Query on "Add standard EFI Boot for Win8PE or Win7PE x64"

Can you boot the stick in legacy boot mode? Do you have this option in the F9 bootmenu?
Are there any Bios-Settings for UEFI?
e.g. 'enable legacy boot' or 'enable CSM' etc.

Has this NoteBook the Secure Boot Option?
If you enable Secure Boot then the Shim UEFI key management should start instead rEFInd with this CSM support error message.

In the Shim UEFI key management select "Enroll key from disk"
select the ACPI string which contains a 'Usb' substring.
navigate to EFI\boot and accept 'refind.cer' with <enter>
enter '0' and enter 'y' to enroll the key
type <enter> on '..' until you see 'Return to filesystem list', type <enter>
type <enter> for 'Exit'
type <enter> for 'Continue boot'

Reboot the Laptop
From now you should get the rEFInd CSM support error message also in Secure Boot mode
(or the rEFInd menu, if the CSM can be enabled).

btw: i have updated my thread in the rEFInd forum: https://sourceforge.net/p/refind/discussion/general/thread/ed079cc8/

fuwi

Yes, when I turn on CSM in the BIOS, I can boot the USB. Actually, this is the first time I boot a Grub4dos USB in a UEFI system, so already it's a great learning experience for me. Win8PESE is working beautifully in this CSM mode, I can copy files from the GPT disk, etc. Already "worth the price of admission"!!!!

But as we want to boot the Grub4Dos USB (with 32bit Win8PESE) also in UEFI mode, let's go on to the tests, and your other questions:

Yes, there are "BIOS" settings for UEFI. Boot with esc (repeatedly), press F10 for BIOS setup (that's what it says!!, on a UEFI system)/ System configuration/ Boot options/ Legacy support: I set this to "enabled" for this test. ("Secure boot" is automatically turned off when you select Legacy support). After a reboot, there are two more setting in the F9 Boot device screen, selecting the USB successfully boots the Grub4dos USB, from which Win8PESE runs perfectly.

With Secure boot on (and Legacy support off), I indeed got the UEFI key management screen yesterday. I managed to enroll the key, and as you said, now I also get the CSM support error in Secure boot mode.

So with that out of the way, do you think there will be a way to start the USB key in UEFI mode with rEFInd?

Thanks again for all your help...

As I only have the UEFI test PC for one more day, I decided to make a "normal" 64bit Win8PESE that runs on UEFI with Secure boot. I must say this has its charmes too, because it runs very nice. Of course I had to make some changes to my portable aps here and there. And no multiboot of course 
I'm still interested in rEFInd etc, but the more I read about it, the more I get the impression that this route is full of potholes. I believe in C't or Com! they talked about three groups of UEFI firmware, each with their own level of BIOS emulation level, etc. It sure doesn't sound very convincing that this will work in 100% of the cases (I could not get it working on the Sleekbook yet).
Still, as I said, I'm still very interested in rEFInd, and if there are new developments, I would love to test them (might even ask for the UEFI notebook back for a couple of days).

With Secure boot on (and Legacy support off), I indeed got the UEFI key management screen yesterday. I managed to enroll the key, and as you said, now I also get the CSM support error in Secure boot mode.

So with that out of the way, do you think there will be a way to start the USB key in UEFI mode with rEFInd?

It seems that CSM cannot be used in UEFI Secure Boot, see here: http://www.911cd.net/forums//index.php?s=&showtopic=25329&view=findpost&p=174138

Also here (Manufacturing Requirements): http://technet.microsoft.com/en-us/library/hh824987.aspx

And here (Windows Hardware Certification Requirements (PDF) - Windows 8 System Requirements - page 119/120: http://msdn.microsoft.com/en-us/library/windows/hardware/hh748188.aspx

3. Mandatory. When Secure Boot is Enabled, Compatibility Support Modules (CSM) must NOT be loaded. Compatibility Support Modules are always prohibited on Connected Standby systems.

fuwi

OK, I understand about CSM not being available with Secure Boot.

But it seems that even with Secure Boot off, there are still some (lots of?) problems and compatibily issues (different UEFI versions, etc., this is what c't was talking about when they said "there seem to be 3 types of UEFI, etc", see previous post).

