13 replies to this topic

[devdevadev]

Hi...

 

http://bbs.wuyou.net...read&tid=157812

 

http://www.ipauly.co.../11/15/xorboot/

 

Does 'XorBootU_0.22' support 'Secure UEFI Booting' ?

 

How to use 'xorboot.efi' as main UEFI bootloader ? Should I rename 'xorboot.efi' to 'bootx64.efi' and put it within EFI/boot/ folder ?

 

OR It is must to chainload 'xorboot.efi' file via GRUB2 menu system ?

 

Please help me..

 

Regards... 

[alacran]

Hi...
 
http://bbs.wuyou.net...read&tid=157812
 
http://www.ipauly.co.../11/15/xorboot/
 
Does 'XorBootU_0.22' support 'Secure UEFI Booting' ?
 
How to use 'xorboot.efi' as main UEFI bootloader ? Should I rename 'xorboot.efi' to 'bootx64.efi' and put it within EFI/boot/ folder ?
 
OR It is must to chainload 'xorboot.efi' file via GRUB2 menu system ?
 
Please help me..
 
Regards...

 

I do not have an UEFI PC availabe, to try myself.

 

1- I don't think so, info about this is not in those links, please try yourself and let us know.
 
2 - https://translate.go.../11/15/xorboot/

 

Spoiler

UEFI version XORBOOT will execute and file xorboot.efi menu file xorboot.xor designed separately, which may optionally be renamed xorboot.efi, placed anywhere ESP partition (for removable media, should be placed efi \ boot below the file name bootx64.efi, to start on another computer), xorboot.xor not be renamed, should be placed efi \ xorboot below.
First with XORBOOTU.EXE export XORBOOT.EFI using the ESP partition, and set it as the first boot entry. (If you have already set up a good start, you can skip this step) and then use the Edit menu XROBOOTU.EXE file XORBOOT.XOR, menu files should be saved in the ESP partition efi \ xorboot folder. If you use a background image, the background image should also be placed in this folder.
Tips: XORBOOT has built bootmgfw.efi, boot.sdi, start Windows series system (local system, VHD / VHDX / WIM) is no longer needed bootmgfw.efi, BCD, boot.sdi and other supporting documents.

 

3 - Try editing EFI BCD using BootIce and let us know.

 

alacran

[devdevadev]

Thanks for quick reply...Actually I also don't have any UEFI PC

 

Can we chainload 'xorboot.efi' by using EFI BCD ? But how ? In have never done .efi type of chainloading in EFI BCD ?

Can you give me screenshot of what I should edit in EFI BCD by using Bootice ?

 

In above links Instructions are given. But I could not understood translated Steps...It's very confusing...Can anybody please translate Instructions in a bit better English ? 

[wimb]

I can use xorboot as boot menu for booting in UEFI-mode, but then Secure Boot must be disabled.

The procedure that I used is:
1. Download XorBootU_0.22.rar from ​http://www.ipauly.co.../11/15/xorboot/
2. Extract the rar and Run XorBootU.exe
3. Use Manage UEFI boot items and then ExportXorBoot.efi to export existing Windows Boot Manager UEFI item as file xorboot.efi in folder EFI\Boot on FAT32 USB-stick
Click yes to add XorBoot as UEFI Boot entry in BIOS firmware and finally use Close.
4.Use Create Menu and Save as file xorboot.xor in folder EFI\xorboot
5. Reboot from USB-stick (use F8 or F2 to get UEFI Boot Menu) and Select XorBoot from Menu
6. Select desired Boot entry from XorBoot Menu

The bootable FAT32 USB-Stick was made by UFD_FORMAT.exe http://reboot.pro/to...140-ufd-format/

XorBoot Menu does Not support Secure Boot,
whereas Boot Manager Menu as created by UFD_FORMAT does support UEFI Secure Boot !!

So UEFI_MULTI.exe and UFD_FORMAT.exe provide a better solution for having MultiBoot UEFI Secure Boot.
http://reboot.pro/to...boot-usb-drive/

UEFI_MULTI.exe supports UEFI Secure MultiBoot of Win 8/10 x64 OS and Win 8/10 x64 VHD (FileDisk) and Win 8/10 PE boot.wim (booting from Ramdisk).
Also in UEFI_MULTI the provided Grub2 EFI BootManager supports optionally Linux UEFI Secure Boot combined with Windows 10 x64 Secure boot.

[Wonko the Sane]

XorBoot Menu does Not support Secure Boot,
whereas Boot Manager Menu as created by UFD_FORMAT does support UEFI Secure Boot !!

So UEFI_MULTI.exe and UFD_FORMAT.exe provides a better solution for having MultiBoot UEFI Secure Boot.
http://reboot.pro/to...boot-usb-drive/

UEFI_MULTI.exe supports UEFI Secure MultiBoot of Win 8/10 x64 OS and Win 8/10 x64 VHD (FileDisk) and Win 8/10 PE boot.wim (RAMDISK).
Also in UEFI_MULTI the provided Grub2 EFI BootManager supports optionally Linux UEFI Secure Boot combined with Windows 10 x64 Secure boot.

