The Kaspersky .EFI boot file is signed by Microsoft and allows us to boot to agFM, which then temporarily disables Secure Boot, thus allowing us to run agFM grub2 and boot from both signed and unsigned (insecure) ISOs and other boot files.
However, some systems will not UEFI64 boot to the Kaspersky+agFM boot files (even if Secure Boot is disabled in the BIOS). The reason for this is unknown.
Another problem with the Kaspersky shim is that it may be blacklisted by a Linux or Windows update, which can add an entry to the DBx (forbidden signatures) list held in the BIOS firmware's EEPROM. This means that if Secure Boot is enabled in your BIOS, the firmware will not allow the Kaspersky EFI boot file to load and you may see some sort of 'Security Violation' error from the BIOS on boot. You can check your BIOS DBx list to see if it has any entries (and clear the list).
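As an added example (not part of the original post or of E2B/agFM), the following script parses a dump of the UEFI dbx variable so you can count how many forbidden hashes and certificates the firmware currently holds. It assumes the standard EFI_SIGNATURE_LIST layout from the UEFI specification and, for Linux, the 4-byte attribute prefix that efivarfs prepends to the variable file; the SAMPLE_DBX data is constructed for the demonstration.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def parse_signature_lists(blob, efivarfs=False):
    """Walk the chain of EFI_SIGNATURE_LIST structures that make up db/dbx.

    Returns a list of (signature_type_guid, [signature_data, ...]).
    efivarfs=True skips the 4-byte attribute word that Linux efivarfs
    prepends to /sys/firmware/efi/efivars/dbx-d719b2cb-....
    """
    off = 4 if efivarfs else 0
    lists = []
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = blob[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature body is not a multiple of SignatureSize")
        # Each EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + SignatureData.
        sigs = [body[i + 16:i + sig_size] for i in range(0, len(body), sig_size)]
        lists.append((sig_type, sigs))
        off += list_size
    return lists


def summarise_dbx(blob, efivarfs=False):
    """Count forbidden SHA-256 hashes and X.509 certificates in a dbx dump."""
    counts = {"sha256": 0, "x509": 0, "other": 0}
    for sig_type, sigs in parse_signature_lists(blob, efivarfs):
        key = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}.get(sig_type, "other")
        counts[key] += len(sigs)
    return counts


def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Constructed helper: build one EFI_SIGNATURE_LIST of SHA-256 entries (48 bytes each)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body


# Constructed sample with two placeholder hashes; these are NOT real dbx entries.
SAMPLE_DBX = build_sha256_list([bytes([0x11]) * 32, bytes([0x22]) * 32])

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_DBX
    print(summarise_dbx(data, efivarfs=bool(path and "efivars" in path)))
```

On Windows the variable can be dumped with the built-in cmdlet `Get-SecureBootUEFI -Name dbx -OutputFilePath dbx.bin` and the file passed to the script; an empty result means no revocations are loaded, while a non-empty one does not by itself tell you whether the Kaspersky file is among them.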
The solution to both these issues is to remove the Kaspersky shim and this process is documented on this page in the Troubleshooting sections and in the FAQ page.
In these latest Beta versions, I have modified the E2B and agFM menu system so that you can enable or disable the Kaspersky shim by using a menu entry. If you remove the Kaspersky Secure Boot EFI file, you will not have the ability to secure boot to the agFM menu.
Update Instructions
See the link in the left-hand column for the Alternate Download Areas.
1. Download the current E2B Beta .zip file and extract the contents to a new folder on your system disk (e.g. Desktop) - then run UPDATE_E2B_DRIVE.cmd to update your E2B partition
2. Download the current E2B UEFI File Manager .zip file and extract the contents directly to Partition 2 of your E2B USB drive (the agFM FAT32 partition).
You can MBR\Legacy boot or UEFI64-boot to change the Kaspersky Secure Boot file. Note that booting using QEMU under Windows will probably not work due to snapshotting of the filesystem by QEMU - use a real system or VBox+VMUB which has drive locking (or use the QEMU which is in RMPrepUSB.exe which will lock the drive and so disable snapshot mode in QEMU).
Details
The \EFI\BOOT\BOOTX64.EFI file is the defined location for the default Intel x86 UEFI64 EFI boot file.
In the default agFM installation, this file is actually the Microsoft-signed Kaspersky shim file. This allows us to load a special 'policy' module into the signed grub2 kernel (due to a bug) and then to load a1ive's unsigned grub2 and grubfm kernel/modules.
\EFI\BOOT\BOOTX64.EFI --> \boot\grub\grub.cfg --> \grubfmx64.efi
The 'fix' to prevent it loading the Kaspersky EFI file is to simply copy the unsigned EFI file \grubfmx64.efi to \EFI\BOOT\BOOTX64.EFI and thus replace the Kaspersky EFI file with grubfm.
Note: The file \EFI\BOOT\BOOTX64.KAS is a copy of the Kaspersky EFI file which must be present for the menu entry to be displayed in the E2B or agFM menu system.
Note that if you update agFM in future, the Kaspersky shim file will be restored, so you must disable it again if you don't want to use it.
- \_ISO\MAINMENU\DisableKasperskyShim.mnu has been added to E2B (English only).
- \boot\grubfm\startup_menu.txt and the SAMPLE menu files now have a new menu entry added (agFM partition 2).
Feedback please
At the moment, the 'default' is to install the Kaspersky shim and thus allow most systems to Secure Boot to agFM and boot insecure payloads as well as secure payloads.
We obviously have the choice to make the default install so that it does NOT use the Kaspersky shim - this means that the user will have to disable Secure Boot in the BIOS before they can UEFI64-boot to agFM.
If this 'black screen' bug is a common issue, I can change the default to not support Secure Boot. Please let me know which you prefer as follows:
- Funny = Do not use Kaspersky Shim (blank screen is common bug - prefer to always disable Secure Boot in BIOS).
- It worked for me = Keep defaults as they are (use Kaspersky shim).
Debugging/Troubleshooting
The Kaspersky EFI file is actually a small, Microsoft-signed version of grub2. It does not support many common grub2 commands (modules) such as echo, read or sleep. However, because it loads a menu file at \boot\grub\grub.cfg, we can add a command to the top of this file such as 'help', which is supported by the Kaspersky grub2. This means that we can easily tell if the Kaspersky EFI file is being booted, because we will see a load of help text displayed on the screen before it loads grubfm. The modified \boot\grub\grub.cfg then looks like this:
# 'help' is supported by the Kaspersky grub2 - if its output appears on screen, this file was loaded by the Kaspersky shim
help
# load the unsigned policy module into the signed grub2 kernel and install it (this is what relaxes the Secure Boot checks)
insmod /boot/grub/sbpolicy.mod
sbpolicy --install
# chainload a1ive's unsigned grubfm
chainloader /grubfmx64.efi
boot