But I'm still interested!

Ok, here my new approach for booting a USB-Stick in UEFI mode with Secure Boot enabled.
The goal is (instead booting Win8PE x64 only) that we have a boot menu, from where we can boot
Win8PE x64 + other tools like the new UEFI-version of Memtest86, Linux distributions like Parted Magic etc.
As i said before, with secure boot enabled and without enrolling keys to the UEFI-System.
The boot sequence is: Shim from ubuntu 12.04.3 (signed by Microsoft) -> Grub2 from ubuntu 12.04.3 (signed by Canonical) -> rEFInd
If i understand correctly, Shim is validated by the Microsoft machine key, after that Shim is validating Grub2 with a built in Canonical certificate,
after that we can boot unsigned kernels and tools from grub.cfg (in my case rEFInd).

Because i don't have a UEFI-Machine with Secure Boot, it would be glad if someone can make some test with a Win8PE_x64 USB-Stick
on a UEFI-Machine with Secure Boot enabled, and post the results.
All necessary files are in the attached Win8x64SecureBoot.zip -> unpack to the USB-Stick root.

Preconfigured in rEFInd:
- boot Win8PEx64 from USB-Stick
- boot Memtest86 (UEFI-Version) from USB-Stick
- boot Parted Magic x64 from USB-Stick (if you have it)
- start EFI-Shell  from USB-Stick (terminate with <exit>)

Hint: after Secure Boot of Win8PEx64 run msinfo32.exe in a command window.
Here you can see the actual boot mode:



fuwi

Thank you Fuwi for your continued research. I will check up on it and maybe next weekend I can do some testing, or maybe the weekend after that. I think it's a bit sad that there's not more discussion on this board. I think this is a great discussion forum, with lots of brilliant and friendly people and it deserves a bit more attention. (Or maybe not...)

I'm certainly interested, I just don't have anything to contribute.

Thanks Fuwi for your work on this subject and your clear explanations  .
I do not have the hardware so I can not give much.

For those who have secure boot,
I hope it's a good forward and avoids to turn off the secure boot in UEFI at startup and once completed to put it back.

Yes, I got a new computer a few months ago and I had to turn on legacy booting to be able to boot from a stick.

Today i had the chance to test my USB-Stick UEFI Secure Boot solution (see Reply #25) on 2 new laptops, both 2013 models:
Laptop #1 = HP EliteBook folio 9470m
Laptop #2 = Lenovo ThinkPad X1 Carbon

On laptop #1 i turned on the Secure Boot, laptop #2 has a Windows 8 sticker, so Secure Boot was already on. 

Results:
Laptop #1 boots my USB-Stick in UEFI-Secure Boot mode flawlessly directly to the rEFInd menu without any user intervention, without any certificate- or validation errors.
In rEFInd i can boot Win8PE_x64, Memtest86 UEFI version, Parted Magic 64bit, EFI-Shell without any problem (as expected) 

Laptop #2 boots my USB-Stick in UEFI-Secure Boot mode to the grub2 menu, but from here rEFInd doesn't start, only a cryptic message is visible.   
After turn off Secure Boot, everything works like in laptop #1.

I'm not sure, if it would work if we enroll the rEFInd certificate to the UEFI NV store, so i have updated Win8x64SecureBoot.zip (attached to this post).
Now we can start the 'Shim UEFI key management' from  the grub2 menu (if rEFInd is not starting) and enroll the rEFInd certificate the UEFI NV store for testing:

In the Shim UEFI key management select "Enroll key from disk"
select the ACPI string which contains a 'Usb' substring.
navigate to EFI\boot\CERTIFICATES and accept 'REFIND.CER' with <enter>
enter '0' and enter 'y' to enroll the key
reboot

Other testers would be appreciated ...

fuwi

In my Win8pe_se x64 Winbuilder under FINALS > CREATE ISO there is an option:-
"Add standard EFI Boot for Win8PE or Win7PE x64".

If this option is enabled AND I burn the created ISO to a DVD Disc, it will not boot in two of my older computers. But, it does boot on another slightly newer computer and it also boots successfully within VirtualBox which is hosted on one of the computers that does not boot the DVD Disc.

