Chainload from Windows Boot Manager to GRUB with Secure Boot enabled


Boot both Linux and Windows from UEFI. It's that simple. As you can see, chainloading either Windows from GRUB or Linux/GRUB from Windows Boot Manager has drawbacks for Secure Boot and Bitlocker.

Many motherboards give the UEFI boot menu with F11. If that doesn't work, try Escape or Delete to either get a functions menu, or this might drop right into configuration, which might give you a boot order configuration or an option to "instant boot", which is the same thing the boot menu does.

The key is you're selecting the OS you want from UEFI, not from a boot loader.
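As an added example (not part of the original answer), the same choice can be made from a running Linux session by setting the UEFI BootNext variable, so that on the next boot the firmware itself launches the chosen loader. It assumes `efibootmgr` is installed; the entry numbers and labels in the sample output are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pick the next OS through the firmware (UEFI BootNext)
# instead of chainloading one boot loader from the other.

# Constructed sample of `efibootmgr` output; numbers and labels are
# illustrative and will differ on a real machine.
SAMPLE_EFIBOOTMGR='BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0000,0001,0002
Boot0000* Windows Boot Manager
Boot0001* ubuntu
Boot0002  Old entry'

# Print the 4-hex-digit number of the first ACTIVE entry (marked "*")
# whose label equals $1. Reads efibootmgr output on stdin.
find_boot_entry() {
    awk -v want="$1" '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]\* / {
            num = substr($0, 5, 4)
            label = substr($0, 11)
            sub(/\t.*$/, "", label)   # some versions append the device path after a tab
            if (label == want) { print num; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Build (do not run) the command that sets BootNext for one boot only.
# The permanent BootOrder is left untouched.
bootnext_command() {
    bn_num=$(find_boot_entry "$1") || {
        echo "no active boot entry labelled: $1" >&2
        return 1
    }
    printf 'efibootmgr --bootnext %s\n' "$bn_num"
}

# Demo on the constructed sample. On a real system, pipe `efibootmgr`
# in instead, run the printed command as root, then reboot.
printf '%s\n' "$SAMPLE_EFIBOOTMGR" | bootnext_command "Windows Boot Manager"
```

BootNext applies to a single boot, so the machine returns to its normal BootOrder afterwards.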


Author: ejgallego

Updated on September 18, 2022

Comments

  • ejgallego
    ejgallego over 1 year

    I have a UEFI laptop with Bitlocker on the Windows partition. This forces the primary bootloader to be Windows Boot Manager with Secure Boot enabled in order for Bitlocker to work properly on Windows. That is to say, with this setup, Windows can only boot if its boot manager was the first thing called by the UEFI, due to the encryption keys used by Bitlocker being stored in the TPM.

    Chainloading the Windows Boot Manager from Grub doesn't work [Windows does complain about the Secure Boot environment not being safe anymore], so we must go the other way: adding a menu entry for Ubuntu's shimx64.efi to the Windows Boot Manager using bcdedit.exe.

    I have tried all kinds of tricks with bcdedit /copy, bcdedit /create, etc., but even if Windows detects the entry, when jumping into it I get a fatal error at boot time:

    File: \EFI\ubuntu\shimx64.efi
    Status: 0xc000007b
    Info: The application or operating system couldn't be loaded because a required file is missing or contains errors.
    

    Does anyone know what the right bcdedit magic to add an Ubuntu entry is? TIA.

    [Note that this answer sadly produces the above]

    edit: Note that if I go to my UEFI Bios and select the Ubuntu entry Linux loads properly. So for now I am stuck with going to BIOS and selecting the OS I'd like to boot.

    edit2: Bitlocker is not used from Linux, nor do I want to do so; its role here is to encrypt the Windows partition.

    • ubfan1
      ubfan1 about 6 years
      Do you have a copy of grubx64.efi in the /EFI/ubuntu directory along with shimx64.efi?
    • Panther
      Panther about 6 years
      The command in Windows, for Fedora, is: bcdedit /set {bootmgr} path \EFI\fedora\grubx64.efi. You have to update the path to the Ubuntu .efi
    • ejgallego
      ejgallego about 6 years
      @ubfan1 yup, /boot/EFI/ubuntu looks all right, I can boot into Linux without problems from the BIOS UEFI menu [but it is very inconvenient]
    • ejgallego
      ejgallego about 6 years
      @Panther, thanks but this solution doesn't work as it will set the primary boot loader to be grub, and then Bitlocker complains if we chainload the windows bootloader.
    • jdwolf
      jdwolf about 6 years
      Do neither of these things. Do not load Windows Boot Manager from GRUB. Do not load GRUB from Windows Boot Manager. Neither is going to work with secure boot. Load BOTH from the UEFI. You then have to pick which to boot with your respective mobo's UEFI boot menu. As you noted in your answer, this is correct and how you should do it if you want secure boot to work.
    • Panther
      Panther about 6 years
      @jdwolf - it is BIOS dependent. On my laptop I cannot chainload and, as you describe, select which OS to boot. On my desktop I use the command I gave to dual boot Windows 10 and Fedora 27, secure boot enabled, boots to grub and chainloads Windows. The OP is adding yet another complexity by using Bitlocker.
    • Panther
      Panther about 6 years
      @ejgallego - You should consider updating your question to describe what you are doing. Booting Windows with Bitlocker is another layer of complexity. You should give such details in your question, not the comments.
    • jdwolf
      jdwolf about 6 years
      @Panther I don't understand how Bitlocker keys into this. It should work fine from Windows. I wouldn't expect it to work from Linux and I don't see how chain loading grub from Windows Boot Manager is going to make it any more likely to work.
    • ejgallego
      ejgallego about 6 years
      @Panther I am not sure how I should update my question, as Bitlocker is mentioned in the first sentence.
    • ejgallego
      ejgallego about 6 years
      @jdwolf I am talking about Bitlocker working on Windows itself. Windows does work well when booted from Grub even with secure boot unless the Bitlocker encryption key is needed to open C:, which is the problem I am facing here. I'll try to update the question a bit.
    • jdwolf
      jdwolf almost 6 years
      @ejgallego Alright then, the solution is pretty simple then. Don't chainload Windows. Load Windows from UEFI. Don't load GRUB/Linux (shim.efi is actually Linux, not Grub) from Windows Boot Manager. Load it from UEFI.
    • ejgallego
      ejgallego almost 6 years
      Thanks @jdwolf, indeed that's what I'm doing now but it has other drawbacks, so I am interested in chainloading Grub from WBL, which I know can be done, I just didn't get the right magic yet.
    • jdwolf
      jdwolf almost 6 years
      What drawbacks does it have?
    • ejgallego
      ejgallego almost 6 years
      Hi @jdwolf, it has mainly 3: a) the window to choose the operating system is very short, so I tend to miss it, b) it does a huge "bleep" when I press Enter + F12 [this is an X1 Yoga 3rd gen], c) it takes a lot of time to arrive at the boot menu. Despite that it is bearable, but I would prefer to have a WBM solution.
    • jdwolf
      jdwolf almost 6 years
      @ejgallego You should take a look at rEFInd then. rodsbooks.com/refind wiki.archlinux.org/index.php/REFInd It's a boot manager that is UEFI compatible. You can use it to load GRUB, Windows or EFI-stub (Linux directly).