Friday, 31 July 2020

UEFI Secure Boot is in chaos!

As you may be aware, the agFM grub2 boot files which are added to the second FAT32 partition when you make an Easy2Boot v2 USB drive use a Kaspersky shim to load the a1ive grub2 kernel.

Because the Kaspersky shim is signed, it can load the grub2 kernel, which can then effectively disable Secure Boot!

This allows us to boot an insecure grub2 kernel and we can do pretty much anything we like to the system, including booting to non-secure OS's!

This loophole was reported to Microsoft last year (if not before!) and Microsoft tried to fix it using a Windows Update KB which was rolled out to all Windows 10 systems earlier this year. The 'hotfix' added an entry into the UEFI firmware dbx 'blacklist' of the BIOS. Thus the signed Kaspersky shim file was blacklisted by the UEFI BIOS.

Unfortunately, the KB hotfix caused problems with many systems because the same signed Kaspersky shim was used by some OEMs as standard - so these systems suddenly refused to Secure UEFI-boot after the Microsoft Update was applied!

So Microsoft quickly reversed the Kaspersky part of the KB hotfix: the next hotfix removed the blacklist dbx entry from the UEFI BIOS again. So, assuming you could get your system to non-secure boot by disabling Secure Boot in the BIOS, you could do a Windows Update and then re-enable Secure Boot again. Of course, your system would still be vulnerable though.

Since then it seems Microsoft, Linux developers and grub2 developers have actually bothered to look at and analyse the shims and grub2 code which they are getting signed and have found a large number of other vulnerabilities too! To me this raises a number of questions about the Microsoft Secure Boot signing process:
  1. What did Microsoft actually do when they signed Secure Boot files - just accept a huge amount of $$$ and sign any old boot file without bothering to fully analyse it?
  2. Why does everyone insist that Open Source code is so desirable when there have been gaping security holes in grub2 for years?
A number of these vulnerabilities have recently been fixed in grub2, but updating systems is not going to be easy! We cannot simply blacklist all current and older versions of grub2 by adding entries to the UEFI dbx blacklist. This would prevent any OS on older drives, backups, old install media, USB drives, PXE servers, etc. from Secure Booting because they would still contain the old, blacklisted, grub2 signed UEFI boot files. See the 'mitigation' section of this article for more details.

For the complete picture, read the whole article here.

Note also that very new linux/grub2 OS's (install ISOs and updates) may have these new 'fixes' added, which may prevent them from UEFI Secure booting, and in some cases even non-Secure UEFI booting then fails!

July 30 Important Update

Some of the Linux distribution updates appear to be leading to unsuccessful reboots. The developers and distribution maintainers are working to provide new updates. The maintainers are recommending to avoid installing updates for grub2, shim, and other bootloader-related applications until new packages are available. Some of the issues to watch are listed below:


Monday, 20 July 2020

Easy2Boot eBooks (PDFs) are now all $5

The E2B eBooks are now all reduced to only $5 each again. If you have not yet read all of them then now is your chance!



  • E2B #1: How to make a multiboot USB drive using Easy2Boot
  • E2B #2: How to install Microsoft Windows using Easy2Boot
  • E2B #3: How to make a UEFI multi-boot Easy2Boot USB drive
  • E2B #4: UEFI-multiboot using the a1ive grub2 File Manager 
  • Getting started with grub4dos
There are some user comments\reviews on the E2B site's Guest Book page if you want to see what others thought of them.

Updates are free. Just use the download link that is emailed to you again to check for later versions.

Friday, 17 July 2020

re. Fixing faulty computers

This is just a quick blog post to say 'Hi'. I have been busy doing other things recently (like playing with my new IODD Mini SSD - Amazon link which is performing very well) so I have not been spending much time on E2B.

In my few moments of free time, I have been enjoying watching Adamant IT repair shop YouTube videos which are quite entertaining. He has videos on 'live' repair and also 'live' PC builds as well as reviews, etc.

Although I have retired from repairing/building/developing PCs and Notebooks now, unless they have changed a lot in the last 6 years or so, I thought I would go through what I tended to do to diagnose and fix PCs\Notebooks.

Friday, 26 June 2020

Add Medicat 2020 to your Zalman\IODD disk

The Medicat 20.05 download comes as a .BIN file which contains a 512-byte header file which is only recognised by a few utilities such as OSFMounter and ImageUSB by Passmark.

Here is how to convert it to a VHD file which is suitable for loading via your Zalman\IODD device.

Note: For medicat.20.06.1.img - from here - I used BitTorrent and then just copied the .img file to my IODD\Zalman and renamed it to medicat.20.06.1.vhd. You can then mount it as a virtual drive.


Instructions for medicat 20.05 .bin file

Thursday, 25 June 2020

COMSS 2020-06 multiboot ISO now available (Ru/Eng)

The COMSS 2020-06 multiboot utility ISO is now available. There is a Lite version and a 'full fat' version. The initial menu prompts you to select either Russian or English at the start.


New in version 2020-06:

Monday, 22 June 2020

Add the new 2020 Medicat to your E2B USB drive

The release of Medicat 20.05 is rather odd. It is intended that you make a Medicat 64GB or larger USB drive from it and it is not suitable for multibooting.

