]> code.delx.au - refind/blob - docs/refind/secureboot.html
4f27289d360a9abb9f0d57dc76c1278b43a480e1
[refind] / docs / refind / secureboot.html
1 <?xml version="1.0" encoding="utf-8" standalone="no"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
3 "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
4
5 <html xmlns="http://www.w3.org/1999/xhtml">
6 <head>
7 <title>The rEFInd Boot Manager: Managing Secure Boot</title>
8 <link href="../Styles/styles.css" rel="stylesheet" type="text/css" />
9 </head>
10
11 <meta name="viewport" content="width=device-width, initial-scale=1">
12
13 <body>
14 <h1>The rEFInd Boot Manager:<br />Managing Secure Boot</h1>
15
16 <p class="subhead">by Roderick W. Smith, <a
17 href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
18
19 <p>Originally written: 11/13/2012; last Web page update:
20 12/12/2015, referencing rEFInd 0.10.1</p>
21
22
23 <p>This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
24
25 <table border="1">
26 <tr>
27 <td>Donate $1.00</td>
28 <td>Donate $2.50</td>
29 <td>Donate $5.00</td>
30 <td>Donate $10.00</td>
31 <td>Donate $20.00</td>
32 <td>Donate another value</td>
33 </tr>
34 <tr>
35
36 <td>
37 <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
38 <input type="hidden" name="cmd" value="_donations">
39 <input type="hidden" name="business" value="rodsmith@rodsbooks.com">
40 <input type="hidden" name="lc" value="US">
41 <input type="hidden" name="no_note" value="0">
42 <input type="hidden" name="currency_code" value="USD">
43 <input type="hidden" name="amount" value="1.00">
44 <input type="hidden" name="item_name" value="rEFInd Boot Manager">
45 <input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
46 <input type="image" src="donate.png" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
47 </form>
48 </td>
49
50 <td>
51 <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
52 <input type="hidden" name="cmd" value="_donations">
53 <input type="hidden" name="business" value="rodsmith@rodsbooks.com">
54 <input type="hidden" name="lc" value="US">
55 <input type="hidden" name="no_note" value="0">
56 <input type="hidden" name="currency_code" value="USD">
57 <input type="hidden" name="amount" value="2.50">
58 <input type="hidden" name="item_name" value="rEFInd Boot Manager">
59 <input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
60 <input type="image" src="donate.png" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
61 </form>
62 </td>
63
64
65 <td>
66 <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
67 <input type="hidden" name="cmd" value="_donations">
68 <input type="hidden" name="business" value="rodsmith@rodsbooks.com">
69 <input type="hidden" name="lc" value="US">
70 <input type="hidden" name="no_note" value="0">
71 <input type="hidden" name="currency_code" value="USD">
72 <input type="hidden" name="amount" value="5.00">
73 <input type="hidden" name="item_name" value="rEFInd Boot Manager">
74 <input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
75 <input type="image" src="donate.png" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
76 </form>
77 </td>
78
79 <td>
80 <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
81 <input type="hidden" name="cmd" value="_donations">
82 <input type="hidden" name="business" value="rodsmith@rodsbooks.com">
83 <input type="hidden" name="lc" value="US">
84 <input type="hidden" name="no_note" value="0">
85 <input type="hidden" name="currency_code" value="USD">
86 <input type="hidden" name="amount" value="10.00">
87 <input type="hidden" name="item_name" value="rEFInd Boot Manager">
88 <input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
89 <input type="image" src="donate.png" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
90 </form>
91 </td>
92
93 <td>
94 <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
95 <input type="hidden" name="cmd" value="_donations">
96 <input type="hidden" name="business" value="rodsmith@rodsbooks.com">
97 <input type="hidden" name="lc" value="US">
98 <input type="hidden" name="no_note" value="0">
99 <input type="hidden" name="currency_code" value="USD">
100 <input type="hidden" name="amount" value="20.00">
101 <input type="hidden" name="item_name" value="rEFInd Boot Manager">
102 <input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
103 <input type="image" src="donate.png" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
104 </form>
105 </td>
106
107 <td>
108 <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
109 <input type="hidden" name="cmd" value="_donations">
110 <input type="hidden" name="business" value="rodsmith@rodsbooks.com">
111 <input type="hidden" name="lc" value="US">
112 <input type="hidden" name="no_note" value="0">
113 <input type="hidden" name="currency_code" value="USD">
114 <input type="hidden" name="item_name" value="rEFInd Boot Manager">
115 <input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
116 <input type="image" src="donate.png" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
117 </form>
118 </td></tr>
119 </table>
120
121 <hr />
122
123 <p>This page is part of the documentation for the rEFInd boot manager. If a Web search has brought you here, you may want to start at the <a href="index.html">main page.</a></p>
