you are reading "How I managed to boot into other Linux systems on a Secure Boot-only (BIOS locked) machine" written at 2024/10/08

First I want to explain how this all started and how I came up with this idea.

The computers at my school are running what appears to be a custom Ubuntu-based Linux distribution focused on education. All of these computers are BIOS locked and have Secure Boot enabled. At first I thought, what if I try to boot into some other operating system? Would it be possible? Sounds kinda challenging, doesn’t it?

It is indeed possible, and I want to explain how it was possible and how I managed to boot into a customized Arch Linux (also called Furreto Linux) hard drive by just tricking the bootloader.

The GRUB bootloader

GRUB is the most common bootloader on Linux systems. It loads the Linux kernel along with the init system so that a Linux system can boot properly. GRUB is not just a portal to boot into Linux, it is more than that. You see… GRUB has lots of tools and features, one of them being the command line, which offers lots of commands. This is what I did:

So, GRUB has a very useful module called “chainloader”. This module allows you to chain other EFI files and boot into them. This can be used to bypass the BIOS lock entirely and boot into another operating system without having to go through the computer’s boot menu (which in most cases asks you for a password).

The easiest way (No Secure Boot)

If the computer you’re attempting to boot an operating system on does not have Secure Boot enabled, you’re lucky.

Go to the GRUB command line by pressing the C key on the GRUB menu.

We need to start by loading the chainloader and part_gpt modules:

insmod part_gpt
insmod chainloader

Locate the EFI file on your hard drive. It should be named something like bootx64.efi or grubx64.efi. You can see the list of your hard drives by typing ls; the output should be something like this:

grub> ls
(hd0) (hd0,gpt9) (hd0,gpt2) (hd0,gpt1) (memdisk)

The EFI file you’re looking for should be on one of the disks that appear when typing ls.

After you’ve located your EFI file, it’s time to chain it:

grub> chainloader (hd0)/EFI/Boot/BOOTX64.efi
/EndEntire
grub> boot

After this, if you’ve done everything correctly, you should see that you’re no longer in the GRUB command line and that you’ve booted into your desired OS. Congratulations! You’ve bypassed the BIOS password.

The hard way (Secure Boot)

Secure Boot can indeed be a pain sometimes, as it restricts you from doing lots of things. One way of achieving this is by securing the EFI file that you want to boot. This requires some extra steps that I’m not going to explain here, but if you know that your EFI file is secured, you can just follow the steps above, and it should work with no issues.

If you try to boot an EFI file that you know does not have Secure Boot support, it will most likely display something like this:

A screen displaying a red error message, saying that the Secure Boot policy has been violated

If you see something like this when trying to boot the EFI file, it is a sign that your desired EFI file is not secure. There is one very easy way to get around this: use a Ventoy disk. You may ask, what is Ventoy?

Ventoy is an open source tool to create bootable USB drive for ISO/WIM/IMG/VHD(x)/EFI files. With ventoy, you don’t need to format the disk over and over, you just need to copy the ISO/WIM/IMG/VHD(x)/EFI files to the USB drive and boot them directly.

So, Ventoy supports Secure Boot, meaning that you should be able to boot into the system with no issues. The first step is to get your Ventoy USB ready. You can follow some random tutorial online to get it ready; it’s pretty easy, you just have to download it and flash it to your drive.

Okay, you’ve got the USB ready, cool. Now you need to get a Linux distribution on it. It can be whatever, Ubuntu, Linux Mint, anything, but it needs to have GRUB.

After you’ve placed a random Linux distribution ISO file on your USB, it’s time to get it booted. Follow the steps above, in the No Secure Boot guide. However, make sure that you’re booting the Ventoy EFI file.

Considering that this does have Secure Boot enabled, you should be able to boot it with no issues, although there’s a chance that you might get a “Verification Failed: (0x1A) Security Violation” error. If this happens, you need to enroll the Ventoy key in MOK manager. Look at the GIF below; it explains how to do this carefully.

A GIF explaining how to enroll the Ventoy key in MOK manager

If you’ve done everything correctly, you’ll have to do the GRUB steps again, but the second time you try to boot, it should boot you into Ventoy with no issues.

You’re in Ventoy, now what? Just boot the Linux distribution that you want to use; it should boot with no issues.

How can we fix this situation and prevent this from happening?

Considering that GRUB is our entry point for all of this, we need to either get rid of GRUB or configure GRUB in a way that cannot be abused. There are plenty of ways to prevent this from happening. One of them is to change the GRUB timeout to 0; this way it’ll boot to the operating system directly. The second way is to use a UKI stub, also known as a Unified Kernel Image stub. You have to link it to the init system, and once you boot the device, it should boot into the operating system that the computer has, with no issues. This also prevents anyone from attempting to tamper with it.
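
As an added example (not part of the original post), this Python function audits a grub.cfg for the timeout setting named above and, going beyond the text, for GRUB's `superusers` and `password_pbkdf2` directives, which make GRUB ask for credentials before the command line or entry editor can be used. The two config fragments and the finding names are constructed for illustration.

```python
import re

# Constructed grub.cfg fragments for illustration; not from a real machine.
WEAK_CFG = """\
set timeout=5
menuentry 'School Linux' {
    linux /vmlinuz root=/dev/sda2 ro quiet
}
"""
HARDENED_CFG = """\
set timeout=0
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER
menuentry 'School Linux' --unrestricted {
    linux /vmlinuz root=/dev/sda2 ro quiet
}
"""

def audit_grub_cfg(text):
    """Return a list of finding names (hypothetical labels) for a grub.cfg string."""
    # Ignore blank lines and comments so commented-out settings do not count.
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    findings = []
    # 1. Generated configs assign timeout in several branches; all must be 0.
    timeouts = [m.group(1) for l in lines
                if (m := re.match(r"set\s+timeout=[\"']?(-?\d+)", l))]
    if not timeouts:
        findings.append("timeout-unset")
    elif any(t != "0" for t in timeouts):
        findings.append("timeout-nonzero")
    # 2. With 'superusers' set, GRUB asks for credentials before the command
    #    line or the entry editor can be used; without it, both are open.
    users = []
    for l in lines:
        if (m := re.match(r"set\s+superusers=[\"']?([^\"']*)", l)):
            users = [u for u in re.split(r"[\s,;&|]+", m.group(1)) if u]
    if not users:
        findings.append("no-superusers")
    # 3. Each superuser needs a password_pbkdf2 line; plaintext is flagged.
    hashed = {l.split()[1] for l in lines
              if re.match(r"password_pbkdf2\s+\S+\s+\S+", l)}
    if any(re.match(r"password\s+\S+\s+\S+", l) for l in lines):
        findings.append("plaintext-password")
    findings += [f"no-hash-for:{u}" for u in users if u not in hashed]
    return findings

if __name__ == "__main__":
    print("weak:", audit_grub_cfg(WEAK_CFG))
    print("hardened:", audit_grub_cfg(HARDENED_CFG))
```

To check a real machine, pass the contents of its generated grub.cfg to audit_grub_cfg.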

Conclusion

It is possible to bypass the Secure Boot and BIOS key restrictions by manipulating GRUB into booting other operating systems. Keep in mind, though, that this is just for educational purposes. If your school doesn’t want you using unauthorized hard drives with other operating systems, then just don’t do it!