UEFI - Secure Boot & System partition

Similar Messages

• MJG's signed Shim for UEFI Secure Boot now available

  There have been a number of posts about EFI and Secure Boot recently, so I thought some people might be interested in this:
  http://mjg59.dreamwidth.org/20303.html
  That's Matthew Garrett's announcement of a signed binary version of his Shim boot loader. Basically, this program will boot on a computer with Secure Boot active in its default mode (with Microsoft's keys in the firmware) and then launch another boot loader (called grubx64.efi, although it could be something other than GRUB in that filename) that you sign with your keys. The end result is something that's more secure than disabling Secure Boot entirely and easier than installing your own Secure Boot keys. I haven't yet tried this version of the binary, so I can't provide help beyond pointing you to MJG's own blog, but I thought some people might want to know about it.
  FWIW, although you could sign and launch my rEFInd boot manager with this version of Shim, the current version (0.4.7) won't be very useful when signed in this way, since it doesn't yet "talk" to Shim. I'm working on changing that, so that rEFInd will launch binaries signed in a way that Shim supports.

  kristof wrote:A signed bootloader is nice, but unless the Arch developers start distributing a version of the kernel that's also signed with a MOK, secure boot isn't being fully utilized.
  Largely true, but:
  Secure Boot is here, and seems likely to stay. Given this fact, all Linux distributions (including Arch) need a way to cope with it. There are basically two choices: Provide instructions on how to deal with it (difficult because of system-to-system differences) or provide signed binaries (a boot loader at a minimum, or preferably a boot loader and kernel).
  It's possible to "provide" a signed binary by generating the key locally and signing it locally. This could be done by scripts in the installation process, for example. Of course, that still leaves a need to get the installer booted on a Secure Boot system, but that could be handled with the Linux Foundation's pre-bootloader.
  To be truly effective, Secure Boot really requires support all the way up the software chain. Signing a kernel does no good if the kernel can load unsigned modules, for instance. Fedora's taking steps to provide such security, but Ubuntu seems to be going with a more relaxed approach. In truth, Linux isn't as bothered by malware as is Linux, so it's unclear that going with a Fedora-esque approach is really helpful; but OTOH, it's conceivable that malware authors will start using Linux as a vector to install boot-time malware if Windows becomes sufficiently locked down, so maybe some paranoia is in order.
  At the moment and as a practical matter, technical Linux users (including most Arch users) will find it quicker and easier to disable Secure Boot than to use shim. As shim and various support tools (signing utilities, boot managers, etc.) mature, though, this may not be the case. It may also be desirable or even necessary to leave Secure Boot enabled, in which case adopting shim now may make sense. Likewise if you want to learn about it now so that you can use it in the future.

• Windows 7 Deployment via PXE to an UEFI + secure boot enabled Lenovo system.

  Hi Everyone,
  I was wondering if above was possible?. I have not yet put much energy this uefi and secure boot thingy - so just told our supporters to change bios settings back to Legacy with secure boot disabled on the pre Windows 8 delivered Lenovo systems.  
  Deployment system :
  SCCM 2012 SP1 is running on a Windows Server 2008R2
  Regards
  Anders Jensen
  Solved!
  Go to Solution.

  Thx

• [Request] UEFI Secure boot Bios for: GTX660

  My old motherboard died so i have replaced my computer, I now have:
  4690K
  32gig ram
  Asus Maximus hero Vii mobo.
  All set to using secure boot / UEFI.
  Have installed windows on a fresh GPT partition with secure boot and Im currently using the On Chip HD4600 graphics.
  My GTX660 is sat beside me on the desk. (It's *waving* , currently feeling neglected)   
  Im unable to boot to Win 8.1 with the card plugged in as the computer complains about a non UEFI device.
  Info from GFX card box:
  912-V287-001
  N660 TF 2GD5/OC
  PCI - E,N660,2G,GDDR5,Twin Frozr,OC,
  DL - DVI - I,DL - DVI - D,HDMI,DP,
  Power Cable,SLI
  S/N:602 - V287 - 04SB120902****
  I do not know the current BIOS on the card.
  1) As im currently unable to boot to windows with the card installed can the entire flash procedure be done from a DOS enviro?
  techpowerup.com/downloads/2257/nvflash-5-136 - I think it can.
  2) Can somone provide me with a suitable bios file please?
  3) Once I perform this flash will I be able to use this GTX660 an old non UEFI system? (I plan to sell this card on , and get a MSI GTX970 next paycheck)