124
125 <hr />
126
127 <p class="sidebar"><b>Note:</b> My <a href="http://www.rodsbooks.com/efi-bootloaders/">Managing EFI Boot Loaders for Linux</a> Web page includes a much more detailed description of Secure Boot in two of its subpages. Consult <a href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html">Dealing with Secure Boot</a> for more information on disabling Secure Boot, using Shim, and using PreLoader; and read <a href="http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html">Controlling Secure Boot</a> for more information on using your own keys instead of or in addition to those that came with your computer.</p>
128
129 <div class="navbar">
130
131 <h4 class="tight">Contents</h4>
132
133 <ul>
134
135 <li class="tight"><a href="#basic">Basic Issues</li>
136
137 <li class="tight"><a href="#shim">Using rEFInd with Shim</a></li>
138 <ul>
139 <li class="tight"><a href="#installation">Installing Shim and rEFInd</a></li>
140 <li class="tight"><a href="#mok">Managing Your MOKs</a></li>
141 </ul>
142
143 <li class="tight"><a href="#preloader">Using rEFInd with PreLoader</a></li>
144
145 <li class="tight"><a href="#caveats">Secure Boot Caveats</a></li>
146
147 </ul>
148
149 </div>
150
151 <p class="sidebar"><b>Note:</b> Macs don't (yet?) support Secure Boot, but
152 as of version 10.11 ("El Capitan"), OS X uses its own new security feature,
153 <i>System Integrity Protection (SIP),</i> which creates its own set of
154 hoops through which rEFInd users must jump. See the <a
155 href="sip.html">rEFInd and System Integrity Protection</a> page for
156 details.</p>
157
158 <p>If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some <a href="#basic">Secure Boot basics</a> and two specific ways of using rEFInd with Secure Boot: <a href="#shim">Using the Shim program</a> and <a href="#preloader">using the PreLoader program.</a> (My separate <a href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html">EFI Boot Loaders for Linux page on Secure Boot</a> covers the additional topics of disabling Secure Boot and adding keys to the firmware's own set of keys.) This page concludes with a look at <a href="#caveats">known bugs and limitations</a> in rEFInd's Secure Boot features.</p>
159
160 <a name="basic">
161 <h2>Basic Issues</h2>
162 </a>
163
164 <p class="sidebar"><b>Note:</b> You don't <i>have to</i> use Secure Boot.
165 If you don't want it, you can <a
166 href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html#disable">disable
167 it,</a> at least on <i>x</i>86-64 PCs. If an ARM-based computer ships with
168 Windows 8, this isn't an option for it. Unfortunately, the Shim and PreLoader programs described on this page currently support only <i>x</i>86-64, not <i>x</i>86 or ARM.</p>
169
170 <p>Through 2012, it became obvious that Secure Boot would be a feature that was controlled, to a large extent, by Microsoft. This is because Microsoft requires that non-server computers that display Windows 8 logos ship with Secure Boot enabled. As a practical matter, this also means that such computers ship with Microsoft's keys in their firmware. In the absence of an industry-standard body to manage the signing of Secure Boot keys, this means that Microsoft's key is the only one that's more-or-less guaranteed to be installed on the computer, thus blocking the ability to boot any OS that lacks a boot path through Microsoft's signing key.</p>
171
172 <p>Fortunately, Microsoft will sign third-party binaries with their key&mdash;or more precisely, with a key that Microsoft uses to sign third-party binaries. (Microsoft uses another key to sign its own binaries, and some devices, such as the Microsoft Surface tablet, lack the third-party Microsoft key.) A payment of $99 to Verisign enables a software distributor to sign as many binaries as desired. Red Hat (Fedora), Novell (SUSE), and Canonical (Ubuntu) are all using this system to enable their boot loaders to run. Unfortunately, using a third-party signing service is an awkward solution for open source software. In fact, for this very reason two separate programs exist that shift the Secure Boot "train" from Microsoft's proprietary "track" to one that's more friendly to open source authors. Both of these programs (Shim and PreLoader) are available in binary form signed by Microsoft's key. Shim enables the computer to launch binaries that are signed by a key that's built into it or that the user adds to a list known as the Machine Owner Key (MOK) list. PreLoader enables the computer to launch binaries that the user has explicitly identified as being OK. Distributions beginning with Ubuntu 12.10 (and 12.04.2), Fedora 18, and OpenSUSE 12.3 use Shim, although the Ubuntu initially shipped with an early version of Shim that's useless for launching rEFInd. (Current versions of Ubuntu ship with more flexible versions of Shim.) PreLoader is used by some smaller and more specialized distributions, such as Arch Linux. You can switch from one to the other if you like, no matter what your distribution uses by default.</p>
173
174 <p>There are three ways to sign a binary that will get it launched on a computer that uses Shim:</p>
175
176 <ul>
177
