Comment 11 for bug 1091464

Rod Smith (rodsmith) wrote: Re: Unable to chainload Windows 8 with Secure Boot enabled

I don't have a fix for GRUB, but you *should* be able to work around the problem by using my rEFInd boot manager (http://www.rodsbooks.com/refind/):

1. In Linux, install the rEFInd Debian package.
2. Check the /boot/efi/EFI/refind directory. It should contain *either* a refind_x64.efi file *or* a shim.efi file and a grubx64.efi file.
3. If there's a refind_x64.efi file, rename it to grubx64.efi. That's rEFInd, despite the filename.
4. Download version 0.2 of shim from its download site (http://www.codon.org.uk/~mjg59/shim-signed/). (Note that Ubuntu ships with shim 0.1, which is useless for the procedure I'm describing.) Use either the shim-signed.tgz or shim-signed-0.2.tgz files; they're identical. Alternatively, you could use Fedora's or OpenSuSE's version of shim 0.2.
5. Copy shim.efi from the shim package to /boot/efi/EFI/refind, overwriting shim.efi if it's already present.
6. Copy MokManager.efi from the shim package to /boot/efi/EFI/refind.
7. Use efibootmgr to add shim to the NVRAM boot options, as in "efibootmgr -c -l '\EFI\refind\shim.efi' -L rEFInd". (You *should* be able to skip this step if you installed rEFInd with Secure Boot enabled.)
8. Reboot. You'll see the MokManager menu appear. Use it to add the keys for both rEFInd and Canonical to the MOK list. (If you have the right software installed, the rEFInd installer will re-sign the rEFInd binaries with locally-generated keys, in which case you should enroll your local public key instead of or in addition to the rEFInd key. IIRC, it's called refind_local.cer.) I'm afraid the MokManager user interface is dreadful; it makes an Apple II's UI look advanced. All the keys should be in the EFI\refind\keys directory of the ESP, which is probably the first partition in the list. You need the .der and .cer keys.
9. When you exit MokManager, the computer could boot Windows, launch rEFInd, reboot, or even hang. If it does anything but launch Linux, reboot.
10. When you reboot, rEFInd should come up as your default boot manager, and it should enable you to boot either Linux or Windows with Secure Boot active. You can verify that Secure Boot is active from the rEFInd information screen. (Check the "platform" line.)

For more information, as well as variants on this procedure involving the Linux Foundation's PreLoader rather than shim, see the rEFInd page on Secure Boot:

http://www.rodsbooks.com/refind/secureboot.html
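The following POSIX shell helpers are an added example for steps 2, 3, 5, 6, 8 and 10 above; they are not part of Rod Smith's comment or of the rEFInd project. They check that an EFI/refind directory has the layout the procedure expects (renaming refind_x64.efi to grubx64.efi when needed, and verifying that shim.efi, MokManager.efi and some .cer/.der keys are present) and read the Secure Boot state from an efivarfs variable file, which is the kernel-side equivalent of the rEFInd "platform" line. The directory and efivar paths are parameters, and the script builds a constructed sample tree with empty placeholder files so it runs offline; the real locations are /boot/efi/EFI/refind and /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c, and the key filenames in the sample are placeholders, not the exact names rEFInd ships.

```shell
#!/bin/sh
# Added example, not code from the bug report or from rEFInd.
# Checks an EFI/refind directory against the layout described in the
# comment, and reads Secure Boot state from an efivarfs file.

# normalize_refind_dir DIR: step 3. If the Debian package left a
# refind_x64.efi and there is no grubx64.efi yet, rename it so shim
# will chainload rEFInd under that name. Returns 0 if grubx64.efi exists.
normalize_refind_dir() {
    dir=$1
    if [ -f "$dir/refind_x64.efi" ] && [ ! -f "$dir/grubx64.efi" ]; then
        mv "$dir/refind_x64.efi" "$dir/grubx64.efi"
    fi
    [ -f "$dir/grubx64.efi" ]
}

# check_refind_layout DIR: verify what steps 3, 5, 6 and 8 expect.
# Reports each missing piece on stderr; returns 0 only when complete.
check_refind_layout() {
    dir=$1
    missing=0
    for f in grubx64.efi shim.efi MokManager.efi; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    # Step 8: MokManager enrolls keys from keys/, in .cer or .der form.
    have_key=0
    for k in "$dir"/keys/*.cer "$dir"/keys/*.der; do
        if [ -f "$k" ]; then have_key=1; fi
    done
    if [ "$have_key" -eq 0 ]; then
        echo "missing: no .cer/.der keys under $dir/keys" >&2
        missing=1
    fi
    return $missing
}

# secure_boot_state FILE: print "enabled", "disabled" or "unknown".
# An efivarfs file is 4 bytes of variable attributes followed by the
# variable data; SecureBoot's data is one byte, 1 when active.
secure_boot_state() {
    file=$1
    [ -r "$file" ] || { echo unknown; return 2; }
    byte=$(od -An -tu1 -j4 -N1 "$file" | tr -d ' ')
    if [ "$byte" = "1" ]; then echo enabled; else echo disabled; fi
}

# make_sample_esp: constructed stand-in for the ESP so the checks can
# run offline. Files are empty placeholders, not real binaries or keys.
make_sample_esp() {
    root=$(mktemp -d)
    mkdir -p "$root/EFI/refind/keys"
    : > "$root/EFI/refind/refind_x64.efi"          # as installed by the package
    : > "$root/EFI/refind/shim.efi"                # shim 0.2 copied in step 5
    : > "$root/EFI/refind/MokManager.efi"          # copied in step 6
    : > "$root/EFI/refind/keys/refind-placeholder.cer"     # placeholder names
    : > "$root/EFI/refind/keys/canonical-placeholder.der"
    # Constructed SecureBoot variable: attributes 0x07,0,0,0 then data byte 1.
    printf '\007\000\000\000\001' > "$root/SecureBoot-sample"
    echo "$root"
}

# Demo run against the constructed tree.
esp=$(make_sample_esp)
normalize_refind_dir "$esp/EFI/refind" && check_refind_layout "$esp/EFI/refind" \
    && echo "layout ok: $esp/EFI/refind"
echo "Secure Boot: $(secure_boot_state "$esp/SecureBoot-sample")"
rm -rf "$esp"
```

On a real system, point the first two functions at /boot/efi/EFI/refind (as root) and the third at the SecureBoot efivarfs file; a result of "disabled" after step 10 means the firmware booted with Secure Boot off, regardless of what the boot manager shows.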