Jump to content

- - - - -

Testing Super UEFIinSecureBoot Disk

mbr uefi grub2

  • Please log in to reply
5 replies to this topic

#1 alacran


    Gold Member

  • .script developer
  • 1208 posts

Posted 23 November 2019 - 12:21 AM



Some moths ago Wonko let us know about this project: http://reboot.pro/to...-uefi-bootdisk/


I went again yesterday to the page on GitHub: https://github.com/V...SecureBoot-Disk




Secure Boot is a feature of UEFI firmware which is designed to secure the boot process by preventing the loading of drivers or OS loaders that are not signed with an acceptable digital signature.

Most of modern computers come with Secure Boot enabled by default, which is a requirement for Windows 10 certification process. Although it could be disabled on all typical motherboards in UEFI setup menu, sometimes it's not easily possible e.g. due to UEFI setup password in a corporate laptop which the user don't know.

This disk, after being installed on a USB flash drive and booted from, effectively disables Secure Boot protection features and temporary allows to perform almost all actions with the PC as if Secure Boot is disabled. This could be useful for data recovery, OS re-installation, or just for booting from USB without thinking about additional steps.


On that page there is a link to download page of the project: https://github.com/V...t-Disk/releases


And also there is a link to an article written by the author https://habr.com/ru/post/446238/with additional info.


Last version available is: Super UEFIinSecureBoot Disk v3 released on March 12th 2019, just a few days after Wonko started his thread.



Super UEFIinSecureBoot Disk v3 includes:

  • Signed x86_64 Shim v13 with MokManager v13 from Fedora
  • Signed i386 Shim v15 with MokManager v13 from Fedora
  • Insecure PreLoader
  • Insecure GRUB2


Well, after this long preamble I will comment what I have done so far:




Downloaded the: Super-UEFIinSecureBoot-Disk_v3.zip   (38.5 MB)


Downloaded Balena Etcher: Etcher for Windows (x86|x64) (Portable) v1.5.63 (118 MB) from https://www.balena.io/etcher/(it seems too heavy for a portable version).


Then I used an old 4 GB USB stick to install on it Super UEFIinSecureBoot Disk v3.zip (no need to extract it), by means of Etcher. The install process erased the USB stick and created a 500 MB partition with 42.2 MB used space, partition is: primary partition Fat-32 not Active, no tag (I used GRUB2 for Vol name), MBR is GRUB2 and no PBR code on it. there is only a folder "UFI" and a file ENROLL_THIS_KEY_IN_MOKMANAGER.cer into it.


Into EFI folder I found 4 folders: BOOT, efi, grub and iso. (see attached pictures).


They recommend to enlarge this partition to let us put several Linux Live Isos on \EFI\iso


This is getting too long I better continue on next Post.



Attached Thumbnails

  • GRUB2.png
  • EFI.png

#2 alacran


    Gold Member

  • .script developer
  • 1208 posts

Posted 23 November 2019 - 02:14 AM

Preparation of booting media for tests.


Once open iso folder there are 27 folders into it with different Linux Live distro name each one to put into it the distro



Super-UEFIinSecureBoot-Disk.zip contains everything in minimal + Super Grub2 Disk + GRUB Live ISO Multiboot + One File Linux + a bunch of efi programs and drivers.


Since I assume booting all this distros has been already tested by many people and also because of lack of space on the USB stick and having the main purpose of test other boot options; I decided to not enlarge the first partition and create a second primary partition Fat-32 active, PBR is Bootmanager, on the free space, Vol name used is USB-DISK.


Then just copied from another USB stick Win10XPE_x64 (extracted, not as Iso) to the root of second partition, no need to edit BCDs on it.


Latter I opened G:\EFI\grub\grub.cfg to take a look to boot options already available and see if I was capable to add mine, when opened it with Notepad what i saw was a terrible mess impossible to understand (Linux text format), then I opened it with Notepad++ and all was looking perfectly ordered.  As Notepad is available on any PC I converted it to Windows format, (see attached picture), following is the content of grub.cfg file:




I decided to edit it and add grub4dos too, just to see how it can be done as I don't have experience dealing with grub.cfg


First thing I did was create a Iso folder on second partition (USB-DISK) to latter locate there the Isos I want to boot with grb4dos, (in fact for lack of space only added Win10XPE_x64.ISO).


