
Secure boot on Windows 7

Matthijs Lavrijsen edited this page Jun 21, 2023 · 4 revisions

Introduction

This article explains how to get Secure Boot to work on Windows 7 with EfiGuard. This is for all intents and purposes a pointless (and dangerous) exercise unless you are using a locked-down device that requires Secure Boot to be enabled. Another use case could be to disable the CSM to get fast boot on Windows 10. In the second case it is only necessary to follow the steps in 'Disabling the CSM'. Secure Boot should be left disabled if possible to avoid needing EfiGuard for every boot.

Note that this article will presume Windows 7 to already be installed, which is of course not possible on a Secure Boot-locked device. Extra steps (slipstreaming graphics drivers and registry settings into installation media, ...) are left as an exercise for the reader.

Requirements

  • A BIOS that allows entering Secure Boot Setup Mode (sometimes called 'Audit Mode'), and optionally a 'custom' or 'expert' mode.
  • A Windows 8 or higher boot manager (Windows 10 recommended). Note that you do not need to buy or activate said Windows, only obtain its boot manager files. Example source: Windows 10 Enterprise Evaluation ISOs.
  • A graphics adapter with current drivers installed.
  • A bootable Linux DVD or USB stick with efitools (or at least the option to install it) available. Example: Ubuntu.

Disabling the CSM

Upgrading the boot manager

  1. From an elevated command prompt, run mountvol X: /S to mount the EFI system partition at X:.
  2. (After making a backup) Copy all files under \EFI from a newer Windows EFI system partition over to X:\EFI, overwriting existing files but excluding any files whose names start with BCD: the BCD store on X: belongs to this Windows 7 installation and must stay as it is.
  3. Overwrite X:\EFI\Boot\bootx64.efi with X:\EFI\Microsoft\Boot\bootmgfw.efi so that the fallback boot path also uses the new boot manager.
  4. Reboot to see if your system still works.
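The three file-system steps above, as an added PowerShell example that is not part of EfiGuard or this wiki: it takes a backup, copies the newer \EFI tree while leaving the local BCD store alone, refuses to downgrade by comparing the file version of bootmgfw.efi, and checks the result before unmounting. It assumes an elevated prompt, that X: is free, and that $Source points at a newer Windows EFI system partition (or a copy of one) containing EFI\Microsoft\Boot\bootmgfw.efi; the parameter names and backup location are this example's own choices.

```powershell
# Added example, not EfiGuard project code. Run elevated on the Windows 7 machine.
# Assumptions: $Source is a newer Windows ESP (e.g. Y:\ from a Windows 10 disk) or a
# copy of it; X: is unused; the script uses only PowerShell 2.0-era syntax.
param(
    [Parameter(Mandatory=$true)] [string] $Source,
    [string] $Esp    = 'X:',
    [string] $Backup = "$env:SystemDrive\ESP-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"
)
$ErrorActionPreference = 'Stop'

function Get-BootmgrVersion([string] $Path) {
    # FileVersion is free text ("10.0.19041.1 (WinBuild...)"), so build a System.Version
    # from the numeric parts instead of parsing the string.
    $vi = (Get-Item $Path).VersionInfo
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

$newBootmgr = Join-Path $Source 'EFI\Microsoft\Boot\bootmgfw.efi'
if (-not (Test-Path $newBootmgr)) { throw "No EFI\Microsoft\Boot\bootmgfw.efi under $Source; is this a Windows ESP?" }

# 1. Mount the system ESP (the page's mountvol X: /S) unless X: is already present,
#    then make sure X: really is an ESP with a Windows boot manager on it.
if (-not (Test-Path "$Esp\")) {
    & mountvol.exe $Esp /S
    if ($LASTEXITCODE -ne 0) { throw "mountvol failed with exit code $LASTEXITCODE" }
}
$oldBootmgr = "$Esp\EFI\Microsoft\Boot\bootmgfw.efi"
if (-not (Test-Path $oldBootmgr)) { throw "$Esp does not look like the system ESP (no bootmgfw.efi)" }

$old = Get-BootmgrVersion $oldBootmgr
$new = Get-BootmgrVersion $newBootmgr
"Installed boot manager: $old; replacement: $new"
if ($new -le $old) { throw 'Replacement boot manager is not newer; refusing to downgrade' }

# 2. Back up X:\EFI, then copy the newer tree over it. /XF BCD* keeps the source's
#    BCD, BCD.LOG, BCD.LOG1, ... out of the copy so the local store survives.
#    robocopy exit codes below 8 mean success.
& robocopy.exe "$Esp\EFI" "$Backup\EFI" /E /R:1 /W:1 /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "Backup failed (robocopy exit code $LASTEXITCODE)" }
& robocopy.exe (Join-Path $Source 'EFI') "$Esp\EFI" /E /R:1 /W:1 /NFL /NDL /XF 'BCD*' | Out-Null
if ($LASTEXITCODE -ge 8) { throw "Copy failed (robocopy exit code $LASTEXITCODE)" }

# 3. The fallback loader must be the same binary as the new bootmgfw.efi.
Copy-Item "$Esp\EFI\Microsoft\Boot\bootmgfw.efi" "$Esp\EFI\Boot\bootx64.efi" -Force

# 4. Check what is now on disk, release the drive letter, and only then reboot.
$final = Get-BootmgrVersion "$Esp\EFI\Boot\bootx64.efi"
if ($final -ne $new) { throw "bootx64.efi is version $final, expected $new" }
& mountvol.exe $Esp /D
"Done. Backup is in $Backup. Reboot to see if the system still starts."
```

If the reboot fails, the backup directory is a straight copy of the old X:\EFI tree: mount the ESP again from recovery media and robocopy it back.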

Windows 7 configuration

WARNING: This will disable all graphical output (other than EfiGuard) during boot, including checkdisk.

  1. Rename %systemroot%\system32\drivers\vgapnp.sys and %systemroot%\system32\drivers\vga.sys to *.bak.sys.

  2. Disable the vga.sys and vgapnp.sys services (Start = 4 is SERVICE_DISABLED).

    reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\VgaSave" /f /t REG_DWORD /v "Start" /d 4

    reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Vga" /f /t REG_DWORD /v "Start" /d 4

  3. Disable VGA output from winload.efi. The last two commands are optional but highly recommended.

    bcdedit.exe /set {current} novesa on

    bcdedit.exe /set {current} quietboot on

    bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures

    bcdedit.exe /set {current} bootlog yes

  4. Reboot to see if your system still works.

BIOS configuration

  1. If your BIOS has a CSM (sometimes called 'compatibility mode'), disable it. Save.
  2. Reboot to see if your system still works.

Enabling Secure Boot

WARNING: This will make it impossible to boot Windows 7 without EfiGuard.

There are many guides on how to replace your Secure Boot PK, KEK and db contents, but by far the least insane of these is Sakaki's EFI Install Guide. Yes, the least insane. Yes, it's on Linux.

Follow all of the steps up to signing your own kernel (you will be signing EfiGuard instead). After you have created PK.crt, KEK.crt and db.crt, take a break to run openssl pkcs12 -export -out db.p12 -inkey db.key -name "My Certificate Name" -in db.crt to obtain a .p12 (PKCS#12) bundle of the db private key and certificate that can be imported on Windows for later use with signtool.exe.

The depravity of the Windows certificate manager is outside the scope of this article. Since you are on Linux anyway, instead sign EfiGuardDxe.efi and Loader.efi from there:

sbsign --key db.key --cert db.crt --output EfiGuardDxe.efi EfiGuardDxe.efi

sbsign --key db.key --cert db.crt --output Loader.efi Loader.efi
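Before flipping Secure Boot on, it is worth confirming that both binaries really carry a signature from the certificate you enrolled in db, because a file that is unsigned or signed with the wrong key will simply refuse to load once the firmware enforces db. The following is an added PowerShell check, not part of EfiGuard or this wiki; it assumes db.crt is the PEM certificate produced by the guide above and that the .efi files are the ones you just signed (the parameter and function names are this example's own).

```powershell
# Added example, not EfiGuard project code. Run on any Windows machine with the signed
# files and db.crt copied over. Assumes db.crt is the PEM certificate from the guide.
param(
    [string]   $DbCert = 'db.crt',
    [string[]] $Files  = @('EfiGuardDxe.efi', 'Loader.efi')
)
$ErrorActionPreference = 'Stop'

function Get-DbCertificate([string] $Path) {
    # X509Certificate2 loads the PEM file directly (base64 X.509 is decoded for us).
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $Path).Path
}

function Test-DbSignature([string] $EfiFile, $Db) {
    # Get-AuthenticodeSignature parses the embedded PKCS#7 of any PE file, .efi included.
    $sig = Get-AuthenticodeSignature -FilePath $EfiFile
    $ok = $false
    $reason = 'no Authenticode signature'
    if ($sig.SignerCertificate) {
        # Status will be UnknownError rather than Valid: db.crt is self-signed and is not in
        # the Windows trust store. The firmware only cares that the signer is in db, so the
        # meaningful check is the thumbprint, not the chain verdict.
        $ok = $sig.SignerCertificate.Thumbprint -eq $Db.Thumbprint
        $reason = if ($ok) { "signed by db certificate $($Db.Thumbprint)" }
                  else     { "signer is '$($sig.SignerCertificate.Subject)', not db.crt" }
    }
    New-Object PSObject -Property @{ File = $EfiFile; Ok = $ok; Status = $sig.Status; Reason = $reason }
}

$db = Get-DbCertificate $DbCert
$results = foreach ($f in $Files) { Test-DbSignature $f $db }
$results | Format-Table File, Ok, Status, Reason -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    throw 'At least one file is not signed by the db certificate; do not enable Secure Boot yet.'
}
```

The Linux equivalent, since you already have efitools and sbsigntools there, is sbverify --cert db.crt EfiGuardDxe.efi (and the same for Loader.efi), which performs the same signer check against the certificate file rather than against a trust store.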

After installing EfiGuard on a secondary boot medium as per the README, enable Secure Boot in the BIOS.

Reboot to see if your system still works.