Tiny Core Linux
Tiny Core Base => Corepure64 => Topic started by: shuly on May 15, 2023, 03:05:19 AM
-
Hi,
I couldn't find a concrete answer as to whether it is possible to load Corepure64 with GRUB2 and shim on a UEFI system with secure boot enabled.
Also, I would like your help to understand if there's an option to load it "out-of-the-box" without self-signing the kernel?
Thx
-
Hi,
Short answer:
1. Loading Corepure64 with GRUB2 works under UEFI without signature check.
2. Loading any OS with GRUB2 does not work under UEFI with signature check.
I don't know the explanation behind it. I just observed through my experiences.
So, I booted many different PCs, Macs, Chromebooks, Surfaces etc over the years and I noticed NO OS can be booted when the secure boot is set to on.
Some do not even allow reading the USB stick.
But when I change the secure boot setting to "allow untrusted devices", everything works. Still in UEFI mode.
Sorry, I'm not familiar with the terms. But you know there are UEFI settings to enable secure boot and to disable it while still using UEFI.
-
I believe it should be possible, but I’ve never tried.
-
Some members may have a BIOS that does not allow them to turn off secure boot.
shuly
Is that the issue for you?
BTW, UEFI is not the virtuous saviour some users might think. Malware has been discovered in the EFI/UEFI system; example link:
https://www.tomshardware.com/news/moonbounce-malware-hides-in-your-bios-chip-persists-after-drive-formats
Kaspersky has observed the growth of Unified Extensible Firmware Interface (UEFI) firmware malware threats since 2019, with most storing malware on the EFI System Partition of the PC's storage device.
I have a W10 drive and still use MBR and W10 installs fine on it without complaining of needing an EFI partition. In case you are interested in preventing EFI/UEFI based malware firmware. I bought a key from some well known companies that do deals for legit keys that other companies no longer need etc
or you can leave W10 un-activated?
-
When installing Win11 you can disable the need for TPM and so on.
You can install this reg file if you can make some floppy or cd/dvd drive to get the reg file when installing.
You have to press <SHIFT><F10> to get to the command line in windows setup.
And then type in regedit D:\regfile.reg to import the keys.
File content:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig]
"BypassTPMCheck"=dword:00000001
"BypassSecureBootCheck"=dword:00000001
"BypassRAMCheck"=dword:00000001
"BypassStorageCheck"=dword:00000001
-
Sorry for missing one line:
cat bypass11.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig]
"BypassTPMCheck"=dword:00000001
"BypassSecureBootCheck"=dword:00000001
"BypassRAMCheck"=dword:00000001
"BypassStorageCheck"=dword:00000001
"BypassCPUCheck"=dword:00000001
And you can do:
mkisofs -o windows11bypass.iso bypass11.reg
And make sure the line endings are correct, as Windows needs:
<CR><LF>
CHR(13);CHR(10)
0x0D 0x0A
I think you can use the dos2unix, or rather the unix2dos, utility to do the conversion.
cat bypass11unix.reg | unix2dos > bypass11.reg
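Added example, not part of the original post: a small Python check that reports which line endings a .reg file uses, converts it to CRLF the way unix2dos would, and lists the DWORD values set under the LabConfig key, which is also a quick way to audit install media for these check overrides. The function names and the sample bytes are constructed for illustration, and the file is assumed to be plain ASCII/ANSI text rather than a UTF-16 export.

```python
import re

# Constructed sample: part of the .reg text from the post, saved with Unix (LF) endings.
SAMPLE_LF = (
    b"Windows Registry Editor Version 5.00\n"
    b"[HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\LabConfig]\n"
    b'"BypassTPMCheck"=dword:00000001\n'
    b'"BypassSecureBootCheck"=dword:00000001\n'
)

KEY_RE = re.compile(r'^\[(.+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def line_endings(data: bytes) -> str:
    """Classify line endings as 'crlf', 'lf', 'mixed' or 'none'."""
    crlf = data.count(b"\r\n")
    lf = data.count(b"\n") - crlf  # bare 0x0A not preceded by 0x0D
    if crlf and lf:
        return "mixed"
    if crlf:
        return "crlf"
    return "lf" if lf else "none"


def to_crlf(data: bytes) -> bytes:
    """Idempotent conversion: every line ends in 0x0D 0x0A afterwards."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def labconfig_values(data: bytes) -> dict:
    """Return {value_name: int} for DWORD values under ...\\Setup\\LabConfig."""
    found, in_labconfig = {}, False
    for line in data.decode("ascii", errors="replace").splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            in_labconfig = key.group(1).upper().endswith("\\SYSTEM\\SETUP\\LABCONFIG")
            continue
        value = DWORD_RE.match(line)
        if in_labconfig and value:
            found[value.group(1)] = int(value.group(2), 16)
    return found


if __name__ == "__main__":
    fixed = to_crlf(SAMPLE_LF)
    print(line_endings(SAMPLE_LF), "->", line_endings(fixed))
    print(labconfig_values(fixed))
```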
-
Hi, thank you for all the replies!
Sadly I don't have any control of the installed Windows (10) installation image, and TPM must be enabled. Currently I'm just targeting loading TinyCore (the smallest available in size) instead of Windows with GRUB and secure boot enabled, while I'm running as SYSTEM on the Windows machine. :/
-
If you search these forums for Ventoy, it appears to be able to load TinyCorePure64 on a secure boot system.
-
This might be useful: https://ubs_csse.gitlab.io/secu_os/tutorials/linux_secure_boot.html
..using a signed grub, but not kernel/initrd.