Ubuntu 12.10 and Windows 8 with Secure Boot mode

Installing Ubuntu 12.10 on a Samsung Series 9 Notebook has some pitfalls. My goal was to install Ubuntu 12.10 alongside Windows 8 while using Secure Boot too.

The first challenge is booting from a USB flash drive. You need to enter your BIOS by pressing F2 while booting the system. Change to the “Boot” tab, enter the sub menu “Boot Device Priority” and move “USB HDD” in front of “SATA HDD” (using F5). Then, curiously, you also need to disable the “Fast BIOS Mode” (tab “Advanced”). You can also use F10 to select the boot device, but “Fast BIOS Mode” still needs to be disabled. Installing Ubuntu should then work as usual.

Even though Ubuntu 12.10 supports Secure Boot, on my system, the first boot after the installation failed with this error:

Secure Boot

Image failed to verify with *ACCESS DENIED*.
Press any key to continue.

I think this was because Ubuntu did not recognize my system as a Secure Boot device. The BIOS allows you to disable this feature: Enter your BIOS again, switch to the “Boot” tab, change the “Secure Boot” option to “disabled” and set “OS mode selection” to “UEFI OS” (CSM, the Compatibility Support Module, would allow booting a legacy MBR/DOS partition table OS). By now, Ubuntu and Windows should boot fine.

However, my goal was to run the system with Secure Boot mode enabled. So I had to manually install the signed Grub2 variant and the Secure Boot helper application shim.

$ sudo apt-get install shim-signed grub-efi-amd64-signed linux-signed-image-generic

Since we did not boot using Secure Boot, the Grub2 installer won’t install the signed variant of Grub2. We need to force the installer to do this:

$ sudo grub-install /dev/sda --uefi-secure-boot
$ sudo update-grub

The signed variants of both shim and Grub2 should end up in /boot/efi/EFI/ubuntu. Since the file names are the same for the signed and unsigned variants, you can only verify this by using md5sum. These are the md5sums of the Ubuntu 12.10 signed binaries (assuming the packages were not updated since I wrote this post).

$ md5sum /boot/efi/EFI/ubuntu/*.efi
881ac1cca6cc3edd826ea67a6ed8a22e /boot/efi/EFI/ubuntu/grubx64.efi
4ffcb81383a564bbc558fca5b9a6e7a2 /boot/efi/EFI/ubuntu/shimx64.efi

But Windows 8 does not boot; Grub2 shows this error message:

error: can't find command `drivemap`.
error: invalid EFI file path.

Press any key to continue...

This is because this Grub2 variant does not support the “drivemap” command. Ubuntu’s OS detection seems to be broken (see Bug #1024383). I created a script which generates UEFI boot entries for Grub2. It’s available on github.com and needs to be in /etc/grub.d in order to get called from update-grub.

$ wget https://gist.github.com/raw/4330598/adaf598a78d568dbfada596441bdfad3b4dd3f97/25_windows_uefi
$ sudo su 
# cp 25_windows_uefi /etc/grub.d
# chmod +x /etc/grub.d/25_windows_uefi
# echo GRUB_DISABLE_OS_PROBER=true >> /etc/default/grub # disable broken os-prober
# update-grub

With Secure Boot disabled, this boot entry works fine. But with the Secure Boot option enabled, I get this error:

/EndEntire
file path: /ACPI(a0341d0,0)/UnknownMessaging(12)/HD(2,fa800,96000,372001a2fb07f544,a3,ff)/File(\EFI\Microsoft\Boot)/File(bootmgfw.efi)/EndEntire
error: cannot load image.

Press any key to continue….

Well, it seems Grub2 is a dead end here… So far, I did not find a way to boot Windows 8 using Grub2 and Secure Boot. I think Grub2 is not able to load the Windows 8 Bootloader the UEFI way, and therefore it doesn’t work when Secure Boot is enabled…

Update 20.12.2012:
I dug a bit deeper into why Grub2 fails to load bootmgfw.efi. The file in question definitely should be signed. Grub2 tries to load it using the UEFI boot service “LoadImage”, which seems to fail. This problem is reported as Bug #1091464.