  Use the attached.
  Decompress the provided .rar archive with Winrar: http://www.rarlab.com/download.htm
  Then flash the included file with Nvflash for dos: http://www.guru3d.com/files_details/nvflash_download.html
  To do so rename the included file to .rom and create a dos bootstick (https://forum-en.msi.com/index.php?topic=165175.0)
  Put nvflash and the vbios file on it and boot from the stick. Then type nvflash -4 -5 -6 gop.rom (if renamed vbios that way) and hit enter. Confirm the questions and let the tool flash
  Quote from: farrantcj on 06-June-15, 15:52:09
  3) Once I perform this flash will I be able to use this GTX660 an old non UEFI system? (I plan to sell this card on , and get a MSI GTX970 next paycheck)
  Old boards with a legacy bios will have no problem as the vbios is hybrid and can work in UEFI and legacy mode. Only older boards with a UEFI bios that is not GOP compliant might run into issues.

• UEFI secure boot

  To my great surprise, I have just noticed that Ubuntu use a Microsoft signed version of grub that accept to boot unsigned kernel. https://wiki.ubuntu.com/SecurityTeam/SecureBoot. An attacker can easily use the Ubuntu signed version of grub together with an unsigned kernel to do all the evil things he wants. I don't understand how this has been accepted.
  Moreover it seems that secure boot has already been hacked http://securityaffairs.co/wordpress/254 … -uefi.html .
  Was security the real purpose of secure boot. I can't think so.
  Last edited by olive (2014-10-09 08:15:28)

  olive wrote:An attacker can easily use the Ubuntu signed version of grub together with an unsigned kernel to do all the evil things he wants.
  I always thought that this can be avoided by locking the boot entries and boot order in the UEFI/BIOS settings, and configuring a administrator password in the UEFI/BIOS that protects these settings.
  Even on a computer that does not use SecureBoot setting an administrator password for the UEFI/BIOS is a good idea to keep others from changing the settings.
  The fact that a lot of SecureBoot systems are vulnerable is no surprise to me given the large amount of bugs showing up in the UEFI firmwares. The UEFI bugs can be found in numerous threads on the forums.

• [SOLVED] Board no longer sees uefi as boot option

  Hi,
  I installed Arch on an ssd and was using rEFind to boot the system. It was working fine until I unhooked the ssd from the Mobo to install a hard drive with an old version of arch.( I was going to use the hd for extra space) However, when I hooked my ssd back up the bios did not detect the uefi. It shows the ssd but not the option to boot with uefi.
  When I run lsblk -f from my old installation I can see that the ssd is not mounted to anything. I can mount the ssd with the old installation and see all my files. I just can't boot to the ssd. Any Ideas?
  I have an Asus mobo and a Kingston ssd. Probably not relevant info but thought I would mention it just in-case.
  Last edited by Mgrim (2013-03-08 05:42:47)

