Super UEFIinSecureBoot Disk

Super UEFIinSecureBoot Disk: Boot any OS or .efi file without disabling UEFI Secure Boot

Super UEFIinSecureBoot Disk

Super UEFIinSecureBoot Disk is a proof-of-concept (not actively maintained or enhanced) bootable image with the GRUB2 bootloader, designed to be used as a base for recovery USB flash drives.

Key feature: the disk is fully functional with UEFI Secure Boot mode activated. It can launch any operating system or .efi file, even one with an untrusted, invalid or missing signature.


  • GRUB2 Bootloader
  • 32-bit (ia32) / 64-bit (x86_64) UEFI (+ Secure Boot) support
  • BIOS / UEFI CSM support
  • Launch any operating system
  • Launch any .efi executable from GRUB2
  • Launch any .efi executable from another .efi application
  • Load any UEFI drivers

Based on:


Secure Boot is a feature of UEFI firmware designed to secure the boot process by preventing the loading of drivers or OS loaders that are not signed with an acceptable digital signature.

Most modern computers come with Secure Boot enabled by default, which is a requirement of the Windows 10 certification process. Although it can be disabled in the UEFI setup menu on all typical motherboards, sometimes that is not easily possible, e.g. because of a UEFI setup password on a corporate laptop that the user doesn't know.

This disk, after being installed on a USB flash drive and booted from, effectively disables Secure Boot protection features and temporarily allows almost all actions to be performed on the PC as if Secure Boot were disabled. This can be useful for data recovery, OS re-installation, or just for booting from USB without thinking about additional steps.


Download the image file from the releases page and write it to a USB flash drive using one of the following programs:

WARNING: all your USB flash data will be deleted.

The image contains a single 500 MiB FAT32 partition. Use gparted or a similar tool to resize it to use the full USB drive space.


The first boot on a PC with Secure Boot will show an Access Violation message box. Press OK and choose the "Enroll cert from file" menu option. Select ENROLL_THIS_KEY_IN_MOKMANAGER.cer and confirm the certificate enrollment.

Computers without Secure Boot will boot to GRUB without manual intervention.


  • Does this disk work in Secure Boot?
    Yes, it does. It loads any unsigned or untrusted Linux kernel, .efi file or driver after a manual first-boot key enrollment using the MokManager software. You don't need to disable Secure Boot to perform the first-boot key enrollment.

  • Does this disk work on UEFI-based computers without Secure Boot, or with Secure Boot disabled?
    Yes, it works like a stock GRUB2.

  • Does this disk work on older computers with BIOS?
    Yes, it works just as any other GRUB2 bootloader.

  • Can this disk be used to bypass Secure Boot in a UEFI bootkit/virus?
    No, not really. This disk requires manual intervention by a physically present user on first boot, which defeats a bootkit's goal of staying stealthy.

  • Can I replace GRUB with another EFI bootloader (rEFInd, syslinux, systemd-boot)?
    Yes, replace grubx64_real.efi/grubia32_real.efi with your files. The bootloader does not need to be signed and should also start any .efi files thanks to the Security Policy installed by grubx64.efi/grubia32.efi (PreLoader), just like the GRUB2 included in the disk.

Technical information

The UEFI boot process of this disk is performed in 3 stages.

bootx64.efi (shim) → grubx64.efi (preloader) → grubx64_real.efi (grub2) → EFI file/OS

Stage 1: the motherboard loads shim. Shim is a special loader which just loads the next executable, grubx64.efi (preloader) in our case. Shim is signed with a Microsoft key, which allows it to be launched in Secure Boot mode on all stock PC motherboards.
Shim contains an embedded Fedora certificate (because it is extracted from the Fedora repository). If Secure Boot is enabled, since grubx64.efi is not signed with the embedded Fedora certificate, shim boots another executable, MokManager.efi, which is shim's special key management software. MokManager asks the user to proceed with the key or hash enrollment process.
Newer versions of shim install hooks for the UEFI LoadImage, StartImage, ExitBootServices and Exit functions to "Harden against non-participating bootloaders", which have to be bypassed for this disk's use case. Fedora's shim does not install custom UEFI security policies, which is why it is not possible to load self-signed efi files from the second-stage bootloader, even if you add their hashes or certificates using MokManager.

Stage 2: preloader is software similar to shim. It also performs executable validation and loads the next efi file. The preloader included in this disk is a stripped-down version which performs only one function: it installs an allow-all UEFI security policy. This permits loading of arbitrary efi executables with the LoadImage/StartImage UEFI functions even outside GRUB (for example, in the UEFI Shell), and bypasses shim hardening.

Stage 3: GRUB2 is a well-known universal bootloader. It has been patched to load a Linux kernel without additional verification (linux/linuxefi commands), to load .efi binaries into memory and jump to their entry point (chainloader command), and to mimic a "participating bootloader" for shim.
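
For someone triaging removable media or a disk image, the three-stage layout above leaves a recognisable file-name pattern. The following is an added example, not code from the project: only the file names come from this page, while the function names and the sample directory layout are constructed for illustration.

```python
import os
import tempfile

# File names as given on this page, lower-cased: FAT32 lookups are
# case-insensitive, so the scan compares lower-cased names.
PRELOADER = {"grubx64.efi": "x86_64", "grubia32.efi": "ia32"}            # stage 2 slot
REAL_GRUB = {"grubx64_real.efi": "x86_64", "grubia32_real.efi": "ia32"}  # stage 3
MOK_CERT = "enroll_this_key_in_mokmanager.cer"


def scan_boot_media(root):
    """Walk a mounted volume and report files matching this disk's layout."""
    slots, certs = {}, []          # slots: (directory, arch) -> roles seen
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            if low == MOK_CERT:
                certs.append(os.path.join(dirpath, name))
            elif low in PRELOADER:
                slots.setdefault((dirpath, PRELOADER[low]), set()).add("preloader")
            elif low in REAL_GRUB:
                slots.setdefault((dirpath, REAL_GRUB[low]), set()).add("real_grub")
    # grubx64.efi alone is what a stock distribution ships; only the pair
    # "loader slot + *_real.efi" in one directory matches the three-stage chain.
    chains = sorted(k for k, roles in slots.items()
                    if roles == {"preloader", "real_grub"})
    if chains and certs:
        verdict = "match"
    elif chains or certs:
        verdict = "partial"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "chains": chains, "certs": certs}


def make_sample(root, rel_paths):
    """Create empty placeholder files (constructed sample, not the real image)."""
    for rel in rel_paths:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as usb:
        make_sample(usb, ["EFI/BOOT/BOOTX64.EFI", "EFI/BOOT/GRUBX64.EFI",
                          "EFI/BOOT/GRUBX64_REAL.EFI",
                          "ENROLL_THIS_KEY_IN_MOKMANAGER.cer"])
        print(scan_boot_media(usb))
```

File names are trivially changed, so a "no-match" result is a triage signal only and says nothing about what the binaries on the volume actually do.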

Additional information

Read my article on this topic: Exploiting signed bootloaders to circumvent UEFI Secure Boot (also available in Russian)


The Super UEFIinSecureBoot Disk GRUB2 sets the suisbd=1 variable. It can be used to detect the disk's patched GRUB2 in a grub.conf shared between multiple bootloaders.

Since version 3, GRUB uses the stock UEFI .efi file loader, as there are some problems with the internal loader implementation. To use the internal loader, add set efi_internal_loader=1 to the GRUB configuration file. Both methods can load untrusted .efi files.
