Metabolix / HackBGRT

Windows boot logo changer for UEFI systems
MIT License

Before you open an issue, read this please. #129

Closed icedterminal closed 1 year ago

icedterminal commented 1 year ago

1. Do I have to disable secure boot?

Not with the digitally signed fork. Before you use HackBGRT, import the certificate. The process varies by motherboard vendor. Computers from OEMs like Dell, HP, Lenovo, etc. may lock you out of this option or not accept the certificate. If you built your computer yourself, DIY motherboards almost always allow you to modify the Signature DB. A while ago I signed this tool to work with Secure Boot. Users would have to add the certificate to their motherboard Signature DB store for the computer to boot Windows.

2. Should I disable secure boot?

If you want to. However, this puts you between a rock and a hard place. Windows will eventually show you an "Unsupported hardware" message. Microsoft states this may put you at risk of not receiving updates. Secure Boot is a requirement of Windows 11 and later. Microsoft is enforcing the same security standards that have been present on ChromeOS, macOS, iOS and Android for quite a long time. All of these operating systems use their own Secure Boot and TPM security.

3. The boot image keeps reverting / doesn't work. Why?

Windows detects the boot file as "corrupted" and repairs it. This file is located at EFI\Microsoft\Boot\bootmgfw.efi of the EFI partition. It is a protected, hidden system partition. Windows does a better job at detecting boot process errors these days and has a lot of automatic repair functions that take care of stuff without your interaction or you knowing. There is a possibility that HackBGRT is incompatible with your motherboard firmware and is unable to override the supplied ACPI table. It's not unheard of for OEM computers to have unique, non-standard functions in their firmware.

4. Can I use this with BitLocker?

BitLocker has a very specific restriction for boot execution. PCR7 binding happens when the entire boot chain has been authenticated using Microsoft's CA. Third-party binaries (rEFInd, Shim/MOK) and self-signed bootloaders that execute the Windows Bootloader break this chain of trust and will cause PCR7 to fail. This has the potential to cause problems with BitLocker Automatic Device Encryption on computers running Windows 10 or 11 Home edition. There is no way around this. For PCR7 binding to succeed, you must boot the Windows Bootloader directly from the motherboard firmware. If BitLocker is on and you modify the boot process, please make sure you have either disabled encryption or have the decryption key handy. Otherwise you may be locked out of your data and must use a different computer to retrieve your decryption key.

5. After installing, I can't boot! Help!

You need to use a second computer to create a Windows bootable install USB. You can attempt automatic repairs or repair the EFI partition manually with Command Prompt.

6. Can I replace the ACPI BGRT instead?

In most cases, the answer is No. Motherboard firmwares are digitally signed. It will only accept firmware updates that have been signed by the vendor who made it. If you modify your firmware and attempt to flash it, there is a 99% chance it will fail validation and halt updating. Attempting to bypass this mechanism without knowing what you are doing could result in a bricked motherboard/computer. This is the reason for the HackBGRT project.

7. Is this project dead?

The original developer has not touched this software in a long time. Typically GitHub repos that don't receive any activity by contributors are regarded as abandoned. Try viewing the forks for this repo to see if someone else has picked up the project to fix bugs or address compatibility. Here is one such example: https://github.com/samueldr/HackBGRT/commits/wip

sylveon commented 1 year ago

> Windows will eventually show you a "Unsupported hardware" message.

This message is for machines which don't support Secure Boot at all. Machines which support Secure Boot, but with it disabled, are supported and won't show this message.

icedterminal commented 1 year ago

> This message is for machines which don't support Secure Boot at all. Machines which support Secure Boot, but with it disabled, are supported and won't show this message.

Disabling TPM or Secure Boot after installing Windows with them on will get you this message on the desktop after time has passed. It was covered multiple times on reddit in a handful of subs. I have verified this myself after users commented they started seeing it after disabling secure boot to use other operating systems ("hackintosh" macOS, and various Linux distros).

My1 commented 1 year ago

Interesting question is if really only SB was disabled or CSM was also enabled, because with CSM active Windows actually thinks SB is not supported. You iirc can even install Win11 without a Secure Boot bypass on a board that can SB but has it off as long as the CSM is also off.

cheesethesylveon commented 1 year ago

👀

Metabolix commented 1 year ago

Thanks for gathering all this information, but Issues is not really the best place for this.

1 => Please update the signed fork. Also, any help with building a shim-compatible version is appreciated.

3 => Version 2.0.0 has support for proper EFI boot entries.

5 => With a proper EFI boot entry, there's also a proper fallback to regular boot loader.

7 => Now it's not dead anymore. :smile:

Metabolix commented 11 months ago

Author's response

Secure Boot

Support for Secure Boot was added in version 2.2.0, with detailed installation instructions. For security reasons, you should not install any Secure Boot certificates found online, not my own and not @icedterminal's.

BitLocker

BitLocker is not supported. Apparently it can be enabled with very careful manual setup but I can't help with that. The installer shows a warning if BitLocker is detected.

Will HackBGRT brick my computer?

Not anymore unless you explicitly select the Legacy mode. Now, if HackBGRT doesn't work for some reason, it should either fall back to normal Windows boot, or you can enter your computer boot menu or setup ("BIOS") and choose the normal Windows Boot Manager and uninstall HackBGRT.

Is this project dead?

Apparently not yet. :smiley:
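
A read-only pre-flight check for the BitLocker points raised in FAQ item 4 and in the author's BitLocker note, as an added example that is not part of this thread or of HackBGRT's installer. It assumes an elevated PowerShell session and English-language `manage-bde` output; the function name `Get-BootChainPreflight` is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: report Secure Boot and BitLocker state before the boot chain
# is modified. It changes nothing on the system.

function Get-BootChainPreflight {
    param([string]$MountPoint = $env:SystemDrive)

    # Confirm-SecureBootUEFI returns $true/$false and throws when the machine
    # booted in legacy/CSM mode or the firmware has no Secure Boot support.
    try   { $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = 'NotSupportedOrLegacyBoot' }

    $vol        = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectors = @($vol.KeyProtector)
    $recovery   = @($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # manage-bde lists the TPM protector's PCR validation profile on the lines
    # after this label (assumed English output). "7, 11" means the key is
    # sealed to the Secure Boot state (PCR7); "0, 2, 4, 11" means it is not.
    $match = manage-bde -protectors -get $MountPoint |
        Select-String -Pattern 'PCR Validation Profile' -Context 0, 2 |
        Select-Object -First 1
    $pcrProfile = if ($match) {
        (($match.Context.PostContext -join ' ') -replace '\s+', ' ').Trim()
    } else { 'no TPM protector listed' }

    $protected = "$($vol.ProtectionStatus)" -eq 'On'

    [pscustomobject]@{
        SecureBoot          = $secureBoot
        ProtectionStatus    = $vol.ProtectionStatus
        VolumeStatus        = $vol.VolumeStatus
        ProtectorTypes      = ($protectors.KeyProtectorType -join ', ')
        RecoveryProtectorId = ($recovery.KeyProtectorId -join ', ')
        PcrProfile          = $pcrProfile
        # Protection is on but no recovery password exists: a changed boot
        # chain could leave no way to unlock the volume.
        LockoutRisk         = $protected -and ($recovery.Count -eq 0)
        # Protection is on: expect a recovery prompt if the boot chain changes.
        RecoveryKeyNeeded   = $protected
    }
}

Get-BootChainPreflight | Format-List
```

When `RecoveryKeyNeeded` is true, compare `RecoveryProtectorId` with the ID on your saved recovery key before touching the boot entries.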