  ls -l /dev/disk/by-partuuid/  output
  lrwxrwxrwx 1 root root 10 Mar  4 15:12 0c20bfb2-b03b-467f-9faf-d8f7311027ec -> ../../sdb4
  lrwxrwxrwx 1 root root 10 Mar  4 15:12 38362986-f8ad-416d-86eb-659f7e78f8c3 -> ../../sdb1
  lrwxrwxrwx 1 root root 10 Mar  4 15:12 628b4764-b385-4f6c-a92c-8c1ccc551e19 -> ../../sdb3
  lrwxrwxrwx 1 root root 10 Mar  4 15:12 82e01db0-b264-4555-910d-aa020bccb086 -> ../../sdb2
  -not sure how to do this for sda drive
  refind.conf
  # refind.conf
  # Configuration file for the rEFInd boot menu
  # Timeout in seconds for the main menu screen. Setting the timeout to 0
  # disables automatic booting (i.e., no timeout).
  timeout 20
  # Hide user interface elements for personal preference or to increase
  # security:
  # banner - the rEFInd title banner
  # label - text label in the menu
  # singleuser - remove the submenu options to boot Mac OS X in single-user
  # or verbose modes; affects ONLY MacOS X
  # hwtest - the submenu option to run Apple's hardware test
  # arrows - scroll arrows on the OS selection tag line
  # all - all of the above
  #hideui singleuser
  #hideui all
  # Set the name of a subdirectory in which icons are stored. Icons must
  # have the same names they have in the standard directory. The directory
  # name is specified relative to the main rEFInd binary's directory. If
  # an icon can't be found in the specified directory, an attempt is made
  # to load it from the default directory; thus, you can replace just some
  # icons in your own directory and rely on the default for others.
  # Default is "icons".
  #icons_dir myicons
  # Use a custom title banner instead of the rEFInd icon and name. The file
  # path is relative to the directory where refind.efi is located. The color
  # in the top left corner of the image is used as the background color
  # for the menu screens. Currently uncompressed BMP images with color
  # depths of 24, 8, 4 or 1 bits are supported.
  #banner hostname.bmp
  # Custom images for the selection background. There is a big one (144 x 144)
  # for the OS icons, and a small one (64 x 64) for the function icons in the
  # second row. If only a small image is given, that one is also used for
  # the big icons by stretching it in the middle. If only a big one is given,
  # the built-in default will be used for the small icons.
  # Like the banner option above, these options take a filename of an
  # uncompressed BMP image file with a color depth of 24, 8, 4, or 1 bits.
  #selection_big selection-big.bmp
  #selection_small selection-small.bmp
  # Use text mode only. When enabled, this option forces rEFInd into text mode.
  #textonly
  # Set the screen's video resolution. Pass this option two values,
  # corresponding to the X and Y resolutions. Note that not all resolutions
  # are supported. On UEFI systems, passing an incorrect value results in a
  # message being shown on the screen to that effect, along with a list of
  # supported modes. On EFI 1.x systems (e.g., Macintoshes), setting an
  # incorrect mode silently fails. On both types of systems, setting an
  # incorrect resolution results in the default resolution being used.
  # A resolution of 1024x768 usually works, but higher values often don't.
  # Default is "0 0" (use the system default resolution, usually 800x600).
  #resolution 1024 768
  # Launch specified OSes in graphics mode. By default, rEFInd switches
  # to text mode and displays basic pre-launch information when launching
  # all OSes except OS X. Using graphics mode can produce a more seamless
  # transition, but displays no information, which can make matters
  # difficult if you must debug a problem. Also, on at least one known
  # computer, using graphics mode prevents a crash when using the Linux
  # kernel's EFI stub loader. You can specify an empty list to boot all
  # OSes in text mode.
  # Valid options:
  # osx - Mac OS X
  # linux - A Linux kernel with EFI stub loader
  # elilo - The ELILO boot loader
  # grub - The GRUB (Legacy or 2) boot loader
  # windows - Microsoft Windows
  # Default value: osx
  #use_graphics_for osx,linux
  # Which non-bootloader tools to show on the tools line, and in what
  # order to display them:
  # shell - the EFI shell (requires external program; see rEFInd
  # documentation for details)
  # gptsync - the (dangerous) gptsync.efi utility (requires external
  # program; see rEFInd documentation for details)
  # apple_recovery - boots the Apple Recovery HD partition, if present
  # mok_tool - makes available the Machine Owner Key (MOK) maintenance
  # tool, MokManager.efi, used on Secure Boot systems
  # about - an "about this program" option
  # exit - a tag to exit from rEFInd
  # shutdown - shuts down the computer (a bug causes this to reboot
  # EFI systems)
  # reboot - a tag to reboot the computer
  # Default is shell,apple_recovery,mok_tool,about,shutdown,reboot
  #showtools shell, mok_tool, about, reboot, exit
  # Directories in which to search for EFI drivers. These drivers can
  # provide filesystem support, give access to hard disks on plug-in
  # controllers, etc. In most cases none are needed, but if you add
  # EFI drivers and you want rEFInd to automatically load them, you
  # should specify one or more paths here. rEFInd always scans the
  # "drivers" and "drivers_{arch}" subdirectories of its own installation
  # directory (where "{arch}" is your architecture code); this option
  # specifies ADDITIONAL directories to scan.
  # Default is to scan no additional directories for EFI drivers
  #scan_driver_dirs EFI/tools/drivers,drivers
  # Which types of boot loaders to search, and in what order to display them:
  # internal - internal EFI disk-based boot loaders
  # external - external EFI disk-based boot loaders
  # optical - EFI optical discs (CD, DVD, etc.)
  # hdbios - BIOS disk-based boot loaders
  # biosexternal - BIOS external boot loaders (USB, eSATA, etc.)
  # cd - BIOS optical-disc boot loaders
  # manual - use stanzas later in this configuration file
  # Note that the legacy BIOS options require firmware support, which is
  # not present on all computers.
  # On UEFI PCs, default is internal,external,optical,manual
  # On Macs, default is internal,hdbios,external,biosexternal,optical,cd,manual
  #scanfor internal,external,optical,manual
  # Delay for the specified number of seconds before scanning disks.
  # This can help some users who find that some of their disks
  # (usually external or optical discs) aren't detected initially,
  # but are detected after pressing Esc.
  # The default is 0.
  #scan_delay 5
  # When scanning volumes for EFI boot loaders, rEFInd always looks for
  # Mac OS X's and Microsoft Windows' boot loaders in their normal locations,
  # and scans the root directory and every subdirectory of the /EFI directory
  # for additional boot loaders, but it doesn't recurse into these directories.
  # The also_scan_dirs token adds more directories to the scan list.
  # Directories are specified relative to the volume's root directory. This
  # option applies to ALL the volumes that rEFInd scans. If a specified
  # directory doesn't exist, it's ignored (no error condition results).
  # The default is to scan no additional directories.
  #also_scan_dirs boot,EFI/linux/kernels
