Moving an EFI partition to a thumb drive
This is how one can "secure" a Windows 11 desktop machine: transfer the
EFI system partition from its internal drive to an external one. The
machine will then only boot when that thumb drive is physically
connected to it.
The closest analogy would be a smart card authentication, but without
a PIN.
(This is a comical technique I've accidentally bumped into while
trying to recover Windows partitions after a botched Ubuntu
installation.)
Requirements:
- Windows 11 22H2;
- UEFI & GPT;
- a bootable live Linux iso with gparted;
- a thumb drive.
Modus operandi:
A user turns a PC on, but its UEFI can't find an EFI partition on any
of the connected drives: no boot. Oh noes, something is broken!
The user inserts a specially prepared USB flash drive into the PC.
UEFI either finds the EFI partition on it automatically, or asks the
user to select a device to boot from. If that EFI partition contains a
correct entry for the Windows partition, the PC boots into Windows. If
the user ejects the flash drive, Windows throws a bsod within a second.
(The last one is an interesting bonus I didn't anticipate.)
Here's an example partition table of a working Windows installation
before we do anything to it:
$ lsblk -o name,pttype,fstype,size,tran,partlabel | grep nvme
nvme0n1 gpt 60G nvme
├─nvme0n1p1 gpt vfat 100M nvme EFI system partition
├─nvme0n1p2 gpt 16M nvme Microsoft reserved partition
├─nvme0n1p3 gpt ntfs 59.3G nvme Basic data partition
└─nvme0n1p4 gpt ntfs 625M nvme
/dev/nvme0n1p1 was created automatically by the Windows setup. We are
going to recreate it on a USB flash drive & reformat the original
afterwards.
(In Windows) Insert a thumb drive. If it contains a filesystem Windows
doesn't recognise, format it to fat32 & make sure Windows assigns a
drive letter to it. In our example it's the letter D.
Under an administrator account run diskpart, type list disk & observe
what number is assigned to the flash drive (1 in our example).
The thumb drive must be of GPT layout:
> cat efi.diskpart
select disk 1
clean all
convert gpt noerr
create partition efi
The following steps are destructive:
> diskpart /s efi.diskpart
> format /q /v:elf_boot /fs:fat32 /y d:
Create the EFI/Microsoft/Boot directory and copy all required
boot-environment files to it:
> bcdboot $env:systemroot /s d: /f uefi
Now you can examine the D: drive, reboot, & instruct UEFI to boot from
the USB. If all goes well, you'll need to boot from any Linux live .iso
& reformat /dev/nvme0n1p1. The filesystem type doesn't matter (fat32 is
fine); the only important detail is that you don't remove this
partition, otherwise Windows throws an IO1_INITIALIZATION_FAILED bsod.
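As an added example (not the author's own script), here is the Windows half of the procedure above wrapped in PowerShell with the checks worth having before "clean all" wipes a disk: it refuses non-UEFI firmware, refuses any disk that is not on the USB bus or that is the system/boot disk, and verifies bootmgfw.efi is in place before you reboot. It assumes the flash drive is disk 1 and should get letter D, as in the post, and adds an explicit "assign letter" step to the diskpart script (an assumption: "clean all" drops whatever letter the drive had). The final Linux step of reformatting /dev/nvme0n1p1 is still done by hand.

```powershell
# Added example: guarded version of the post's diskpart / format / bcdboot steps.
#Requires -RunAsAdministrator
param(
    [int]$UsbDiskNumber = 1,   # assumption: flash drive is disk 1, as in the post
    [string]$Letter = 'D'      # assumption: it should end up as D:, as in the post
)
$ErrorActionPreference = 'Stop'

# 1. The trick only makes sense on a UEFI/GPT installation.
if ($env:firmware_type -ne 'UEFI') {
    throw "Firmware type is '$($env:firmware_type)', not UEFI; aborting"
}

# 2. Never wipe anything that is not a USB disk, and never the disk Windows runs from.
$usb = Get-Disk -Number $UsbDiskNumber
if ($usb.BusType -ne 'USB') {
    throw "Disk $UsbDiskNumber is on bus '$($usb.BusType)', not USB; aborting"
}
if ($usb.IsSystem -or $usb.IsBoot) {
    throw "Disk $UsbDiskNumber is the system/boot disk; aborting"
}

# 3. Same diskpart script as the post, plus an explicit drive letter so that
#    format and bcdboot have a path to work with. 'clean all' zeroes every
#    sector of the drive, so this step is slow and, as the post says, destructive.
$script = @"
select disk $UsbDiskNumber
clean all
convert gpt noerr
create partition efi
assign letter=$Letter
"@
$tmp = Join-Path $env:TEMP 'efi.diskpart'
Set-Content -Path $tmp -Value $script -Encoding ascii
diskpart /s $tmp
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

format /q /v:elf_boot /fs:fat32 /y "${Letter}:"
bcdboot $env:systemroot /s "${Letter}:" /f uefi
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

# 4. Check the boot manager landed where UEFI will look for it before rebooting.
$bootmgr = "${Letter}:\EFI\Microsoft\Boot\bootmgfw.efi"
if (-not (Test-Path $bootmgr)) { throw "Expected $bootmgr after bcdboot; not found" }
Write-Host "Boot files present on ${Letter}:. Reboot, boot from USB, then reformat the internal ESP from Linux."
```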
Finally, here's an adorable error that appears when you eject the
thumb drive after a successful boot:
Tags: ойті
Authors: ag