This got a little off-topic with the recent responses, resulting in the original problem still existing in the most recent releases of Win7PE and Win8PE.

To recap: Symptoms are that the hybrid-boot BIOS/UEFI CD created with oscdimg only boots on some BIOSes, while simply hanging or error-beeping with a black screen on others. (Booting the UEFI part of the CD always works.)

The problem is that on the oscdimg command line there is no possibility to enter a switch like "-boot-load-size 4" as in mkisofs. This results in oscdimg automatically setting boot-load-size in the resulting iso image to the whole size of the grldr file, instead of only 4 sectors like mkisofs. This apparently leads to some BIOSes refusing to boot from the CD.

The fix is rather simple: changing the two bytes in the iso which specify the boot load size ("16 02" for the current grldr) back to "04 00", which instructs BIOS only to load the first 2048 bytes of grldr - just as it would when created with mkisofs, and which is also the reason why this problem only occurs with oscdimg and not with mkisofs.

Fixing these two bytes made the BIOS part of the iso bootable on my two test systems where it did not work before.

I'm not sure how this can be implemented in the iso build script, however.

Thanks for the info LarsH,

I'm not sure how this can be implemented in the iso build script, however.

As Chris stated here at reply 1
http://theoven.org/index.php?topic=839.0

If you can figure out how to implement, Chris would add to iso plugin. 

ps: Our hoby time limits our tasks (We are not commercial forum like others), We focus on core builds, forum support and distribution (+ and things that take our attention if we have time...), For improvements there need to be direct end user support.

Hi LarsH!

Interesting, thank you for this finding 
You know better than me, do you have an idea on how to do this with gsar, already present in tools folder. Or other tools to patch the ISO. There must be a lot of occurrence of "16 02".

You know better than me, do you have an idea on how to do this with gsar, already present in tools folder. Or other tools to patch the ISO. There must be a lot of occurrence of "16 02".

Hello Chris,
attached is a small patcher which does the job. It verifies that the ISO is valid and bootable, then modifies the boot load size value at the correct offset. Delphi source and readme are included.
This should be easy to include in the script and execute after image creation with oscdimg.

Hello LarsH,

Great, it works fine 
Create ISO script with your program and your source is on server.
Thank you very much 

This works with mkisofs for windows bios and efi

Code: [Select]

mkisofs.exe -iso-level 4 -force-uppercase -volid "SIW2" -b BOOT/ETFSBOOT.COM -no-emul-boot -boot-load-size 8 -eltorito-alt-boot -b BOOT/EFISYS.BIN -no-emul-boot -boot-load-size 8 -hide boot.catalog -duplicates-once -o "%TP%\%WIMOS%PE%TAG%.iso" "%TP%\ISO"

So I expect this will be fine for grub4dos and efi

Code: [Select]

mkisofs.exe -iso-level 4 -force-uppercase -volid "SIW2"  -b "BOOT/GRLDR" -no-emul-boot -boot-load-size 4 -hide boot.catalog -duplicates-once -eltorito-alt-boot -b BOOT/EFISYS.BIN -no-emul-boot -boot-load-size 8 -hide boot.catalog -duplicates-once -o "%TP%\%WIMOS%PE%TAG%.iso" "%TP%\ISO"

Hi SIW2
I have not tried yet mkisofs with -eltorito-alt-boot switch for the dual boot.
It seemed to me easier to use oscdimg which has much less parameters.
I saw that on the latest versions of mkisofs there is also the switch "-eltorito-platform efi".
As soon as I have some time, I'll try to test.
Thanks

Which new version do you mean?

Apparently:


 

    -eltorito-alt-boot
          Start with a new set of "El  Torito"  boot  parameters.
          This  allows  to have more than one El Torito boot on a
          CD.  A maximum of 63 El Torito boot entries may be  put
          on a single CD

I don't think this page is very recent, but if it is still the case, it could be very useful

http://cdrecord.berlios.de/private/man/mkisofs-2.0.html

I currently use mkisofs 2.01-bootcd.ru (i686-pc-mingw32) here http://fy.chalmers.se/~appro/linux/DVD+RW/tools/win32/
No need of Cygwin, It is lighter but it has not the latest developments which may be useful for UEFI.