  # Directories that should NOT be scanned for boot loaders. By default,
  # rEFInd doesn't scan its own directory or the EFI/tools directory.
  # You can "blacklist" additional directories with this option, which
  # takes a list of directory names as options. You might do this to
  # keep EFI/boot/bootx64.efi out of the menu if that's a duplicate of
  # another boot loader or to exclude a directory that holds drivers
  # or non-bootloader utilities provided by a hardware manufacturer. If
  # a directory is listed both here and in also_scan_dirs, dont_scan_dirs
  # takes precedence. Note that this blacklist applies to ALL the
  # filesystems that rEFInd scans, not just the ESP.
  #dont_scan_dirs EFI/boot,EFI/Dell
  # Files that should NOT be included as EFI boot loaders (on the
  # first line of the display). If you're using a boot loader that
  # relies on support programs or drivers that are installed alongside
  # the main binary or if you want to "blacklist" certain loaders by
  # name rather than location, use this option. Note that this will
  # NOT prevent certain binaries from showing up in the second-row
  # set of tools. Most notably, MokManager.efi is in this blacklist,
  # but will show up as a tool if present in certain directories. You
  # can control the tools row with the showtools token.
  # The default is shim.efi,MokManager.efi,TextMode.efi,ebounce.efi,GraphicsConsole.efi
  #dont_scan_files shim.efi,MokManager.efi
  # Scan for Linux kernels that lack a ".efi" filename extension. This is
  # useful for better integration with Linux distributions that provide
  # kernels with EFI stub loaders but that don't give those kernels filenames
  # that end in ".efi", particularly if the kernels are stored on a
  # filesystem that the EFI can read. When uncommented, this option causes
  # all files in scanned directories with names that begin with "vmlinuz"
  # or "bzImage" to be included as loaders, even if they lack ".efi"
  # extensions. The drawback to this option is that it can pick up kernels
  # that lack EFI stub loader support and other files. Most notably, if you
  # want to give a kernel a custom icon by placing an icon with the kernel's
  # filename but a ".icns" extension in the same directory as the kernel, this
  # option will cause the icon file to show up as a non-functional loader tag.
  # Default is to NOT scan for kernels without ".efi" extensions.
  scan_all_linux_kernels
  # Set the maximum number of tags that can be displayed on the screen at
  # any time. If more loaders are discovered than this value, rEFInd shows
  # a subset in a scrolling list. If this value is set too high for the
  # screen to handle, it's reduced to the value that the screen can manage.
  # If this value is set to 0 (the default), it's adjusted to the number
  # that the screen can handle.
  #max_tags 0
  # Set the default menu selection. The available arguments match the
  # keyboard accelerators available within rEFInd. You may select the
  # default loader using:
  # - A digit between 1 and 9, in which case the Nth loader in the menu
  # will be the default.
  # - Any substring that corresponds to a portion of the loader's title
  # (usually the OS's name or boot loader's path).
  #default_selection 1
  # Sample manual configuration stanzas. Each begins with the "menuentry"
  # keyword followed by a name that's to appear in the menu (use quotes
  # if you want the name to contain a space) and an open curly brace
  # ("{"). Each entry ends with a close curly brace ("}"). Common
  # keywords within each stanza include:
  # volume - identifies the filesystem from which subsequent files
  # are loaded. You can specify the volume by label or by
  # a number followed by a colon (as in "0:" for the first
  # filesystem or "1:" for the second).
  # loader - identifies the boot loader file
  # initrd - Specifies an initial RAM disk file
  # icon - specifies a custom boot loader icon
  # ostype - OS type code to determine boot options available by
  # pressing Insert. Valid values are "MacOS", "Linux",
  # "Windows", and "XOM". Case-sensitive.
  # graphics - set to "on" to enable graphics-mode boot (useful
  # mainly for MacOS) or "off" for text-mode boot.
  # Default is auto-detected from loader filename.
  # options - sets options to be passed to the boot loader; use
  # quotes if more than one option should be passed or
  # if any options use characters that might be changed
  # by rEFInd parsing procedures (=, /, #, or tab).
  # disabled - use alone or set to "yes" to disable this entry.
  # Note that you can use either DOS/Windows/EFI-style backslashes (\)
  # or Unix-style forward slashes (/) as directory separators. Either
  # way, all file references are on the ESP from which rEFInd was
  # launched.
  # Use of quotes around parameters causes them to be interpreted as
  # one keyword, and for parsing of special characters (spaces, =, /,
  # and #) to be disabled. This is useful mainly with the "options"
  # keyword. Use of quotes around parameters that specify filenames is
  # permissible, but you must then use backslashes instead of slashes,
  # except when you must pass a forward slash to the loader, as when
  # passing a root= option to a Linux kernel.
  # Below are several sample boot stanzas. All are disabled by default.
  # Find one similar to what you need, copy it, remove the "disabled" line,
  # and adjust the entries to suit your needs.
  # A sample entry for a Linux 3.3 kernel with its new EFI boot stub
  # support on a filesystem called "KERNELS". This entry includes
  # Linux-specific boot options and specification of an initial RAM disk.
  # Note uses of Linux-style forward slashes, even in the initrd
  # specification. Also note that a leading slash is optional in file
  # specifications.
  menuentry Linux {
  icon EFI/refind/icons/os_linux.icns
  volume KERNELS
  loader bzImage-3.3.0-rc7
  initrd initrd-3.3.0.img
  options "ro root=UUID=5f96cafa-e0a7-4057-b18f-fa709db5b837"
  disabled
  # A sample entry for loading Ubuntu using its standard name for
  # its GRUB 2 boot loader. Note uses of Linux-style forward slashes
  menuentry Ubuntu {
  loader /EFI/ubuntu/grubx64.efi
  icon /EFI/refined/icons/os_linux.icns
  disabled
  # A minimal ELILO entry, which probably offers nothing that
  # auto-detection can't accomplish.
  menuentry "ELILO" {
  loader \EFI\elilo\elilo.efi
  disabled
  # Like the ELILO entry, this one offers nothing that auto-detection
  # can't do; but you might use it if you want to disable auto-detection
  # but still boot Windows....
  menuentry "Windows 7" {
  loader \EFI\Microsoft\Boot\bootmgfw.efi
  disabled
  # EFI shells are programs just like boot loaders, and can be
  # launched in the same way. You can pass a shell the name of a
  # script that it's to run on the "options" line. The script
  # could initialize hardware and then launch an OS, or it could
  # do something entirely different.
  menuentry "Windows via shell script" {
  icon \EFI\refind\icons\os_win.icns
  loader \EFI\tools\shell.efi
  options "fs0:\EFI\tools\launch_windows.nsh"
  disabled
  # Mac OS is normally detected and run automatically; however,
  # if you want to do something unusual, a manual boot stanza may
  # be the way to do it. This one does nothing very unusual, but
  # it may serve as a starting point. Note that you'll almost
  # certainly need to change the "volume" line for this example
  # to work.
  menuentry "My Mac OS X" {
  icon \EFI\refind\icons\os_mac.icns
  volume "OS X boot"
  loader \System\Library\CoreServices\boot.efi
  disabled
  Last edited by Mgrim (2013-03-05 16:07:44)

