How to re-sign the Windows boot loader to re-enable secure boot on an HP laptop?

Question

I just purchased a "HP Pavilion 15-B055ca (C7C80UA#ABL) Ultrabook" from my local computer store the other day, as well as an SSD hard drive.

I removed the original 500GB HDD, installed a 120GB SSD, loaded an Ubuntu live CD via USB and used "GParted" to first shrink the windows partitions on the 500GB HDD and then copy them onto my SSD, leaving some space to dual boot Ubuntu 12.10 later on...

I had to re-flag my windows partition to "boot", and I wasn't able to copy over a small partition with the drive formatted to "msft" I believe (probably a proprietary Microsoft formatting that GParted couldn't deal with?), as well as enable legacy mode on my UEFI capable motherboard, but I was finally able to run my pre-installed version of Windows 8 on an SSD, after copying it from the HDD originally provided by HP. I felt pretty good about myself after that! It's an appreciably noticeable difference, that's for sure.

I now wish to disable legacy mode and re-enable secure boot, but whenever I do either of those two things I am told that "Selected boot image could not authenticate" by the UEFI Secure Boot app I presume. Which is odd to me, since I am technically using the exact same windows image installed on the computer when it was manufactured, I have only changed the drive type, size, and removed a small msft formatted partition because I couldn't copy it.

My question is: How do I re-sign my Windows boot loaders and/or re-enable Secure Boot on my laptop and be able to boot into Windows 8?

Thank you for reading.

Answer 1

You can't re-sign anything with Microsoft's key -- only Microsoft can do that. Unless you've modified the boot loader binary, it's still signed with Microsoft's key. Thus, the message you're seeing about a failure to authenticate a binary probably applies to some other EFI binary -- perhaps an EFI version of GRUB. It's really hard to tell what's going on from your description, though; there are just too many technical details you haven't specified. Thus, I recommend you download and run the Boot Info Script, which collects these details in a file called RESULTS.txt. Post a link to that file here.

Chances are you can get this working, but you may need to do an MBR-to-GPT conversion and/or use a tool like Linux's efibootmgr or the bcfg command available in an EFI version 2 shell to re-enable the Windows boot loader. You may also need to install shim or PreBootloader if you want to boot Linux with Secure Boot active. I'm not providing details yet because those depend on your current configuration, which I won't know until I see that RESULTS.txt file.

Answer 2

When I received this error on an HP with a bios:

The MSR partition was locked and/or corrupt - this wouldn't allow UEFI to be disabled via BIOS.

The error was: Secure Drive: selected boot image could not authenticate.

We think this was due to a corrupt UEFI key/data being stored / locked and unable to respond or the BIOS unable to write to the MSR drive.

I reformatted the MSR drive (partition 0.. 128MB) to FAT32. I did this using diskpart - select the MSR partition and type clean once you have it

This alone did not resolve the issue. We were able to load into Legacy mode now, however.

Now when I choose Legacy mode enabled it stuck!

This didn't resolve my main problem, but this allowed UEFI to be disabled.

Hope this helps!

The next error was \EFI\Microsoft\Boot\bootmgfw.efi could not be found!

I found that this partition is Partition 3 on all Windows /HP machines and it is hidden without a Drive letter. bcdedit shows the location as Devices\VolumeDisk3 ... I assigned drive letter G: to this partition (still hidden since the MSR partition was still hidden after reformatting)

This changed the bcdedit location to partition G:

This allowed the C:\Windows directory to boot successfully!

i.e. "Start Windows Normally"