178 <li><b>Secure Boot keys</b>&mdash;These keys are managed by the EFI
179 firmware. In a default configuration, Microsoft is the only party
180 that's more-or-less guaranteed to be able to sign boot loaders with
181 these keys; however, it's possible to <a
182 href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html#add_keys">replace
183 Microsoft's keys with your own,</a> in order to take full control of
184 Secure Boot on your computer. The trouble is that this process is
185 tedious and varies in details from one computer to another. It's worth
186 noting that many, but not all, computers ship with Canonical's key,
187 which can help slightly when booting Ubuntu; if your computer is so
188 equipped, you can use any Shim you like and not worry about adding
189 Canonical's key to your MOK list, although you must still add a MOK key
190 for rEFInd itself.</li>
191
192 <li><b>Shim's built-in keys</b>&mdash;It's possible, but not necessary, to
193 compile Shim with a built-in public key. Its private counterpart can
194 then be used to sign binaries. In practice, this key type is limited in
195 utility; it's likely to be used by distribution maintainers to sign
196 their own version of GRUB and the Linux kernels that it launches,
197 nothing more. On the plus side, Shim's keys require little or no
198 maintenance by users. One potential complication is that if you swap
199 out one Shim binary for another, its built-in key may change, which
200 means that the replacement Shim might no longer launch its follow-on
201 boot loader or kernels linked to the first Shim.</li>
202
203 <li><b>MOKs</b>&mdash;Versions 0.2 and later of Shim support MOKs, which
204 give you the ability to add your own keys to the computer. If you want
205 to install multiple Linux distributions in Secure Boot mode, MOKs are
206 likely to be helpful. They're vital if you want to launch kernels you
207 compile yourself or use boot managers or boot loaders other than those
208 provided by your distribution.</li>
209
210 </ul>
211
212 <p>All three key types are the same in form&mdash;Shim's built-in keys and MOKs are both generated using the same tools used to generate Secure Boot keys. The keys can be generated with the common <tt>openssl</tt> program, but signing EFI binaries requires either of two rarer programs: <tt>sbsign</tt> or <tt>pesign</tt>. If you use Shim with a distribution that doesn't support Secure Boot, you'll need to either sign the kernels yourself, which can be a hassle, or launch the kernels by way of a boot loader that doesn't check for signatures, such as ELILO.</p>
213
214 <p class="sidebar">Shim's author is working on merging it and PreLoader. Thus, future versions of Shim may provide the advantages of both programs.</p>
215
216 <p>PreLoader is easier to set up on a distribution that doesn't support Shim because PreLoader doesn't rely on keys; instead, you tell it which binaries you trust and it will let you launch them. This works well on a system with boot managers, boot loaders, and kernels that seldom change. It's not a good solution for distribution maintainers, though, because it requires that users manually add binaries to PreLoader's list of approved binaries when the OS is installed and every time those binaries change. Also, PreLoader relies on a helper program, HashTool, to enroll hashes. (This is Geek for "tell the computer that a binary is OK.") Unfortunately, the initial (and, as far as I know, only signed) HashTool can enroll hashes only from the partition from which it was launched, so if you want to use rEFInd to launch Linux kernels directly, it's easiest if you mount your EFI System Partition (ESP) at <tt>/boot</tt> in Linux or copy your kernels to the ESP. Another approach is to copy <tt>HashTool.efi</tt> to the partition that holds your kernel and rename it to almost anything else. rEFInd will then treat it like an OS boot loader and create a menu entry for it, enabling you to launch it as needed.</p>
217
218 <p>Beginning with version 0.5.0, rEFInd can communicate with the Shim system to authenticate boot loaders. If a boot loader has been signed by a valid UEFI Secure Boot key, a valid Shim key, or a valid MOK, rEFInd will launch it. rEFInd will also launch unsigned boot loaders or those with invalid signatures <i>if</i> Secure Boot is disabled in or unsupported by the firmware. (If that's your situation, you needn't bother reading this page.) PreLoader is designed in such a way that it requires no explicit support in rEFInd to work.</p>
219
220 <p>My binary builds of rEFInd version 0.5.0 and later ship signed with my own keys, and I provide the public version of this key with the rEFInd package. This can help simplify setup, since you needn't generate your own keys to get rEFInd working. The rEFInd PPA for Ubuntu ships unsigned binaries, but the installation script that runs automatically when the package is installed signs the binaries with a local key as it installs them. In either case, if you lack public keys for the boot loaders that rEFInd launches, you'll need to sign your boot loaders, as described in the <a href="#mok">Managing Your MOKs</a> section.</p>
221
222 <a name="shim">
223 <h2>Using rEFInd with Shim</h2>