• Can't activate secure boot after upgrading from Win 7 to Win 8 on a Spectre XT

  Hi everybody,
  my first post here, so please forgive me if the topic has already been discussed
  I did search before posting anyway, but I couldn't found anything addressing this specific point.
  My (small, I must admit) problem is as follows:
  I recently purchased a Spectre XT 13-2005tu (i7 processor, 4Gb RAM, 256Gb SSD) with Windows 7 pre-installed.
  After installing my favourite applications and using it for a few weeks without any trouble, I thought to take the opportunity of the $14.99 upgrade to Win 8, so I downloaded Windows 8 Pro and installed it (as an upgrade, rather than a fresh installation, because I didn't want to loose the customizations I already made).
  I also installed all the updates available on HP website (sp59158 for updated BIOS, sp58404 for UEFI support, ecc.)
  The whole upgrade worked nicely, and the PC is now up and running with Win 8.
  Now, I'm trying to use at best all the possibilities Win 8 has to offer, and among them, the UEFI secure boot.
  I found the "legacy support" option in the BIOS settings, which as I understand must be disabled to activate the UEFI secure boot, but if I do that the PC tells that there's no operating system on the disk and doesn't boot anymore.
  Which was a bit scary by the way, but eventually I could re-enable the legacy support in the BIOS and have the PC working again, but of course with no secure boot.
  I suppose there must be some other re-configuration that should be done before changing the BIOS parameter, but I couldn't find any instruction for that anywhere on the web.
  On the other hand, it would be indeed weird if the secure boot could not be configured AFTER the OS upgrade, and a new fresh installation would be necessary.
  I'd rather part with the secure boot than re-install everything, but that would be a shame... :-(
  I hope someone can explain what should be done, many thanks in advance!

