Unable to chainload Windows 8 and 10 with Secure Boot enabled

Bug #1091464 reported by NeerajC
This bug affects 92 people
Affects | Status | Importance | Assigned to | Milestone
grub2 (Ubuntu) | Confirmed | Undecided | Unassigned |

Bug Description

I've been working with Yannubuntu and he suggested I post a bug here. Here's what I did.

Received a brand new Dell XPS13 laptop with Windows8 pre-installed with both UEFI and SecureBoot enabled. After playing around, decided to wipe everything and create a dual boot configuration with both Windows 8 and Ubuntu 12.10. Steps:

1. Install Windows 8 via Dell supplied recovery media in UEFI mode. The installer will create the /boot/efi, recovery and main partition.
2. Use Windows 8 to resize hard drive down to 50GB. Use the rest for Ubuntu.
3. Verify the computer boots successfully to Windows 8 with UEFI and Secure Boot enabled.
4. Boot with USB Ubuntu install media and select 'do something else' to create partitions and indicate /boot/efi
5. Let the install complete. Normally here, I run boot repair because the signed bootloader doesn't seem to install. In boot repair, I use advanced options, indicate where the EFI boot should go, primary OS (ubuntu) and select SecureBoot.
6. Now, everything is configured as I want it. Upon boot up, the computer will boot to grub and then I can go to either Ubuntu or Windows UEFI.
7. Upon selecting Windows UEFI, I get the error:

 /EndEntire
file path: /ACPI(a0341d0,0)/PCI(2,1f)/UnknownMessaging(12)/HD(2,96800,32000,7c043777b8608641,87,f6)/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi)/EndEntire
error: cannot load image

8. If I swap the order in the BIOS to boot to Windows first (with UEFI and Secure Boot) it directly boots to Windows so I know the EFI boot files are working.
9. If I go back to my original configuration (e.g. Ubuntu first) with UEFI, but Secure Boot disabled, then the system is able to successfully chainload the MSFT boot files.

My gut tells me that grub is unable to chainload to an OS (or maybe just windows 8) which is expecting a secure boot to be initiated from the UEFI bios.

As a workaround, I have disabled Secure Boot, but I'd like my ultimate configuration to support Secure Booting to either Ubuntu or Windows 8 via grub.

Thanks,

Neeraj

Tags: secureboot
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2 (Ubuntu):
status: New → Confirmed
YannUbuntu (yannubuntu)
tags: added: secureboot
falstaff (falstaff) wrote :

On my Samsung Series 9 device I have exactly the same behavior.

I documented this in my blog post:
http://falstaff.agner.ch/2012/12/18/ubuntu-12-10-and-windows-8-with-secure-boot-mode/

However, I observed that my original Windows Boot Manager has a slightly different file path:

Boot0008* Windows Boot Manager HD(2,96800,32000,f1fdeac1-d057-4f3b-9f66-6f74eb3b469b)File(\EFI\Microsoft\Boot\bootmgfw.efi)

compared to Grub:
/ACPI(a0341d0,0)/UnknownMessaging(12)/HD(2,fa800,96000,372001a2fb07f544,a3,ff)/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi).

However, the same menu entry works if I disable Secure Boot. It looks like this slightly different file path only leads to an error when UEFI tries to check the signature....

Žygimantas Beručka (zygis) wrote :

I face the same problem on an Ultrabook Series 5 laptop and confirm that items 8 and 9 do work as a workaround as described.

However, after realizing this, I started digging into a riddle why Ubuntu fails to load the 'samsung-laptop' kernel module in the UEFI mode and actually bumped into bug #1040557, a bug that should have been flagged 'nuclear' instead of 'critical,' as comment #114 puts it. Hence I decided to stop at this point for the time being and wait for reports that it is safe to use Ubuntu on my machine.

Corey B. (cbodendein) wrote :

I have a Lenovo G580 and am experiencing the exact same thing with Ubuntu 12.10.

Disappointed that this hasn't been addressed for 13.04.

renbag (renbag) wrote :

I have the same problem with an Acer V5-531. After installing ubuntu 12.04.2 I had to manually install "shim-signed grub-efi-amd64-signed linux-signed-image-generic" and do "sudo grub-install /dev/sda --uefi-secure-boot". I'm able to boot ubuntu either with or without secure boot enabled, but Windows 8 boots only with secure boot disabled, otherwise I have this error:
 /EndEntire
file path: /ACPI(a0341d0,0)/PCI(2,1f)/UnknownMessaging(12)
/HD(2,c880,96000,4cb097d41345de45,a6,f8)/File(\efi\Microsoft\Boot)/File(bootmgfw.efi)/EndEntire
error: cannot load image

Ubfan (ubfan1) wrote :

I have the same error on a Toshiba Satellite S855 S5378 with Windows 8 preinstalled. My workaround is to use a (full install) thumbdrive to boot Ubuntu 12.10 on the hard disk, and to pull the thumbdrive to boot Windows -- all in secure mode. Windows boots attempted from the thumbdrive give the error message. The grub command "ls" will find the files, but chainloader will not succeed in running them.

Fpfilko (fpfilko) wrote :

The same problem on my Lenovo G580, but I cannot disable UEFI, because the BIOS setup entry disappeared from the boot list after installing Ubuntu in UEFI mode.

Dela De Youngster (dela-deyoungster) wrote :

Similar issue here too on an Acer V3-571 with Ubuntu 12.04.2 LTS and Windows 8.

Ubfan (ubfan1) wrote :

A second workaround, more convenient than the USB boot, is to invoke the EFI device select menu, select HDD, then select ubuntu or Windows (both of which work). The ubuntu selection starts grub, but from grub, the Windows boot still fails with the above chainloader error.

With the number of different brands mentioned in this bug, I begin to doubt the problem is vendor related. Maybe something we did caused this, so here's what I did:

My first install was to a USB stick without an EFI partition (used HD EFI, booted Ubuntu OK, did not boot Windows, and killed the Windows boot off the hard disk when not present). Installed to (prepared HD) in this condition, worked, but got a grub install error (Windows boot worked again). Installed to USB again after putting on an EFI partition, the install still mounted the HD EFI, which I manually unmounted and replaced with the USB EFI (this worked). At this point, the HD /EFI/ubuntu directory was corrupted, so had to manually delete it and replace the signed binaries. The USB would boot Ubuntu, but not Windows, and the HD would boot Windows (default). Using efibootmgr -v, I could see that the ubuntu boot was set up wrong, trying to boot grub instead of shim -- but much to my surprise, it still booted, so I surmise a silent failure, then a fallback to the /EFI/Boot/bootx64.efi (which was a copy of shim) which succeeded. I manually added (grub-install --uefi-secure-boot /dev/sda) a correct shim boot path, which worked too. I normally now enter F12 to select ubuntu or Windows. Not a totally clean history, but on the other hand, the machine has never been out of secure boot, I have never run boot-repair, and the only EFI variable manipulation I have done is through grub-install.

Martin Haynes (martin-haynes) wrote :

Confirmed on Samsung Series 7.

I renamed /EFI/Microsoft/Boot/bootmgfw.efi as /EFI/ubuntu/grubx64.efi to confirm that no keystore or signature validation issues were at work during the Secure Boot failures. This worked as expected, booting win2k12 without issue. **Note that this test obviously makes grub unavailable on reboot. I wouldn't suggest anyone attempt this with an in-use install.

I then performed a clean install of 13.04 to back out the signed grub efi loaders and boot-repair changes, disabled os-probing and did a sudo update-grub to clean up the loader menu.

Finally, my workaround was also to rely on the EFI NVRAM configuration but instead of simply relying on shuffling between HDD and "ubuntu", I created new efibootmgr entries for Windows 8 and my recovery partition. So effectively, I am now using the UEFI POST menu as a boot loader.

Hopefully, the Samsung nvram bug and the resulting (unwanted) attention will mean a quick fix.

Rod Smith (rodsmith) wrote :

I don't have a fix for GRUB, but you *should* be able to work around the problem by using my rEFInd boot manager (http://www.rodsbooks.com/refind/):

1. In Linux, install the rEFInd Debian package.
2. Check the /boot/efi/EFI/refind directory. It should contain *either* a refind_x64.efi file *or* a shim.efi file and a grubx64.efi file.
3. If there's a refind_x64.efi file, rename it to grubx64.efi. That's rEFInd, despite the filename.
4. Download version 0.2 of shim from its download site (http://www.codon.org.uk/~mjg59/shim-signed/). (Note that Ubuntu ships with shim 0.1, which is useless for the procedure I'm describing.) Use either the shim-signed.tgz or shim-signed-0.2.tgz files; they're identical. Alternatively, you could use Fedora's or OpenSuSE's version of shim 0.2.
5. Copy shim.efi from the shim package to /boot/efi/EFI/refind, overwriting shim.efi if it's already present.
6. Copy MokManager.efi from the shim package to /boot/efi/EFI/refind.
7. Use efibootmgr to add shim to the NVRAM boot options, as in "efibootmgr -c -l '\EFI\refind\shim.efi' -L rEFInd". (You *should* be able to skip this step if you installed rEFInd with Secure Boot enabled.)
8. Reboot. You'll see the MokManager menu appear. Use it to add the keys for both rEFInd and Canonical to the MOK list. (If you have the right software installed, the rEFInd installer will re-sign the rEFInd binaries with locally-generated keys, in which case you should enroll your local public key instead of or in addition to the rEFInd key. IIRC, it's called refind_local.cer.) I'm afraid the MokManager user interface is dreadful; it makes an Apple II's UI look advanced. All the keys should be in the EFI\refind\keys directory of the ESP, which is probably the first partition in the list. You need the .der and .cer keys.
9. When you exit MokManager, the computer could boot Windows, launch rEFInd, reboot, or even hang. If it does anything but launch Linux, reboot.
10. When you reboot, rEFInd should come up as your default boot manager, and it should enable you to boot either Linux or Windows with Secure Boot active. You can verify that Secure Boot is active from the rEFInd information screen. (Check the "platform" line.)

For more information, as well as variants on this procedure involving the Linux Foundation's PreLoader rather than shim, see the rEFInd page on Secure Boot:

http://www.rodsbooks.com/refind/secureboot.html

Diesel (erickit) wrote :

Confirmed.

Looking forward to seeing this work, thanks for all the good work on GRUB.

Can launch Ubuntu 13.10 with secure boot with GRUB.
Can launch Windows 8 with secure boot by selecting the hard drive to boot first.
Cannot launch Windows 8 with secure boot from GRUB. Same error as described above.

Jim Read (15jread) wrote :

Same error, Lenovo G580.

This would be especially nice for me mainly because booting off of the Windows partition doesn't work: it can't find the bootloader, and I KNOW grub can.

Donn Morrison (donn-morrison) wrote :

Same problem with a Lenovo Helix and Ubuntu 13.10. For me, disabling Secure Boot is a workaround.

valmar (valmar-lp) wrote :

Just for reference, openSUSE 12.3, which also uses grub2, works flawlessly with secure boot. It would be interesting to understand what they are doing differently and port the same approach to Ubuntu.

Andy Bovett (abovett) wrote :

I have a Dell Inspiron 15R (Ivy Bridge Core i5) and I have the same problem. I'm currently running Ubuntu 13.10 (64 bit) and Windows 8.1. Both will boot with Secure Boot disabled. With Secure Boot enabled, I can boot Ubuntu from the Grub2 menu, but not Windows (same type of error as the first post in this thread). Windows will, however, boot if I go into the UEFI menu and boot it from there.

If I can provide any further info to help on this bug, please let me know.

Steve Langasek (vorlon) wrote :

Since this bug was filed, the shim signed bootloader has been updated several times in Ubuntu. Please test with a clean install from either Ubuntu 13.10, or a daily image of Ubuntu Trusty, to check whether this problem still exists with current versions.

Also, you say the bootloader did not install when you used manual partitioning, and you subsequently used a third-party tool to configure the bootloader. The missing bootloader is probably caused by a wrong partition "usage" choice, and we can't support the output of the third-party recovery tool. Please use the guided partitioner to install Ubuntu side-by-side with Windows 8. If there are bugs in that standard install path, we need to know about them and fix them; and if your manual install went so badly that the bootloader wasn't installed, we need to rule out the possibility that the chainboot problem is related to this.

Steve Langasek (vorlon)
Changed in grub2 (Ubuntu):
status: Confirmed → Incomplete
Ubfan (ubfan1) wrote :

On a just updated 13.10 (Nov 15) getting shim-signed 1.5 and a new signed grubx64.efi 2.00..-19 I see no change in the error.
The UnknownMessage (hex 12) or decimal 18 is indeed an invalid subtype for the messaging type (last valid subtype is decimal 15), so looks like leftover garbage in the path buffer? Why is grub even in the messaging type anyway for a hard disk boot? The beginning of the reported path looks just like a network boot looks from efibootmgr -v output. Should the valid path start at the /HD...? If someone without the problem could look at the actual path chainloader is using and confirm that the /ACPI is present and working on their system, we could eliminate leftover garbage in the grub path buffer as the problem.

maria_Ub (a-ubuntu-m) wrote :

I have a fresh 13.10 installed on my Fujitsu T902 with exactly the same problem. Win8.1 cannot be found as long as SecureBoot is on. When I turn it off, I can boot Win8.1. Regarding shim: is there a way to fix it? (either Ubuntu or Win)

Circa Lucid (1-launchpad-kitik1-com) wrote :

Installed 13.10 onto a second SSD on a Lenovo Yoga 13. Booting into Win8.1 from grub works when Secure Boot is disabled. Otherwise it reports "cannot load image".

Steve Langasek (vorlon) wrote :

Ok, thanks for confirming. Definitely sounds like we have a bug in the grub2 chainload handling, that doesn't affect SuSE's build.

Changed in grub2 (Ubuntu):
status: Incomplete → Confirmed
Val (vk1266) wrote :

Confirming the exact same problem: Acer Aspire V5 with Windows 8 pre-loaded and Ubuntu 13.10 installed alongside it. With UEFI Secure Boot, Windows cannot boot from Grub - the error message is the same as described by previous observers.

Yonsung Lee (ys9607) wrote :

I'm having exactly the same issue with my new ThinkPad L440. I can't seem to be able to disable SecureBoot, so the only way to boot Windows for me is to get directly into boot options in the EFI and boot through Windows Boot Manager.

Coiby Xu (coiby) wrote :

Confirmed on Lenovo Y410p, Ubuntu 13.4.

Coiby Xu (coiby) wrote :

Adding a menuentry to grub will boot Windows 8 using Grub2 and Secure Boot. In /etc/grub.d/40_custom, put the following lines:

menuentry 'Windows 8.1 (loader) (on /dev/sda14)' {
 echo "Loading Windows 8.1"
 insmod part_gpt
 insmod fat
 insmod search_fs_uuid
 insmod chain
 search --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 44ED-7819
 chainloader (${root})/EFI/Microsoft/Boot/bootmgfw.efi
}

Notice: "44ED-7819" should be replaced by the UUID of your own EFI partition.

Coiby Xu (coiby) wrote :

This bug seems to be affected by os-prober (a utility used by grub to detect any other OSs). For details, see http://lists.debian.org/debian-boot/2012/10/msg00185.html

pauls (paulatgm) wrote :

coiby, I tried your suggestion on my Acer Aspire v5-552p and it will not work. I also tried bootmgr.efi and bootx64.

Ubfan (ubfan1) wrote :

A forums question http://ubuntuforums.org/showthread.php?t=2197141 indicated that the bug could be made to go away in secure boot by "putting the os I wanted to boot on on the top of the list of bootable drives". Now my UEFI Settings for devices does NOT contain OSes, just devices. When I select the hard disk on the efi menu, I get another window listing the OSes to boot. Maybe this second level of choice has something to do with the source of the bug.

zebul666 (zebul666) wrote :

I confirmed this bug for my Inspiron 15 (3521) with ubuntu 13.10 just installed alongside windows 8.1. Partition for ubuntu has been made by gparted with ubuntu live cd.

I refuse to disable "Secure Boot" for windows.

I work-around the bug by going to "system option" from grub etc ... to find a windows bootable partition in there instead of using grub entry.

Please fix this. I guess it's ubuntu specific.

Ubfan (ubfan1) wrote :

I also confirm that turning off secure boot on a Toshiba S855 S5378 allows grub to boot Windows 8.1 normally, avoiding the error.

NVieville (nicolas-vieville) wrote :

Hello,

Was having exactly this issue: step 7 in the bug description with a Toshiba Satellite C55-A-11Q laptop. Everything was verified, secure boot mode on, UEFI boots shimx64, shimx64 launches grub2, correct UEFI entries (using efibootmgr). Never used boot-repair. The only thing I made: adding a grub2 menu entry in a new /etc/grub.d/50_win8 file as suggested in comment #25. But Windows 8 refused to boot from Grub, only from system setup menu (F12 key).

This was resolved by upgrading the BIOS to the last version (from Toshiba support Web site - e.g. for this laptop from 1.00 to 1.30).
Now the laptop can boot, with secure boot mode on, from Grub menu: Ubuntu, Windows 8, system setup (UEFI) without any problem.

Only my two cents, there is probably a bug in the booting chain, but not only, some buggy BIOS can let you search for days a solution to this problem.

Cordially,

--
NVieville

Ivan Noris (deja-vix) wrote :

Hello,

I'm also having the "cannot load image" error with SecureBoot=enabled after the installation of Ubuntu 13.10 on Lenovo ThinkPad Edge E330 (with pre-installed Windows 8).
Windows 8 was booting normally before the installation.
Ubuntu was installed during SecureBoot=enabled from USB key.
Ubuntu is booting normally after the installation.
Windows 8 is not booting from GRUB ("cannot load image") after the installation.
I've "temporarily" disabled SecureBoot, which seems to work (both operating systems are bootable and working).

FWIW, the Ubuntu 13.10 installer did NOT detect Windows8 OS during the installation.

Ivan

Major Grubert (majorgrubert) wrote :

Confirmed on Lenovo Yoga 13, Ubuntu GNOME 14.04 beta1

Tobias G. Pfeiffer (tgpfeiffer) wrote :

(Disclaimer: I am using Fedora because I couldn't get Ubuntu to install, but I observed the same behavior.)

I have a Toshiba dynabook R734 (I guess it's only available in Japan) and it seems as if Secure Boot seems to be "stricter" on this device than what most people usually observe. With Secure Boot enabled, I can boot neither Windows nor Linux and also the approach from #25 does not help. When I disable Secure Boot, I can boot Linux fine, and while the original Grub entry for Windows still doesn't work, the code from #25 allows me to boot Windows correctly.

(Also, I can enter the UEFI settings such as "Disable Secure Boot" only when rebooting from Windows or when using a Windows Recovery disk. If I had not created the latter, I would probably have made my system unusable forever.)

Shaform (shaform) wrote :

The same bug happens with Ubuntu 14.04 64-bit and Windows 8.1 on Lenovo Thinkpad X1 Carbon.

Danny Yates (mail4danny) wrote :

Any chance of an update on this? Like the previous poster, I too have 14.04 x64 and Windows 8.1 on an X1 Carbon. And like other posters, without booting via the UEFI menu, the only way of getting into Windows is to disable secure boot.

Bass (bass) wrote :

Hello,

I can also confirm on Ubuntu 14.04 64-bit and Windows 8.1 on Lenovo Thinkpad X1 Carbon

Bass

eismaultier (eismaultier) wrote :

I have this same problem on a Thinkpad T440 with Xubuntu 14.04.1 and Windows 8.1. It works if I disable SecureBoot.

Sergej Nikolaev (kinolaev) wrote :

Same problem on Samsung 550P5C with Windows 8 and Ubuntu 14.04.1.
Config from #25 has no effect, disabling SecureBoot and updating bios too.
rEFInd works great.
I hadn't this problem before upgrading from Ubuntu 12.10.

freacert (erik-grtz) wrote :

Encountered the same problem on a Lenovo B590. Fresh install of Ubuntu 14.04.1 besides a preinstalled windows 8.0 machine. Disabling the secure boot "solved" the problem.

Knut Jähnig (knut-jaehnig) wrote :

I have the same problem with a Dell Inspiron 17 (7737, Type P24E001, Servicetag 7D4h512).

Booting into Windows works directly from EFI. (ESC in Grub2 and EXIT in console brings me back to EFI-Boot Menu). There I can run Windows 8.1 with Secure Boot on. Also Linux starts with Secure Boot on.
If I turn Secure Boot off I also can boot Win 8 within the Grub Boot Menu. I also tried #25 with no change.

The error message with Secure Boot on keeps: "cannot load image".

There seems to be a difference in the entry from the chainloader call and the one from EFI (read by: sudo efibootmgr -v)
in the error message the call was:
filepath /ACPI(a0341d0,0)/PCI2,1f)/Sata(0,0,0)/HD(1,800,fa000,423835a37539af4a,2,2)/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi)/EndEntrie
EFI(sudo efibootmgr -v): HD(1,800,fa000,a3353842-3975-4aaf-a6ed-50d49f811889)File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS....

The order of the HD()-entry seems to be mixed up!
Any idea how to fix it, test another order?
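
Added example (not part of the original comment, and not code from GRUB or efibootmgr): the two HD() nodes quoted above can be compared byte for byte once the mixed-endian on-disk layout of a GUID is taken into account. It assumes GRUB prints the first eight signature bytes in on-disk order while efibootmgr prints the full GUID in text form; the function names are hypothetical and the sample strings are constructed from the comment.

```python
import re
import uuid

# Constructed sample input, taken from the two strings quoted in the comment.
GRUB_PATH = (r"/ACPI(a0341d0,0)/PCI(2,1f)/Sata(0,0,0)"
             r"/HD(1,800,fa000,423835a37539af4a,2,2)"
             r"/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi)")
EFIBOOTMGR_PATH = (r"HD(1,800,fa000,a3353842-3975-4aaf-a6ed-50d49f811889)"
                   r"File(\EFI\Microsoft\Boot\bootmgfw.efi)")

HD_NODE = re.compile(r"HD\(([^)]*)\)")


def parse_hd_node(path):
    """Parse the first HD(...) node of a textual EFI device path.

    Returns partition number, start LBA, size in sectors and the
    signature as raw on-disk bytes (8 bytes from GRUB's short form,
    16 bytes from a textual GUID).
    """
    m = HD_NODE.search(path)
    if m is None:
        raise ValueError("no HD() node in device path")
    fields = [f.strip() for f in m.group(1).split(",")]
    if len(fields) < 4:
        raise ValueError("HD() needs partition, start, size, signature")
    sig = fields[3]
    if "-" in sig:
        # Text GUID: the first three groups are stored little-endian on disk.
        raw = uuid.UUID(sig).bytes_le
    else:
        # Assumption: plain hex is a dump of the signature bytes in disk order.
        raw = bytes.fromhex(sig)
    return {
        "partition": int(fields[0]),      # printed in decimal
        "start": int(fields[1], 16),      # printed in hex
        "size": int(fields[2], 16),       # printed in hex
        "signature": raw,
    }


def guid_text_prefix(raw):
    """Render on-disk signature bytes in the textual GUID notation."""
    if len(raw) >= 16:
        return str(uuid.UUID(bytes_le=raw[:16]))
    if len(raw) < 8:
        raise ValueError("need at least 8 signature bytes")
    d1 = int.from_bytes(raw[0:4], "little")
    d2 = int.from_bytes(raw[4:6], "little")
    d3 = int.from_bytes(raw[6:8], "little")
    return f"{d1:08x}-{d2:04x}-{d3:04x}"


def same_partition(path_a, path_b):
    """True if both paths name the same partition (geometry and signature)."""
    a, b = parse_hd_node(path_a), parse_hd_node(path_b)
    n = min(len(a["signature"]), len(b["signature"]))
    if n == 0:
        return False
    same_geometry = (a["partition"], a["start"], a["size"]) == \
                    (b["partition"], b["start"], b["size"])
    return same_geometry and a["signature"][:n] == b["signature"][:n]


if __name__ == "__main__":
    grub = parse_hd_node(GRUB_PATH)
    print("GRUB signature as GUID text:", guid_text_prefix(grub["signature"]))
    print("same partition:", same_partition(GRUB_PATH, EFIBOOTMGR_PATH))
```

For these two strings the HD() nodes agree, so the apparent reordering is only a difference in how the same GUID bytes are printed.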

Aptorian (christopher-kahn) wrote :

Same thing happens with my Thinkpad T440s. Fresh install of Ubuntu GNOME 14.04.1 after a fresh install of Windows 8.1.

I receive the exact same error message above when attempting to chainload Windows boot manager from GRUB.

Like the others above, I too can boot directly into either Windows or Ubuntu using my system BIOS to choose a different boot device.

zebul666 (zebul666) wrote :

with ubuntu 14.10, the bug is still there. Please fix this

Ivo Cavalcante (ivo-cavalcante) wrote :

Confirmed using 14.04, same as the others.

Chen Chen (aflyhorse-8) wrote :

Confirmed on a fresh installation of Ubuntu 14.10 on Lenovo Y480.

Error Code is:
/EndEntire
file path: /ACPI(xxxx)/PCI(2,if)/Sata(1,0,0)/HD(2,xxxxx)/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi)/EndEntire

Problem is persistent after apt-get update && apt-get upgrade && update-grub2 && grub-install /dev/sda.
Disabling SecureBoot is a valid workaround.
Considering shim works pretty well on Fedora 20 and OpenSUSE 13.2, I suggest this is an Ubuntu-specific bug.

Maikel (maikelbald)
Changed in grub2 (Ubuntu):
assignee: nobody → Maikel (maikelbald)
assignee: Maikel (maikelbald) → nobody
Wolle (onkel-wolle) wrote :

I can confirm this, too.

Machine is a Toshiba Satellite C850D - 119.
Windows 8 has been pre-installed. The regular user isn't satisfied, so a Linux install was desired. Nevertheless, Windows 8 will still be required. The regular user is of very poor "computer know-how", so dual-booting via the GRUB menu should be fine, while having to perform several steps (going through the UEFI menus) isn't acceptable.

I installed Ubuntu GNOME 14.04.1 after shrinking the windows main partition, left all of the other partitions untouched.
The installation procedure went fine, booting Ubuntu from the GRUB 2 menu works very well.

Booting Windows 8 from the GRUB 2 menu doesn't work unless secure boot is disabled.
The idea of comment #25 also didn't work with secure boot enabled (same error message, as with original os_prober generated menu entry).
Disabling secure boot is however a workaround.
Booting Windows 8 from the UEFI boot menu works regardless of secure boot enabled or disabled.

I didn't try rEFInd yet. I think GRUB (or os_prober) should be able to handle this by themselves. As the problem doesn't seem to exist for openSuSE, could a comparison of GRUB or os_prober (Ubuntu vs. openSuSE) give more information?

Wolle (onkel-wolle) wrote :

PS: If further information is required or useful, don't hesitate to explicitly tell me what information exactly I should post!

NVieville (nicolas-vieville) wrote :

Hello Wolle,

As I explained in comment #31, I had the same issue with a Toshiba laptop, and things were solved with secure boot and GRUB2 after updating the laptop BIOS.

Maybe you should give it a try, if your laptop BIOS is not up-to-date, see:

http://www.toshiba.eu/innovation/download_bios.jsp?service=EU

you'll find there a BIOS update from 13/02/14 to version 6.50-WIN:

http://support1.toshiba-tro.de/tedd-files2/0/bios-20130617115713.zip

Hope this will help.

Cordially,

--
NVieville

Wolle (onkel-wolle) wrote :

Hello Nicolas,

thanks for your reply. Of course I read your comment #31 concerning the BIOS update... but regarding the fact, that the device is a) not mine and b) just about 1.5 years old, I have to admit that I'm a little scared about updating the BIOS and possibly damaging the device. From my personal experience, flashing a BIOS is not without risk.

My intention was to provide another "case" and maybe more details. The bug is known for about 2 years now and it seems that nothing has happened so far, although other distros seem to cope with "imperfect" BIOS. This worries me a bit. Dual boot is a very important topic, especially with Ubuntu due to its appealing effect on people that think about switching from Windows. Sometimes I think the objectives of development are a little unbalanced...

In the end, I prefer disabling Secure Boot to updating the BIOS. The laptop is intended to be used primarily with Linux (especially dealing with the internet), while Windows should be a "backup for special software" only. For me, possible security risks due to disabled Secure Boot seem less harmful than a) the owner using Windows or b) damaging the device while flashing the BIOS.

After "boot-repair" totally cracked up everything (no more GRUB, whatever I did), the machine now runs 14.10.

Thanks anyway
Wolle

Chris Murphy (dr4-b5gpiyla-tff) wrote :

This is still a bug with ubuntu-14.10-desktop-amd64.iso and Dell Inc. XPS13 9333/ , BIOS A06 11/07/2014. This laptop I think is the same thing as the Dell XPS 13 developer edition.

openSuSE 13.2 has an identical version of GRUB and a boot entry for Windows that works, so I don't know what they're doing that's not being done here but this bug is over 2 years old, it's clearly not a firmware problem.

valmar (valmar-lp) wrote :

Uhm, could this patch that openSuSE applies to grub have something to do with it?

https://build.opensuse.org/package/view_file/openSUSE:Factory/grub2/grub2-secureboot-chainloader.patch?expand=1

Just saying, I am not expert enough to clearly understand what this patch does...

   Valerio

Peter (peter-weiss) wrote :

Hello,

confirmed this bug for a kubuntu 14.10 fresh installation on Acer Aspire e1-570:

        Vendor: Insyde Corp.
        Version: V2.06
        Release Date: 10/08/2013
        Address: 0xE0000
        Runtime Size: 128 kB

I restored the BIOS default settings. After using boot-repair method
grub came up and boots with the problems described by this bug.

What I'm wondering is the root cause of this problem. Is this related
to some missing keys in the PK or db keystore of UEFI?

Is there a way to verify the certificate of the UEFI boot chain?

Brian Ealdwine (eode) wrote :

This bug affects me on my Dell Inspiron 15 7537, running Ubuntu 15.04.

* Secure Boot Enabled
* Grub (at least as configured) can't boot windows
* By switching the primary boot entry in the BIOS (or by using the F-12 boot menu) I can boot to either Windows or Linux
* rEFInd is able to recognize and boot the windows partition

..since my BIOS provides an EFI-Enabled boot menu, this issue doesn't affect me much, as I can skip GRUB. ..but some folks need to go into their BIOS to change the default boot order (or enable/disable secure boot) in order for things to work.

ericmuga (eric-muga) wrote :

The procedure in comment #11 worked like a charm. Great stuff :-)

Emanuil Tolev (emanuil-tolev) wrote :

Confirmed on Lenovo Thinkpad 450s with Ubuntu 14.04.2 LTS x64.

Grub2 version 2.02~beta2-9ubuntu1.1 .

Original menu entry produced by os-prober:

### BEGIN /etc/grub.d/30_os-prober ###
menuentry 'Windows Boot Manager (on /dev/sda2)' --class windows --class os $menuentry_id_option 'osprober-efi-40BC-A843' {
    insmod part_gpt
    insmod fat
    set root='hd0,gpt2'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 40BC-A843
    else
      search --no-floppy --fs-uuid --set=root 40BC-A843
    fi
    chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}
set timeout_style=menu
if [ "${timeout}" = 0 ]; then
  set timeout=10
fi
### END /etc/grub.d/30_os-prober ###

Custom menu entry which DOES NOT work

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
menuentry 'Windows Boot Manager (on /dev/sda2) [mod]' --class windows --class os $menuentry_id_option 'osprober-efi-40BC-A843' {
    insmod part_gpt
    insmod fat
    insmod search_fs_uuid
    insmod chain
    search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 40BC-A843
    chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}
set timeout_style=menu
if [ "${timeout}" = 0 ]; then
  set timeout=3
fi

Hoping for a resolution to make it into the ubuntu repositories. I've no great desire to flash BIOS, use a different bootloader, or of course change the boot order every time so Windows boots. Happy to provide any and all further info needed!

Ilya Murav'jov (muravjov-il) wrote :

Same here, I have Sony Vaio SVT131A11V, dualboot Ubuntu 14.04 and rarely Windows 8.1.

With Secure Boot enabled I get the error:

/EndEntire
file path: /ACPI(a0341d0,0)/PCI(2,1f)/SATA(1,8000,0)/HD(....)/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi)/EndEntire
error: cannot load image.

Miles Krell (mileskrell) wrote :

Confirmed with a fresh install of Ubuntu 15.04 on a Lenovo Flex 3-1470 (with an up-to-date BIOS).

Felix Eckhofer (eckhofer) wrote :

As a workaround, I created the following entry in /etc/grub.d/40_custom:

menuentry 'Exit grub' {
  exit
}

This boots into windows on my Toshiba notebook even with Secure Boot enabled.

Steve Langasek (vorlon) wrote :

That workaround relies on Windows being the next boot entry after Ubuntu in your EFI boot settings. But it should indeed be a reliable workaround.
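
The condition named in the comment above can be checked before relying on the 'Exit grub' entry. This is an added example, not part of the thread: the function names are hypothetical, the sample efibootmgr output is constructed, and the labels "ubuntu" and "Windows Boot Manager" are assumed to be the ones the firmware entries carry.

```shell
#!/bin/sh
# Added example: report which UEFI boot entry follows "ubuntu" in BootOrder.
# Reads `efibootmgr` output on stdin, e.g.:  efibootmgr | next_after_ubuntu

next_after_ubuntu() {
    awk '
        /^BootOrder:/ { n = split($2, order, ",") }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            id = toupper(substr($0, 5, 4))
            label = substr($0, 11)       # text after "BootXXXX* "
            sub(/\t.*$/, "", label)      # drop the device path, if printed
            sub(/[ ]+$/, "", label)      # drop trailing spaces
            labels[id] = label
        }
        END {
            for (i = 1; i <= n; i++) {
                if (tolower(labels[toupper(order[i])]) != "ubuntu") continue
                if (i == n) exit 2       # ubuntu is last: nothing follows it
                print labels[toupper(order[i + 1])]
                exit 0
            }
            exit 1                       # no ubuntu entry in BootOrder
        }'
}

# Returns 0 only when the entry after ubuntu is the Windows Boot Manager.
exit_workaround_applies() {
    [ "$(next_after_ubuntu)" = "Windows Boot Manager" ]
}

# Constructed sample output (not taken from any machine in this report).
sample_windows_next() {
    printf 'BootCurrent: 0000\nTimeout: 0 seconds\nBootOrder: 0000,0001,0002\n'
    printf 'Boot0000* ubuntu\tHD(1,GPT,placeholder)/File(\\EFI\\ubuntu\\shimx64.efi)\n'
    printf 'Boot0001* Windows Boot Manager\tHD(1,GPT,placeholder)/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)\n'
    printf 'Boot0002* UEFI: USB Device\n'
}

# Constructed sample where a USB entry sits between ubuntu and Windows.
sample_usb_next() {
    printf 'BootOrder: 0000,0002,0001\n'
    printf 'Boot0000* ubuntu\nBoot0001* Windows Boot Manager\nBoot0002* UEFI: USB Device\n'
}
```

On a real system, `efibootmgr | exit_workaround_applies` returns non-zero when some other entry (or none) follows ubuntu, which is the case where exiting GRUB would not land in Windows.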

Jithendra Balakrishnan (jbalakrishnan83) wrote :

I can confirm the bug on Dell Inspiron 15R 5520 - Grub is unable to chain load Windows 8.1 but allows me to use the system settings choice to select Windows EFI. Selecting Windows Boot Loader boots Windows without issues.

Would love to see a single choice selection to boot into Ubuntu or Windows. Currently it's easier to go into Ubuntu on one click but have to go into myriad settings to load Windows.

Nkateko (nkatekoss) wrote :

Same issue being experienced here on my Lenovo Thinkpad W540, and now I am thinking of deleting the Windows partition and running Windows as a virtual machine within Kubuntu once and for all. This is quite an irritating bug, I have to say, and to see that it has been around for the past 3 years is not very encouraging for us trying to move into Linux fully. I think even the Windows update would have resolved it by now, that's if it was a Microsoft bug. I am not prepared to mess with the system any further; I will just run Windows via Virtual Box.

Andy Tanner-Smith (bj7u6139-andy) wrote :

Another subscriber to this bug here. Up until I installed Win 10 I quite happily dual booted Win7 with Trusty and Vivid on my UEFI-enabled Lenovo Thinkpad T430s.

But after running the Win 10 upgrade I've had a complete mare getting Grub to do what I want.

The BIOS is up to date and I've tried the 40_custom workaround unsuccessfully. So I'm running in insecure boot mode currently. I don't like it but I'm not going back to Win7 now.

But seeing as how this bug is 3 years old and doesn't seem to have an owner, I'm not holding out much hope that there'll be a fix any time soon.

Juksu (jluostar) wrote :

Same here. Lenovo T450s with Windows 10 (updated from Win 8.1 Pro), dual-booting with Ubuntu 15.04.

Error message when trying to boot Windows via Grub:

/EndEntire
file path: /ACPI(a0341d0,0)/PCI2(2,1f)/Sata(0,0,0)/HD(2,96800,6097f,b604eba13562464b,2,2)/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi)/EndEntire
error: cannot load image

Only Ubuntu loads via grub; none of the other options (including MokManager.efi) work when Secure Boot is enabled. And I want to have it enabled. Now, I have to revert to loading Windows through the UEFI menu.

Hopefully this gets fixed in Ubuntu as well.

iLugo (isra) wrote :

This is the first case reported here of the bug in (k)ubuntu 15.10, the newest ubuntu family as of October 2015.

I can confirm the bug exists in a Toshiba Satellite C850-19D laptop, with pre-installed Windows 8, and parallel installation of Kubuntu 15.10 "Wily Werewolf".

Same as other cases above, Kubuntu 15.10 installed very well and boots OK from Grub2 menu, but Windows 8 does not boot from this menu, showing instead the error
"/EndEntire filepath: /ACPI(a0341d0,0)/PCI(2,1f)/Sata(0,0,0)/HD(2,e1800,82000,cc51b24f9affe111,2,2)/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi)/EndEntire
Cannot load image"

Note the following:
1. The original workaround of disabling Secure Boot in the BIOS works in this case, and it is very easy to reproduce the issue. I have decided to stay without Secure Boot, as it is the simplest of all the workarounds so far.

2. Following advice from NVieville on post #48, since this is a Toshiba Satellite C850, I did a BIOS upgrade to the latest version for this model: v6.80, from 22-Jan-2014. I repeated the experiments and saw no improvement, i.e., the problem exists exactly the same with the new BIOS and I must disable Secure Boot to get Windows 8 booting.

3. A side note but useful: For those interested in Linux (Ubuntu) support for this Toshiba Satellite model, good news: All hardware is supported and working fine out of the box, no need to do any special or additional procedures: Wi-fi, sound, all FN keys, etc.

dejoro (dejoro) wrote :

I have the same problem on a Lenovo X1 Carbon with Ubuntu 14.04 / Windows 10. Disabling Secure Boot works, but interferes with Windows' BitLocker disk encryption.

Louis Rossouw (lrossouw) wrote :

Same here: Ubuntu 15.04
Lenovo Yoga 14 laptop.

Miles Krell (mileskrell) wrote :

I'm amazed that this bug was reported in 2012, and is still unfixed. Can there really be so few people who have tried to boot Windows 8 through GRUB while secure boot was enabled?

Michael Borkowski (miuhael) wrote :

This also affects me, severely. Because of this bug, I can't use Secure Boot with Windows. I, too, am astonished that this bug receives so little attention.

Lenovo X1 Carbon with Ubuntu 15.10 here.

summary: - Unable to chainload Windows 8 with Secure Boot enabled
+ Unable to chainload Windows 8 and 10 with Secure Boot enabled
Cruz Fernandez (cruz-fernandez) wrote :

I could not reproduce this bug on a new machine (though this installation guide http://ubuntuforums.org/showthread.php?t=2317843 suggested turning off Secure Boot on Dell XPS 15 9550).

Can it be that the latest Ubuntu 16.04 has this problem fixed? Or maybe the key-chain is fixed for some hardware and not for other hardware?

Ubfan (ubfan1) wrote :

No, the problem still exists on a Toshiba Satellite S855 UEFI firmware 6.60, with Ubuntu 16.04 fully updated and trying to boot Windows 10 with secure boot enabled.

Ubfan (ubfan1) wrote :

Today I saw a fresh install of the original Ubuntu 16.04 successfully boot Windows 10 on an Asus X200CA, 64 bit (Windows patched to date) with secure boot enabled. This machine had previously been running 14.04, and could not boot Windows with secure boot enabled. The other difference is that the default bootloader in /EFI/Boot/bootx64.efi was still the Windows bootloader, instead of shimx64.efi which I normally use in case a fallback bootloader is needed. I will run further tests to see if making the shim change makes the Windows boot fail -- what default bootloader do others have when the grub secure boot of Windows works?

Ubfan (ubfan1) wrote :

The Asus still boots Windows with secure boot enabled with the default bootloader (/EFI/Boot/bootx64.efi) replaced with a copy of shimx64.efi (and grubx64.efi present).

Nicholas (palma95) wrote :

Hello,

The GRUB binary doesn't have the crypto to do signature verification, unlike shim, so the chainload process fails under Secure Boot.

As Valmar said, for the OpenSUSE version of GRUB2, Michael Chang came out with a patch in 2012 that makes GRUB rely on shim verification to chainload other binaries: https://build.opensuse.org/package/view_file/openSUSE:Factory/grub2/grub2-secureboot-chainloader.patch

Juan Navarro (j1elo) wrote :

Adding myself to this bug. Not being able to do a clean installation of Ubuntu alongside Windows (because then the Windows boot will break) is against the Ubuntu philosophy of accessibility itself, and objectively it is a complete regression in functionality.

Chris Murphy (dr4-b5gpiyla-tff) wrote :

Fedora has fixed this problem differently than SUSE has, so it might be worth Ubuntu devs taking a look at what they did and seeing if it's applicable.

This is the complete git log for GRUB2 in Fedora:
http://pkgs.fedoraproject.org/cgit/rpms/grub2.git/log/

I think this is the applicable commit:
http://pkgs.fedoraproject.org/cgit/rpms/grub2.git/commit/?id=ced107a476b559ab352594d59871605dab6e06b9
