Windows BSOD boot failure

Error on release specified. Problem exist on pre-release 23.10 but when booting the prior replease 23.04 I can install grub and boot both 23.04, 23.10, and Windows.

Status changed to 'Confirmed' because the bug affects multiple users.

Can you try running `rmmod peimage` in the grub console before chainloading to WIndows? e.g.

Press c, enter `rmmod peimage`, enter `normal` to get back to menu and select Windows.

My recommendation would be to avoid booting Windows via grub altogether and boot it via the firmware boot menu ('press ... to select boot device' kind of option), this ensures that everything works correctly - booting via grub is a bit hacky as it messes up the TPM measurements.

With the 'rmmod peimage' in the grub console I could chainloading Windows again successfully.

I can understand your technical position but it isn't very comfortable to get first in the BIOS to start Windows for me. And for all not IT-stuff people it isn't too.
Also it has work fine for all the time and it doesn't start with the Ubuntu Version 23.10.

For the casual Ubuntu/Windows user this problem will be difficult to resolve. Spent time trying to diagnose a Windows error code 0xc0000428 without success. Should have stopped and submitted a bug against grub when I found that booting Windows via bios works but I didn't and rebuilt my Windows system. Waste of time.

On Ubuntu, I have integrated following workaround (ugly, but it works actually).
Edit the file with sudo vim /boot/grub/grub.cfg and insert "rmmod peimage" on the menuentry for booting Windows.

menuentry 'Windows Boot Manager (on /dev/nvme0n1p1)' --class windows --class os $menuentry_id_option 'osprober-efi-8050-6F7A' {
        insmod part_gpt
        insmod fat
        rmmod peimage
        search --no-floppy --fs-uuid --set=root 8050-6F7A
        chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}

Adding rmmod peimage to /boot/grub/grub.cfg work find for me, thanks

I have added the rmmod as a temporary workaround while investigation continues. The bug will be closed when that lands and I will either reopen this or create a new bug to track the proper fix.

Essentially this got delayed because I failed to install Windows 11 in qemu due to some online account requirement that was not possible to work around, and booting Windows setup via chainloader without peimage failed with a different error, I'll try with Windows 10 later.

Note that the workaround only works on systems with secure boot enabled, as I did not want to cause error messages on systems not using peimage and did not find a way to figure out if peimage was actually loaded while hacking this up quickly.

I am experiencing the same issue on the -signed variants as well.

Adding `rmmod peimage` as shown above works as well.

Tracking the workaround here now, the underlying bug is tracked in [Bug 2032294] [NEW] Proper fix for chainloading Windows

This bug was fixed in the package grub2 - 2.12~rc1-4ubuntu2

---------------
grub2 (2.12~rc1-4ubuntu2) mantic; urgency=medium

  * ubuntu-zfs-enhance-support.patch: Adjustments for 2.12 library
    (LP: #2029260)
  * zfs: on_exit: Unmount ${MNTDIR}/boot before ${MNTDIR} (LP: #2031042)
  * Temporarily rmmod peimage for os-prober chainloader entries (LP: #2030810)

 -- Julian Andres Klode <email address hidden> Mon, 21 Aug 2023 14:26:07 +0200

@juliank
This is still happening even after fix. Systems without secure boot enabled still don't boot.

Could you please reopen this bug so that it is obvious?

@petoju As explained, the remaining issue for non-secureboot systems is tracked in bug 2032294. It may have been better to not close this bug and instead just reference it a different way, but what's done is done. I don't want to confuse the bot that syncs launchpad issues into the internal tracker.

still having this issue on mantic. secure boot is not enabled.
```
sudo mokutil --sb-state
SecureBoot disabled
Platform is in Setup Mode
```
```
grub2/mantic,now 2.12~rc1-4ubuntu3 amd64 [installed]
grub-efi-amd64-bin/mantic,now 2.12~rc1-4ubuntu1 amd64 [installed]
grub-efi-amd64-signed/mantic,now 1.194+2.12~rc1-4ubuntu1 amd64 [installed]
```

@juliank

I have secure boot disabled but the -signed package installed. Thus this separate bug https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2032294 does not apply as that is for the -unsigned package.

this if statement needs to be removed and `rmmod peimage` needs to be run in ALL cases

```
        if [ "$shim_lock" = "y" ]; then
                rmmod peimage
        fi
```

No this is distinctly a bug in the -unsigned package which is where the -signed packages are built from.

I have fixed this properly in the meantime in Debian but I haven't managed to rebase and submit for signing yet.

Several more bugs had piled up.

The 'if' is necessary as otherwise you get errors if you haven't loaded peimage.

Well all I can say is that it is not working with the current -signed package installed with secure boot disabled as described above and when I remove the if statement and replace it with `rmmod peimage` it now works.

Hopefully you can get the true fix merged ASAP and these manual workarounds are no longer necessary.