loading Corepure64 with GRUB2 and shim under secure boot UEFI

[shuly]

Hi,
I couldn't find concrete answer to whether it is possible or not to load Corepure64 with GRUB2 and shim under secure boot enabled UEFI system.
Also, I would like your help to understand if there's an option to load it "out-of-the-box" without self-signing the kernel?

Thx

[pek]

Hi,
Short answer:
1. Loading Corepure64 with GRUB2 works under UEFI without signature check.
2. Loading any OS with GRUB2 does not work under UEFI with signature check.

I don't know the explanation behind it. I just observed through my experiences.
So, I booted many different PCs, Macs, Chromebooks, Surfaces etc over the years and I noticed NO OS can be booted when the secure boot is set to on.
Some not even allow to read the USB stick.

But when I change the secure boot setting, to "allow untrusted devices" everything works. Still in the UEFI mode.

Sorry I'm not familiar with the terms.. But you know there are UEFI settings, to enable secure boot and disable it, but still using UEFI.

[Juanito]

I believe it should be possible, but I’ve never tried.

[aus9]

some members may have a bios that does not allow them to turn off secure boot.

shuly
Is that the issue for you?

BTW UEFI is not the virtuous saviour  some users might think. malware has been discovered in the EFI/UEFI system example link
https://www.tomshardware.com/news/moonbounce-malware-hides-in-your-bios-chip-persists-after-drive-formats

Kaspersky has observed the growth of Unified Extensible Firmware Interface (UEFI) firmware malware threats since 2019, with most storing malware on the EFI System Partition of the PC's storage device

I have a W10 drive and still use MBR and W10 installs fine on it without complaining of needing an EFI partition. In case you are interested in preventing EFI/UEFI based malware firmware. I bought a key from some well known companies that do deals for legit keys that other companies no longer need etc

or you can leave W10 un-activated?

[patrikg]

When installing Win11 you can disable the need of tpm and so on.
You can install this reg file if you can make some floppy or cd/dvd drive to get the reg file when installing.
You have to press <SHIFT><F10> to get to the command line in windows setup.
And then type in regedit D:\regfile.reg to import the keys.
File content:

Code: (ini) [Select]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig]
"BypassTPMCheck"=dword:00000001
"BypassSecureBootCheck"=dword:00000001
"BypassRAMCheck"=dword:00000001
"BypassStorageCheck"=dword:00000001

[patrikg]

When installing Win11 you can disable the need of tpm and so on.
You can install this reg file if you can make some floppy or cd/dvd drive to get the reg file when installing.
You have to press <SHIFT><F10> to get to the command line in windows setup.
And then type in regedit D:\regfile.reg to import the keys.
File content:

Code: (ini) [Select]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig]
"BypassTPMCheck"=dword:00000001
"BypassSecureBootCheck"=dword:00000001
"BypassRAMCheck"=dword:00000001
"BypassStorageCheck"=dword:00000001

Sorry for missing one line:
cat bypass11.reg

Code: (ini) [Select]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig]
"BypassTPMCheck"=dword:00000001
"BypassSecureBootCheck"=dword:00000001
"BypassRAMCheck"=dword:00000001
"BypassStorageCheck"=dword:00000001
"BypassCPUCheck"=dword:00000001
And you can do:

Code: (bash) [Select]

mkisofs -o windows11bypass.iso bypass11.reg
And think of the line endings to be correct as windows needs.
<CR><LF>
CHR(13);CHR(10)
0x0D 0x0A
I think you can use the dos2unix or more unix2dos utility to do the conversion.

Code: (bash) [Select]

cat bypass11unix.reg | unix2dos > bypass11.reg

[shuly]

Hi, thank you for all the replies!
Sadly I don't have any control of the installed Windows (10) installation image, and TPM must be enabled. Currently I'm just targeting loading TinyCore (the smallest available in size) instead of Windows with GRUB and secure boot enabled, while I'm running as SYSTEM on the Windows machine. :/

[Juanito]

If you search these forums on ventoy it appears to be able to load TinyCorePure64 on a secure boot system.

[Juanito]

This might be useful: https://ubs_csse.gitlab.io/secu_os/tutorials/linux_secure_boot.html

..using a signed grub, but not kernel/initrd.