href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 11/13/2012; last Web page update:
-12/30/2012, referencing rEFInd 0.6.2</p>
+2/3/2013, referencing rEFInd 0.6.7</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p class="sidebar"><b>Note:</b> My <a href="http://www.rodsbooks.com/efi-bootloaders/">Managing EFI Boot Loaders for Linux</a> Web page includes a much more detailed description of Secure Boot in its <a href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html">Dealing with Secure Boot</a> sub-page. You should consult this page if you want to disable Secure Boot, generate your own keys, or perform other such tasks.</p>
+<div class="navbar">
+
+<h4 class="tight">Contents</h4>
+
+<ul>
+
+<li class="tight"><a href="#basic">Basic Issues</li>
+
+<li class="tight"><a href="#installation">Installation Issues</a></li>
+
+<li class="tight"><a href="#mok">Managing Your MOKs</a></li>
+
+<li class="tight"><a href="#caveats">Secure Boot Caveats</a></li>
+
+</ul>
+
+</div>
+
<p>If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some <a href="#basic">secure boot basics</a> and two specific aspects of rEFInd and its interactions with Secure Boot: <a href="#installation">installation issues</a> and <a href="#mok">MOK management.</a> It concludes with a look at <a href="#caveats">known bugs and limitations</a> in rEFInd's Secure Boot features.</p>
<a name="basic">
<p>Through 2012, it became obvious that Secure Boot would be a feature that was controlled, to a large extent, by Microsoft. This is because Microsoft requires that non-server computers that display Windows 8 logos ship with Secure Boot enabled. As a practical matter, this also means that such computers ship with Microsoft's keys in their firmware. In the absence of an industry-standard body to manage the signing of Secure Boot keys, this means that Microsoft's key is the only one that's more-or-less guaranteed to be installed on the computer, thus blocking the ability to boot any OS that lacks a boot path through Microsoft's signing key.</p>
-<p>Fortunately, Microsoft will sign third-party binaries with their key. A payment of $99 to Verisign enables a software distributor to sign as many binaries as desired. Red Hat (Fedora), Novell (SUSE), and Canonical (Ubuntu) have all announced plans to take advantage of this system. Unfortunately, using a third-party signing service is an awkward solution for open source software. In fact, for this very reason Red Hat has developed a program that it calls <i>shim</i> that essentially shifts the Secure Boot "train" from Microsoft's proprietary "track" to one that's more friendly to open source authors. Shim is signed by Microsoft and redirects the boot process to another boot loader that can be signed with keys that the distribution maintains and that are built into shim. Fedora 18 is expected to use this system. SUSE has announced that it will use the same system, as does Ubuntu with version 12.10 and later. SUSE has contributed to the shim approach by providing expansions to shim that support a set of keys that users can maintain themselves. These keys are known as Machine Owner Keys (MOKs), and managing them is described later, in <a href="#mok">Managing MOKs.</a> To reiterate, then, there are potentially three ways to sign a binary that will get it launched on a computer that uses shim:</p>
+<p class="sidebar"><b>Note:</b> The <a href="http://www.linuxfoundation.org">Linux Foundation</a> is on the verge of releasing a signed version of their <a href="http://www.linuxfoundation.org/news-media/blogs/browse/2012/10/linux-foundation-uefi-secure-boot-system-open-source">PreBootloader,</a> which will function something like shim; however, where shim requires signing all binaries that don't already have valid Secure Boot keys and managing a small number of keys, PreBootloader requires registering every authorized binary. I'll update this documentation when PreBootloader is released in a signed form.</p>
+
+<p>Fortunately, Microsoft will sign third-party binaries with their key—or more precisely, with a key that Microsoft uses to sign third-party binaries. (Microsoft uses another key to sign its own binaries, and some devices, such as the Microsoft Surface tablet, lack the third-party Microsoft key.) A payment of $99 to Verisign enables a software distributor to sign as many binaries as desired. Red Hat (Fedora), Novell (SUSE), and Canonical (Ubuntu) have all announced plans to take advantage of this system. Unfortunately, using a third-party signing service is an awkward solution for open source software. In fact, for this very reason Red Hat has developed a program that it calls <i>shim</i> that essentially shifts the Secure Boot "train" from Microsoft's proprietary "track" to one that's more friendly to open source authors. Shim is signed by Microsoft and redirects the boot process to another boot loader that can be signed with keys that the distribution maintains and that are built into shim. Fedora 18 also uses this system. SUSE has announced that it will use the same system, as does Ubuntu with version 12.10 and later. SUSE has contributed to the shim approach by providing expansions to shim that support a set of keys that users can maintain themselves. These keys are known as Machine Owner Keys (MOKs), and managing them is described later, in <a href="#mok">Managing MOKs.</a> To reiterate, then, there are potentially three ways to sign a binary that will get it launched on a computer that uses shim:</p>
<ul>
<ul>
-<li><b>shim</b>—You can download a version of shim signed with Microsoft's Secure Boot key <a href="http://www.codon.org.uk/~mjg59/shim-signed/">here.</a> This version (created by shim's developer, former Red Hat employee Matthew J. Garrett) includes a shim key that's used by nothing but the <tt>MokManager.efi</tt> program that also ships with the program. Thus, to use this version of shim, you must use MOKs.
