Friday, 15 March 2019

Add 'SuperinSecureUEFI-Boot' to your E2B USB drive

There are two projects on GitHub which are of interest to USB-booters.
This was mentioned on reboot.pro recently and also pointed out to me by Alex G.

The first project (by thias) is a multiboot menu system based on grub2 called 'glim'. It automatically detects .iso files and builds a menu each time it boots (does it sound familiar?). It supports UEFI and MBR booting.

The second project (by ValdikSS) includes 'glim' and is a UEFI+MBR multiboot project which allows you to UEFI Secure Boot, UEFI-boot or MBR-boot and then run secure or unsecure payloads from the grub2 menu system.

The downside is that for Secure Boot, you have to register the bespoke grub2 efi file using a certificate that is provided. This adds the certificate into the NVRAM of the system UEFI firmware and so it 'changes' the target system.

Set the timeout so it autoboots if you like!


Use the GRUB Live ISO Multiboot menu entry...

I only added one ISO...

Comparison between UEFIinSecureBoot and E2B grub2 menu system v10


  • E2B grub2 allows Secure Boot without using MokManager and so does not change the target system.
  • Both systems can Secure Boot (using MokManager for insecureBoot) and run both secure and insecure ISOs and other non-EFI payloads.
  • UEFIinSecureBoot should Secure Boot and run non-secure EFI payloads ??? (not tested).
  • UEFIinSecureBoot can Secure Boot and access files on an NTFS partition, when Secure booted however, E2B grub2 can only access a FAT partition.
  • Both systems can be expanded by adding more menu files.
  • UEFISecureBoot uses a graphical grub2 theme menu, this type of menu runs very slowly on some systems (E2B grub2 menu system does not use a theme for this reason).
If you want to try this you can download the ready-made .imgPTN23 file here.

Instructions

1. Add the .imgPTN23 file to your E2B drive (e.g. \_ISO\MAINMENU).

Tip: rename it with a .imgPTN23AUTO file extension to avoid the E2B prompt.

2. Ensure you have a large 2nd Primary partition on your E2B USB drive (can be NTFS or FAT32).

Some ISO payloads do not boot correctly from an NTFS partition, but FAT32 has a 4GB file size limitation (so it is not an easy choice!).

3. Run E2B and switch to the .imgPTN23 file (or use SWITCH_E2B.exe)

4. Copy the \iso folder from the first partition to make a \iso folder on the second partition of your E2B USB stick. To avoid confusion later, delete the \iso folder from the first partition.

5. Now you should be able to MBR and UEFI-boot.

6. If you Secure-Boot, you will need to enroll the \ENROLL_THIS_KEY_IN_MOKMANAGER.cer certificate using MokManager first. MokManager will automatically load on the first Secure Boot.

Once the  certificate is added to that systems' BIOS, you should be able to boot to any secure or insecure ISO or .efi file on that system!

Of course, unless you delete the certificate from the BIOS, the target system is no longer 'secure'.

7. Copy your linux ISOs to the correct subfolder on the 2nd partition under \iso.

e.g. "\iso\clonezilla\clonezilla-live-2.5.6-22-amd64.iso"

Do NOT rename the ISO. You should keep the original name of the ISO or it may not be listed correctly in the menu system.

For more details, see:
https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk
https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk/releases
https://github.com/thias/glim
https://glee.thias.es/GLIM

8 comments:

  1. Hi, I'm testing E2B for special setup in our company, but the anti virus solution detects always the nircmd.exe as spyware.
    Is it possible for you to build a small distribution without automated software installation, just the ISO boot?

    Regards
    Nils

    ReplyDelete
    Replies
    1. Hi
      You can download the .zip file (on a non-company system if necessary) and use 7-zip to delete the "\_ISO\WINDOWS\installs\CONFIGS\SDI_CHOCO\nircmd*.exe" files if you wish.
      Can you explain at what stage you get blocked? Download of .exe, download of .zip, running of exe download, unpacking of zip or what\when?

      Delete
    2. Hi, it depends on how fast I extract the files after downloading. :-) sometimes the anti virus tool is fast enough to detect the nircmd.exe in the zip file and deletes the complete archive. Sometimes I'm faster and extract the archive so just the nircmd.exe is detected and deleted.
      I know the nircmd.exe and used it earlier in some cases, but currently the anti virus settings are configured to remove it. I can't change the corporate settings. For compliance reason it would be easier to download an archive which doesn't need this tool at all. But I also understand if it would be to much effort two manage two archives / distributions. But maybe I'm not alone and some other people may ask for a second solution... :-)

      Delete
    3. P.S. Please try latest E2B v1.B0h version.
      http://tiny.cc/qbz93y

      Delete
    4. Hi, I now have updated the self-extracting exe in v1.B0h. Please re-download v1.B0h again. The file will be automatically copied to the target system and unpacked by SDI_CHOCO.cmd once the target system has booted. Let me know if any problems (I haven't tested the SDI_CHOCO yet!).
      http://tiny.cc/qbz93y

      Delete
    5. Just tested it and it works fine. nircmd.exe is automatically extracted. :-)

      Delete
  2. P.S. Please try latest E2B v1.B0h version.
    http://tiny.cc/qbz93y

    ReplyDelete
    Replies
    1. Using a slef extracting archive is also possible, but you might also just provide the link to the current nirmcd-files. :-)
      Maybe this page contains additional information about how to download files using a script:
      https://stackoverflow.com/questions/28143160/how-can-i-download-a-file-with-batch-file-without-using-any-external-tools

      Delete