href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 11/13/2012; last Web page update:
-12/5/2012, referencing rEFInd 0.5.0</p>
+12/6/2012, referencing rEFInd 0.5.0</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p class="sidebar"><b>Note:</b> My <a href="http://www.rodsbooks.com/efi-bootloaders/">Managing EFI Boot Loaders for Linux</a> Web page includes a much more detailed description of Secure Boot in its <a href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html">Dealing with Secure Boot</a> sub-page. You should consult this page if you want to disable Secure Boot, generate your own keys, or perform other such tasks.</p>
-<p>If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some <a href="#basic">secure boot basics</a> and two specific aspects of rEFInd and its interactions with Secure Boot: <a href="#installation">installation issues</a> and <a href="#caveats">known bugs and limitations</a> in rEFInd's Secure Boot features.</p>
+<p>If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some <a href="#basic">secure boot basics</a> and two specific aspects of rEFInd and its interactions with Secure Boot: <a href="#installation">installation issues</a> and <a href="#mok">MOK management.</a> It concludes with a look at <a href="#caveats">known bugs and limitations</a> in rEFInd's Secure Boot features.</p>
<a name="basic">
<h2>Basic Issues</h2>
<p>Through 2012, it became obvious that Secure Boot would be a feature that was controlled, to a large extent, by Microsoft. This is because Microsoft requires that non-server computers that display Windows 8 logos ship with Secure Boot enabled. As a practical matter, this also means that such computers ship with Microsoft's keys in their firmware. In the absence of an industry-standard body to manage the signing of Secure Boot keys, this means that Microsoft's key is the only one that's more-or-less guaranteed to be installed on the computer, thus blocking the ability to boot any OS that lacks a boot path through Microsoft's signing key.</p>
-<p>Fortunately, Microsoft will sign third-party binaries with their key. A payment of $99 to Verisign enables a software distributor to sign as many binaries as desired. Red Hat (Fedora), Novell (SUSE), and Canonical (Ubuntu) have all announced plans to take advantage of this system. Unfortunately, using a third-party signing service is an awkward solution for open source software. In fact, for this very reason Red Hat has developed a program that it calls <i>shim</i> that essentially shifts the Secure Boot "train" from Microsoft's proprietary "track" to one that's more
convenient for open source authors. Shim is signed by Microsoft and redirects the boot process to another boot loader that can be signed with keys that the distribution maintains and that are built into shim. Fedora 18 is expected to use this system. SUSE has announced that it will use the same system, as does Ubuntu with version 12.10 and later. SUSE has contributed to the shim approach by supporting a set of keys that users can maintain themselves. These keys are known as Machine Owner Keys (MOKs), and managing them is described later, in <a href="#mok">Managing MOKs.</a> To reiterate, then, there are potentially three ways to sign a binary that will get it launched on a system that uses shim:</p>
+<p>Fortunately, Microsoft will sign third-party binaries with their key. A payment of $99 to Verisign enables a software distributor to sign as many binaries as desired. Red Hat (Fedora), Novell (SUSE), and Canonical (Ubuntu) have all announced plans to take advantage of this system. Unfortunately, using a third-party signing service is an awkward solution for open source software. In fact, for this very reason Red Hat has developed a program that it calls <i>shim</i> that essentially shifts the Secure Boot "train" from Microsoft's proprietary "track" to one that's more
friendly to open source authors. Shim is signed by Microsoft and redirects the boot process to another boot loader that can be signed with keys that the distribution maintains and that are built into shim. Fedora 18 is expected to use this system. SUSE has announced that it will use the same system, as does Ubuntu with version 12.10 and later. SUSE has contributed to the shim approach by providing expansions to shim that support a set of keys that users can maintain themselves. These keys are known as Machine Owner Keys (MOKs), and managing them is described later, in <a href="#mok">Managing MOKs.</a> To reiterate, then, there are potentially three ways to sign a binary that will get it launched on a system that uses shim:</p>
<ul>
