[Bug 1091464] Re: Unable to chainload Windows 8 and 10 with Secure Boot enabled
It does on Fedora. The new problem though is computers with TPM 2 and Windows 10/11 preinstalled are frequently (and increasingly) coming with BitLocker enabled. And the key is predicated on the boot chain being TPM verifiable. By booting shim+grub first, it changes the measurements, and Windows can't be unlocked without the large backup encryption key. But if you use that key following a chainloaded boot, the new measurement should be added by Windows to the TPM making subsequent chainloading possible - but of course if you boot the Windows bootloader directly (via UEFI boot manager menu) the measurement will be off again and boot fails. So it's important to have the BitLocker key available before starting any installation. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1091464 Title: Unable to chainload Windows 8 and 10 with Secure Boot enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1091464/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
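The measurement behaviour described in the comment above, as an added example that is not part of the bug thread: a simplified Python model of TPM PCR extension and PCR-bound key release. The constructed image byte strings, the single PCR and the `SealedKey` class are assumptions for illustration; BitLocker's real PCR profile and TPM policy sessions are not modelled.

```python
import hashlib
import hmac

PCR_INIT = bytes(32)  # a SHA-256 bank PCR starts as all zeros after reset

def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM extend operation: new = SHA256(old || SHA256(image))."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()

def measure_chain(images) -> bytes:
    """Measure each boot stage in order, as firmware does before running it."""
    pcr = PCR_INIT
    for image in images:
        pcr = extend(pcr, image)
    return pcr

class SealedKey:
    """Hypothetical stand-in for a TPM-sealed volume key (assumption)."""
    def __init__(self, key: bytes, expected_pcr: bytes):
        self._key = key
        self.expected_pcr = expected_pcr

    def unseal(self, current_pcr: bytes):
        # The key is released only when the measured chain matches the
        # chain it was sealed against; otherwise the recovery key is needed.
        if hmac.compare_digest(current_pcr, self.expected_pcr):
            return self._key
        return None

# Constructed placeholders, not real binaries.
SHIM = b"constructed: shimx64.efi"
GRUB = b"constructed: grubx64.efi"
BOOTMGR = b"constructed: Windows boot manager"

DIRECT = [BOOTMGR]                   # firmware boot menu -> Windows
CHAINLOADED = [SHIM, GRUB, BOOTMGR]  # firmware -> shim -> GRUB -> Windows

def scenario() -> dict:
    key = b"constructed volume key"
    sealed = SealedKey(key, measure_chain(DIRECT))  # factory state
    out = {
        "direct_before": sealed.unseal(measure_chain(DIRECT)) == key,
        "chainloaded_before": sealed.unseal(measure_chain(CHAINLOADED)) == key,
    }
    # After the recovery key is entered on a chainloaded boot, the model
    # re-seals the key to the chain that was just measured.
    sealed = SealedKey(key, measure_chain(CHAINLOADED))
    out["chainloaded_after"] = sealed.unseal(measure_chain(CHAINLOADED)) == key
    out["direct_after"] = sealed.unseal(measure_chain(DIRECT)) == key
    return out

if __name__ == "__main__":
    print(scenario())
```

Because each extend hashes the previous PCR value, order matters as well as content: the same three images measured in a different order also fail to unseal.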
[Bug 1091464] Re: Unable to chainload Windows 8 and 10 with Secure Boot enabled
Chainloading Windows UEFI works fine with the current shim+GRUB I believe.

** Changed in: grub2 (Ubuntu)
Status: Confirmed => Fix Released
[Bug 1091464] Re: Unable to chainload Windows 8 and 10 with Secure Boot enabled
Fedora has fixed this problem differently than SUSE has, so it might be worth Ubuntu devs taking a look at what they did and seeing if it's applicable. This is the complete git log for GRUB2 in Fedora: http://pkgs.fedoraproject.org/cgit/rpms/grub2.git/log/ I think this is the applicable commit: http://pkgs.fedoraproject.org/cgit/rpms/grub2.git/commit/?id=ced107a476b559ab352594d59871605dab6e06b9
[Bug 1091464] Re: Unable to chainload Windows 8 and 10 with Secure Boot enabled
Adding myself to this bug. Not being able to do a clean installation of Ubuntu alongside Windows (because then the Windows boot will break) is against the Ubuntu philosophy of accessibility itself, and objectively it is a complete regression in functionality.
[Bug 1091464] Re: Unable to chainload Windows 8 and 10 with Secure Boot enabled
Hello, the GRUB binary doesn't have the crypto to do the signature verification, unlike shim, so the chainload process fails under Secure Boot. As Valmar said, for the OpenSUSE version of GRUB2, Michael Chang came out with a patch in 2012 that makes GRUB rely on shim verification to chainload other binaries: https://build.opensuse.org/package/view_file/openSUSE:Factory/grub2/grub2-secureboot-chainloader.patch
[Bug 1091464] Re: Unable to chainload Windows 8 and 10 with Secure Boot enabled
The Asus still boots Windows with secure boot enabled with the default bootloader (/EFI/Boot/bootx64.efi) replaced with a copy of shimx64.efi (and grubx64.efi present).
[Bug 1091464] Re: Unable to chainload Windows 8 and 10 with Secure Boot enabled
Today I saw a fresh install of the original Ubuntu 16.04 successfully boot Windows 10 on an Asus X200CA, 64 bit (Windows patched to date) with secure boot enabled. This machine had previously been running 14.04, and could not boot Windows with secure boot enabled. The other difference is that the default bootloader in /EFI/Boot/bootx64.efi was still the Windows bootloader, instead of shimx64.efi which I normally use in case a fallback bootloader is needed. I will run further tests to see if making the shim change makes the Windows boot fail -- what default bootloader do others have when the grub secure boot of Windows works?
[Bug 1091464] Re: Unable to chainload Windows 8 and 10 with Secure Boot enabled
No, the problem still exists on a Toshiba Satellite S855 UEFI firmware 6.60, with Ubuntu 16.04 fully updated and trying to boot Windows 10 with secure boot enabled.
[Bug 1091464] Re: Unable to chainload Windows 8 and 10 with Secure Boot enabled
I could not reproduce this bug on a new machine (though this installation guide http://ubuntuforums.org/showthread.php?t=2317843 suggested turning off Secure Boot on Dell XPS 15 9550). Can it be that the latest Ubuntu 16.04 has this problem fixed? Or maybe the key-chain is fixed for some hardware and not for other hardware?
[Bug 1091464] Re: Unable to chainload Windows 8 and 10 with Secure Boot enabled
** Summary changed:

- Unable to chainload Windows 8 with Secure Boot enabled
+ Unable to chainload Windows 8 and 10 with Secure Boot enabled