0

UEFI GRUB2: Chainloading to W8.1 ONLY Works with Secure Boot Disabled

asked 2015-02-18 01:00:36 -0500

cgonz31

updated 2015-03-22 19:37:01 -0500

Successful dual boot with Fedora 21 and Windows 8.1 Professional. Both are 64-bit editions. Both were installed in UEFI. [Legacy (CSM) mode was completely disabled before installing any OSs]. Disk is partitioned as GPT.

Furthermore, both were installed with Secure Boot enabled from the beginning. F21 was installed first. [I know, W8.1 should have been installed first]. Anyway, both installations went without a hitch. W8.1 used the pre-existing F21 EFI System Partition (/dev/sda1). Both are bootable through the UEFI boot menu (accessed through POST). Surprisingly W8.1 is OK with Fedora as the default boot selection. After installing W8.1 and setting the boot order back to Fedora as first choice, the boot order hasn't been reset by W8.1 or the UEFI firmware.

Now the issue. GRUB correctly adds an entry to W8.1 (through the os_prober). I also added my custom entry (just in case) in the /etc/grub.d/40_custom file as follows:

menuentry 'Microsoft Windows 8.1 Professional' {
    set root='hd0,gpt1'
    chainloader /EFI/Microsoft/Boot/bootmgfw.efi
    boot
}

Both entries appeared in GRUB after running:

sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

Problem is that neither boots W8.1 with Secure Boot enabled. Both give me the following error:

/EndEntire
file path: /ACPI(a0341d0,0)/PCI(2,1f)/UnknownMessaging(12)/HD(2,96800,32000,7c043777b8608641,87,f6)/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi)/EndEntire
error: cannot load image

Interestingly, if I disable Secure Boot, both entries chainload to W8.1 as intended. Remember, before this point everything was working fine with Secure Boot enabled.

Any suggestions on how to fix this? Besides the trivial solution of disabling Secure Boot.

I have found a thread discussing the exact same issue in Ubuntu:

https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1091464

No solution yet but it appears to be an issue with their GRUB2 implementation. Maybe that's the issue here as well. They also point out that OpenSUSE does not have this issue due to a patch they implement in their GRUB2 package.

https://build.opensuse.org/package/view_file/openSUSE:Factory/grub2/grub2-secureboot-chainloader.patch?expand=1

Output of sudo parted -l:

Model: ATA Samsung SSD 840 (scsi)
Disk /dev/sda: 250GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system     Name                          Flags
 1      1049kB  269MB   268MB   fat16           EFI System Partition          boot, esp
 2      269MB   806MB   537MB   ext4
 3      806MB   43,8GB  42,9GB  ext4
 4      43,8GB  65,2GB  21,5GB  ext4
 5      65,2GB  86,7GB  21,5GB  ext4
 6      108GB   108GB   134MB                   Microsoft reserved partition  msftres
 7      108GB   151GB   42,9GB  ntfs            Basic data partition          msftdata
 8      151GB   188GB   36,5GB  ntfs                                          msftdata
 9      188GB   241GB   53,7GB  ntfs                                          msftdata
10      241GB   250GB   8590MB  linux-swap(v1)

2 Answers

1

answered 2015-03-22 19:35:08 -0500

cgonz31

Apparently this is a known bug in Fedora 19 and later releases:

https://bugzilla.redhat.com/show_bug.cgi?id=1170245

https://bugzilla.redhat.com/show_bug.cgi?id=1144657

https://bugzilla.redhat.com/show_bug.cgi?id=986731

https://bugzilla.redhat.com/show_bug.cgi?id=1180787

It is a bug in Shim and GRUB2. It is not machine-specific. According to 1170245, this will probably be fixed on the next Shim build, even though they have no idea when this will be.

0

answered 2015-02-19 16:15:33 -0500

baoboa

Secure Boot is expecting a signed (by M$) boot loader; you need the shim.

Look there (not tested it myself):

http://docs.fedoraproject.org/en-US/Fedora/18/html/UEFI_Secure_Boot_Guide/sect-UEFI_Secure_Boot_Guide-Implementation_of_UEFI_Secure_Boot-Shim.html


Comments

Well yeah.. Shim is used by Fedora to load GRUB in Secure Boot. That's working correctly on my PC. But I can't chainload to Windows 8 through GRUB. It is supposed to work since the Windows Boot Manager is signed and is also loaded correctly through the POST UEFI boot menu but not through GRUB.

I need a more specific answer. All you posted was the general UEFI Secure Boot documentation published by Fedora.

cgonz31 ( 2015-02-20 00:04:03 -0500 )
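Added example, not part of the thread: a check of the two preconditions the comment above relies on (Secure Boot is on, and bootmgfw.efi carries an embedded signature) before attributing the failure to shim/GRUB. It detects that a signature is present, not that it is valid. It assumes the ESP is mounted at /boot/efi as in the question; `build_sample_pe` is a constructed stand-in used when the real file is absent.

```python
import struct
from pathlib import Path

# efivarfs name of the SecureBoot variable; loader path taken from the question's setup.
SB_VAR = Path("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032bbb")
LOADER = Path("/boot/efi/EFI/Microsoft/Boot/bootmgfw.efi")

def secure_boot_enabled(raw: bytes) -> bool:
    """efivarfs data is 4 attribute bytes followed by the 1-byte value."""
    return len(raw) >= 5 and raw[4] == 1

def pe_cert_table(data: bytes):
    """Return offset/size/type of the embedded signature, or None if absent."""
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return None
        opt = pe + 24  # optional header follows the 20-byte COFF header
        skip = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", data, opt)[0])
        if skip is None:  # neither PE32 nor PE32+
            return None
        if struct.unpack_from("<I", data, opt + skip - 4)[0] <= 4:
            return None  # image has no security-directory slot
        # Data directory entry 4 holds a file offset and size, not an RVA.
        off, size = struct.unpack_from("<II", data, opt + skip + 4 * 8)
        if size < 8 or off + size > len(data):
            return None
        _, _, ctype = struct.unpack_from("<IHH", data, off)  # WIN_CERTIFICATE
        return {"offset": off, "size": size, "type": ctype}
    except struct.error:  # truncated or malformed headers
        return None

def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ headers for the demo, not a real loader."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x20B)       # PE32+ magic
    struct.pack_into("<I", img, 0x98 + 108, 16)    # NumberOfRvaAndSizes
    if not signed:
        return bytes(img)
    cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8  # dummy PKCS#7 slot
    struct.pack_into("<II", img, 0x98 + 112 + 32, len(img), len(cert))
    return bytes(img) + cert

if __name__ == "__main__":
    if SB_VAR.exists():
        print("Secure Boot enabled:", secure_boot_enabled(SB_VAR.read_bytes()))
    data = LOADER.read_bytes() if LOADER.exists() else build_sample_pe(True)
    print("signature table:", pe_cert_table(data))  # presence only, not validity
```

Run it as root on the affected machine so the ESP is readable; validating the signature chain itself is a job for a tool such as sbverify or pesign.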

The same happens with Fedora 22. I can press F12 to choose Windows Boot Manager on my notebook's UEFI boot menu but it shouldn't be necessary.

Hopefully they will release the patched shim mentioned in 1170245 for F23.

arehtykitna ( 2015-05-17 04:17:45 -0500 )