<p>Because shim and MOK are being supported by several of the major players in the Linux world, I've decided to do the same with rEFInd. Beginning with version 0.5.0, rEFInd can communicate with the shim system to authenticate boot loaders. If a boot loader has been signed by a valid UEFI Secure Boot key, a valid shim key, or a valid MOK key, rEFInd will launch it. rEFInd will also launch unsigned boot loaders or those with invalid signatures <i>if</i> Secure Boot is disabled in or unsupported by the firmware. (If that's your situation, you needn't bother reading this page.)</p>
-<p>Version 0.5.0 doesn't yet ship in a pre-signed form; you'll need to create your own keys, as described shortly, and use them to sign your binary of rEFInd. I'm forcing you to do this because it's necessary to sign your post-rEFInd binaries anyhow.</p>
+<p>Version 0.5.0 ships signed with my own keys, and I provide the public version of this key with the rEFInd package. This can help simplify setup, since you needn't generate your own keys to get rEFInd working; however, without public keys for the boot loaders that rEFInd launches, you'll still need to generate keys and sign your boot loaders, as described in the <a href="#mok">Managing Your MOKs</a> section.</p>
<a name="installation">
<h2>Installation Issues</h2>
<ul>
-<li><b>shim</b>—You can download a version of shim signed with Microsoft's Secure Boot key <a href="http://www.codon.org.uk/~mjg59/shim-signed/">here.</a> This version (created by shim's developer, Matthew J. Garrett) includes a shim key that's signed nothing but the <tt>MokManager.efi</tt> program that also ships with the program. Thus, to use this version of shim, you must use MOKs. Ubuntu 12.10 ships with its own shim, but that version doesn't support MOKs and so is useless for launching rEFInd. Future versions of Fedora, SUSE, and probably other distributions will come with their own variants of shim, most of which will no doubt support their own shim keys as well as MOKs. You should install shim just as you would install other EFI boot loaders, as described <a href="http://www.rodsbooks.com/efi-bootloaders/installation.html">here.</a>For use in launching rEFInd, it makes sense to install <tt>shim.efi</tt> in <tt>EFI/refind</tt> on your ESP, although of course this detail is up to you.</li>
+<li><b>shim</b>—You can download a version of shim signed with Microsoft's Secure Boot key <a href="http://www.codon.org.uk/~mjg59/shim-signed/">here.</a> This version (created by shim's developer, former Red Hat employee Matthew J. Garrett) includes a shim key that's used by nothing but the <tt>MokManager.efi</tt> program that also ships with the program. Thus, to use this version of shim, you must use MOKs. Ubuntu 12.10 ships with its own shim, but that version doesn't support MOKs and so is useless for launching rEFInd. Future versions of Fedora, SUSE, and probably other distributions will come with their own variants of shim, most of which will no doubt support their own shim keys as well as MOKs. You should install shim just as you would install other EFI boot loaders, as described <a href="http://www.rodsbooks.com/efi-bootloaders/installation.html">here.</a> For use in launching rEFInd, it makes sense to install <tt>shim.efi</tt> in <tt>EFI/refind</tt> on your ESP, although of course this detail is up to you.</li>
-<li><b>MokManager</b>—This program is included with shim 0.2 and later. It presents a crude user interface for managing MOKs, and it's launched by shim if shim can't find its default boot loader (generally <tt>grubx64.efi</tt>) or if that program isn't properly signed. In principle, this program could be signed with a MOK, but the binary in Garrett's shim 0.2 is signed with a shim key, and I expect that versions distributed with most Linux distributions will also be signed by their respective shim keys. This program should reside in the same directory as <tt>shim.efi</tt>, under the name <tt>MokManager.efi</tt>. Although you could theoretically do without MokManager, in practice you'll need it at least temporarily to install the MOK with which rEFInd is signed.</li>
+<li><b>MokManager</b>—This program is included with shim 0.2 and later. It presents a crude user interface for managing MOKs, and it's launched by shim if shim can't find its default boot loader (generally <tt>grubx64.efi</tt>) or if that program isn't properly signed. In principle, this program could be signed with a Secure Boot key or a MOK, but the binary in Garrett's shim 0.2 is signed with a shim key, and I expect that versions distributed with most Linux distributions will also be signed by their respective shim keys. This program should reside in the same directory as <tt>shim.efi</tt>, under the name <tt>MokManager.efi</tt>. Although you could theoretically do without MokManager, in practice you'll need it at least temporarily to install the MOK with which rEFInd is signed.</li>