Note: See also https://rmprepusb.blogspot.com/2022/01/quickly-add-medicat-2112-to-easy2boot.html



The new Medicat only supports 64-bit CPUs. It is based on Ventoy which requires two particular partitions in a specific order and the download is a PassMark .bin file which has a 512-byte header portion and so it cannot be treated as a VHD file or normal disk image file which we can use with a Zalman\IODD virtual drive emulator.

The main Medicat ISO is inside the image and contains the WinPE .wim file.
When Medicat boots, it will look for the USB drive and mount the USB drive as Y:.
It then expects to find program folders under Y:\Programs and the PortableApps programs under the Y:\PortableApps folder.

There are other ISOs within the image and Ventoy is used to boot them. We can extract these other ISO files from the .bin image and simply copy them to our E2B USB drive.

Medicat 20.06 is a .img file. It does not have the 512-byte header and can be renamed to .VHD for use with a Zalman\IODD. However it does not boot correctly as a .vhd using E2B and so must also be converted as below if using it on an E2B USB drive.

Medicat 21.01 is in the form of zip files for use with 7Zip and Ventoy. You are supposed to extract the contents to the first partition of a previously-made Ventoy USB disk. Instead, you can extract the files to an empty folder on your Windows hard disk and then decide which ISOs, etc. you want to copy to your E2B USB drive's first NTFS partition and choose the appropriate menu folder. Alternatively, just copy all the files (except \autorun.inf and \autorun.ico) to the root of your E2B first NTFS partition and only use Ventoy to boot to Medicat. It will add lots of folders to the root however and may overwrite the contents of your \ventoy folder which will affect the Ventoy theme and menu settings.

Medicat 21.01 zip file contents



Instructions (v20.06)

Friday, 12 June 2020

E2B reaches 1/2 million downloads per year!




I just noticed today that since I started using Fosshub to host the E2B downloads in June 2019, the download counter for E2B has now reached over 500,000 downloads!

I can also tell that in the last 30 days, the Make_E2B.cmd file that is used to make a new E2B USB drive, has been run over 63,000 times (it downloads a file to notify the user of the latest version of E2B) and that the agFM UEFI files have been downloaded over 19,000 times in 30 days.

Boot any ISO from the IODD Mini USB SSD CD\DVD drive emulator

IODD Mini

The IODD Mini #ad  SSD CD\DVD drive emulator is a solid-state version of the IODD 2531 and 2541.
You can see from the picture below that it is approx 9cm x 4cm in size and will easily fit in a pocket.

Note: This IODD Mini was supplied to me by IODD for evaluation and feedback.


In fact, the white 1m USB 3 cable (micro-B USB 3 to Type A USB 3) that comes with it, is larger and bulkier than the device itself.

Thursday, 11 June 2020

Kon-Boot v3.5 now allows us to use larger E2B USB drives

If you buy a licensed version of Kon-Boot v3.5, you can now use it with large USB drives (previously we were limited to drives of 16GB or less).

This means you can now licence a 128GB or 256GB SanDisk USB E2B flash drive or even a 2TB USB Hard Drive.

Once you have installed Kon-Boot, you can backup the files, re-format the drive as an E2B drive and then copy back on the special encrypted USB-drive specific EFI boot file made by the Kon-Boot .exe install process.

If you have already purchased a Kon-Boot licence and have activated it on a small USB flash drive (<16GB) then you cannot switch the licence to a different USB drive - you must purchase a new licence for each drive you want to use Kon-Boot with because the USB Vendor, Product ID and Serial Number of the USB drive are encrypted into the boot file the first time you make a Kon-Boot USB drive. The same USB drive values are recorded on their server for each unique licence number.

Details of how to add the licensed Kon-Boot UEFI boot files to an E2B v2 USB drive are in eBook #4.

You can instead just make a FAT32 .imgPTN or .imgPTN23 file from the files on the Kon-Boot USB drive. Make sure the volume name is KONBOOT once it is switched-in.

Note: E2B+agFM allows you to Secure Boot without needing to purchase the more expensive 'commercial' Kon-Boot licence. However, Windows 10 (UEFI) online account bypass support is only included with the full Kon-Boot commercial licence.

If you see this, the licence details did not match with the USB drive's ID!

Note: For best compatibility, the Kon-Boot files should be within 128 GiB from the start of the USB drive.

Monday, 8 June 2020

agFM v1.55 available

Changes

  1. Remove HDCLONE menu from startup_default.cfg menu
  2. Improve 'Restore E2B partitions' detection menu entry so it does not appear if there is no valid backup
  3. Update to latest a1ive grub2\grubfm version
To download and update run \e2b\Update agFM\Download and update agFM_v2.cmd from the second agFM partition.

IODD Mini SSD 

For simple ISO and VHD booting, this neat little USB 3 SSD AES256-bit encrypted drive is hard to beat! Just select the ISO\VHD on the display and boot. VHD files can be set to emulate a fixed or removable USB drive and you can write-protect it too if you wish. You can also set the whole SSD drive in the same way, so you can have a 512GB Removable USB 3 SSD drive or a write-protected 512GB Fixed disk or any combination thereof.



P.S. I just received an IODD Mini 512GB SSD drive from IODD for evaluation. So please let me know if there is anything in particular you would like me to cover. So far I am impressed! It is quite small, fast and seems to work well.