224 </a>
225
226 <p>Because several major distributions support Shim, I describe it first. You may need to adjust the rEFInd installation process to get it working with Shim, especially if you're not using a distribution that uses this software. In addition to installing Shim, you should know how to manage your MOKs, so I describe this topic, too. If you don't want to use Shim, you can skip ahead to <a href="#preloader">the section on PreLoader.</a></p>
227
228 <a name="installation">
229 <h3>Installing Shim and rEFInd</h3>
230 </a>
231
232 <p class="sidebar"><b>Note:</b> rEFInd's <tt>refind-install</tt> script attempts to identify whether your computer was booted with Secure Boot active and, if it was, to locate existing Shim binaries and make use of whatever it finds. Thus, you may not need to explicitly set up Shim after you install rEFInd, although you will probably have to enroll rEFInd's key in your MOK list, as described shortly.</p>
233
234 <p>A working Secure Boot installation of rEFInd involves at least three programs, and probably four or more, each of which must be installed in a specific way:</p>
235
236 <ul>
237
238 <li><b>Shim</b>&mdash;You can use any version of Shim you like. In many cases, one will already be installed on your computer from your distribution, called <tt>shim.efi</tt> or <tt>shimx64.efi</tt> in the distribution's directory on the ESP. If so, it's probably best to use that version, since its built-in key will handle your distribution's kernels. If you don't currently have a Shim installed, you can copy one from another computer, copy the file from a distribution installation disc, or download a version of Shim 0.2 (old, but still usable) signed with Microsoft's Secure Boot key <a href="http://www.codon.org.uk/~mjg59/shim-signed/">here.</a> This version (created by Shim's developer, former Red Hat employee Matthew J. Garrett) includes a Shim key that's used by nothing but the <tt>MokManager.efi</tt> program that also ships with the program. No matter what version of Shim you use, you must enroll rEFInd's MOK. Ubuntu 12.10 and 13.04 ship with an earlier version of Shim (0.1) that doesn't support MOKs; avoid Shim 0.1 for use with rEFInd. You should install Shim just as you would install other EFI boot loaders, as described <a href="http://www.rodsbooks.com/efi-bootloaders/installation.html">here.</a> For use in launching rEFInd, it makes sense to install <tt>shim.efi</tt> in <tt>EFI/refind</tt> on your ESP, although of course this detail is up to you.</li>
239
240 <li><b>MokManager</b>&mdash;This program is included with Shim 0.2 and later. It presents a user interface for managing MOKs, and it's launched by Shim if Shim can't find its default boot loader (generally <tt>grubx64.efi</tt>) or if that program isn't properly signed. In principle, this program could be signed with a Secure Boot key or a MOK, but such binaries are usually signed by Shim keys. This program should reside in the same directory as <tt>shim.efi</tt>, under the name <tt>MokManager.efi</tt>. Although you could theoretically do without MokManager, in practice you'll need it at least temporarily to install the MOK with which rEFInd is signed.</li>
241
242 <li><b>rEFInd</b>&mdash;Naturally, you need rEFInd. Because Shim is hard-coded to launch a program called <tt>grubx64.efi</tt>, you must install rEFInd using that name and to the same directory in which <tt>shim.efi</tt> resides. In theory, rEFInd could be signed with a Secure Boot key, a Shim key, or a MOK; however, because Microsoft won't sign binaries distributed under the GPLv3, I can't distribute a version of rEFInd signed with Microsoft's Secure Boot key; and as I don't have access to the private Shim keys used by any distribution, I can't distribute a rEFInd binary signed by them. (If distributions begin including rEFInd in their package sets, though, such distribution-provided binaries could be signed with the distributions' Shim keys.) Thus, rEFInd will normally be signed by a MOK. Beginning with version 0.5.0, rEFInd binaries that I provide are signed by me. Beginning with version 0.5.1, the installation script provides an option to sign the rEFInd binary with your own key, provided the necessary support software is installed.</li>
243
244 <li><b>Your boot loaders and kernels</b>&mdash;Your OS boot loaders, and perhaps your Linux kernels, must be signed. They can be signed with any of the three key types. Indeed, your system may have a mix of all three types&mdash;a Windows 8 boot loader will most likely be signed with Microsoft's Secure Boot key, GRUB and kernels provided by most distributions will be signed with their own Shim keys, and if you use your own locally-compiled kernel or a boot loader from an unusual source you may need to sign it with a MOK. Aside from signing, these files can be installed in exactly the same way as if your computer were not using Secure Boot.</li>
245
246 </ul>
247