-<li><b>rEFInd</b>—Naturally, you need rEFInd. Because shim is hard-coded to launch a program called <tt>grubx64.efi</tt>, you must install rEFInd using that name and to the same directory in which <tt>shim.efi</tt> resides. In theory, rEFInd could be signed with a Secure Boot key, a shim key, or a MOK; however, because Microsoft won't sign binaries distributed under the GPLv3, I can't distribute a version of rEFInd signed with Microsoft's Secure Boot key; and as I don't have access to the private shim keys used by any distribution, I can't distribute a rEFInd binary signed by them. Thus, rEFInd will normally be signed by a MOK. As of version 0.5.0, you must sign your rEFInd binary with your own MOK.</li>
+<li><b>rEFInd</b>—Naturally, you need rEFInd. Because shim is hard-coded to launch a program called <tt>grubx64.efi</tt>, you must install rEFInd using that name and to the same directory in which <tt>shim.efi</tt> resides. In theory, rEFInd could be signed with a Secure Boot key, a shim key, or a MOK; however, because Microsoft won't sign binaries distributed under the GPLv3, I can't distribute a version of rEFInd signed with Microsoft's Secure Boot key; and as I don't have access to the private shim keys used by any distribution, I can't distribute a rEFInd binary signed by them. (If distributions begin including rEFInd in their package sets, though, such distribution-provided binaries could be signed with the distributions' shim keys.) Thus, rEFInd will normally be signed by a MOK. Beginning with version 0.5.0, rEFInd binaries that I provide are signed by me.</li>
<li><b>Your boot loaders and kernels</b>—Your OS boot loaders, and perhaps your Linux kernels, must be signed. They can be signed with any of the three key types. Indeed, your system may have a mix of all three types—a Windows 8 boot loader will most likely be signed with Microsoft's Secure Boot key, GRUB and kernels provided by most distributions will be signed with their own shim keys, and if you use your own locally-compiled kernel or a boot loader from an unusual source you may need to sign it with a MOK. Aside from signing, these files can be installed in exactly the same way as if your computer were not using Secure Boot.</li>
</ul>
-<p>Because of variables such as which version of shim you're using, I can't provide an absolutely complete procedure for installing rEFInd to work with Secure Boot. Broadly speaking, though, the procedure should be something like this:</p>
+<p>Because of variables such as which version of shim you're using and whether you're installing a pre-signed version of rEFInd or want to sign it yourself, I can't provide an absolutely complete procedure for installing rEFInd to work with Secure Boot. Broadly speaking, though, the procedure should be something like this:</p>
<ol>
<li>Boot the computer. This can be a challenge in and of itself. You may need to use a Secure Boot–enabled Linux emergency disc, temporarily disable Secure Boot, or do the work from Windows.</li>
+<li><a href="getting.html">Download rEFInd</a> in binary form (the binary zip or CD-R image file). If you download the binary zip file, unzip it; if you get the CD-R image file, burn it to a CD-R and mount it.</li>
+
<li>Download shim from <a href="http://www.codon.org.uk/~mjg59/shim-signed/">Matthew J. Garrett's download site</a> or from your distribution. (Don't use Ubuntu 12.10's version, though; as noted earlier, it's inadequate for use with rEFInd.)</li>
<li>Copy the <tt>shim.efi</tt> and <tt>MokManager.efi</tt> binaries to the directory you intend to use for rEFInd—for instance, <tt>EFI/refind</tt> on the ESP.</li>
+<li>Follow the installation instructions for rEFInd on the <a href="installing.html">Installing rEFInd</a> page; however, give rEFInd the filename <tt>grubx64.efi</tt> and register <tt>shim.efi</tt> with the EFI by using <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt> in Windows. This is most cleanly done by following the manual instructions; however, you can use the <tt>install.sh</tt> script if you subsequently rename the files and register <tt>shim.efi</tt> with <tt>efibootmgr</tt>. Be sure that rEFInd (as <tt>grubx64.efi</tt>), <tt>shim.efi</tt>, and <tt>MokManager.efi</tt> all reside in the same directory.</li>
+
+<li>Copy the <tt>refind.cer</tt> file from the rEFInd package to your ESP, ideally to a location with few other files. (The rEFInd installation directory should work fine.)</li>
+
+<li>Reboot. With any luck, you'll see a simple text-mode user interface with a label of <tt>Shim UEFI key management</tt>. This is the MokManager program, which shim launched when rEFInd failed verification because its key is not yet enrolled.</li>
+
+<li>Press your down arrow key and press Enter to select <tt>Enroll key from disk</tt>. The screen will clear and prompt you to select a key, as shown here:</li>
+
+ <br /><IMG SRC="MokManager1.png" ALIGN="CENTER" WIDTH="676"
+ HEIGHT="186" ALT="MokManager's user interface is crude but effective."