  Thanks for your feedback, but I don't think your issue is the same as the one I previously explained.
  The UEFI/secure boot setting is a basic configuration affecting the way the PC boots, regardless of whether it is connected to a network or not.
  By the way, in the meantime I've seen in a shop exactly the same PC model which I'm using, now sold with Win 8 pre-installed, and it was working with the UEFI enabled (= BIOS "legacy support" disabled).
  Therefore, the configuration I'm interested in has to be feasible, one way or another...!

• Secure boot / win 8 / linux

  Could someone please inform me if it is possible to disable secure boot (to install other OSes) on the HP laptops being sold with win 8.
  Many thanks,
  Graham.

  Yeah, this is a problem:
  http://www.zdnet.com/linux-foundation-uefi-secure-boot-key-for-windows-8-pcs-delays-explained-700000...
  Since I don't have an HP with UEFI and Windows 8 I can't try this out for myself but as I understand it right now the only way to dual boot Windows 8 and Linux on a machine with UEFI is to disable secure boot. I suspect HP laptop BIOS may not have that option. Right now it appears the Linux world is waiting for Microsoft to issue some kind of a key to allow dual booting.
  http://www.zdnet.com/microsoft-explains-windows-8-boot-to-quell-linux-fears-3040094017/

• How to Enable Secure Boot on UEFI Systems?

  SymptomsWhen attempting to enable Secure Boot, the system does not allow you to select the option to enable or disable Secure Boot.  This is due to the way Acer's UEFI implementation requires a Supervisor Password be set in order to access this option.
  UEFI is a newer technology that replaces the older standard BIOS.
  DiagnosisCreating a Supervisor Password in UEFI will allow you to access the Secure Boot options. It is important that you remember this password as it will be required to make any changes in the UEFI interface.
  SolutionCreate a Supervisor Password to gain access to the Secure Boot option. 
  Refer to our FAQ for all the steps on how to access Secure Boot on Desktops, Notebooks, and Tablets:
  Enable or Disable Secure Boot in Windows 8

  Das macht man 2-3 mal und dann ist nix mehr mit Bios. Dann kommt Passwort ist falsch und das war's dann. Hab ich schon auf verschiedenen Lappis gehabt. Sprich TOSHIBA... und Aspire E1-571g. Beim Toshi den Baustein ausgelötet neuen gekauft, beschrieben und wieder eingelötet. Kostet schlappe 150,-€. Mal schauen was beim Acer rauskommt.Vielleicht gibt es ja noch einen Jumper um das UEFI BIOS zurückzusetzen

• Secure boot not working with MSI Z77a-G45 And system reserve not showing

  Ok so i re did my windows after i did a zero fill on my hard drive as it was showing a corrupted sector on my disk that seemed to fix it for now, until it comes back if it does crossing my fingers it gone for good. But now i can't seem to get Secure boot to work i mean i did not have it before as i just slapped the motherboard in with a existing windows, that was to be expected but this is a clean install of windows 8.1 and i even have secure boot on but its not working and reports as off in windows.  Is it because i have my bios set to legacy+UEFI??? would that make secure boot not work??. i even went as far as turning it off and back on again the secure boot setting nothing made a difference.  I mean its not a big deal bit would be nice to know why its not working, also another wired thing and i will post pictures of it, as i cant see my system reserved partition in disk management but diskpart says it there, i will post those pictures any ideas??. 

  fixed it is my legacy+uefi another forum got back to me.

