Author Topic: loading Corepure64 with GRUB2 and shim under secure boot UEFI (Read 2515 times)

shuly · « **on:** May 15, 2023, 03:05:19 AM »

Hi,
I couldn't find concrete answer to whether it is possible or not to load Corepure64 with GRUB2 and shim under secure boot enabled UEFI system.
Also, I would like your help to understand if there's an option to load it "out-of-the-box" without self-signing the kernel?

Thx

pek · « **Reply #1 on:** May 15, 2023, 07:15:48 AM »

Hi,
Short answer:
1. Loading Corepure64 with GRUB2 works under UEFI without signature check.
2. Loading any OS with GRUB2 does not work under UEFI with signature check.

I don't know the explanation behind it. I just observed through my experiences.
So, I booted many different PCs, Macs, Chromebooks, Surfaces etc over the years and I noticed NO OS can be booted when the secure boot is set to on.
Some not even allow to read the USB stick.

But when I change the secure boot setting, to "allow untrusted devices" everything works. Still in the UEFI mode.

Sorry I'm not familiar with the terms.. But you know there are UEFI settings, to enable secure boot and disable it, but still using UEFI.

Juanito · « **Reply #2 on:** May 15, 2023, 10:34:06 AM »

I believe it should be possible, but I’ve never tried.

aus9 · « **Reply #3 on:** May 16, 2023, 12:49:51 AM »

some members may have a bios that does not allow them to turn off secure boot.

shuly
Is that the issue for you?

BTW UEFI is not the virtuous saviour some users might think. malware has been discovered in the EFI/UEFI system example link
https://www.tomshardware.com/news/moonbounce-malware-hides-in-your-bios-chip-persists-after-drive-formats

Quote

Kaspersky has observed the growth of Unified Extensible Firmware Interface (UEFI) firmware malware threats since 2019, with most storing malware on the EFI System Partition of the PC's storage device

I have a W10 drive and still use MBR and W10 installs fine on it without complaining of needing an EFI partition. In case you are interested in preventing EFI/UEFI based malware firmware. I bought a key from some well known companies that do deals for legit keys that other companies no longer need etc

or you can leave W10 un-activated?

patrikg · « **Reply #4 on:** May 16, 2023, 10:06:02 AM »

When installing Win11 you can disable the need of tpm and so on.
You can install this reg file if you can make some floppy or cd/dvd drive to get the reg file when installing.
You have to press <SHIFT><F10> to get to the command line in windows setup.
And then type in regedit D:\regfile.reg to import the keys.
File content:

Code: (ini) [Select]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig]
"BypassTPMCheck"=dword:00000001
"BypassSecureBootCheck"=dword:00000001
"BypassRAMCheck"=dword:00000001
"BypassStorageCheck"=dword:00000001

patrikg · « **Reply #5 on:** May 16, 2023, 02:58:04 PM »

Quote from: patrikg on May 16, 2023, 10:06:02 AM

When installing Win11 you can disable the need of tpm and so on.
You can install this reg file if you can make some floppy or cd/dvd drive to get the reg file when installing.
You have to press <SHIFT><F10> to get to the command line in windows setup.
And then type in regedit D:\regfile.reg to import the keys.
File content:
Code: (ini) [Select]
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig] "BypassTPMCheck"=dword:00000001 "BypassSecureBootCheck"=dword:00000001 "BypassRAMCheck"=dword:00000001 "BypassStorageCheck"=dword:00000001

Sorry for missing one line:
cat bypass11.reg

Code: (ini) [Select]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig]
"BypassTPMCheck"=dword:00000001
"BypassSecureBootCheck"=dword:00000001
"BypassRAMCheck"=dword:00000001
"BypassStorageCheck"=dword:00000001
"BypassCPUCheck"=dword:00000001

And you can do:

Code: (bash) [Select]

mkisofs -o windows11bypass.iso bypass11.reg

And think of the line endings to be correct as windows needs.
<CR><LF>
CHR(13);CHR(10)
0x0D 0x0A
I think you can use the dos2unix or more unix2dos utility to do the conversion.

Code: (bash) [Select]

cat bypass11unix.reg | unix2dos > bypass11.reg

shuly · « **Reply #6 on:** May 18, 2023, 03:42:45 AM »

Hi, thank you for all the replies!
Sadly I don't have any control of the installed Windows (10) installation image, and TPM must be enabled. Currently I'm just targeting loading TinyCore (the smallest available in size) instead of Windows with GRUB and secure boot enabled, while I'm running as SYSTEM on the Windows machine. :/

Juanito · « **Reply #7 on:** May 18, 2023, 03:56:56 AM »

If you search these forums on ventoy it appears to be able to load TinyCorePure64 on a secure boot system.

Juanito · « **Reply #8 on:** May 18, 2023, 04:04:51 AM »

This might be useful: https://ubs_csse.gitlab.io/secu_os/tutorials/linux_secure_boot.html

..using a signed grub, but not kernel/initrd.

Tiny Core Linux

News:

Author Topic: loading Corepure64 with GRUB2 and shim under secure boot UEFI (Read 2515 times)

shuly

loading Corepure64 with GRUB2 and shim under secure boot UEFI

pek

Re: loading Corepure64 with GRUB2 and shim under secure boot UEFI

Juanito

Re: loading Corepure64 with GRUB2 and shim under secure boot UEFI

aus9

Re: loading Corepure64 with GRUB2 and shim under secure boot UEFI

patrikg

Re: loading Corepure64 with GRUB2 and shim under secure boot UEFI

patrikg

Re: loading Corepure64 with GRUB2 and shim under secure boot UEFI

shuly

Re: loading Corepure64 with GRUB2 and shim under secure boot UEFI

Juanito

Re: loading Corepure64 with GRUB2 and shim under secure boot UEFI

Juanito

Re: loading Corepure64 with GRUB2 and shim under secure boot UEFI