+ BORDER=2> <br />
+
+<li>Each of the lines with a long awkward string represents a disk partition. Select one and you'll see a list of files. Continue selecting subdirectories until you find the <tt>refind.cer</tt> file you copied to the ESP earlier.</li>
+
+<li>Select <tt>refind.cer</tt>. You can type <tt class="userinput">1</tt> to view the certificate's details if you like, or skip that and type <tt class="userinput">0</tt> to enroll the key.</li>
+
+<li>Back out of any directories you entered and return to the MokManager main menu.</li>
+
+<li>Select <tt>Continue boot</tt> at the main menu.</li>
+
+</ol>
+
+<p>At this point the computer may boot into its default OS, reboot, or perhaps even hang. When you reboot it, though, rEFInd should start up in Secure Boot mode. (You can verify this by selecting the <i>About rEFInd</i> tool in the main menu. Check the <i>Platform</i> item in the resulting screen; it should verify that Secure Boot is active.) You should now be able to launch any boot loader signed with a key recognized by the firmware or by shim (including any MOKs you've enrolled). If you want to manage keys in the future, rEFInd displays a new icon in the second (tools) row you can use to launch MokManager. (This icon appears by default if MokManager is installed, but if you edit <tt>showtools</tt> in <tt>refind.conf</tt>, you must be sure to include <tt>mok_tool</tt> as an option in order to gain access to it.)</p>
+
+<p>If you're using Ubuntu 12.10, you can't use its version of shim, but you can replace it with Garrett's shim. The problem is that Ubuntu's GRUB and kernel will then be signed by an unknown key. Unfortunately, I haven't found a suitable public key file on Ubuntu's distribution medium, so you may need to sign GRUB and/or your kernels with your own MOK. In principle, you should be able to use shim 0.2 or later from future distributions that include it; but you must be sure that whatever you use supports MokManager.</p>
+
+<a name="mok">
+<h2>Managing Your MOKs</h2>
+</a>
+
+<p>The preceding instructions provided the basics of getting rEFInd up and running, including using MokManager to enroll a MOK on your computer. If you need to sign binaries, though, you'll have to use additional tools. The OpenSSL package provides the cryptographic tools necessary, but actually signing EFI binaries requires additional software. Two packages for this are available: <tt>sbsigntool</tt> and <tt>pesign</tt>. Both are available in binary form from <a href="https://build.opensuse.org/project/show?project=home%3Ajejb1%3AUEFI">this OpenSUSE Build Service (OBS)</a> repository. The following procedure uses <tt>sbsigntool</tt>. To sign your own binaries, follow these steps:</p>
+
+<ol>
+
<li>If it's not already installed, install OpenSSL on your computer. (It normally comes in a package called <tt>openssl</tt>.</li>
<li>Type the following two commands to generate your public and private keys:
<pre class="listing">
$ <tt class="userinput">openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt \
- -days 3650 -subj "/CN=Your Name/"</tt>
+ -nodes -days 3650 -subj "/CN=Your Name/"</tt>
$ <tt class="userinput">openssl x509 -in MOK.crt -out MOK.cer -outform DER</tt>
</pre>
-Change <tt>Your Name</tt> to your own name or other identifying characteristics, and adjust the certificate's time span (set via <tt>-days</tt> as you see fit. After you type the first command, it will prompt you for a passphrase. Remember this, since you'll need it to sign your binaries. The result is a private key file (<tt>MOK.key</tt>), which is highly sensitive since it's required to sign binaries, and two public keys (<tt>MOK.crt</tt> and <tt>MOK.cer</tt>), which can be used to verify signed binaries' authenticity.</li>
