Use agFM for UEFI64 Secure Boot
You can directly Secure UEFI64-Boot to the agFM grub2 boot files on the FAT32 Partition 2. Simply use your BIOS Boot Selection function key (e.g. F8 or F12, etc.) to select the USB HDD EFI boot option for Partition 2 of the USB drive.
The initial UEFI 64-bit boot file is actually a special signed Kaspersky shim file which allows us to load an unsigned version of a1ive grub2.
If you see a security-related error message, this may be due to the Kaspersky shim being specifically blocked by a database entry which has been installed into your UEFI BIOS settings (typically by recent Windows update). In this case you have three choices:
- Go into the BIOS settings and disable Secure Boot
- Go into the BIOS settings and clear the DBx UEFI database blacklist to allow the Kaspersky shim to load
- Convert your Secure Boot signed payload files (e.g. Windows Install ISOs, Ubuntu ISOs, Red Hat ISOs, etc.) to Partition Image files (.imgPTN23 files).
Note: Directly Secure UEFI32-booting to the agFM menu is not supported.
Note: If you have successfully Secure-booted to the agFM menu system, then you can boot to any secure or insecure payload or load the Ventoy menu system.
Secure Boot using Partition Images
You can convert an ISO or folder containing Secure-bootable files to a Partition Image using the Windows script MakePartImage.cmd (typically drag-and-drop onto the MPI_FAT32 Desktop shortcut).
Add the resultant .imgPTN23 file to your E2B USB drive. This file can be used to completely replace Partition #1 of the E2B USB drive.
You can ‘switch-in’ the .imgPTN23 file in a number of ways:
- Run \_ISO\SWITCH_E2B,exe
- Legacy\MBR boot to the E2B menu and select the .imgPTN23 file
- UEFI-boot to agFM Partition 2 (on another system) and select the .imgPTN23 file
- Add a FAT32 Partition #3 to your E2B USB drive and place a bootable copy of WinPE on it. You can then Secure Boot to WinPE on the 3rd partition and run SWITCH_E2B.exe to switch in the desired .imgPTN23 image file.
Once the new partition image is ‘switched-in’, you can Secure UEFI-boot to Partition #1.
Note that not all ISOs contain signed secure boot files.