248 <p>If you've installed a distribution that provides Shim and can boot it with Secure Boot active, and if you then install rEFInd using the RPM file that I provide or by running <tt>refind-install</tt>, chances are you'll end up with a working rEFInd that will start up the first time, with one caveat: You'll have to use MokManager to add rEFInd's MOK to your MOK list, as described shortly. If you don't already have a working copy of Shim on your ESP, your task is more complex. Broadly speaking, the procedure should be something like this:</p>
249
250 <ol>
251
252 <li>Boot the computer. This can be a challenge in and of itself. You may
253 need to use a Secure Boot&ndash;enabled Linux emergency disc,
254 temporarily disable Secure Boot, or do the work from Windows.</li>
255
256 <li><a href="getting.html">Download rEFInd</a> in binary form (the binary
257 zip or CD-R image file). If you download the binary zip file, unzip it;
258 if you get the CD-R image file, burn it to a CD-R and mount it.</li>
259
260 <li>Download Shim from <a
261 href="http://www.codon.org.uk/~mjg59/shim-signed/">Matthew J. Garrett's
262 download site</a> or from your distribution. (Don't use an early 0.1
263 version, though; as noted earlier, it's inadequate for use with
264 rEFInd.)</li>
265
266 <p class="sidebar"><b>Tip:</b> If you're running Linux, you can save some effort by using the <tt>refind-install</tt> script with its <tt>--shim <tt class="variable">/path/to/shim.efi</tt></tt> option rather than installing manually, as in steps 4&ndash;6 of this procedure. If you've installed <tt>openssl</tt> and <tt>sbsign</tt>, using <tt>--localkeys</tt> will generate local signing keys and re-sign the rEFInd binaries with your own key, too. You can then use <tt>sbsign</tt> and the keys in <tt>/etc/refind.d/keys</tt> to sign your kernels or boot loaders.</p>
267
268 <li>Copy the <tt>shim.efi</tt> and <tt>MokManager.efi</tt> binaries to the
269 directory you intend to use for rEFInd&mdash;for instance,
270 <tt>EFI/refind</tt> on the ESP.</li>
271
272 <li>Follow the installation instructions for rEFInd on the <a
273 href="installing.html">Installing rEFInd</a> page; however, you should
274 normally give rEFInd the filename <tt>grubx64.efi</tt> and register
275 <tt>shim.efi</tt> with the EFI by using <tt>efibootmgr</tt> in Linux or
276 <tt>bcdedit</tt> in Windows. Be sure that rEFInd (as
277 <tt>grubx64.efi</tt>), <tt>shim.efi</tt>, and <tt>MokManager.efi</tt>
278 all reside in the same directory. If you're using Shim 0.7 or later and
279 installing it under Linux, you may optionally keep rEFInd's
280 <tt>refind_x64.efi</tt> name; but you must then tell Shim to use rEFInd
281 by passing an additional <tt>-u "shim.efi refind_x64.efi"</tt> option
282 to <tt>efibootmgr</tt>. Change the filenames to the actual filenames
283 used by Shim and rEFInd, respectively.</li>
284
285 <li>Copy the <tt>refind.cer</tt> file from the rEFInd package to your ESP,
286 ideally to a location with few other files. (The rEFInd installation
287 directory should work fine.)</li>
288
289 <li>Reboot. With any luck, you'll see a simple text-mode user interface
290 with a label of <tt>Shim UEFI key management</tt>. This is the
291 MokManager program, which Shim launched when rEFInd failed verification
292 because its key is not yet enrolled.</li>
293
294 <li>Press your down arrow key and press Enter to select <tt>Enroll key from
295 disk</tt>. The screen will clear and prompt you to select a key, as
296 shown here:
297
298 <br /><img src="MokManager1.png" align="CENTER" width="676"
299 height="186" alt="MokManager's user interface is crude but effective."
300 border=2> <br />
301
302 This user interface was used in early versions of MokManager, but
303 somewhere between versions 0.4 and 0.7, the user interface received an
304 upgrade. If you've got a more recent version, it will look more like
305 this:
306
307 <br /><img src="MokManager2.png" align="CENTER" width="800"
308 height="345" alt="Recent versions of MokManager provide a somewhat more
309 user-friendly user interface." border=2> <br /> </li>
310
311 <li>Each of the lines with a long awkward string represents a disk
312 partition. Select one and you'll see a list of files. Continue
313 selecting subdirectories until you find the <tt>refind.cer</tt> file
314 you copied to the ESP earlier. (Note that in the early user interface
315 the long lines can wrap and hide valid entries on the next line, so you
316 may need to select a disk whose entry is masked by another one!)</li>
317
318 <li>Select <tt>refind.cer</tt>. You can type <tt class="userinput">1</tt>
319 to view the certificate's details if you like, or skip that and type
320 <tt class="userinput">0</tt> to enroll the key.</li>
321
322 <li>Back out of any directories you entered and return to the MokManager
323 main menu.</li>
324
325 <li>Select <tt>Continue boot</tt> at the main menu.</li>
326
327 </ol>
328
329 <p>At this point the computer may boot into its default OS, reboot, or perhaps even hang. When you reboot it, though, rEFInd should start up in Secure Boot mode. (You can verify this by selecting the <i>About rEFInd</i> tool in the main menu. Check the <i>Platform</i> item in the resulting screen; it should verify that Secure Boot is active.) You should now be able to launch any boot loader signed with a key recognized by the firmware or by Shim (including any MOKs you've enrolled). If you want to manage keys in the future, rEFInd displays a new icon in the second (tools) row you can use to launch MokManager. (This icon appears by default if MokManager is installed, but if you edit <tt>showtools</tt> in <tt>refind.conf</tt>, you must be sure to include <tt>mok_tool</tt> as an option in order to gain access to it.)</p>