• [SOLVED] UEFI doesn't "see" the 'EFI System' partition

  My BIOS/UEFI stop from "see" the 'EFI System' partition, there's shellx64.efi and a gummiboot installation and when I try to launch the shell only get "Not found" message.
  Here's the GPT:
  $ sudo gdisk -l /dev/sda
  GPT fdisk (gdisk) version 0.8.10
  Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present
  Found valid GPT with protective MBR; using GPT.
  Disk /dev/sda: 625142448 sectors, 298.1 GiB
  Logical sector size: 512 bytes
  Disk identifier (GUID): 8700C28A-71B0-416A-971A-DDAD1961D56E
  Partition table holds up to 128 entries
  First usable sector is 34, last usable sector is 625142414
  Partitions will be aligned on 2048-sector boundaries
  Total free space is 2669 sectors (1.3 MiB)
  Number Start (sector) End (sector) Size Code Name
  1 2048 1640447 800.0 MiB EF00 EFI System
  2 1640448 78815231 36.8 GiB 0700 Basic data partition
  4 111316992 251867135 67.0 GiB 8300 Linux filesystem
  5 251867136 253968383 1.0 GiB 8200
  6 253968384 625141759 177.0 GiB 0700 Microsoft basic data
  7 78815232 111316991 15.5 GiB 8300
  File list:
  $ ls /mnt/boot/efi
  bootx64.efi EFI loader shellx64.efi
  This happened after a unsuccessfully fedora's bootloader installation.
  Last edited by hotvic (2015-02-23 00:34:34)

  I finally managed out what is the problem.
  The problem is that Fedora Installer (anaconda) wrote the MBR code to disk. so the UEFI partition isn't read by BIOS (I think, not sure).
  The solution for me was erase the protective-MBR:
  # dd if=/dev/zero of=/dev/sda bs=512 count=1
  and then fix the GPT:
  # gdisk /dev/sda
  ## just type 'w' and confirm
  after that reinstalled the gummiboot and voila
  Thanks to all and sorry my very bad english.

• Scanning windows boot camp partition for viruses from mac system

  is there any way that i can scan my boot camp partition (windows hard drive)from my mac operating system since i think this will remove more viruses and leave less chance for them to reappear.
  thanks

  I would first buy or find the best malware/spyware AV software and firewall.
  An ounce of prevention costs less than the pound of cure.
  Backup Windows image with WinClone or something.
  ClamXav or Intego AV 5 are two ideas mentioned earlier.
  If you use the web and email you need to install some programs, free or commercial.
  http://www.makeuseof.com/tag/best-programs-to-keep-your-computer-secure/
  My hat goes to Norton 2009 or their Windows 7 beta of Norton 360 v3 after using Kaspersky and AVG Suites.

• How to restore Windows boot after resizing system partition ?

  I have an fairly new HP Pavilion 14-n228ca notebook which I intend to use mostly for Linux, but still wish to occasionally run the WIndows 8.1 that it shipped with.
  I installed CentOS 6.5 using the dual-boot procedure I have used many times in the past with XP and Vista, viz. resize the main NTFS filesystem, delete the partition and recreate it smaller at the exact same start byte.
  Normally (on XP,Vista) Windows boots from GRUB, but here I get an error "file \Boot\BCD - missing or contains errors"
  F9 at boot gets me a hardware boot menu, where I have a choice of "OS boot manager", EFI file, or "notebook hard drive". The last gets me GRUB. The first drops me to a repair menu where I can try autorepair, which fails, or a command
  line.
  The command line allows me to run diskpart and assign a drive letter to the system partition, at which point I can run chkfs successfully and access files.
  If I try "bootrec /rebuildbcd" it finds one valid volume at \\?\GLOBALROOT\Device\HardDiskVolume4\Windows but then says "system cannot find the file specified"
  How can I restore the ability to boot the Windows partition, preferably without messing up the Linux one ?

  I have an fairly new HP Pavilion 14-n228ca notebook which I intend to use mostly for Linux, but still wish to occasionally run the WIndows 8.1 that it shipped with.
  I installed CentOS 6.5 using the dual-boot procedure I have used many times in the past with XP and Vista, viz. resize the main NTFS filesystem, delete the partition and recreate it smaller at the exact same start byte.
  Normally (on XP,Vista) Windows boots from GRUB, but here I get an error "file \Boot\BCD - missing or contains errors"
  F9 at boot gets me a hardware boot menu, where I have a choice of "OS boot manager", EFI file, or "notebook hard drive". The last gets me GRUB. The first drops me to a repair menu where I can try autorepair, which fails, or a command line.
  The command line allows me to run diskpart and assign a drive letter to the system partition, at which point I can run chkfs successfully and access files.
  If I try "bootrec /rebuildbcd" it finds one valid volume at \\?\GLOBALROOT\Device\HardDiskVolume4\Windows but then says "system cannot find the file specified"
  How can I restore the ability to boot the Windows partition, preferably without messing up the Linux one ?
  assuming your recovery partition is still extant, you can run that and go back to factory
  backup files first natually
  use a virtual machine linux or cloud
  Corsair Carbide 300R with TX850V2
  Asus M5A99FX PRO R2.0 CFX/SLI
  AMD Phenom II 965 C3 Black Edition @ 4.0 GHz
  G.SKILL RipjawsX DDR3-2133 8 GB
  EVGA GTX 660 Ti FTW Signature 2 (GK104 Kepler)
  Asus PA238QR IPS LED HDMI DP 1080p
  ST2000DM001 & Windows 8.1 Professional x64
  Microsoft Wireless Desktop 2000 & Wacom Bamboo CHT470M
  Place your rig specifics into your signature like I have, makes it 100x easier to understand!
  Hardcore Games Legendary is the Only Way to Play!