+Change <tt>Your Name</tt> to your own name or other identifying characteristics, and adjust the certificate's time span (set via <tt>-days</tt>) as you see fit. If you omit the <tt>-nodes</tt> option, the program will prompt you for a passphrase for added security. Remember this, since you'll need it to sign your binaries. The result is a private key file (<tt>MOK.key</tt>), which is highly sensitive since it's required to sign binaries, and two public keys (<tt>MOK.crt</tt> and <tt>MOK.cer</tt>), which can be used to verify signed binaries' authenticity. The two public key files are equivalent, but are used by different tools—<tt>sbsigntool</tt> uses <tt>MOK.crt</tt> to sign binaries, but MokManager uses <tt>MOK.cer</tt> to enroll the key.</li>
<li>Copy the three key files to a secure location and adjust permissions such that only you can read <tt>MOK.key</tt>. You'll need these keys to sign future binaries, so don't discard them.</li>
-<li>Copy the <tt>MOK.cer</tt> file to your ESP, ideally to a location with few other files.</li>
+<li>Copy the <tt>MOK.cer</tt> file to your ESP, ideally to a location with few other files. (MokManager's user interface becomes unreliable when browsing directories with lots of files.)</li>
<li>Download and install the <tt>sbsigntool</tt> package. Binary links for various distributions are available from the <a href="https://build.opensuse.org/package/show?package=sbsigntools&project=home%3Ajejb1%3AUEFI">OpenSUSE Build Service</a>, or you can obtain the source code by typing <tt class="userinput">git clone git://kernel.ubuntu.com/jk/sbsigntool</tt>.</li>
-<li>Sign the rEFInd binary by typing <tt class="userinput">sbsign --key MOK.key --cert MOK.crt --output grubx64.efi refind_x64.efi</tt>, adjusting the paths as necessary to the keys and the rEFInd binary. Note that you're giving the signed rEFInd binary the filename <tt>grubx64.efi</tt>. This is necessary to launch rEFInd from shim.</li>
+<li>Sign your binary by typing <tt class="userinput">sbsign --key MOK.key --cert MOK.crt --output <tt class="variable">binary-signed.efi binary.efi</tt></tt>, adjusting the paths to the keys and the binary names.</li>
-<li>Follow the manual installation instructions for rEFInd on the <a href="installing.html">Installing rEFInd</a> page; however, give rEFInd the filename <tt>grubx64.efi</tt> and register <tt>shim.efi</tt> with the EFI by using <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt> in Windows.</li>
+<li>Copy your signed binary to a suitable location on the ESP for rEFInd to locate it. Be sure to include any support files that it needs, too.</li>
-<li>Reboot. With any luck, you'll see a simple text-mode user interface with a label of <tt>Shim UEFI key management</tt>. This is the MokManager program, which shim launched when rEFInd failed verification because its key is not yet enrolled.</li>
+<li>Check your <tt>refind.conf</tt> file to ensure that the <tt>showtools</tt> option is either commented out or includes <tt>mok_tool</tt> among its options.</li>
-<li>Press your down arrow key and press Enter to select <tt>Enroll key from disk</tt>. The screen will clear and prompt you to select a key, as shown here:</li>
-
- <br /><IMG SRC="MokManager1.png" ALIGN="CENTER" WIDTH="676"
- HEIGHT="186" ALT="MokManager's user interface is crude but effective."