330
331 <p>If you're using rEFInd to boot multiple Linux versions, chances are you'll need to add the keys for the distributions whose Shim you're not using as MOKs. rEFInd ships with a selection of such keys and copies them to the <tt>keys</tt> subdirectory of the rEFInd installation directory on the ESP as a convenience. Note that you must enroll keys with <tt>.cer</tt> or <tt>.der</tt> filename extensions. Although <tt>.crt</tt> files contain the same information, their format is different and they cannot be used by MokManager.</p>
332
333 <a name="mok">
334 <h3>Managing Your MOKs</h3>
335 </a>
336
337 <p>The preceding instructions provided the basics of getting rEFInd up and running, including using MokManager to enroll a MOK on your computer. If you need to sign binaries, though, you'll have to use additional tools. The OpenSSL package provides the cryptographic tools necessary, but actually signing EFI binaries requires additional software. Two packages for this are available: <tt>sbsigntool</tt> and <tt>pesign</tt>. Both are available in binary form from <a href="https://build.opensuse.org/project/show?project=home%3Ajejb1%3AUEFI">this OpenSUSE Build Service (OBS)</a> repository, and many distributions ship with at least one of them. The following procedure uses <tt>sbsigntool</tt>. To sign your own binaries, follow these steps (you can skip the first five steps if you've successfully used <tt>refind-install</tt>'s <tt>--localkeys</tt> option):</p>
338
339 <ol>
340
341 <li>If it's not already installed, install OpenSSL on your computer. (It
342 normally comes in a package called <tt>openssl</tt>.)</li>
343
344 <li>If you did <i>not</i> re-sign your rEFInd binaries with
345 <tt>refind-install</tt>'s <tt>--localkeys</tt> option, type the
346 following two commands to generate your public and private keys:
347
348 <pre class="listing">
349 $ <tt class="userinput">openssl req -new -x509 -newkey rsa:2048 -keyout refind_local.key \
350 -out refind_local.crt -nodes -days 3650 -subj "/CN=Your Name/"</tt>
351 $ <tt class="userinput">openssl x509 -in refind_local.crt -out refind_local.cer -outform DER</tt>
352 </pre>
353
354 Change <tt>Your Name</tt> to your own name or other identifying
355 characteristics, and adjust the certificate's time span (set via
356 <tt>-days</tt>) as you see fit. If you omit the <tt>-nodes</tt> option,
357 the program will prompt you for a passphrase for added security.
358 Remember this, since you'll need it to sign your binaries. The result
359 is a private key file (<tt>refind_local.key</tt>), which is highly
360 sensitive since it's required to sign binaries, and two public keys
361 (<tt>refind_local.crt</tt> and <tt>refind_local.cer</tt>), which can be
362 used to verify signed binaries' authenticity. The two public key files
363 are equivalent, but are used by different
364 tools&mdash;<tt>sbsigntool</tt> uses <tt>refind_local.crt</tt> to sign
365 binaries, but MokManager uses <tt>refind_local.cer</tt> to enroll the
366 key. If you used <tt>refind-install</tt>'s <tt>--localkeys</tt> option,
367 this step is unnecessary, since these keys have already been created
368 and are stored in <tt>/etc/refind.d/keys/</tt>.</li>
369
370 <li>Copy the three key files to a secure location and adjust permissions
371 such that only you can read <tt>refind_local.key</tt>. You'll need
372 these keys to sign future binaries, so don't discard them.</li>
373
374 <li>Copy the <tt>refind_local.cer</tt> file to your ESP, ideally to a
375 location with few other files. (MokManager's user interface becomes
376 unreliable when browsing directories with lots of files.)</li>
377
378 <li>Download and install the <tt>sbsigntool</tt> package. Binary links for
379 various distributions are available from the <a
380 href="https://build.opensuse.org/package/show?package=sbsigntools&project=home%3Ajejb1%3AUEFI">OpenSUSE
381 Build Service</a>, or you can obtain the source code by typing <tt
382 class="userinput">git clone
383 git://kernel.ubuntu.com/jk/sbsigntool</tt>.</li>
384
385 <li>Sign your binary by typing <tt class="userinput">sbsign --key
386 refind_local.key --cert refind_local.crt --output <tt
387 class="variable">binary-signed.efi binary.efi</tt></tt>, adjusting the
388 paths to the keys and the binary names.</li>
389
390 <li>Copy your signed binary to a suitable location on the ESP for rEFInd to
391 locate it. Be sure to include any support files that it needs,
392 too.</li>
393
394 <li>Check your <tt>refind.conf</tt> file to ensure that the
395 <tt>showtools</tt> option is either commented out or includes
396 <tt>mok_tool</tt> among its options.</li>
397
398 <li>Reboot. You can try launching the boot loader you just installed, but
399 chances are it will generate an <tt>Access Denied</tt> message. For it
400 to work, you must launch MokManager using the tool that rEFInd presents
401 on its second row. You can then enroll your <tt>refind_local.cer</tt>