On first partition (GRUB2) I created a new folder \EFI\g4d and put inside it grub.exe from grub4dos-0.4.6a-2019-09-09


This page from steve6375 has very good info about runing/calling/chainloading syslinux, GRUB2 and grub4dos from each other, it gave me a good idea of how to do it, but latter looking carefully to grub.cfg menuentries i started to have a basic understanding of how it works and added the following menuentries remarked to easy find them and the new grub.cfg is now:




And added files required (for me) to change keyboard layout and my menu.lst on the root of GRUB2 partition:






iftitle [if exist (hd0,1)/bootmgr.efi] UEFI Boot Manager Menu on USB\nFinds and runs bootmgr.efi from USB
root (hd0,1)
chainloader /bootmgr.efi


It's there only for  testing purposes on the very remote case grub.exe (from grub4dos) could run on UEFI environment.


On next post the results gotten when booting this USB stick.



Attached Thumbnails

  • Change format.png

#3 alacran


    Gold Member

  • .script developer
  • 1208 posts

Posted 23 November 2019 - 03:55 AM

Booting from CSM/MBR PC:

On this PC used for testing pourposes (MB is an old Biostar H61MGV3 Versión 7.7), I have CSM enabled and legacy boot mode is first option (but can be dissabled), UEFI boot mode is second option (but can be dissabled), there is no option to enable/dissable Secure Boot, I even don't know if there is Secure boot on this MB or if selecting CSM enabled and/or legacy boot dissables it. But Super UEFIinSecureBoot Disk do not run Mokmanager and try to install the .cer file (ENROLL_THIS_KEY_IN_MOKMANAGER.cer), so it seems Secure boot is not enabled.

When booting and applying F9 key (applicable to this MBR) during seen MBR logo, the small menu with booting options appears, having first a boot option for Boot manager on MBR internal HDD, then an option to boot from USB stick (legacy mode), and two more options for UEFI booting from the USB device, first is for first partition named as GRUB2, and a second is for second partition named as USB-DISK (as latter found during testing).


Selecting to boot from USB stick (legacy mode), shows the grub.cfg menu on screen, having as options:


Super Grub2 Disk

GRUB Live ISO Multiboot

One File Linux
Microsoft Windows Vista/7/8/8.1/10 BIOS
Run grub4dos


All of them working fine, One File Linux loads/runs a Command Line version of Linux.


If I select Microsoft Windows Vista/7/8/8.1/10 BIOS the bootmanager from second partition labeled as USB-DISK is founf first and loads \sources\boot.wim of Win10XPE_x64.


Selecting Run grub4dos opens on screen the menu.lst and all options found are available, just to test I ran Win10XPE_x64.iso from Iso folder on USB-DISK volume.


If during boot after pressing F9 key I select the first UEFI option then the grb.cfg menu appears on screen having following options:


Super Grub2 Disk

GRUB Live ISO Multiboot

One File Linux


Run grub4dos on UEFI

Microsoft Windows Vista/7/8/8.1/10 UEFI/GPT

EFI Tools

EFI Drivers



If selecting Run grub4dos on UEFI the grub.exe is executed and it opens on Command line on a black screen saying can't find menu.lst, if running vol command nothing happends, pressing ESC key it opens grub4dos internal menu.lst with options to find menu.lst, reboot and halt, then rebooted the PC


Again selecting the first UEFI option after boot + F9 and latter selecting Microsoft Windows Vista/7/8/8.1/10 UEFI/GPT it starts loading \sources\boot.wim of Win10XPE_x64 but after a few seconds it faills and BSOD, then is necesary to reboot the PC with the reboot button.

EDIT: Wrong, after looking carefully I was able to determine it found \EFI\Microsoft\Boot\bootmgfw.efi on my internal HDD boot partition from a previous test made with 10x64-WB.vhd (a wimboot VHD), then this is what it was trying to boot unsuccessfully, the mentioned file do not exists on Win10XPE_x64.


If booting + F9 and selecting second UEFI option it starts booting from USB device second partition where Win10XPE_x64 extracted is,  loading \sources\boot.wim of Win10XPE_x64 but after a few seconds it faills and BSOD, then is necesary to reboot the PC with the reboot button just as previous try.



Edited by alacran, 23 November 2019 - 08:51 AM.