- BORDER=2> <br />
-
-<li>Each of the lines with a long awkward string represents a disk partition. Select one and you'll see a list of files. Continue selecting subdirectories until you find the <tt>MOK.cer</tt> file you copied to the ESP earlier.</li>
-
-<li>Select <tt>MOK.cer</tt>. You can type <tt class="userinput">1</tt> to view your certificate's details if you like, or skip that and type <tt class="userinput">0</tt> to enroll the key.</li>
-
-<li>Back out of any directories you entered and return to the MokManager main menu.</li>
-
-<li>Select <tt>Continue boot</tt> at the main menu.</li>
+<li>Reboot. You can try launching the boot loader you just installed, but chances are it will generate an <tt>Access Denied</tt> message. For it to work, you must launch MokManager using the tool that rEFInd presents on its second row. You can then enroll your <tt>MOK.cer</tt> key just as you enrolled the <tt>refind.cer</tt> key.</li>
</ol>
-<p>At this point the computer may boot into its default OS, reboot, or perhaps even hang. When you reboot it, though, rEFInd should start up in Secure Boot mode. It should now be able to launch any boot loader signed with a key recognized by the firmware or by shim (including any MOKs you've enrolled). If you want to manage keys in the future, rEFInd displays a new icon in the second (tools) row you can use to launch MokManager. (This icon appears by default, but if you edit <tt>showtools</tt> in <tt>refind.conf</tt>, you must be sure to include <tt>mok_tool</tt> as an option in order to gain access to it.)</p>
-
-<p>If you're using Ubuntu 12.10, you can't use its version of shim, but you can replace it with Garrett's shim. The problem is that Ubuntu's GRUB and kernel will then be signed by an unknown key. Unfortunately, I haven't found a suitable public key file on Ubuntu's distribution medium, so you may need to sign GRUB and/or your kernels with your own MOK. In principle, you should be able to use shim 0.2 or later from future distributions that include it; but you must be sure that whatever you use supports MokManager.</p>
+<p>At this point you should be able to launch the binaries you've signed. Unfortunately, there can still be problems at this point....</p>
<a name="caveats">
<h2>Secure Boot Caveats</h2>
error for the second driver.</li>
<li>ELILO can't find its configuration file when launched from rEFInd in
- Secure Boot mode. The same may be true of GRUB or other boot loaders,
- but I haven't tested them.</li>
+ Secure Boot mode. The same may be true of GRUB Legacy or other boot loaders,
+ but I haven't tested them. (GRUB 2 seems fine.)</li>
+
+<li>Signing the Windows boot loader with a MOK won't work; it hangs, probably
+ for reasons similar to the ones that cause ELILO to fail. Fortunately,
+ the Windows 8 boot loader should work because it should be verified and
+ launched via EFI calls rather than via the new shim-derived code. (I lack
+ a Windows 8 installation for testing, though.) This limitation could affect
+ you if you want to boot Windows 7 with Secure Boot active, though.</li>
<li>Under certain circumstances, the time required to launch a boot loader
can increase. This is unlikely to be noticeable for the average small
filesystems, such as Linux kernels on ext2fs, ext3fs, or ReiserFS
partitions.</li>
-<li>I haven't tested launching Windows from rEFInd in Secure Boot mode.
- This is admittedly a huge omission; but I don't have a suitable
- installation for testing.</li>
-
<li>Secure Boot mode doesn't work on <i>x</i>86 (IA32) or ARM systems, just
on <i>x</i>86-64 (AMD64) computers. This is largely because shim has
the same limitations.</li>
</ul>
-<p>My focus in testing rEFInd's Secure Boot capabilities has been on getting Linux kernels with EFI stub loaders to launch correctly.</p>
+<p>My focus in testing rEFInd's Secure Boot capabilities has been on getting Linux kernels with EFI stub loaders to launch correctly. I've done some minimal testing with GRUB 2, though. I've also tested some self-signed binaries, such as an EFI shell and MokManager. (The EFI shell launches, but will not itself launch anything that's not been signed with a UEFI Secure Boot key. This of course limits its utility.)</p>
-<p>At the moment, I consider rEFInd's shim/MOK support to be of alpha quality. I'm releasing it in this state in the hope of getting feedback from adventurous early adopters. I expect the improve the installation procedure, and with any luck fix some of the known bugs, in the next couple of versions. Some of the usability improvements are dependent upon MOK-capable versions of shim being released with major distributions; such versions of shim, with kernels signed with the key that matches the one built into shim, will greatly reduce the need for users to sign boot loaders.</p>
+<p>At the moment, I consider rEFInd's shim/MOK support to be of alpha quality. I'm releasing it in this state in the hope of getting feedback from adventurous early adopters. I expect to improve the installation procedure, and with any luck fix some of the known bugs, in the next couple of versions. Some of the usability improvements are dependent upon MOK-capable versions of shim being released with major distributions; such versions of shim, with kernels signed with the key that matches the one built into shim, will greatly reduce the need for users to sign boot loaders.</p>
<hr />
#
# Revision history:
#
-# 0.4.8 -- Added --usedefault & --drivers options & changed "esp" option to "--esp"
+# 0.5.0 -- Added --usedefault & --drivers options & changed "esp" option to "--esp"
