kind of things are a lot harder (probably firmware revision specific) when Secure Boot is enabled). And most attackers will go for the low hanging fruit (assuming that they are not after you, but after easy money with botnets or ransomware). So a computer of less tech-savvy people may be better of with Secure Boot and Antivirus enabled.

 

That being said, I have made my decisions for myself but I don't force them upon others. Therefore, when helping somebody repair his computer, and he uses Secure Boot, I don't change that (I also don't unhide hidden files or file extensions). So I just want to be able to boot my tools with as little hassle as possible.

 

 

And I got my Ubuntu GRUB loader working as I wanted. There was one more issue, that causes the bootloader to reboot when trying to chainload an unsigned efi binary, so I could not use that to detect whether Secure Boot is enabled. And loading an unsigned GRUB module also fails without error (but is not loading the module, so you can try to rmmod it and if it fails, you know that you have Secure Boot enabled).

 

In case anybody else wants to use it, here is the config file.


Edited by mihi, 20 September 2018 - 08:32 PM.

  • Brito and devdevadev like this

#7 devdevadev

devdevadev

    Silver Member

  • Advanced user
  • 540 posts
  •  
    India

Posted 21 September 2018 - 05:12 PM

Can you please provide working download link for 'module.ubuldr.zip' ?

 

Regards...



#8 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 21 September 2018 - 05:26 PM

Can you please provide working download link for 'module.ubuldr.zip' ?

 

Regards...

Maybe going to the release might help:

https://github.com/s...odboot/releases

https://github.com/s...dule.ubuldr.zip

 

:duff:

Wonko


  • devdevadev likes this

#9 mihi

mihi

    Newbie

  • Members
  • 29 posts
  •  
    Germany

Posted 21 September 2018 - 05:28 PM

Thanks for reporting, I corrected the link in the README page.


  • devdevadev likes this

#10 devdevadev

devdevadev

    Silver Member

  • Advanced user
  • 540 posts
  •  
    India

Posted 22 September 2018 - 08:39 AM

Is it possible to support chainloading of Akeo's uefi-ntfs.img module through module.ubuldr bootloader in a NTFS + FAT32 partitioned UEFI Bootable USB drive for both Secure Boot On and Off ?

 

 i mean module.ubuldr should chainload .efi bootloaders of Win 10, Ubuntu & UEFI:NTFS for both Secure Boot Systems and Non-Secure Boot systems ? So that i will always be able to UEFI boot all above .efi bootloaders for Secure Boot Disabled systems. And for Secure UEFI systems at least Win 10 & Ubuntu .efi bootloaders will surely boot. 

 

Normally uefi-ntfs.img does not support Secure UEFI boot. Will it secure boot if chainloading through module.ubuldr 



#11 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 22 September 2018 - 10:36 AM

@mihi

Sorry, I must be missing something...

I am trying the usb-modboot project but I just get a rescue prompt.

I seem to be missing a bunch of grub files?

[Edit] Not sure what my problem was??? When I opened the usb-modboot zip file there was no install folder and the install files were in the root. Now there is an install folder and everything is OK. 7Zip seemed to have gone crazy?? Same file that I downloaded before now shows correct contents so I really don't know what went wrong. Anyway - it boots OK now. Sorry for false alarm.

 

Also, where should I put payload files like  Ubuntu.iso ???

 

It says to put 'modules' in usb-modboot folder - does this mean ISOs go in here too?

 

ReadMe mentions an 'install' directory but I can't find one (do you mean the files in the root of the USB drive?)

Also it says to edit the menu.ini file - but I can't see one and no mention of what directory it is supposed to be in?

Attached Thumbnails

  • grubusbmodboot.JPG

Edited by steve6375, 22 September 2018 - 11:22 AM.


#12 mihi

mihi

    Newbie

  • Members
  • 29 posts
  •  
    Germany

Posted 22 September 2018 - 12:00 PM

Is it possible to support chainloading of Akeo's uefi-ntfs.img module through module.ubuldr bootloader in a NTFS + FAT32 partitioned UEFI Bootable USB drive for both Secure Boot On and Off ?
 
 i mean module.ubuldr should chainload .efi bootloaders of Win 10, Ubuntu & UEFI:NTFS for both Secure Boot Systems and Non-Secure Boot systems ? So that i will always be able to UEFI boot all above .efi bootloaders for Secure Boot Disabled systems. And for Secure UEFI systems at least Win 10 & Ubuntu .efi bootloaders will surely boot.


