Unable to chainload Windows 8 with Secure Boot enabled

Reported by NeerajC on 2012-12-17
This bug affects 41 people
Affects: grub2 (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

I've been working with Yannubuntu and he suggested I post a bug here. Here's what I did.

Received a brand new Dell XPS13 laptop with Windows8 pre-installed with both UEFI and SecureBoot enabled. After playing around, decided to wipe everything and create a dual boot configuration with both Windows 8 and Ubuntu 12.10. Steps:

1. Install Windows 8 via Dell supplied recovery media in UEFI mode. The installer will create the /boot/efi, recovery and main partition.
2. Use Windows 8 to resize hard drive down to 50GB. Use the rest for Ubuntu.
3. Verify the computer boots successfully to Windows 8 with UEFI and Secure Boot enabled.
4. Boot with USB Ubuntu install media and select 'do something else' to create partitions and indicate /boot/efi
5. Let the install complete. Normally here, I run boot repair because the signed bootloader doesn't seem to install. In boot repair, I use advanced options, indicate where the EFI boot should go, primary OS (ubuntu) and select SecureBoot.
6. Now, everything is configured as I want it. Upon boot up, the computer will boot to grub and then I can go to either Ubuntu or Windows UEFI.
7. Upon selecting Windows UEFI, I get the error:

 /EndEntire
file path: /ACPI(a0341d0,0)/PCI(2,1f)/UnknownMessaging(12)/HD(2,96800,32000,7c043777b8608641,87,f6)/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi)/EndEntire
error: cannot load image

8. If I swap the order in the BIOS to boot to Windows first (with UEFI and Secure Boot) it directly boots to Windows so I know the EFI boot files are working.
9. If I go back to my original configuration (e.g. Ubuntu first) with UEFI, but Secure Boot disabled, then the system is able to successfully chainload the MSFT boot files.

My gut tells me that grub is unable to chainload to an OS (or maybe just windows 8) which is expecting a secure boot to be initiated from the UEFI bios.

As a work around, I have disabled Secure Boot, but I'd like my ultimate configuration to support Secure Booting to either Ubuntu or Windows 8 via grub.

Thanks,

Neeraj

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2 (Ubuntu):
status: New → Confirmed

YannUbuntu (yannubuntu) on 2012-12-17
tags: added: secureboot

falstaff (falstaff) wrote :

On my Samsung Series 9 device I have exactly the same behavior.

I documented this in my blog post:
http://falstaff.agner.ch/2012/12/18/ubuntu-12-10-and-windows-8-with-secure-boot-mode/

However, I observed that my original Windows Boot Manager has a slightly different file path:

Boot0008* Windows Boot Manager HD(2,96800,32000,f1fdeac1-d057-4f3b-9f66-6f74eb3b469b)File(\EFI\Microsoft\Boot\bootmgfw.efi)

compared to Grub:
/ACPI(a0341d0,0)/UnknownMessaging(12)/HD(2,fa800,96000,372001a2fb07f544,a3,ff)/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi).

However, the same menu entry works if I disable Secure Boot. It looks like this slightly different file path only leads to an error when UEFI tries to check the signature....

Žygimantas Beručka (zygis) wrote :

I face the same problem on an Ultrabook Series 5 laptop and confirm that items 8 and 9 do work as a workaround as described.

However, after realizing this, I started digging into a riddle why Ubuntu fails to load the 'samsung-laptop' kernel module in the UEFI mode and actually bumped into bug #1040557, a bug that should have been flagged 'nuclear' instead of 'critical,' as comment #114 puts it. Hence I decided to stop at this point for the time being and wait for reports that it is safe to use Ubuntu on my machine.

Corey B. (cbodendein) wrote :

I have a Lenovo G580 and am experiencing the exact same thing with Ubuntu 12.10.

Disappointed that this hasn't been addressed for 13.04.

Renzo Bagnati (renbag) wrote :

I have the same problem with an Acer V5-531. After installing ubuntu 12.04.2 I had to manually install "shim-signed grub-efi-amd64-signed linux-signed-image-generic" and do "sudo grub-install /dev/sda --uefi-secure-boot". I'm able to boot ubuntu either with or without secure boot enabled, but Windows 8 boots only with secure boot disabled, otherwise I have this error:
 /EndEntire
file path: /ACPI(a0341d0,0)/PCI(2,1f)/UnknownMessaging(12)
/HD(2,c880,96000,4cb097d41345de45,a6,f8)/File(\efi\Microsoft\Boot)/File(bootmgfw.efi)/EndEntire
error: cannot load image

Ubfan (ubfan1) wrote :

I have the same error on a Toshiba Satellite S855 S5378 with Windows 8 preinstalled. My workaround is to use a (full install) thumbdrive to boot Ubuntu 12.10 on the hard disk, and to pull the thumbdrive to boot windows -- all in secure mode. Windows boots attempted from the thumbdrive, give the error message. The grub command "ls" will find the files, but chainloader will not succeed in running them.

Fpfilko (fpfilko) wrote :

The same problem on my Lenovo G580, but I cannot disable UEFI, because the BIOS setup entry disappeared from the boot list after installing Ubuntu in UEFI mode.

Similar issue here too on an Acer V3-571 with Ubuntu 12.04.2 LTS and Windows 8.

Ubfan (ubfan1) wrote :

A second workaround, more convenient than the USB boot, is to invoke the EFI device select menu, select HDD, then select ubuntu or Windows (both of which work). The ubuntu selection starts grub, but from grub, the Windows boot still fails with the above chainloader error.
  With the number of different brands mentioned in this bug, I begin to doubt the problem is vendor related. Maybe something we did caused this, so here's what I did:
  My first install was to a USB stick without an EFI partition (used HD EFI, booted Ubuntu OK, did not boot Windows, and killed the Windows boot off the hard disk when not present). Installed to (prepared HD) in this condition, worked, but got a grub install error (Windows boot worked again). Installed to USB again after putting on a EFI partition, the install still mounted the HD EFI, which I manually unmounted and replaced with the USB EFI (this worked). At this point, the HD /EFI/ubuntu directory was corrupted, so had to manually delete it and replace the signed binaries. The USB would boot Ubuntu, but not Windows, and the HD would boot Windows (default). Using efibootmgr -v, I could see that the ubuntu boot was set up wrong, trying to boot grub instead of shim -- but much to my surprise, it still booted, so I surmise a silent failure, then a fallback to the /EFI/Boot/bootx64.efi (which was a copy of shim) which succeeded. I manually added (grub-install --uefi-secure-boot /dev/sda) a correct shim boot path, which worked too. I normally now enter F12 to select ubuntu or Windows. Not a totally clean history, but on the other hand, the machine has never been out of secure boot, I have never run boot-repair, and the only EFI variable manipulation I have done is through grub-install.
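
The check described in the comment above (reading `efibootmgr -v` to see whether an NVRAM entry names grub or shim as its first-stage loader) can be scripted. This is an added example, not part of the original thread or of any project's code; the sample output is constructed in the older `HD(...)File(...)` layout quoted earlier on this page, and the function names and class labels are assumptions.

```shell
#!/bin/sh
# Added example: classify the first-stage loader of each NVRAM boot entry.
# Reads `efibootmgr -v` text on stdin and prints, in BootOrder order:
#   bootnum|label|loader path|class
# On a live system: efibootmgr -v | audit_boot_entries
audit_boot_entries() {
    awk '
    /^BootOrder:/ { n = split(toupper($2), order, ","); next }
    $1 ~ /^Boot[0-9A-Fa-f]+\*?$/ {
        num  = toupper(substr($1, 5, 4))
        rest = substr($0, length($1) + 2)
        # The label ends where the first device-path node "Name(" begins.
        label = rest
        if (match(rest, /[\t ][A-Za-z]+\(/)) label = substr(rest, 1, RSTART - 1)
        loader = ""
        if (match(rest, /File\([^)]*\)/)) loader = substr(rest, RSTART + 5, RLENGTH - 6)
        gsub(/\\/, "/", loader)
        base = tolower(loader); sub(/.*\//, "", base)
        if (base == "")                  class = "no-file"
        else if (base ~ /^shim/)         class = "shim"
        else if (base == "grubx64.efi")  class = "grub-direct"
        else if (base == "bootmgfw.efi") class = "windows"
        else                             class = "other"
        labels[num] = label; loaders[num] = loader; classes[num] = class
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (k in classes) print k "|" labels[k] "|" loaders[k] "|" classes[k]
            else              print k "|?|?|missing"
        }
    }'
}

# Constructed sample (not captured from a real machine): the "ubuntu" entry
# points at grubx64.efi directly instead of shim.
sample_efibootmgr_output() {
    cat <<'EOF'
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0008,0002
Boot0000* ubuntu HD(2,96800,32000,00000000-0000-0000-0000-000000000001)File(\EFI\ubuntu\grubx64.efi)
Boot0002* rEFInd HD(2,96800,32000,00000000-0000-0000-0000-000000000001)File(\EFI\refind\shim.efi)
Boot0008* Windows Boot Manager HD(2,96800,32000,00000000-0000-0000-0000-000000000001)File(\EFI\Microsoft\Boot\bootmgfw.efi)
EOF
}

sample_efibootmgr_output | audit_boot_entries
```

An entry classed `grub-direct` is the misconfiguration the comment reports; the class is based only on the file name in the NVRAM entry, so it says nothing about how the file is signed.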

Martin Haynes (martin-haynes) wrote :

Confirmed on Samsung Series 7.

I renamed /EFI/Microsoft/Boot/bootmgfw.efi as /EFI/ubuntu/grubx64.efi to confirm that no keystore or signature validation issues were at work during the Secure Boot failures. This worked as expected, booting win2k12 without issue. **Note that this test obviously makes grub unavailable on reboot. I wouldn't suggest anyone attempt this with an in-use install.

I then performed a clean install of 13.04 to back out the signed grub efi loaders and boot-repair changes, disabled os-probing and did a sudo update-grub to clean up the loader menu.

Finally, my work around was also to rely on the EFI NVRAM configuration but instead of simply relying on shuffling between HDD and "ubuntu", I created new efibootmgr entries for Windows 8 and my recovery partition. So effectively, I am now using the UEFI POST menu as a boot loader.

Hopefully, the Samsung nvram bug and the resulting (unwanted) attention will mean a quick fix.

Roderick Smith (rodsmith) wrote :

I don't have a fix for GRUB, but you *should* be able to work around the problem by using my rEFInd boot manager (http://www.rodsbooks.com/refind/):

1. In Linux, install the rEFInd Debian package.
2. Check the /boot/efi/EFI/refind directory. It should contain *either* a refind_x64.efi file *or* a shim.efi file and a grubx64.efi file.
3. If there's a refind_x64.efi file, rename it to grubx64.efi. That's rEFInd, despite the filename.
4. Download version 0.2 of shim from its download site (http://www.codon.org.uk/~mjg59/shim-signed/). (Note that Ubuntu ships with shim 0.1, which is useless for the procedure I'm describing.) Use either the shim-signed.tgz or shim-signed-0.2.tgz files; they're identical. Alternatively, you could use Fedora's or OpenSuSE's version of shim 0.2.
5. Copy shim.efi from the shim package to /boot/efi/EFI/refind, overwriting shim.efi if it's already present.
6. Copy MokManager.efi from the shim package to /boot/efi/EFI/refind.
7. Use efibootmgr to add shim to the NVRAM boot options, as in "efibootmgr -c -l '\EFI\refind\shim.efi' -L rEFInd". (You *should* be able to skip this step if you installed rEFInd with Secure Boot enabled.)
8. Reboot. You'll see the MokManager menu appear. Use it to add the keys for both rEFInd and Canonical to the MOK list. (If you have the right software installed, the rEFInd installer will re-sign the rEFInd binaries with locally-generated keys, in which case you should enroll your local public key instead of or in addition to the rEFInd key. IIRC, it's called refind_local.cer.) I'm afraid the MokManager user interface is dreadful; it makes an Apple II's UI look advanced. All the keys should be in the EFI\refind\keys directory of the ESP, which is probably the first partition in the list. You need the .der and .cer keys.
9. When you exit MokManager, the computer could boot Windows, launch rEFInd, reboot, or even hang. If it does anything but launch Linux, reboot.
10. When you reboot, rEFInd should come up as your default boot manager, and it should enable you to boot either Linux or Windows with Secure Boot active. You can verify that Secure Boot is active from the rEFInd information screen. (Check the "platform" line.)

For more information, as well as variants on this procedure involving the Linux Foundation's PreLoader rather than shim, see the rEFInd page on Secure Boot:

http://www.rodsbooks.com/refind/secureboot.html
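
A pre-reboot check of the directory that steps 2 to 6 and step 8 above set up, as an added example that is not part of the original comment or of rEFInd itself. The function name `check_refind_dir` is an assumption; the file names and the `keys` subdirectory are the ones named in the steps.

```shell
#!/bin/sh
# Added example: verify the rEFInd directory on the ESP before rebooting.
# Prints one line per problem; the return status is the number of problems.
# Usage on the layout from the steps: check_refind_dir /boot/efi/EFI/refind
check_refind_dir() {
    dir=$1
    problems=0
    note() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    [ -d "$dir" ] || { note "$dir is not a directory"; return 1; }

    # Steps 5 and 6: shim.efi and MokManager.efi copied from the shim package.
    [ -f "$dir/shim.efi" ]       || note "shim.efi missing (step 5)"
    [ -f "$dir/MokManager.efi" ] || note "MokManager.efi missing (step 6)"

    # Step 3: rEFInd has to sit under the name grubx64.efi.
    if [ -f "$dir/refind_x64.efi" ] && [ ! -f "$dir/grubx64.efi" ]; then
        note "refind_x64.efi not yet renamed to grubx64.efi (step 3)"
    elif [ ! -f "$dir/grubx64.efi" ]; then
        note "grubx64.efi missing (step 3)"
    fi

    # Step 8: the keys to enrol with MokManager live in keys/ as .cer and .der.
    for ext in cer der; do
        found=no
        for f in "$dir"/keys/*."$ext"; do
            if [ -f "$f" ]; then found=yes; fi
        done
        [ "$found" = yes ] || note "no .$ext key in $dir/keys (step 8)"
    done
    return "$problems"
}

# Run against a directory given on the command line, if any.
if [ "$#" -gt 0 ]; then check_refind_dir "$1"; fi
```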

Diesel (erickit) wrote :

Confirmed.

Looking forward to seeing this work, thanks for all the good work on GRUB.

Can launch Ubuntu 13.10 with secure boot with GRUB
Can launch Windows 8 with secure boot by selecting the hard drive to boot first
Can not launch Windows 8 with secure boot from GRUB. Same error as described above.

Jim Read (15jread) wrote :

Same error, Lenovo G580.

This would be especially nice for me mainly because booting off of the Windows partition doesn't work: it can't find the bootloader, and I KNOW grub can.

Donn Morrison (donn-morrison) wrote :

Same problem with a Lenovo Helix and Ubuntu 13.10. For me, disabling Secure Boot is a workaround.

valmar (valmar-lp) wrote :

Just for reference, openSUSE 12.3, which also uses grub2, works flawlessly with secure boot. It would be interesting to understand what they are doing differently and port the same approach to Ubuntu

Andy Bovett (abovett) wrote :

I have a Dell Inspiron 15R (Ivy Bridge Core i5) and I have the same problem. I'm currently running Ubuntu 13.10 (64 bit) and Windows 8.1. Both will boot with Secure boot disabled. With Secure Boot enabled, I can boot Ubuntu from the Grub2 menu, but not Windows (same type of error as the first post in this thread). Windows will, however boot if I go into the UEFI menu and boot it from there

If I can provide any further info to help on this bug, please let me know.

Steve Langasek (vorlon) wrote :

Since this bug was filed, the shim signed bootloader has been updated several times in Ubuntu. Please test with a clean install from either Ubuntu 13.10, or a daily image of Ubuntu Trusty, to check whether this problem still exists with current versions.

Also, you say the bootloader did not install when you used manual partitioning, and you subsequently used a third-party tool to configure the bootloader. The missing bootloader is probably caused by a wrong partition "usage" choice, and we can't support the output of the third-party recovery tool. Please use the guided partitioner to install Ubuntu side-by-side with Windows 8. If there are bugs in that standard install path, we need to know about them and fix them; and if your manual install went so badly that the bootloader wasn't installed, we need to rule out the possibility that the chainboot problem is related to this.

Steve Langasek (vorlon) on 2013-11-15
Changed in grub2 (Ubuntu):
status: Confirmed → Incomplete

Ubfan (ubfan1) wrote :

On a just updated 13.10 (Nov 15) getting shim-signed 1.5 and a new signed grubx64.efi 2.00..-19 I see no change in the error.
The UnknownMessage (hex 12) or decimal 18 is indeed an invalid subtype for the messaging type (last valid subtype is decimal 15), so looks like leftover garbage in the path buffer? Why is grub even in the messaging type anyway for a hard disk boot? The beginning of the reported path looks just like a network boot looks from efibootmgr -v output. Should the valid path start at the /HD...? If someone without the problem could look at what the actual path chainloader is using could confirm that the /ACPI is present and working on their system we could eliminate leftover garbage in the grub path buffer as the problem.

maria_Ub (a-ubuntu-m) wrote :

I have a fresh 13.10 installed on my Fujitsu T902 with exactly the same problem. Win8.1. cannot be found as long as SecureBoot is on. When I turn it off, I can boot Win8.1. Reg. shim. Is there a way to fix it? (either Ubuntu or Win)

Installed 13.10 onto a second SSD on a Lenovo Yoga 13. Booting into Win8.1 from grub works when Secure Boot is disabled. Otherwise it reports "cannot load image".

Steve Langasek (vorlon) wrote :

Ok, thanks for confirming. Definitely sounds like we have a bug in the grub2 chainload handling, that doesn't affect SuSE's build.

Changed in grub2 (Ubuntu):
status: Incomplete → Confirmed

Val (vk1266) wrote :

Confirming the exact same problem: Acer Aspire V5 with Windows 8 pre-loaded and Ubuntu 13.10 installed alongside it. With UEFI Secure Boot, Windows cannot boot from Grub - the error message is the same as described by previous observers.

Yonsung Lee (ys9607) wrote :

I'm having exactly the same issue w/ my new ThinkPad L440. I can't seem to be able to disable SecureBoot, so the only way to boot Windows for me is to get directly into boot options in the EFI and boot through Windows Boot Manager.

Coiby Xu (coiby) wrote :

Confirmed on Lenovo Y410p, Ubuntu 13.4.

Coiby Xu (coiby) wrote :

Adding a menuentry to grub will boot Windows 8 using Grub2 and Secure Boot. In /etc/grub.d/40_custom, put the following lines:

menuentry 'Windows 8.1 (loader) (on /dev/sda14)' {
 echo "Loading Windows 8.1"
 insmod part_gpt
 insmod fat
 insmod search_fs_uuid
 insmod chain
 search --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 44ED-7819
 chainloader (${root})/EFI/Microsoft/Boot/bootmgfw.efi
}

Notice: "44ED-7819" should be replaced by your own uid of efi partition.

Coiby Xu (coiby) wrote :

This bug seems to be affected by os-prober (a utility used by grub to detect any other OSs). For details, see http://lists.debian.org/debian-boot/2012/10/msg00185.html

pauls (paulatgm) wrote :

coiby, I tried your suggestion on my Acer Aspire v5-552p and it will not work. I also tried bootmgr.efi and bootx64.

Ubfan (ubfan1) wrote :

A forums question http://ubuntuforums.org/showthread.php?t=2197141 indicated that the bug could be made to go away in secure boot by "putting the os I wanted to boot on on the top of the list of bootable drives". Now my UEFI Settings for devices does NOT contain OSes, just devices. When I select the hard disk on the efi menu, I get another window listing the OSes to boot. Maybe this second level of choice has something to do with the source of the bug.

zebul666 (zebul666) wrote :

I confirmed this bug for my Inspiron 15 (3521) with Ubuntu 13.10 just installed alongside Windows 8.1. Partition for ubuntu has been made by gparted with ubuntu live cd.

I refuse to disable "Secure Boot" for windows.

I work-around the bug by going to "system option" from grub etc ... to find a windows bootable partition in there instead of using grub entry.

Please fix this. I guess it's ubuntu specific.

Ubfan (ubfan1) wrote :

I also confirm that turning off secure boot on a Toshiba S855 S5378 allows grub to boot Windows 8.1 normally, avoiding the error.

NVieville (nicolas-vieville) wrote :

Hello,

Was having exactly this issue: step 7 in the bug description with a Toshiba Satellite C55-A-11Q laptop. Everything was verified, secure boot mode on, UEFI boots shimx64, shimx64 launches grub2, correct UEFI entries (using efibootmgr). Never used boot-repair. The only thing I made: adding a grub2 menu entry in a new /etc/grub.d/50_win8 file as suggested in comment #25. But Windows 8 refused to boot from Grub, only from system setup menu (F12 key).

This was resolved by upgrading the BIOS to the last version (from Toshiba support Web site - e.g. for this laptop from 1.00 to 1.30).
Now the laptop can boot, with secure boot mode on, from Grub menu: Ubuntu, Windows 8, system setup (UEFI) without any problem.

Only my two cents, there is probably a bug in the booting chain, but not only, some buggy BIOS can let you search for days a solution to this problem.

Cordially,

--
NVieville

Ivan Noris (deja-vix) wrote :

Hello,

I'm also having the "cannot load image" error with SecureBoot=enabled after the installation of Ubuntu 13.10 on Lenovo ThinkPad Edge E330 (with pre-installed Windows 8).
Windows 8 was booting normally before the installation.
Ubuntu was installed during SecureBoot=enabled from USB key.
Ubuntu is booting normally after the installation.
Windows 8 is not booting from GRUB ("cannot load image") after the installation.
I've "temporarily" disabled SecureBoot, which seems to work (both operating systems are bootable and working).

FWIW, the Ubuntu 13.10 installer did NOT detect Windows8 OS during the installation.

Ivan

Major Grubert (majorgrubert) wrote :

Confirmed on Lenovo Yoga 13, Ubuntu GNOME 14.04 beta1

(Disclaimer: I am using Fedora because I couldn't get Ubuntu to install, but I observed the same behavior.)

I have a Toshiba dynabook R734 (I guess it's only available in Japan) and it seems as if Secure Boot seems to be "stricter" on this device than what most people usually observe. With Secure Boot enabled, I can boot neither Windows nor Linux and also the approach from #25 does not help. When I disable Secure Boot, I can boot Linux fine, and while the original Grub entry for Windows still doesn't work, the code from #25 allows to boot Windows correctly.

(Also, I can enter the UEFI settings such as "Disable Secure Boot" only when rebooting from Windows or when using a Windows Recovery disk. If I had not created the latter, I had probably made my system unusable forever.)
