UEFI Boot – How to Create UEFI-Only Bootable USB Live Media


Having live media that can boot both ways can be a problem when installing Ubuntu onto currently available Windows 8 computers.

In other words the key advantage to creating UEFI-only bootable USB live media is: You know that it definitely booted and installed via UEFI.

Since Valve has already been doing UEFI-only booting USB installers with their Debian-based Steam OS and UNetbootin — the top voted alternative to Ubuntu's Startup Disk Creator — isn't UEFI compatible and therefore misleading, I think we should have a separate topic for creating UEFI-only bootable USB live media.

Best Answer

Overview

Creating UEFI-only booting USB live media is pretty straightforward. Just copy the files to your FAT32-formatted USB drive. That's it!

Remember that for an installation or booting the media:

  • You may still need to explicitly tell your computer to boot the media via UEFI.
  • A GPT partition table like in preinstallations of Windows 8 and later is recommended.
  • Don't forget to create a partition after you've created the partition table.
  • Use the latest AMD64 (LTS) ISOs, because these definitely contain UEFI bootloaders.

Table of contents

  • Copy files from the ISO method
    1. Example via terminal
    2. Example via GUI
    3. Example on Windows
  • The ISO loopback method (advanced)
    1. Creating the binary
    2. Creating the configuration file
    3. Adding persistency
    4. Checking the integrity
    5. UEFI Secure Boot
  • Review in 2020

1. Copy files from the ISO method

This method also works for other install media that contains EFI loaders, like Windows for example.

1.1. Example via terminal

You can do something like the following if 604A-00EA is your USB drive and you already have p7zip installed:

$ 7z x ubuntu-12.04-desktop-amd64.iso -o/media/$USER/604A-00EA/

You're done if you have only one partition on this USB drive; otherwise you need to flag the partition as bootable, e.g. via parted:

# parted /dev/sdX set 1 boot on

Where /dev/sdX would be your USB drive and 1 the partition number that should be used to boot.

1.2. Example via GUI

  1. Mount the .iso-file and copy the contents over to your USB drive. Press Ctrl+H in Nautilus to display and copy hidden files as well.

    [Screenshot: Nautilus showing Disk Image Mounter in the context menu when an .iso file is selected]

  2. Add the boot flag via GParted.

    [Screenshot: GParted showing how to manage partition flags]

1.3. Example on Windows

  1. Same as above, just copy files.
  2. Press Windows/Super+X, go to Disk Management and check if the partition is marked as active. On Windows versions prior to Windows 8, press Windows/Super+R to open the run menu and open diskmgmt.msc, which opens Disk Management.

2. The ISO loopback method (advanced)

Instead of extracting contents from an ISO image, GRUB and GRUB2 have been able to boot from ISO images directly through a loopback device. Given that the ISO image is UEFI bootable, we can set up a USB drive containing multiple ISOs with different operating systems without creating a mess on the USB drive.

If you want to boot Windows too you might want to look at SARDU. I remember using it with Windows PE around 2005 and it seems to have been updated to support USB drives and UEFI, but remember that this tool also supports legacy booting.

What do we need?

  • Very basic knowledge of GRUB configuration files.
  • Very basic knowledge of UEFI booting and GRUB, as we are going to generate our own GRUB bootloader image with plenty of modules included.
  • A UEFI bootable ISO image, a FAT formatted USB drive and a machine that runs Linux.
    • No, we don't need a UEFI installation of Linux (which may be a chicken and egg situation), a traditional Linux VM like in VirtualBox is fine.

2.1. Creating the binary

On your Ubuntu machine or VM, make sure the package grub-efi-amd64-bin is installed (grub-efi-ia32-bin is also available for 32-bit Intel architectures on newer releases). The package may have a different name on another distribution; you can compare the file listing of the package to find the right package on your distribution.

The following command will generate the GRUB image, in this case an EFI binary that every computer with a UEFI firmware should be able to run:

grub-mkimage -o bootx64.efi -p /efi/boot -O x86_64-efi \
 fat iso9660 part_gpt part_msdos \
 normal boot linux configfile loopback chain \
 efifwsetup efi_gop efi_uga \
 ls search search_label search_fs_uuid search_fs_file \
 gfxterm gfxterm_background gfxterm_menu test all_video loadenv \
 exfat ext2 ntfs btrfs hfsplus udf

Every standard UEFI firmware should look into \EFI\BOOT\ for a file named boot{arch}.efi, so create the folders on the USB drive and copy the image we just created to this location. Other architectures instead of x64 are possible, but let's keep it simple with x64/amd64.

2.2. Creating the configuration file

A very basic example for the grub.cfg configuration file, which should be placed in the same directory as bootx64.efi, would look like this:

set timeout=3
set color_highlight=black/light-magenta

menuentry 'Boot Ubuntu 14.04.2 LTS from ISO' {
        set isofile="/efi/boot/ubuntu-14.04.2-desktop-amd64.iso"
        loopback loop $isofile
        linux (loop)/casper/vmlinuz.efi boot=casper iso-scan/filename=$isofile noprompt noeject quiet splash persistent --
        initrd (loop)/casper/initrd.lz
}
submenu 'Useful snippets' {
    menuentry 'Ubuntu' {
            chainloader /efi/ubuntu/grubx64.efi
    }
    menuentry 'Windows' {
            chainloader /efi/Microsoft/Boot/bootmgfw.efi
    }
    menuentry 'Firmware Setup' {
            fwsetup
    }
}

The important thing is the configuration block with the title Boot Ubuntu 14.04.2 LTS from ISO. You can change the color and timeout to your preference. I chose black/light-magenta as it still looks a bit Ubuntu-ish but is easily distinguishable when chainloading other configurations. You can find more examples for other distributions in the Arch Wiki and reading the GRUB manual is really worth your time if you want to go beyond that.

Getting back to the configuration block, it should be obvious that the ISO is referenced as /efi/boot/ubuntu-14.04.2-desktop-amd64.iso, so copy your ISO to \EFI\BOOT\ and replace ubuntu-14.04.2-desktop-amd64.iso in the configuration with the actual filename of your ISO.

loopback loop $isofile is the line that will load our ISO file to a loopback device from which we can boot the Linux kernel directly. This is possible because our EFI GRUB image includes the loopback module. (A bit of trial and error was involved in figuring out which modules are reasonable to include. You shouldn't see any error messages; it's still not perfect though.) Speaking of the kernel, you can add kernel parameters like toram, parameters for different languages (example: locale=de_DE bootkbd=de) and, as in the example, persistent.

2.3. Adding persistency

You can add a partition as described in: How do I get a live-USB to use a partition for persistence? Or you can create a casper-rw file and place it at the root of your USB drive.

dd if=/dev/zero of=casper-rw bs=1M count=4094
mkfs.ext4 -m 0 casper-rw

I haven't tested what the absolute maximum is; it should be somewhere between 4094 and 4096 MB. Use a partition if you intend to use more space. Note that every change to the (root) is a modification to the overlay filesystem, even deleting files.

2.4. Checking the integrity

You should look at answers to the following questions to verify that the Live ISO content on the USB drive is in pristine condition:

2.5. UEFI Secure Boot

Secure Boot will become mandatory with Windows 10 machines; I suggest you have a look at the Linux Foundation's PreLoader to add Secure Boot functionality to this setup. Here is some ASCII art illustrating menus of the accompanying HashTool.

3. Review in 2020

I wrote this answer more than 5 years ago. How well does it still work? It works well for Ubuntu. install.wim from latest Windows 10 images however exceeds the FAT32 maximum file size and bigger images like RHEL 8 also don't fit. I tried Rufus yesterday and noticed that it uses GRUB too with NTFS EFI modules to read another NTFS partition where it stored the Windows installation files. It failed to load data from this partition though. Also exFAT is now commonplace.

Windows is picky with drives that have no partition tables. Trying to re-purpose older SSDs as chunky USB thumb drives does not work really well on Windows. Maybe I need to read some Microsoft documentation to find out what the rationale was to make it a bit more complicated than on Linux.

ChromeOS is a different topic; I think it's not possible to create recovery media the way I prefer, which is cumbersome when you have to use Windows and reformat the entire drive to create media for your Chromebook.

Interesting stuff, let's hope I find time to fix some of this and learn a few more new things.


Congratulations, I'd say you now mastered UEFI booting and shouldn't be afraid anymore.
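
An added example for the integrity checks in section 2.4 (not part of the original answer): one function checks an ISO copied for the loopback method against the release's SHA256SUMS file, the other checks an extracted tree from the copy method against the md5sum.txt found at the root of Ubuntu ISOs. The function names are hypothetical, and it assumes SHA256SUMS was downloaded from the release server and its signature (SHA256SUMS.gpg) has already been verified with gpg.

```shell
#!/bin/sh
# Added example: integrity checks for both methods described above.

# verify_iso_copy ISO SUMS
# Hash the ISO as read back from the USB drive and compare it with the entry
# for the same file name in SHA256SUMS. Returns 0 on match, 1 on mismatch,
# 2 if SHA256SUMS has no entry for that file name.
verify_iso_copy() {
    iso=$1
    sums=$2
    name=$(basename "$iso")
    # Lines look like "<hash> *<name>" (binary mode) or "<hash>  <name>".
    want=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$want" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    got=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
        echo "MISMATCH $name: expected $want, got $got" >&2
        return 1
    fi
    echo "OK $name"
}

# verify_extracted_tree USB_ROOT
# Re-hash every file listed in USB_ROOT/md5sum.txt (paths are relative to the
# root of the medium) and report any that differ or cannot be read.
verify_extracted_tree() {
    root=$1
    if [ ! -f "$root/md5sum.txt" ]; then
        echo "md5sum.txt not found in $root" >&2
        return 2
    fi
    # Keep only the lines that are not "<path>: OK".
    bad=$(cd "$root" && md5sum -c md5sum.txt 2>/dev/null | grep -v ': OK$' || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" >&2
        return 1
    fi
    echo "OK all files listed in md5sum.txt"
}
```

With the drive from section 1.1 mounted, the calls would be `verify_iso_copy /media/$USER/604A-00EA/efi/boot/ubuntu-14.04.2-desktop-amd64.iso SHA256SUMS` and `verify_extracted_tree /media/$USER/604A-00EA`. Unmount and re-plug the drive first so the data is read back from the device rather than from the page cache.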