Ubuntu 12.10 ships with its own shim, but that version doesn't support MOKs and so is useless for launching rEFInd. Future versions of Fedora, SUSE, and probably other distributions will come with their own variants of shim, most of which will no doubt support their own shim keys as well as MOKs. You should install shim just as you would install other EFI boot loaders, as described <a href="http://www.rodsbooks.com/efi-bootloaders/installation.html">here.</a> For use in launching rEFInd, it makes sense to install <tt>shim.efi</tt> in <tt>EFI/refind</tt> on your ESP, although of course this detail is up to you.</li>
+<li><b>shim</b>—You can download a version of shim signed with Microsoft's Secure Boot key <a href="http://www.codon.org.uk/~mjg59/shim-signed/">here.</a> This version (created by shim's developer, former Red Hat employee Matthew J. Garrett) includes a shim key that's used by nothing but the <tt>MokManager.efi</tt> program that also ships with the program. Thus, to use this version of shim, you must use MOKs.
Fedora 18's version of shim includes its own key but can also use MOKs; but to use it with rEFInd, you must still enroll rEFInd's MOK. Ubuntu 12.10 ships with its own shim, but that version doesn't support MOKs and so is useless for launching rEFInd. Future versions of SUSE and probably other distributions will come with their own variants of shim, most of which will no doubt support their own shim keys as well as MOKs. You should install shim just as you would install other EFI boot loaders, as described <a href="http://www.rodsbooks.com/efi-bootloaders/installation.html">here.</a> For use in launching rEFInd, it makes sense to install <tt>shim.efi</tt> in <tt>EFI/refind</tt> on your ESP, although of course this detail is up to you.</li>
<li><b>MokManager</b>—This program is included with shim 0.2 and later. It presents a crude user interface for managing MOKs, and it's launched by shim if shim can't find its default boot loader (generally <tt>grubx64.efi</tt>) or if that program isn't properly signed. In principle, this program could be signed with a Secure Boot key or a MOK, but the binary in Garrett's shim 0.2 is signed with a shim key, and I expect that versions distributed with most Linux distributions will also be signed by their respective shim keys. This program should reside in the same directory as <tt>shim.efi</tt>, under the name <tt>MokManager.efi</tt>. Although you could theoretically do without MokManager, in practice you'll need it at least temporarily to install the MOK with which rEFInd is signed.</li>
href="http://www.codon.org.uk/~mjg59/shim-signed/">Matthew J. Garrett's
download site</a> or from your distribution. (Don't use Ubuntu 12.10's
version, though; as noted earlier, it's inadequate for use with
- rEFInd.) The most recent beta versions of Fedora 18 reportedly ship
- with a signed shim, but I've not yet tested them.</li>
+ rEFInd.) Fedora 18 ships with a signed shim, but I've not yet tested
+ it.</li>
<p class="sidebar"><b>Tip:</b> If you're running Linux, you can save some effort by using the <tt>install.sh</tt> script with its <tt>--shim <tt class="variable">/path/to/shim.efi</tt></tt> option rather than installing manually, as in steps 4–6 of this procedure. If you've installed <tt>openssl</tt> and <tt>sbsign</tt>, using <tt>--localkeys</tt> will generate local signing keys and re-sign the rEFInd binaries with your own key, too. You can then use <tt>sbsign</tt> and the keys in <tt>/etc/refind.d/keys</tt> to sign your kernels or boot loaders.</p>
have to wait for future shim developments if you want to use Secure
Boot on <i>x</i>86 or ARM computers.</li>
-<li>I currently lack a Windows 8 installation with which to test, so I can't
- even be 100% positive that rEFInd will launch Windows 8 in Secure Boot
- ode. (It should, though, since it can launch other boot loaders that have
- been signed with Microsoft's keys.) In theory, signing Microsoft's boot
- loader with a MOK should work. This might be handy if you want to replace
- your computer's built-in keys with your own but still boot Windows—but
- be aware that if Windows replaces its boot loader, it will then stop
- working.</li>
+<li>In theory, signing Microsoft's boot loader with a MOK should work. This
+ might be handy if you want to replace your computer's built-in keys
+ with your own but still boot Windows—but be aware that if Windows
+ replaces its boot loader, it will then stop working.</li>
</ul>
<hr />
-<p>copyright © 2012 by Roderick W. Smith</p>
+<p>copyright © 2012–2013 by Roderick W. Smith</p>
<p>This document is licensed under the terms of the <a href="FDL-1.3.txt">GNU Free Documentation License (FDL), version 1.3.</a></p>