[arch-general] GRUB doesn't boot Windows behind Secure Boot
Good afternoon,

I have been using GRUB for a long time, but I'm having a strange issue. My setup consists of ArchLinux as main OS and Windows 10 and Ubuntu 12.04 as secondary OSes. Turning on Secure Boot in my firmware options results in this error when chainloading Windows:

/EndEntire file path: /ACPI(yadda)/PCI(yadda)/Sata(0,0,0)/HD(yaddayadda)/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi)/EndEntire error: cannot load image.

The strange thing is that disabling Secure Boot makes it work. Not really sure what I'm missing here.

--
Giovanni Santini
My blog: http://giovannisantini.tk
My code: https://git{hub,lab}.com/ItachiSan
My GPG: 2FADEBF5

On Mon, Nov 28, 2016 at 01:13:10PM +0100, Giovanni Santini via arch-general wrote:
> Good afternoon,

Good evening,

> /ACPI(yadda)/PCI(yadda)/Sata(0,0,0)/HD(yaddayadda)/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi)/EndEntire error: cannot load image.
> The strange thing is that disabling Secure Boot makes it work.

Not strange at all.

> Not really sure what I'm missing here.

I'm not familiar with GRUB anymore, but it sounds like perhaps the file bootmgfw.efi has not been signed with a key that is trusted by your board's SecureBoot feature. Hence, booting with SB enabled causes a load failure while booting without SB fixes the problem.

Like I said, not familiar with GRUB, so not sure if that file is grub's problem or not. Just a pointer to something for you to investigate.

Thanks,
David

On 29/11/2016 10:49, David Phillips wrote:
> I'm not familiar with GRUB anymore, but it sounds like perhaps the file bootmgfw.efi has not been signed with a key that is trusted by your board's SecureBoot feature. Hence, booting with SB enabled causes a load failure while booting without SB fixes the problem.
> Like I said, not familiar with GRUB, so not sure if that file is grub's problem or not. Just a pointer to something for you to investigate.
> Thanks, David

Thank you for your reply, David.

This is strange, as Secure Boot works flawlessly when booting Windows Boot Manager directly (that is also the file mentioned above!). So maybe GRUB doesn't like it anyway... I will think about it in the next days, as I also broke Windows Boot Manager (resizing the EFI partition is a nope for BCD settings, it seems). Will ping here after some progress.

--
Giovanni Santini
My blog: http://giovannisantini.tk
My code: https://git{hub,lab}.com/ItachiSan
My GPG: 2FADEBF5

On 29/11/2016 10:49, David Phillips wrote:
> I'm not familiar with GRUB anymore, but it sounds like perhaps the file bootmgfw.efi has not been signed with a key that is trusted by your board's SecureBoot feature. Hence, booting with SB enabled causes a load failure while booting without SB fixes the problem.

Hello there,

as I said previously, I would post here after getting a proper setup back. I had to fight for over a week to set up the EFI partition and Windows Boot Manager properly, but I made it somehow. So, this is what I did:

- I reset the UEFI firmware, so that everything was clean
- I installed GRUB again and I set up PreLoader and HashTool as stated at [1]
- With HashTool, I enrolled the GRUB EFI binary and also the proper Windows EFI binaries.

I still face the same error; additionally, chainloading HashTool from GRUB also gives me errors (with Secure Boot, SB from here on, turned on; I tried only with SB on, as it is useless with SB off). As before, turning off SB allows GRUB to chainload Windows flawlessly. Still, I would like to keep SB on. I'm also adding my grub.cfg file at [2].

Hope to have some feedback soon!

Regards

[1] https://wiki.archlinux.org/index.php/Secure_Boot#Set_up_PreLoader
[2] http://paste.ubuntu.com/23594049/

--
Giovanni Santini
My blog: http://giovannisantini.tk
My code: https://git{hub,lab}.com/ItachiSan
My GPG: 2FADEBF5