  • ReTokener likes this

#4 alacran


    Gold Member

  • .script developer
  • 1208 posts

Posted 23 November 2019 - 08:26 AM

Then I decided to test the USB device booting on another PC, also old but not as much as the one used on previous tests, at least on this MB the UEFI Bios is more modern as it has a nice GUI and is mouse capable, the MB config was similar to previous test but on this MB there is available the option to disable Secure Boot and it is disabled as all my PCs at home are running on CSM/MBR config.


This time I made some pictures, the last one UEFI boot from second partition.png is from Win10XPE-x64 extracted on root of second partition, when selecting the second option to UEFI boot from USB device (booting from the second partition), to make sure it was booting as UEFI, I opened BootIce ans selected UEFI Tab, this do not give any options to edit when on MBR, so this way I made sure it booted as UEFI.


To make the history short almos all worked fine this time, with only two exceptions:

  • Booting Windows from UEFI did not work as there is not any UEFI install on internal disk of this PC.
  • grub.exe from grub4dos-0.4.6a-2019-09-09 behaviour was the same as before.

The respective menuentry on grub.cfg is:


menuentry "Microsoft Windows Vista/7/8/8.1/10 UEFI/GPT" {
        search --no-floppy --file /EFI/Microsoft/Boot/bootmgfw.efi --set temproot
        chainloader "($temproot)/EFI/Microsoft/Boot/bootmgfw.efi"


Then it is trying to find and latter run  \EFI\Microsoft\Boot\bootmgfw.efi but this file is created during UEFI Windows install or by running:


bcdboot C:\Windows /s S: /f ALL        >>>>>    This applies when running it on CSM/MBR (my case on first PC tests).


bcdboot C:\Windows /s S: /f UEFI       >>>>>    This applies when running it on any PC


bcdboot C:\Windows /s S:                  >>>>>    This applies when running it on UEFI PCs


When creating BOOT + EFI files on the boot partition called by MS System partition.



Windows Boot Manager Settings for UEFI

Windows Boot Manager ({bootmgr}) manages the boot process. UEFI-based systems contain a firmware boot manager, Bootmgfw.efi, that loads an EFI application that is based on variables that are stored in NVRAM.

The BCD settings for the device and path elements in Windows Boot Manager indicate the firmware boot manager. The template that is named BCD-template for Windows includes the following settings for Windows Boot Manager.

## Windows Boot Manager

identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager

Source: https://docs.microso...dowsbootmanager


To be honest this is the first time I see this info, I have always edited the BCD located on \EFI\Microsoft\Boot\BCD by means of BootIce removing/adding new entries pointing to \Windows\system32\winload.efi, when dealing with VHDs and WinPEs and never took a look to other files on that folder.


Then I can conclude:

  • To test booting an UEFI install (even with Secure Boot disabled to not be required to install the *.cer), I need to have a real UEFI install on a PC and I don't have any available.
  • grub.exe is not capable to see the disks (and find menu.lst) when booting in UEFI, see attached pictures.

Then to test this on a real UEFI install I need a volunteer, I can't do it as I don't have any UEFI install.



Attached Thumbnails

  • Boot menu.jpg
  • Internal menulst.jpg
  • Vol command.jpg
  • UEFI boot from second partition.png

#5 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15149 posts
  • Location:The Outside of the Asylum (gate is closed)

Posted 23 November 2019 - 12:57 PM

Check this:



You are probably confusing the firmware boot manager (bootmgfw.efi), with the  Windows boot loader (winload.efi)





  • wimb and alacran like this

#6 alacran


    Gold Member

  • .script developer
  • 1208 posts

Posted 25 November 2019 - 06:56 AM

Well, now I know the MB's firmware of the first PC used for testing even if it is the last version is from 2012, and AFAIK Secure Boot was added to UEFI specs. on 2013 so it means that firmware lacks that feature, then now is only good for CSM/MBR booting.


After the last test ran on the second PC wich has proven to be more reliable for this tests, I decided to delete the second partition (labeled USB-DISK) on the USB stick and enlarged the first partition to occupy all available space, and this let my copy linuxmint-19.2-cinnamon-64bit.iso to \EFI\iso\linuxmint folder, just to tray at least a linux distro, it booted fine both ways as MBR or as UEFI as expected.


Taking a closer look to all forders into the iso folder I noticed it seems those distros Isos use syslinux loader as I saw some of them I have installed for testing, and I'm sure they use syslinux loader.


@ Wonko


Thanks for the link, it was very informative.



Also tagged with one or more of these keywords: mbr, uefi, grub2

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users