Secure boot requires all drivers (including NTFS driver) to be signed (or hash whitelisted). So, as ntfs_x64.efi is not signed, you will not be able to load it in Secure Boot (without manually whitelisting its hash), regardless which loader you use. When Secure Boot is disabled, you can chainload and load everything. So in case your Ubuntu and/or Win10 is on a NTFS drive, you will not be able to load it with Secure Boot enabled (without manually whitelisting the hash of the NTFS driver), since you cannot load the NTFS driver.
 

Normally uefi-ntfs.img does not support Secure UEFI boot. Will it secure boot if chainloading through module.ubuldr ?

 

No. That image is not signed either. 

 

@mihi
Sorry, I must be missing something...
I am trying the usb-modboot project but I just get a rescue prompt.
I seem to be missing a bunch of grub files?
[Edit] Not sure what my problem was??? When I opened the usb-modboot zip file there was no install folder and the install files were in the root. Now there is an install folder and everything is OK. 7Zip seemed to have gone crazy?? Same file that I downloaded before now shows correct contents so I really don't know what went wrong. Anyway - it boots OK now. Sorry for false alarm.
 
Also, where should I put payload files like  Ubuntu.iso ???
 
It says to put 'modules' in usb-modboot folder - does this mean ISOs go in here too?
 
ReadMe mentions an 'install' directory but I can't find one (do you mean the files in the root of the USB drive?)
Also it says to edit the menu.ini file - but I can't see one and no mention of what directory it is supposed to be in?

 
 This tells me that my skills for writing README is bad :(  Yes, they go there too.

 

I mentioned 3 times in the README that ISOs of many Linux distributions are valid modules. If you have a suggestion how to make the README clearer, feel free to tell me (or send a pull request).


Edited by mihi, 22 September 2018 - 12:01 PM.


#13 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 22 September 2018 - 12:05 PM

I call ISOs, .IMG files, etc.  'payloads' not modules.

You talk about downloading and adding more of your modules  so it sounds like 'modules' are extra files which you add for extra functionality, not bootable files.

Adding modules
Download the modules you like and copy them to usb-modboot directory. Modules available here are .zip files; they need to be extracted to the root of the USB key (but will drop the majority of files in usb-modboot, too). Modules will be automatically picked up when booting, so there is no need to edit menu files (unless you want to add the modules into the favourite modules menu).

 

 

I suggest you add something like:

Payloads
Payload files such as .ISO, .IMG, etc. should all be added to the \usb-modboot folder.


#14 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 22 September 2018 - 01:03 PM

Suggestion re .cfg files

If a .cfg file is present, it seems to get added into the menu (as xxxx.cfg), even if the target payload file is not present or if the CPU (e.g. 32-bit) does not support the payload file (e.g. 64-bit ISO).

 

A better way would be to have a .cfg file that contained a complete menuentry  menu and add the whole file into the grub2 menu.

 

Then the .cfg file could contain if statements so that if the payload file was not present or the CPU was incorrect, or UEFI mode was not supported, etc. then the  menu entry would simply not be listed in the menu.

 

Is this something you could add (or maybe use a different file extension for 'included' menu entries)?

 

I use such a scheme in my  E2B grub2 menu system (using .grub2 files) but your linux, bash and scripting skills are clearly way above my (low) level of expertise!



#15 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 22 September 2018 - 02:21 PM

I tend to call them what they are: "bootable OS images".

 

Payload has a definite, different meaning in computing, AFAICT:

 

https://en.wikipedia...oad_(computing)

 

And module is confusing in GRUB/GRUB2/grub4dos speak beacause  of .mod files and insmod command:

https://www.gnu.org/...rub.html#insmod

 

The Tower of Babel guys were kids in comparison ;).

 

:duff:

Wonko



#16 mihi

mihi

    Newbie

  • Members
  • 29 posts
  •  
    Germany

Posted 22 September 2018 - 02:45 PM

Suggestion re .cfg files

If a .cfg file is present, it seems to get added into the menu (as xxxx.cfg), even if the target payload file is not present or if the CPU (e.g. 32-bit) does not support the payload file (e.g. 64-bit ISO).

 

A better way would be to have a .cfg file that contained a complete menuentry  menu and add the whole file into the grub2 menu.

 

I guess both ways have advantages and disadvantages. Having to read each .cfg file will make the menu load more slowly. And you cannot that easily rename menu items using menu.ini file (of course you could implement that in every included file yourself). On the other hand, maybe there is not so much need in renaming menu entries anyway.

 

I decided to use .inc as an extension for grub config files that are just included without wrapping them in a menuentry.

 

 

I use such a scheme in my  E2B grub2 menu system (using .grub2 files) but your linux, bash and scripting skills are clearly way above my (low) level of expertise!