402 key just as you enrolled the <tt>refind.cer</tt> key.</li>
403
404 </ol>
405
406 <p>At this point you should be able to launch the binaries you've signed. Unfortunately, there can still be problems; see the upcoming section, <a href="#caveats">Secure Boot Caveats,</a> for information on them. Alternatively, you can try using PreLoader rather than Shim.</p>
407
408 <a name="preloader">
409 <h2>Using rEFInd with PreLoader</h2>
410 </a>
411
412 <p>If you want to use Secure Boot with a distribution that doesn't come with Shim but the preceding description exhausts you, take heart: PreLoader is easier to set up and use for your situation! Unfortunately, it's still not as easy to use as not using Secure Boot at all, and it's got some drawbacks, but it may represent an acceptable middle ground. To get started, proceed as follows:</p>
413
414 <ol>
415
416 <li>Boot the computer. As with Shim, this can be a challenge; you may need
417 to boot with Secure Boot disabled, use a Secure Boot&ndash;enabled live
418 CD, or do the installation from Windows.</li>
419
420 <li><a href="getting.html">Download rEFInd</a> in binary form (the binary
421 zip or CD-R image file). If you download the binary zip file, unzip it;
422 if you get the CD-R image file, burn it to a CD-R and mount it.</li>
423
424 <li>Download PreLoader from <a
425 href="http://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/">its
426 release page</a> or by clicking the following links. Be sure to get
427 both the <tt><a
428 href="http://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi">PreLoader.efi</a></tt>
429 and <tt><a
430 href="http://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi">HashTool.efi</a></tt>
431 files.</li>
432
433 <li>Copy the <tt>PreLoader.efi</tt> and <tt>HashTool.efi</tt> binaries to
434 the directory you intend to use for rEFInd&mdash;for instance,
435 <tt>EFI/refind</tt> on the ESP.</li>
436
437 <li>Follow the installation instructions for rEFInd on the <a
438 href="installing.html">Installing rEFInd</a> page; however, give rEFInd
439 the filename <tt>loader.efi</tt> and register <tt>PreLoader.efi</tt>
440 with the EFI by using <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt>
441 in Windows. Be sure that rEFInd (as <tt>loader.efi</tt>),
442 <tt>PreLoader.efi</tt>, and <tt>HashTool.efi</tt> all reside in the
443 same directory.</li>
444
445 <li>Reboot. With any luck, you'll see HashTool appear with a warning
446 message stating that it was unable to launch <tt>loader.efi</tt> and
447 declaring that it will launch <tt>HashTool.efi</tt>. Press the Enter
448 key to continue.</li>
449
450 <li>HashTool should now appear. It should give you three or four options,
451 including <tt>Enroll Hash</tt>, as shown here. Select this option</li>
452
453 <br /><img src="HashTool1.png" align="CENTER" width="641" height="459"
454 alt="HashTool provide a somewhat nicer user interface than
455 MokManager's." border=2> <br />
456
457 <li>You can now select the binary you want to authorize. You should first
458 select <tt>loader.efi</tt>, since that's rEFInd. The program presents
459 the hash (a very long number) and asks for confirmation. Be sure to
460 select <tt>Yes</tt>.</li>
461
462 <br /><img src="HashTool2.png" align="CENTER" width="638" height="455"
463 alt="Be sure to select the right binary when you enroll its hash."
464 border=2> <br />
465
466 <p class="sidebar"><b>Note:</b> Unfortunately, the initial version of HashTool's file selector can't change filesystems. Thus, if you want to boot a Linux kernel using rEFInd and PreLoader, you'll need to copy the kernel to the ESP, at least temporarily. Alternatively, as noted earlier, you can copy <tt>HashTool.efi</tt> to the directory that holds the kernels or to another directory on that partition that rEFInd scans&mdash;but be sure to rename <tt>HashTool.efi</tt> or rEFInd will ignore it. You'll then see a boot loader entry for HashTool. More recent versions of HashTool can access multiple partitions, but I have yet to find a pre-signed version, so if you want to use it, you'll need to compile it yourself and then register its hash with an earlier version (or with Secure Boot temporarily disabled).</p>
467
468 <li>Repeat the preceding two steps for any additional binaries you might
469 want to enroll. These include any EFI filesystem drivers you're using,
470 any boot loaders you're launching from rEFInd (other than those that
471 are already signed, such as Microsoft's boot loader), and possibly your
472 Linux kernel.</li>
473
474 <li>At the HashTool main menu, select <tt>Exit</tt>. rEFInd should
475 launch.</li>
476
477 </ol>
478
479 <p>If you did everything right, rEFInd should now launch follow-on boot loaders and kernels, including both programs signed with the platform's Secure Boot keys and binaries that you've authorized with HashTool. If you need to authorize additional programs, you can do so from rEFInd by using the MOK utility tool icon that launches <tt>HashTool.efi</tt> from the second row of icons. (This icon should appear by default, but if you uncomment the <tt>showtools</tt> token in <tt>refind.conf</tt>, be sure that <tt>mok_tool</tt> is present among the options.)</p>