# 0.4.5 -- Fixed check for rEFItBlesser in OS X
# 0.4.2 -- Added notice about BIOS-based OSes & made NVRAM changes in Linux smarter
# 0.4.1 -- Added check for rEFItBlesser in OS X
# with which they first appeared.
TargetDir=/EFI/refind
+EtcKeysDir=/etc/refind.d/keys
+SBModeInstall=0
#
# Functions used by both OS X and Linux....
--drivers) InstallDrivers=1
;;
* ) echo "Usage: $0 [--esp | --usedefault {device-file}] [--drivers]"
- echo "Aborting!"
- exit 1
+ echo "Aborting!"
+ exit 1
esac
shift
done
cp -r $RefindDir/drivers_* $InstallDir/$TargetDir/
fi
Refind=""
+ cp $ThisDir/refind.cer $InstallDir/$TargetDir
+ cp $ThisDir/refind.crt $InstallDir/$TargetDir
elif [[ $Platform == 'EFI32' ]] ; then
cp $RefindDir/refind_ia32.efi $InstallDir/$TargetDir
if [[ $? != 0 ]] ; then
cp -r $RefindDir/drivers_x64/*_x64.efi $InstallDir/$TargetDir/drivers_x64/
fi
Refind="refind_x64.efi"
+ cp $ThisDir/refind.cer $InstallDir/$TargetDir
+ cp $ThisDir/refind.crt $InstallDir/$TargetDir
+ if [[ $SBModeInstall == 1 ]] ; then
+ echo "Storing copies of rEFInd Secure Boot public keys in $EtcKeysDir"
+ mkdir -p $EtcKeysDir
+ cp $ThisDir/refind.cer $EtcKeysDir
+ cp $ThisDir/refind.crt $EtcKeysDir
+ fi
else
echo "Unknown platform! Aborting!"
exit 1
read YesNo
if [[ $YesNo == "Y" || $YesNo == "y" ]] ; then
echo "Deleting /Library/StartupItems/rEFItBlesser..."
- rm -r /Library/StartupItems/rEFItBlesser
+ rm -r /Library/StartupItems/rEFItBlesser
else
echo "Not deleting rEFItBlesser."
fi
# Now a series of Linux support functions....
#
+# Check for evidence that we're running in Secure Boot mode. If so, warn the
+# user and confirm installation.
+# TODO: Perform a reasonable Secure Boot installation.
+CheckSecureBoot() {
+ VarFile=`ls -ld /sys/firmware/efi/vars/SecureBoot* 2> /dev/null`
+ if [[ -n $VarFile && $TargetDir != '/EFI/BOOT' ]] ; then
+ echo ""
+ echo "CAUTION: The computer seems to have been booted with Secure Boot active."
+ echo "Although rEFInd, when installed in conjunction with the shim boot loader, can"
+ echo "work on a Secure Boot computer, this installation script doesn't yet support"
+ echo "direct installation in a way that will work on such a computer. You may"
+ echo "proceed with installation with this script, but if you intend to boot with"
+ echo "Secure Boot active, you must then reconfigure your boot programs to add shim"
+ echo "to the process. Alternatively, you may terminate this script and do a manual"
+ echo "installation, as described at http://www.rodsbooks.com/refind/secureboot.html."
+ echo ""
+ echo -n "Do you want to proceed with installation (Y/N)? "
+ read ContYN
+ if [[ $ContYN == "Y" || $ContYN == "y" ]] ; then
+ echo "OK; continuing with the installation..."
