X-Git-Url: https://code.delx.au/refind/blobdiff_plain/970af7382223d2dd18a6d29db512eb7009a6ff6f..dca87996fe98099efb7626df25465707aeca4cfd:/docs/refind/secureboot.html diff --git a/docs/refind/secureboot.html b/docs/refind/secureboot.html index b7cba26..ef8b7c0 100644 --- a/docs/refind/secureboot.html +++ b/docs/refind/secureboot.html @@ -17,7 +17,7 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com

Originally written: 11/13/2012; last Web page update: -9/13/2015, referencing rEFInd 0.9.1

+11/8/2015, referencing rEFInd 0.10.0

This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!

@@ -44,7 +44,6 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com

-Donate with PayPal @@ -59,7 +58,6 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com

-Donate with PayPal @@ -75,7 +73,6 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com

-Donate with PayPal @@ -90,7 +87,6 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com

-Donate with PayPal @@ -105,7 +101,6 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com

-Donate with PayPal @@ -119,7 +114,6 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com

-Donate with PayPal @@ -154,6 +148,13 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com

+

Note: Macs don't (yet?) support Secure Boot, but +as of version 10.11 ("El Capitan"), OS X uses its own new security feature, +System Integrity Protection (SIP), which creates its own set of +hoops through which rEFInd users must jump. See the rEFInd and System Integrity Protection page for +details.

+

If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some Secure Boot basics and two specific ways of using rEFInd with Secure Boot: Using the Shim program and using the PreLoader program. (My separate EFI Boot Loaders for Linux page on Secure Boot covers the additional topics of disabling Secure Boot and adding keys to the firmware's own set of keys.) This page concludes with a look at known bugs and limitations in rEFInd's Secure Boot features.

@@ -228,7 +229,7 @@ Windows 8, this isn't an option for it. Unfortunately, the Shim and PreLoader pr

Installing Shim and rEFInd

 -

Note: rEFInd's install.sh script attempts to identify whether your computer was booted with Secure Boot active and, if it was, to locate existing Shim binaries and make use of whatever it finds. Thus, you may not need to explicitly set up Shim after you install rEFInd, although you will probably have to enroll rEFInd's key in your MOK list, as described shortly.

+

Note: rEFInd's refind-install script attempts to identify whether your computer was booted with Secure Boot active and, if it was, to locate existing Shim binaries and make use of whatever it finds. Thus, you may not need to explicitly set up Shim after you install rEFInd, although you will probably have to enroll rEFInd's key in your MOK list, as described shortly.

A working Secure Boot installation of rEFInd involves at least three programs, and probably four or more, each of which must be installed in a specific way:

@@ -244,7 +245,7 @@ Windows 8, this isn't an option for it. Unfortunately, the Shim and PreLoader pr -

If you've installed a distribution that provides Shim and can boot it with Secure Boot active, and if you then install rEFInd using the RPM file that I provide or by running install.sh, chances are you'll end up with a working rEFInd that will start up the first time, with one caveat: You'll have to use MokManager to add rEFInd's MOK to your MOK list, as described shortly. If you don't already have a working copy of Shim on your ESP, your task is more complex. Broadly speaking, the procedure should be something like this:

+

If you've installed a distribution that provides Shim and can boot it with Secure Boot active, and if you then install rEFInd using the RPM file that I provide or by running refind-install, chances are you'll end up with a working rEFInd that will start up the first time, with one caveat: You'll have to use MokManager to add rEFInd's MOK to your MOK list, as described shortly. If you don't already have a working copy of Shim on your ESP, your task is more complex. Broadly speaking, the procedure should be something like this:

    @@ -262,19 +263,24 @@ Windows 8, this isn't an option for it. Unfortunately, the Shim and PreLoader pr version, though; as noted earlier, it's inadequate for use with rEFInd.) -

    Tip: If you're running Linux, you can save some effort by using the install.sh script with its --shim /path/to/shim.efi option rather than installing manually, as in steps 4–6 of this procedure. If you've installed openssl and sbsign, using --localkeys will generate local signing keys and re-sign the rEFInd binaries with your own key, too. You can then use sbsign and the keys in /etc/refind.d/keys to sign your kernels or boot loaders.