480
481 <p>Although PreLoader is easier to set up than Shim, particularly if you need to launch programs or kernels that aren't already signed, it suffers from the problem that you must register every new program you install, including Linux kernels if you launch them directly from rEFInd. This need can be a hassle if you update your kernels frequently, and every new registration chews up a little space in your NVRAM. Nonetheless, PreLoader can be a good Secure Boot solution for many users or if you want to build a portable Linux installation that you can use on any computer with minimal fuss.</p>
482
483 <a name="caveats">
484 <h2>Secure Boot Caveats</h2>
485 </a>
486
487 <p>rEFInd's Secure Boot originated with version 0.5.0 of the program, and was revamped for version 0.6.2, both released in late 2012. It's worked well for myself and several others with whom I've corresponded; but you might still run into problems. Some issues you might encounter include the following:</p>
488
489 <ul>
490
491 <li>rEFInd uses the same EFI "hooks" as PreLoader. This method, however, is
492 part of an optional EFI subsystem, so in theory some EFIs might not
493 support it. For months, I knew of no such implementation, but <a
494 href="http://superuser.com/questions/615142/uefi-failed-to-install-override-security-policy">this
495 SuperUser question</a> indicates that at least one such implementation
496 exists. Subsequent discussions on the site imply that the computer
497 doesn't support Secure Boot at all. The bottom line: If you encounter
498 the error message <tt>Failed to install override security policy,</tt>
499 try removing PreLoader from your boot path.</li>
500
501 <li>Under certain circumstances, the time required to launch a boot loader
502 can increase. This is unlikely to be noticeable for the average small
503 boot loader, but could be significant for larger boot loaders on slow
504 filesystems, such as Linux kernels on ext2fs, ext3fs, or ReiserFS
505 partitions.</li>
506
507 <li>rEFInd's own Secure Boot support is theoretically able to work on
508 non-<i>x</i>86-64 platforms; however, to the best of my knowledge, Shim
509 and PreLoader both work only on <i>x</i>86-64, and rEFInd is dependent
510 upon these tools. In principle, you should be able to <a
511 href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html#add_keys">replace
512 your computer's standard Secure Boot keys</a> to use Secure Boot on
513 these platforms with rEFInd, but this approach will require either
514 built-in key-modification tools in the computer's setup utility or a
515 build of <tt>LockDown.efi</tt> for your platform. I've not tested this
516 approach on <i>x</i>86 or ARM, so I can't say whether it would actually
517 work.</li>
518
519 <li>In theory, signing Microsoft's boot loader with a MOK should work. This
520 might be handy if you want to replace your computer's built-in keys
521 with your own but still boot Windows&mdash;but be aware that if Windows
522 replaces its boot loader, it will then stop working.</li>
523
524 </ul>
525
526 <p>If you launch a boot loader or other program from rEFInd that relies on the EFI's standard program-launching code, that program should take advantage of Shim and its MOKs. For instance, if you launch <a href="http://freedesktop.org/wiki/Software/gummiboot">gummiboot</a> from rEFInd (and rEFInd from Shim), gummiboot should be able to launch Shim/MOK-signed Linux kernels. This is not currently true if you launch gummiboot directly from Shim. (You can launch gummiboot from PreLoader and it should work, though, because of technical differences between how Shim and PreLoader work.)</p>
527
528 <p>My focus in testing rEFInd's Secure Boot capabilities has been on getting Linux kernels with EFI stub loaders to launch correctly. I've done some minimal testing with GRUB 2, though. I've also tested some self-signed binaries, such as an EFI shell and MokManager. (The EFI shell launches, but will not itself launch anything that's not been signed with a UEFI Secure Boot key. This of course limits its utility.)</p>
529
530 <p>Some of the awkwardness of using rEFInd with Secure Boot is due to the need to manage MOKs (either keys with Shim or hashes with PreLoader). Such problems would evaporate if you could get a copy of rEFInd signed with your distribution's Secure Boot key. Thus, if you're annoyed by such problems, try filing a feature request with your distribution maintainer to have them include rEFInd (and sign it!) with their official package set.</p>
531
532 <hr />
533
534 <p>copyright &copy; 2012&ndash;2015 by Roderick W. Smith</p>
535
536 <p>This document is licensed under the terms of the <a href="FDL-1.3.txt">GNU Free Documentation License (FDL), version 1.3.</a></p>
537
538 <p>If you have problems with or comments about this Web page, please e-mail me at <a href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com.</a> Thanks.</p>
539
540 <p><a href="index.html">Go to the main rEFInd page</a></p>
541
542 <p><a href="revisions.html">Learn about rEFInd's history</a></p>
543
544
545 <p><a href="http://www.rodsbooks.com/">Return</a> to my main Web page.</p>
546 </body>
547 </html>