+ else
+ exit 0
+ SBModeInstall=1
+ fi
+ fi
+}
+
# Identifies the ESP's location (/boot or /boot/efi); aborts if
# the ESP isn't mounted at either location.
# Sets InstallDir to the ESP mount point.
echo "Unknown CPU type '$CpuType'; aborting!"
exit 1
fi
+ CheckSecureBoot
CopyRefindFiles
if [[ $TargetDir != "/EFI/BOOT" ]] ; then
AddBootEntry
# Script to prepare source code and binary distribution files of rEFInd.
# By Rod Smith, 3/11/2012
# Updated 11/8/2012 to do more things automatically
+# Updated 12/6/2012 to sign binaries with the rEFInd MOK
#
# Usage: ./mkdistrib version
# where "version" is a version number
# MUST be run from an x86-64 system, on which the TianoCore build
# includes both X64 and IA32 build support ("TARGET_ARCH = IA32 X64"
-# in Conf/target.txt).
+# in Conf/target.txt). The MOK files must be available from a disk
+# partition to be mounted via /etc/fstab at /mnt/refind.
StartDir=`pwd`
+SBSign=`which sbsign 2> /dev/null`
+KeysDir=/mnt/refind
+
+KeysInfo=`df $KeysDir 2> /dev/null | grep $KeysDir`
+
+if [[ ! -n $SBSign ]] ; then
+ echo "Can't find sbsign binary! Aborting!"
+ exit 1
+fi
+
+if [[ ! -n $KeysInfo ]] ; then
+ mount /mnt/refind
+fi
+
+if [[ $? -ne 0 ]] ; then
+ echo "Error mounting $KeysDir! Aborting!"
+ echo ""
+ exit 1
+fi
+
+# From here on, if there's an error, abort immediately.
+set -e
make clean
mkdir -p ../snapshots/$1/refind-$1/icons
cp --preserve=timestamps icons/*icns ../snapshots/$1/refind-$1/icons/
cp -a docs images include EfiLib libeg refind filesystems install.sh CREDITS.txt NEWS.txt BUILDING.txt COPYING.txt LICENSE.txt README.txt refind.inf Make.tiano Make.common Makefile refind.conf-sample ../snapshots/$1/refind-$1
+cp $KeysDir/refind.cer $KeysDir/refind.crt ../snapshots/$1/refind-$1/
# Go there and prepare a souce code zip file....
cd ../snapshots/$1/
make clean
make
make fs
-mkdir -p refind-bin-$1/refind/drivers_x64
+mkdir -p refind-bin-$1/refind/drivers
cp -a icons refind-bin-$1/refind/
-cp --preserve=timestamps drivers/*_x64.efi refind-bin-$1/refind/drivers_x64/
+for File in `ls drivers/*_x64.efi` ; do
+ $SBSign --key $KeysDir/refind.key --cert $KeysDir/refind.crt --output refind-bin-$1/refind/$File $File
+done
+mv refind-bin-$1/refind/drivers refind-bin-$1/refind/drivers_x64
cp --preserve=timestamps filesystems/LICENSE*txt refind-bin-$1/refind/drivers_x64/
cp --preserve=timestamps refind.conf-sample refind-bin-$1/refind/
-cp refind/refind_x64.efi refind-bin-$1/refind/refind_x64.efi
-cp refind/refind_x64.efi $StartDir
+$SBSign --key $KeysDir/refind.key --cert $KeysDir/refind.crt --output refind-bin-$1/refind/refind_x64.efi refind/refind_x64.efi
+cp refind-bin-$1/refind/refind_x64.efi $StartDir
cp -a COPYING.txt LICENSE.txt README.txt docs CREDITS.txt install.sh refind-bin-$1
# Prepare the final .zip file and clean up
+cp $KeysDir/refind.cer $KeysDir/refind.crt refind-bin-$1/
zip -9r ../refind-bin-$1.zip refind-bin-$1
cd ..
rm -r refind-$1
cd $StartDir
+umount $KeysDir
\ No newline at end of file