    +

    Tip: If you're running Linux, you can save some effort by using the refind-install script with its --shim /path/to/shim.efi option rather than installing manually, as in steps 4–6 of this procedure. If you've installed openssl and sbsign, using --localkeys will generate local signing keys and re-sign the rEFInd binaries with your own key, too. You can then use sbsign and the keys in /etc/refind.d/keys to sign your kernels or boot loaders.

  1. Copy the shim.efi and MokManager.efi binaries to the directory you intend to use for rEFInd—for instance, EFI/refind on the ESP.
  2. Follow the installation instructions for rEFInd on the Installing rEFInd page; however, give rEFInd - the filename grubx64.efi and register shim.efi with - the EFI by using efibootmgr in Linux or bcdedit in - Windows. Be sure that rEFInd (as grubx64.efi), - shim.efi, and MokManager.efi all reside in the same - directory.
    3. + href="installing.html">Installing rEFInd page; however, you should + normally give rEFInd the filename grubx64.efi and register + shim.efi with the EFI by using efibootmgr in Linux or + bcdedit in Windows. Be sure that rEFInd (as + grubx64.efi), shim.efi, and MokManager.efi + all reside in the same directory. If you're using Shim 0.7 or later and + installing it under Linux, you may optionally keep rEFInd's + refind_x64.efi name; but you must then tell Shim to use rEFInd + by passing an additional -u "shim.efi refind_x64.efi" option + to efibootmgr. Change the filenames to the actual filenames + used by Shim and rEFInd, respectively.
  3. Copy the refind.cer file from the rEFInd package to your ESP, ideally to a location with few other files. (The rEFInd installation @@ -328,7 +334,7 @@ Windows 8, this isn't an option for it. Unfortunately, the Shim and PreLoader pr

    Managing Your MOKs

    -

    The preceding instructions provided the basics of getting rEFInd up and running, including using MokManager to enroll a MOK on your computer. If you need to sign binaries, though, you'll have to use additional tools. The OpenSSL package provides the cryptographic tools necessary, but actually signing EFI binaries requires additional software. Two packages for this are available: sbsigntool and pesign. Both are available in binary form from this OpenSUSE Build Service (OBS) repository, and many distributions ship with at least one of them. The following procedure uses sbsigntool. To sign your own binaries, follow these steps (you can skip the first five steps if you've successfully used install.sh's --localkeys option):

    +

    The preceding instructions provided the basics of getting rEFInd up and running, including using MokManager to enroll a MOK on your computer. If you need to sign binaries, though, you'll have to use additional tools. The OpenSSL package provides the cryptographic tools necessary, but actually signing EFI binaries requires additional software. Two packages for this are available: sbsigntool and pesign. Both are available in binary form from this OpenSUSE Build Service (OBS) repository, and many distributions ship with at least one of them. The following procedure uses sbsigntool. To sign your own binaries, follow these steps (you can skip the first five steps if you've successfully used refind-install's --localkeys option):

      @@ -336,8 +342,8 @@ Windows 8, this isn't an option for it. Unfortunately, the Shim and PreLoader pr normally comes in a package called openssl.)
    1. If you did not re-sign your rEFInd binaries with - install.sh's --localkeys option, type the following - two commands to generate your public and private keys: + refind-install's --localkeys option, type the + following two commands to generate your public and private keys: 
       $ openssl req -new -x509 -newkey rsa:2048 -keyout refind_local.key \
@@ -357,7 +363,7 @@ $ openssl x509 -in refind_local.crt -out refind_local.cer
     are equivalent, but are used by different
     tools—sbsigntool uses refind_local.crt to sign
     binaries, but MokManager uses refind_local.cer to enroll the
-    key. If you used install.sh's --localkeys option,
+    key. If you used refind-install's --localkeys option,
     this step is unnecessary, since these keys have already been created
     and are stored in /etc/refind.d/keys/.