 
I guess we could shut down the Internet and just use UEFI_MULTI.exe and UFD_FORMAT.exe. 
 
But on the other hand, I believe that BOTH the previous posters :
 

I do not have an UEFI PC availabe, to try myself.

 
 

Thanks for quick reply...Actually I also don't have any UEFI PC

 
Not only won't  "EFI Secure Boot", they will not "UEFI boot" AT ALL.
 
On a carpenters board:
Q.: Will a Black&Decker power circular saw be able to cut a 2x4 framing lumber?
A1: According to documentation, yes, though I don't own a power saw and don't have any framing, nor I ever attempted to saw a piece of it with a Black&Decker power saw.
A2 (OP): Which is Ok, as I also do not have any 2x4's (nor a power saw) and I have no electricity (and I am not a carpenter).
A3: A Black&Decker power circular saw cannot cut through steel pillars, a DeWalt angle grinder is better and can cut really huge steel frames, I only cut I-beams's with DeWalt angle grinder, nothing can cut through steel as fast as a DeWalt angle grinder, you can also shave yourself and trim your nails with a DeWalt angle grinder, and everyone should have a DeWalt angle grinder and cut large pieces of steel. 
 
Anyway,

Does 'XorBootU_0.22' support 'Secure UEFI Booting' ?

No.
 

How to use 'xorboot.efi' as main UEFI bootloader ? Should I rename 'xorboot.efi' to 'bootx64.efi' and put it within EFI/boot/ folder ?

 
through Gogle Translate from Russian :
http://usbtor.ru/viewtopic.php?p=22964
 

1. Push the button "Create menu", create the menu and save the name xorboot.xor.
2. Push the button "Manage UEFI boot items" and "Export XorBoot.efi" button in the opened window. Save the file.
3. Rename the file to XorBoot.efi BOOTX64.EFI and throw both files (xorboot.xor and renamed bootx64.efi) in the folder efi \ boot \.
Check run. Rejoice.

PS If you are using a graphical menu, back.png / bmp files, hilight.png / bmp (and can xorboot.xor) are efi \ xorboot \ folder.
back.png / bmp - Image Background.
hilight.png / bmp - highlighting the selected row.

 

Wonko

[devdevadev]

OK...Thanks 'Wonko' for better teaching....

 

So following will be folder structure of 'XORBOOTU' for UEFI booting......

------------------------------------------

efi\ boot\bootia32.efi  (xorboot.efi)

efi\ boot\bootx64.efi   (xorboot.efi)

efi\ boot\xorboot.xor

 

efi\xorboot\back.bmp

efi\xorboot\hilight.bmp

efi\xorboot\xorboot.xor

-----------------------------------------

 

AFAIK, we can first UEFI boot by using GRUB2 menu and then chainload to 'xorboot.efi'.

 

Similarly Can we not first Secure UEFI boot to Microsoft Official 'bootx64.efi' and then add EFI boot entries in EFI BCD to chainload 'xorboot.efi' and 'grub64.efi' ?

 

Regards..

[Wonko the Sane]

Similarly Can we not first Secure UEFI boot to Microsoft Official 'bootx64.efi' and then add EFI boot entries in EFI BCD to chainload 'xorboot.efi' and 'grub64.efi' ?

No.
The whole idea of Secure boot is that all elements in the boot chain need to be signed, if you insert in it a non-signed element (like xorboot) the system won't boot.

Various versions of GRUB2 are signed (through a "shim") see for example:
http://www.rodsbooks...secureboot.html
https://fedoraprojec...wiki/Secureboot
https://wiki.ubuntu....Team/SecureBoot

you would have the same issue should you be attempting to use a non-signed version of GRUB2.

Mind you the matter IS very complex , but the above is the base, and at least until it will be possible to disable SecureBoot, staying clear of it (actually also - if possible - staying clear of EFI and any Windows past 7) would be a good idea , see also the conclusions here:
http://www.rodsbooks...html#conclusion

Hopefully before or later someone will come out with actual working EFI/UEFI firmware implementations, the procedure of signing boot time software will become "human" and "doable" .


Wonko

[devdevadev]

From where I can get latest signed version of GRUB2 which will allow me to Secure UEFI boot through a "shim" ?

 

Should I download 'shim-signed_1.13.tar.xz' and rename 'shim.efi.signed' file to 'bootx64.efi' in order to Secure UEFI booting ?

[Wonko the Sane]

From where I can get latest signed version of GRUB2 which will allow me to Secure UEFI boot through a "shim" ?