• Windows 8 Installation Disc Won't Load UEFI-only (T420s). Also does T420S support Secure Boot?

  Question 1:
  I am unable to load the Windows 8 Installation DVD in UEFI (only) mode on my T420s. As a result, I can only run the installer in Legacy mode (or both UEFI/Legacy which effectively means the same thing). This in turn means Windows 8 is installed in Legacy BIOS mode.  Any idea how to install it in UEFI mode?
  I am using a DVD burned using the Windows utility from the Windows 8 64-bit ISO and have followed the instructions in HT073269, however I am unable to get to step 1 of the Windows 8 install after updating the BIOS, resetting to defaults, and switching to UEFI-only. On boot, after switching to UEFI-only, I am presented with a bootloader and prompted to select which drive to boot (DVDRAM or SSD). Selecting either makes the screen go blank for a moment and then returns back to the same screen with no result.
  Since then I have searched these forums extensively and Googled Technet, Notebook Review, and other sites to no avail. I've tried several several ideas, including using diskpart > clean to get the SSD in raw status (per HT051844). That did not make a difference. I also tried converting a Legacy-BIOS install of Windows 8 to UEFI using CharlyAR's instructions on TechNet (linked from another thread here). That seemed to get me to a Windows Boot Loader but still errored out and Windows Repair was unable to fix it.
  Any suggestions?
  Also, question 2:  Does anyone know if the T420S support secure boot? If not, any idea if it's slated for a future firmware update?

  nuncio wrote:
  pleon wrote:
  I use Win8 on my T420s in UEFI mode. [...] I do not understand, what do you mean that secure boot does not work? In BIOS there is no special switch for that, but "UEFI only" works without any problems.
  Secure Boot is a certificate-based approach to preventing rootkits, not the same thing as UEFI. Although Secure Boot requires UEFI, having UEFI does not mean having the additional Secure Boot feature. If Secure Boot is available, typically there will be an option to enable it in the firmware configuration. Since the latest firmware for the T420S (ver. 1.35) does not have such an option, I suspect ThorsHammer is correct that Secure Boot is not (yet) supported on the T420S. I'm keeping my fingers crossed that Lenovo will tell us that a firmware update is on its way though.
  My understanding is that it will never support secure boot.  The secure boot support starts at Ivy Bridge and the T430s.

• Upgrading Windows 7 (Legacy BIOS/MBR Disk) to Windows 8 (UEFI/GPT/Secure Boot)

  Hi there,
  I've recently purchased a W530 with Windows 7 pre-installed.  Ultimately, I'd like to replace this with Window 8 + Secure Boot.  I believe I can get Windows 8 via the Microsoft Upgrade offer for a reasonable price, since this was a recent purchase.
  What's the best way to reach my goal?
  The Windows 7 install uses Legacy BIOS to boot with an MBR disk.
  I had a quick look at Acronis, and I can see that it's possible that the "OS will be automatically converted to support UEFI booting" (http://www.acronis.com/support/documentation/ABR11/index.html#14021.html) when using it's tool.
  If I don't use this approach, what can I do?  Can I:
  1. Use Rescue and Recovery in Windows 7 (Legacy BIOS/MBR disk)
  2. Wipe the drive and reformat it with GPT?
  3. Install Windows 7 with UEFI enabled using the Rescue and Recovery made in step 1?
  4. At this point, I would now have UEFI and GPT.
  5. Perform an Upgrade from Windows 7 to Windows 8 and enable Secure Boot?
  Any thoughts as to whether this would work?
  Richard.

  Hi richii,
  The Acronis approach ends up in failure. Didn't give it a second look at the reason, since the tool it's not necessary. I also tried several other "automatic" tools without success.
  The recovery approach will fail because it's tied up to BIOS boot.
  But I've performed the conversion from BIOS to UEFI two times successfully. After some digging, is not SO hard. It's just... "undocumented". Very, very undocumented, hehe. I made a step-by-step guide: http://social.technet.microsoft.com/wiki/contents/articles/14286.converting-windows-bios-installatio...
  Let me know if it helps you...
  Anyway, if you don't have data/software, I would go for the clean install approach.
  Cheers.
  If I helped you, please give me some kudos! ^^