In the first part, I prepared a FAT32 partition on a flash drive named “FLASH”, with room for Grub2. Note that I use Arch Linux's Grub2, which is very recent. You may have to adapt the commands to your situation with older versions of Grub2. I recommend you use at least Grub2 version 2.0, which has support for multiple initrd files.

Remember my goals: among other things, I wish to have a French keyboard layout, and to have boot files hidden from both Windows and Linux. The former is taken care of below (adapt to your own language). The latter, unfortunately, is not entirely possible because I must have an EFI folder. I may as well use it, then, and put all boot files in there, including Grub2. Later, while using Windows, you can at least mark the EFI folder as “hidden”, which has no effect on the Linux side but does hide it from Windows Explorer (with standard settings).

Last but not least, “Secure Boot” must be accounted for, as it is enforced on a number of computers. The commands below only install the required software; read the Arch Linux wiki for instructions on how to use it.

So, the next step is to mount the flash drive partition and run the following commands. Let’s assume the flash drive’s device is /dev/sdb and its partition’s mount point is /media/FLASH:

# grub-install --locales=fr --themes= --target=i386-efi --efi-directory=/media/FLASH --boot-directory=/media/FLASH/EFI --bootloader-id=grub32 --no-nvram --removable /dev/sdb
# grub-install --locales=fr --themes= --target=x86_64-efi --efi-directory=/media/FLASH --boot-directory=/media/FLASH/EFI --bootloader-id=grub64 --no-nvram --removable /dev/sdb
# grub-install --locales=fr --themes= --target=i386-pc --boot-directory=/media/FLASH/EFI --no-nvram --removable /dev/sdb
# grub-kbdcomp -o /media/FLASH/EFI/grub/locale/fr.gkb /usr/share/X11/xkb/symbols/fr
# mv /media/FLASH/EFI/BOOT/BOOTX64.EFI /media/FLASH/EFI/BOOT/loader.efi
# wget -P /media/FLASH/EFI/BOOT/
# wget -O /media/FLASH/EFI/BOOT/BOOTX64.EFI

The Arch Linux wiki notes that the Grub and Secure Boot configuration may need to be duplicated inside EFI/Microsoft/Boot/ for some non-standard UEFI implementations.

Also, note the location where Grub2 is installed: it is the whole drive, not the partition.

Now, I want some tools available in my Grub2 menu, namely ntpasswd and HDT. First ntpasswd:

# wget
# mkdir /media/FLASH/EFI/nt140201
# unzip initrd.cgz scsi.cgz vmlinuz -d /media/FLASH/EFI/nt140201
# rm -f

Now HDT. The easiest way is to simply use the provided ISO file, which can be booted with the memdisk tool from the syslinux package (to be installed on your computer’s Linux OS):

# wget -P /media/FLASH/EFI/hdt
# cp /usr/lib/syslinux/bios/memdisk /media/FLASH/EFI/

Finally, let me create the Grub2 menu. I need to know the UUID for my FAT32 partition. The UUID can be found with the command ls -l /dev/disk/by-uuid/. In my case, I have to find the name of the symbolic link, the target of which is sdb1. Then I can reuse the value (shown as XXXX-XXXX below):

cat >/media/FLASH/EFI/grub/grub.cfg <<-"THEEND"
set menu_color_normal=red/black
set menu_color_highlight=light-red/black
set gfxmode=auto
set gfxpayload=keep
insmod part_msdos
insmod part_gpt
insmod lvm
insmod fat
insmod ntfs
insmod all_video
insmod gfxterm
insmod keylayouts
insmod gettext

# Locate the flash drive's FAT32 partition by its UUID (replace XXXX-XXXX)
search --no-floppy --fs-uuid --set=root XXXX-XXXX
set locale_dir=($root)/EFI/grub/locale
set lang=fr
keymap /EFI/grub/locale/fr.gkb
loadfont /EFI/grub/fonts/unicode.pf2
terminal_input console
terminal_output gfxterm

echo "theYinYeti's Rescue System (FR)"

set timeout=10
set default=0

# … here will come Linux, later …

menuentry "ntpasswd: Windows password recovery" {
    linux16 /EFI/nt140201/vmlinuz rw
    initrd16 /EFI/nt140201/initrd.cgz /EFI/nt140201/scsi.cgz
}
menuentry "HDT: Hardware detection tool" {
    linux16 /EFI/memdisk iso raw
    initrd16 /EFI/hdt/hdt-0.5.2.iso
}
terminal_input at_keyboard

submenu "Else…" {
    insmod regexp
    for d in (*); do if [ $grub_platform == "pc" ]; then
        # BIOS: offer the boot sector of every device and partition
        menuentry "Chainload $d" "$d" {
            set root=$2
            chainloader +1
        }
    else
        # EFI: offer every *.efi file found in the usual boot folders
        for p in EFI EFI/boot EFI/Microsoft/Boot; do for e in $d/$p/*.efi; do
            unset is32; regexp --set is32 '(32)' "$e"
            unset is64; regexp --set is64 '(64)' "$e"
            # An unexpanded "*" means the glob matched no file
            unset notfound; regexp --set notfound '(\*)' "$e"
            if [ "$notfound" ]; then continue; fi
            # Skip loaders whose name does not match the CPU architecture
            if [ $grub_cpu == "i386" -a "$is64" ]; then continue; fi
            if [ $grub_cpu == "x86_64" -a "$is32" ]; then continue; fi
            menuentry "Chainload $e" "$d" "$e" {
                set root=$2
                # Strip the "(device)" prefix to keep only the file path
                regexp --set e '^\([^)]*\)(/.*)$' "$3"
                chainloader $e
            }
        done; done
    fi; done
}
THEEND

The end of the menu is about trying to auto-detect bootable partitions (MBR) or kernels (EFI), and proposing them for chain-loading.
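
A pre-reboot check for the menu above, as an added example that is not part of the original post: the hypothetical helpers missing_boot_files and brace_depth list files that grub.cfg references but that are absent from the flash drive, and count menuentry/submenu blocks left unclosed. It assumes the menu only uses absolute paths on its own root, as the configuration here does.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check grub.cfg
# against the files actually present on the flash drive.

# Print every absolute path that the menu references but that does not
# exist under the mount point. Covers the file-loading commands used in
# the menu above; "chainloader +1" and "chainloader $e" are skipped
# because their argument does not start with "/".
missing_boot_files() {
    cfg=$1   # e.g. /media/FLASH/EFI/grub/grub.cfg
    mnt=$2   # e.g. /media/FLASH
    awk '
        $1 ~ /^(linux16|initrd16|keymap|loadfont|chainloader)$/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^\//) print $i
        }
    ' "$cfg" | LC_ALL=C sort -u | while IFS= read -r path; do
        [ -e "$mnt$path" ] || printf '%s\n' "$path"
    done
}

# Print the number of blocks left open (0 means balanced). A negative
# number means more closing braces than opening ones.
brace_depth() {
    awk '
        /[{][ \t]*$/ { depth++ }   # menuentry/submenu line opening a block
        /^[ \t]*[}]/ { depth-- }   # line closing a block
        END          { print depth + 0 }
    ' "$1"
}
```

Call it as missing_boot_files /media/FLASH/EFI/grub/grub.cfg /media/FLASH and brace_depth /media/FLASH/EFI/grub/grub.cfg; no output from the first and 0 from the second mean the menu is consistent with the drive. GRUB's own grub-script-check can additionally validate the script syntax.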

The flash drive should now be able to boot and start the above tools. The next blog post will deal with the installation of the Linux operating system.