Good question, most probably from Ubuntu, but you could get it instead from UEFI_MULTI:
http://reboot.pro/to...boot-usb-drive/
maybe it won't be "latest", but if it works what is the need for the "latest"?

BTW (and possbly a bit OT) it seems like "latest-latest" will not be good anymore, an interesting piece of misinformation:
http://www.pcworld.c...indows-pcs.html
though it seems like the good Canonical guys are really going to fix this non-problem (actually most probably creating some new, huge ones) :
https://wiki.ubuntu....Team/SecureBoot
https://bugs.launchp...b2/ bug/1401532
 

Should I download shim-signed_1.13.tar.xz' and rename 'shim.efi.signed' file to 'bootx64.efi' in order to Secure UEFI booting ?

If you think it is a good idea , just do it.

Spoiler

Sometimes senseless random attempts provide interesting information .


Wonko

[devdevadev]

Does 32-bit Signed GRUB2 (Shim based) also exist ?

 

Which OS currently uses both 32-bit and 64-bit Singed GRUB2 bootloader to support Secure UEFI Boot in both 32-bit and 64-bit UEFI machines ?

[Wonko the Sane]

Does 32-bit Signed GRUB2 (Shim based) also exist ?
 
Which OS currently uses both 32-bit and 64-bit Singed GRUB2 bootloader to support Secure UEFI Boot in both 32-bit and 64-bit UEFI machines ?

Generic question:
How many machines do you have that are EFI/UEFI ONLY and 32-bit AND require SecureBoot?

Explanation:
Most (like 99.999%) devices that use EFI/UEFI are 64 bit.
The 0.001% remaining may be 32 bit and requite secure boot, they are generally tablets like (examples) :

 

Dell Venue 8, 11 Pro, Toshiba Encore, Acer w3, w4, Lenovo miix, and the asus transformer a100

It would make more sense to look for a specific model that has already been tested, and start from there:

http://askubuntu.com...fi-boot-support
http://www.jfwhome.c...rmer-book-t100/

http://www.jfwhome.c...he-asus-t100ta/



Wonko

[devdevadev]

OK...Thanks for the useful stuff.I have download 32-bit 'bootia32.efi' from following link but It require to disable Secure Boot ? I think it is not Signed ?

 

https://github.com/j...ot/bootia32.efi

I am looking for a Singed 32-bit GRUB2 'bootia32.efi' which will work on 'Secure UEFI Boot'.....

[Wonko the Sane]

OK...Thanks for the useful stuff.I have download 32-bit 'bootia32.efi' from following link but It require to disable Secure Boot ? I think it is not Signed ?
 
https://github.com/j...ot/bootia32.efi
I am looking for a Singed 32-bit GRUB2 'bootia32.efi' which will work on 'Secure UEFI Boot'.....

 
I understand what you asked, but you did not reply to my questions (you are of course very welcome to ignore them, but the idea of asking question revolves around the expectation that hopefully they are answered. .
 
Which specific make/model of device do you intend to use it for?
Which specific make/model of device do you have handy to actually test it?
Which specific OS do you intend to boot on such devices?
 
Or is it - as often happens with you - a purely theoretical questions and you have not any device to test it on?
 
WHY EXACTLY you cannot disable Secure Boot on the specific device/for the specific OS?
 
Second explanation:
It is extremely rare to find devices that are actually 32 bit (thus needing a 32 bit UEFI loader) that also need Secure Boot (actually I cannot name a single one) and an OS that is built in such a way that it respects the whole Secure Boot chain.
Before looking for a solution to a problem, you should be very sure that the problem actually exists.
 
This said, let me rephrase the answers to your previous questions:
 
 
 

Does 32-bit Signed GRUB2 (Shim based) also exist ?

No.
 
 

Which OS currently uses both 32-bit and 64-bit Singed GRUB2 bootloader to support Secure UEFI Boot in both 32-bit and 64-bit UEFI machines ?

None.
 

Wonko

[devdevadev]

Sorry.....I forget to mention about model...

 

It's 'Asus Transformer a100' of my friend which came with 'Windows 8.1' and he want to dual boot 'Ubuntu' along with 'Windows'. He can boot 'Windows 8.1' without disabling Secure Boot. But if I install 'Ubuntu' in his system then he have to disable Secure Boot in order to boot 'Ubuntu' ??? He prefer to Enable 'Secure Boot'. It's why I am looking for a 32-bit Signed GRUB2 so that I can install Dual boot of 'Ubuntu' and 'Windows' with Secure boot. If any way to do it.....then I was also thinking to install 'Fedora' too....

 

But now It's looking that he had to 'Disable Secure Boot' in order to triple boot 'Ubuntu' , 'Windows ' and 'Fedora' ?

 

I have recently read about 'Fedlet' OS. It's looking It support Secure 32-bit UEFI Booting ?? Is it's bootloader signed ?

 

https://www.happyass...-trail-tablets/