 

Maybe a good motivation to increase your expertise in that field. On the other hand, your dedication for adding more distros and for testing corner cases in boot menus is a lot higher than mine.

 

As you wrote that your menu system has trouble with spaces in filenames, perhaps it helps if you use the syntax "$foo" instead of $foo more often in your config files, since the latter one will split arguments at spaces, even if the spaces were quoted inside the variable. Not to be confused with $"foo" which will run the string foo through Grub's menu translation system.



#17 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 22 September 2018 - 02:50 PM

Thanks, the problem with spaces in filenames is that the Linux kernel parameters cannot handle spaces e.g. in isoscan-filename path cheat code.

#18 devdevadev

devdevadev

    Silver Member

  • Advanced user
  • 540 posts
  •  
    India

Posted 22 September 2018 - 03:23 PM

I want to keep .efi bootloaders of Ubuntu, Win 10, KonBoot and UEFI:NTFS in /EFI/ directory of FAT32 partition 3 of a removable usb drive.

Grub-ubuldr will be default bootloader which will allow me to chainload all above .efi bootloaders when Secure UEFI mode is disabled. 

 

But in case of secure UEFI Boot enabled only Win 10 and Ubuntu bootloaders will be chainloaded.

 

So what exact .efi file and folder structure i should use to implement above scenario. And what grub-ubuldr.cfg file i will have to use so that it will work for both secure boot on/off cases. 

Regards...



#19 mihi

mihi

    Newbie

  • Members
  • 29 posts
  •  
    Germany

Posted 22 September 2018 - 05:32 PM

Thanks, the problem with spaces in filenames is that the Linux kernel parameters cannot handle spaces e.g. in isoscan-filename path cheat code.

 

Ah ok. But that is a limitation on how casper's iso-scan script parses the command line, not of grub2. You have the same behaviour if you use another bootloader (as long as you keep the iso on the disk), e.g. when you extract the kernel/initramfs and use gummiboot for booting it. That's why I was confused that on your page you state it is a disadvantage when using Grub2.

 

 

I want to keep .efi bootloaders of Ubuntu, Win 10, KonBoot and UEFI:NTFS in /EFI/ directory of FAT32 partition 3 of a removable usb drive.

Grub-ubuldr will be default bootloader which will allow me to chainload all above .efi bootloaders when Secure UEFI mode is disabled. 

 

But in case of secure UEFI Boot enabled only Win 10 and Ubuntu bootloaders will be chainloaded.

 

So what exact .efi file and folder structure i should use to implement above scenario. And what grub-ubuldr.cfg file i will have to use so that it will work for both secure boot on/off cases. 

Regards...

 

You will need

/efi/boot/bootx64.efi (Ubuntu's shim)

/efi/boot/grubx64.efi (Ubuntu's grub)

/efi/ubuntu/grub.cfg (the ubuldr script)

/efi/ubuntu/x86_64-efi/hello.mod (in case you want to detect whether you are in secure boot mode or not)

 

Everything else is up to you. I posted a sample script, which checks if secure boot is enabled (by loading and unloading hello.mod), and if not chainloads into loader.efi immediately. Else it shows the menu, where you can decide between Windows, Ubuntu, and preloader.efi.

 

You can if you prefer show the menu always, and use if statements to exclude the non-secure-boot enabled options in case Secure Boot is enabled.



#20 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 22 September 2018 - 09:20 PM

That's why I was confused that on your page you state it is a disadvantage when using Grub2.

It is a disadvantage of the E2B grub2 menu system. the E2B grub4dos menu system can directly boot from any linux ISO even with spaces in the filename because it does not use cheat codes to specify the ISO filepath, instead it uses the partnew technique (for MBR-booting) which can boot almost any linux ISO in a generic manner.



#21 devdevadev

devdevadev

    Silver Member

  • Advanced user
  • 540 posts
  •  
    India

Posted 07 October 2018 - 05:20 PM

And I got my Ubuntu GRUB loader working as I wanted. There was one more issue, that causes the bootloader to reboot when trying to chainload an unsigned efi binary, so I could not use that to detect whether Secure Boot is enabled. And loading an unsigned GRUB module also fails without error (but is not loading the module, so you can try to rmmod it and if it fails, you know that you have Secure Boot enabled).

 

In case anybody else wants to use it, here is the config file.

 

Can anybody provide me config file containing menu entries for 'Windows' , 'Memtest' , 'KonBoot' (will work when secure boot disable) and 'Ubuntu'.    







Also tagged with one or more of these keywords: uefi

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users