Super UEFIinSecureBoot Disk
Super UEFIinSecureBoot Disk is a bootable image, built as a proof of concept, intended as a base for recovery USB flash drives. It carries the GRUB2 bootloader, and its distinguishing property is that it boots with UEFI Secure Boot left enabled: where Secure Boot would normally refuse any component without a valid signature, this disk, once its certificate has been enrolled, launches any operating system or .efi file regardless of whether it is signed.
Features
- GRUB2 bootloader: boots operating systems and chainloads other .efi applications.
- UEFI Secure Boot support on both 32-bit and 64-bit UEFI systems.
- Legacy compatibility: also boots on BIOS machines and under UEFI CSM.
- Versatile boot options: starts any operating system or .efi executable, from GRUB2 or from another .efi application, with Secure Boot enabled.
- Driver loading: loads any UEFI driver, signed or not, with Secure Boot enabled.
Dependencies
The Super UEFIinSecureBoot Disk is built from three components, each trusted by the one before it:
- Red Hat Shim, signed with a Microsoft key and taken from Fedora. It is the only component the firmware itself verifies, so it is what makes the chain start under Secure Boot.
- Linux Foundation PreLoader, modified to install a permissive UEFI security policy that accepts any image the firmware is later asked to load.
- GRUB2 with patches that remove its own Secure Boot verification of kernels and modules (the checks that normally go through shim's lock protocol), so it loads Linux and everything else without signature checks.
Description
Secure Boot is a firmware feature of modern computers that refuses to run OS loaders or drivers that are not signed by a trusted key. It is nearly universal because Windows hardware certification requires it. Booted from a USB flash drive, this disk leaves Secure Boot enabled in the firmware settings but neutralizes its verification for everything loaded after the disk's own first stage, so tasks that would otherwise require turning Secure Boot off in firmware setup, such as data recovery or reinstalling an OS whose loader is unsigned, can be done without changing any firmware settings.
Installation
Download the image from the releases page and write it to a USB drive with an image writer such as Rosa ImageWriter or Etcher. Writing the image overwrites everything on the drive. The image contains a FAT32 partition; it is sized for the image itself, and you can enlarge it to the full drive with a partition tool such as gparted.
Usage
On the first boot on a computer with Secure Boot enabled, shim reports that verification of the next stage failed (the exact message text varies by shim version; older notes call it an "Access Violation"). Press OK, choose "Enroll cert from file" (labelled "Enroll key from disk" in current MokManager versions), select ENROLL_THIS_KEY_IN_MOKMANAGER.cer from the disk and confirm. After a reboot the disk goes straight to GRUB. The enrolled key stays in that machine's NVRAM (the MokList variable) until it is deleted, for example via MokManager or with mokutil --delete from a Linux system, so remove it once the recovery work is done. On computers without Secure Boot, no enrollment is needed and the boot goes directly to GRUB.
Frequently Asked Questions
- Does it work with Secure Boot enabled?
  Yes. After the one-time manual key enrollment in MokManager, the disk loads unsigned or untrusted files with Secure Boot still enabled.
- Is it compatible with UEFI computers without Secure Boot?
  Yes. There it behaves like an ordinary GRUB2 bootloader.
- Does it support older BIOS systems?
  Yes. On BIOS and CSM systems it works like any other GRUB2 bootloader.
- Can it bypass Secure Boot for unauthorized software?
  No. The first boot requires someone physically present to enroll the key in MokManager, which rules out stealthy bootkit use. Note, however, that once the key is enrolled, everything this disk's chain loads runs unverified on that machine until the key is deleted again.
- Can GRUB be replaced with another bootloader?
  Yes. GRUB can be swapped for any other EFI bootloader, and that bootloader need not be signed, because the preloader stage has already installed the permissive policy by the time it is launched.
Technical Information
The Super UEFIinSecureBoot Disk runs as a three-stage chain during the UEFI boot process:
- Stage 1: Shim, signed with a Microsoft key, so the firmware's own Secure Boot check passes. Shim then verifies the next stage against the Machine Owner Key list rather than the firmware database; if no matching key has been enrolled, it launches MokManager so the user can enroll the disk's certificate.
- Stage 2: the modified PreLoader, signed with the key enrolled in stage 1. It replaces the firmware's image-verification policy (the UEFI security architectural protocol that LoadImage consults) with a permissive one that accepts any image, so from this point on the firmware will load arbitrary .efi executables.
- Stage 3: GRUB2, patched so that it performs no signature checks of its own when loading OS kernels, modules or other executables.
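The following is an added example, not code from the Super UEFIinSecureBoot Disk project or from shim or PreLoader. It models the three stages above in plain C so it compiles and runs on an ordinary host: the firmware's image-verification protocol is represented as a table of function pointers (in real firmware that table is EFI_SECURITY_ARCH_PROTOCOL / EFI_SECURITY2_ARCH_PROTOCOL, obtained via gBS->LocateProtocol), LoadImage is modelled as a call through that table, and stage 2 does what PreLoader does: swaps the pointer for one that always returns EFI_SUCCESS. The image names, the signer identifier "suisbd-mok" and every function prefixed model_ are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS            0ULL
#define EFI_SECURITY_VIOLATION (0x8000000000000000ULL | 0x1AULL) /* UEFI error 26, the (0x1A) shim reports */

/* A loadable image as the modelled firmware sees it (constructed record, not a real PE). */
typedef struct {
    const char *name;
    int signed_by_db;    /* signature chains to a cert in the firmware's db (e.g. Microsoft UEFI CA) */
    const char *signer;  /* who signed it, NULL for an unsigned file; shim compares this to MokList */
} ModelImage;

/* Modelled EFI_SECURITY2_ARCH_PROTOCOL: the firmware calls this pointer before it maps
 * any image. The real member takes a device path and file buffer instead of ModelImage. */
typedef struct ModelSecurity2 ModelSecurity2;
struct ModelSecurity2 {
    EFI_STATUS (*FileAuthentication)(ModelSecurity2 *This, const ModelImage *img);
};

/* The firmware's stock policy: only db-signed images may run. */
static EFI_STATUS stock_file_authentication(ModelSecurity2 *This, const ModelImage *img) {
    (void)This;
    return img->signed_by_db ? EFI_SUCCESS : EFI_SECURITY_VIOLATION;
}

/* The single protocol instance; real code would obtain it via gBS->LocateProtocol(). */
static ModelSecurity2 g_security2 = { stock_file_authentication };
static EFI_STATUS (*g_saved_auth)(ModelSecurity2 *, const ModelImage *) = NULL;

/* Modelled gBS->LoadImage(): defers to whatever policy is currently installed. */
EFI_STATUS model_load_image(const ModelImage *img) {
    return g_security2.FileAuthentication(&g_security2, img);
}

/* Convenience probe: try to load a constructed unsigned file under the current policy. */
EFI_STATUS model_load_unsigned(void) {
    static const ModelImage unsigned_file = { "unsigned.efi", 0, NULL };
    return model_load_image(&unsigned_file);
}

/* Stage 2, PreLoader-style: swap the policy pointer for one that accepts everything.
 * Nothing else in the firmware changes; every later LoadImage simply calls this instead. */
static EFI_STATUS permissive_file_authentication(ModelSecurity2 *This, const ModelImage *img) {
    (void)This; (void)img;
    return EFI_SUCCESS;
}
void install_permissive_policy(void) {
    if (g_saved_auth == NULL) {                       /* idempotent: keep the original pointer once */
        g_saved_auth = g_security2.FileAuthentication;
        g_security2.FileAuthentication = permissive_file_authentication;
    }
}
void restore_stock_policy(void) {
    if (g_saved_auth != NULL) {
        g_security2.FileAuthentication = g_saved_auth;
        g_saved_auth = NULL;
    }
}

/* Stage 1, shim-style: shim is db-signed, so the firmware runs it; it then checks the
 * next stage against the Machine Owner Key list (MokList) instead of db.
 * Returns 1 when the next stage may run, 0 when MokManager would be launched instead. */
int model_shim_verify(const ModelImage *next, const char *const *mok_list, size_t n) {
    if (next->signer == NULL) return 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(next->signer, mok_list[i]) == 0) return 1;
    return 0;
}

/* Walks the whole chain. mok_enrolled models whether the user has already enrolled the
 * disk's certificate in MokManager. Returns the last stage reached: 1 = stopped at shim
 * (MokManager shown), 2 = PreLoader ran but an unsigned image was still refused,
 * 3 = unsigned GRUB and an unsigned kernel both loaded. */
int model_boot_chain(int mok_enrolled) {
    const ModelImage shim      = { "shimx64.efi",   1, "microsoft-uefi-ca" };
    const ModelImage preloader = { "PreLoader.efi", 0, "suisbd-mok" };   /* constructed signer id */
    const ModelImage grub      = { "grubx64.efi",   0, NULL };           /* unsigned */
    const ModelImage kernel    = { "vmlinuz",       0, NULL };           /* unsigned */
    const char *mok_list[1]    = { "suisbd-mok" };

    if (model_load_image(&shim) != EFI_SUCCESS) return 0;                /* firmware db check */
    if (!model_shim_verify(&preloader, mok_list, mok_enrolled ? 1 : 0)) return 1;
    install_permissive_policy();                                         /* stage 2 */
    if (model_load_image(&grub) != EFI_SUCCESS) return 2;
    if (model_load_image(&kernel) != EFI_SUCCESS) return 2;              /* patched GRUB adds no check */
    return 3;
}

int main(void) {
    printf("first boot, nothing enrolled: reached stage %d\n", model_boot_chain(0));
    restore_stock_policy();
    printf("after MOK enrollment:         reached stage %d\n", model_boot_chain(1));
    return 0;
}
```

The point the model makes is that the policy is ordinary boot-services memory: once a stage the firmware trusts has run, a single pointer swap is enough for every subsequent LoadImage to succeed, which is why enrolling one key in MokManager is all the disk needs. Nothing in the model persists, whereas on real hardware the enrolled MOK stays in NVRAM until deleted.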
Additional Information
For a detailed account of the technique, see the article "Exploiting signed bootloaders to circumvent UEFI Secure Boot".
Notes
GRUB on the disk is started with the environment variable suisbd=1 set, so a grub.cfg shared between this disk and ordinary GRUB installations can test that variable to detect when it is running from this tool. Since version 3, the disk ships both the firmware's stock UEFI file loader (which works because of the permissive policy) and an internal loader of its own, so untrusted files can be loaded either way.