From c1935b0f6d9272cfa51e9a6c1e342c252ea41b1f Mon Sep 17 00:00:00 2001
From: srs5694
Originally written: 3/14/2012; last Web page update: -10/7/2012, referencing rEFInd 0.4.7
+12/5/2012, referencing rEFInd 0.5.0I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
diff --git a/docs/refind/configfile.html b/docs/refind/configfile.html index 583e601..ee0805b 100644 --- a/docs/refind/configfile.html +++ b/docs/refind/configfile.html @@ -15,7 +15,7 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.comOriginally written: 3/14/2012; last Web page update: -11/6/2012, referencing rEFInd 0.4.7
+12/5/2012, referencing rEFInd 0.5.0I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
diff --git a/docs/refind/drivers.html b/docs/refind/drivers.html index 132d9d3..e753c0b 100644 --- a/docs/refind/drivers.html +++ b/docs/refind/drivers.html @@ -15,7 +15,7 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.comOriginally written: 4/19/2012; last Web page update: -11/15/2012, referencing rEFInd 0.4.7
+12/5/2012, referencing rEFInd 0.5.0I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
diff --git a/docs/refind/features.html b/docs/refind/features.html index 5acec24..70da853 100644 --- a/docs/refind/features.html +++ b/docs/refind/features.html @@ -15,7 +15,7 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.comOriginally written: 3/14/2012; last Web page update: -11/6/2012, referencing rEFInd 0.4.7
+12/5/2012, referencing rEFInd 0.5.0I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
@@ -169,6 +169,8 @@ lack a usable CSM.On the flip side, at least for Mac users, rEFInd comes with less sophisticated Mac installation tools than does rEFIt, in favor of more OS-agnostic packaging.
diff --git a/docs/refind/getting.html b/docs/refind/getting.html index 811ebf5..5d95623 100644 --- a/docs/refind/getting.html +++ b/docs/refind/getting.html @@ -15,7 +15,7 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.comOriginally written: 3/14/2012; last Web page update: -11/6/2012, referencing rEFInd 0.4.7
+12/5/2012, referencing rEFInd 0.5.0I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
@@ -98,7 +98,7 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.comOriginally written: 3/14/2012; last Web page update: -11/6/2012, referencing rEFInd 0.4.7
+12/5/2012, referencing rEFInd 0.5.0I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
@@ -146,7 +146,7 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.comOriginally written: 3/14/2012; last Web page update: -11/15/2012, referencing rEFInd 0.4.7
+12/5/2012, referencing rEFInd 0.5.0I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
@@ -216,9 +216,9 @@ Installation has completed successfully. changes to the computer's NVRAM. The idea is that you can easily create a bootable USB flash drive with this option: Create a proper FAT-formatted ESP on a disk (say, /dev/sdd1) and then type sh ./install --usedefault /dev/sdd1 to turn the - disk into an emergency disk. This option can also be used to install - rEFInd to an ESP using the alternative naming + class="userinput">bash ./install --usedefault /dev/sdd1 to turn + the disk into an emergency disk. This option can also be used to + install rEFInd to an ESP using the alternative naming options described later. This latter usage will result in a bootable rEFInd only if no other OS has already created an NVRAM variable pointing to itself.In all cases, if the new version includes new or altered configuration file options, you may need to manually update your configuration file. Alternatively, if you've used the default configuration file, you can replace your working refind.conf with refind.conf-sample from the rEFInd zip file. (When using install.sh, this file will be copied to rEFInd's installation directory under its original name, so you can rename it within that directory to replace the old file.
+If you're upgrading to rEFInd from rEFIt, you can simply run the install.sh script as described earlier or perform a manual installation. Once installed, rEFInd will take over boot manager duties. You'll still be able to launch rEFIt from rEFInd; a rEFIt icon will appear in rEFInd's menu. You can eliminate this option by removing the rEFIt files, which normally reside in /EFI/refit.
+I've seen links to other versions of these tools from time to time on the Web, so if you try one of these programs and it crashes or behaves strangely, try performing a Web search; you may turn up something that works better for you than the one to which I've linked.
diff --git a/docs/refind/linux.html b/docs/refind/linux.html index 0229af0..d702c0a 100644 --- a/docs/refind/linux.html +++ b/docs/refind/linux.html @@ -15,7 +15,7 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.comOriginally written: 3/19/2012; last Web page update: -11/6/2012, referencing rEFInd 0.4.7
+12/5/2012, referencing rEFInd 0.5.0I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
diff --git a/docs/refind/revisions.html b/docs/refind/revisions.html index 530bd53..e0cbbbb 100644 --- a/docs/refind/revisions.html +++ b/docs/refind/revisions.html @@ -14,7 +14,7 @@by Roderick W. Smith, rodsmith@rodsbooks.com
-Last Web page update: 11/6/2012
+Last Web page update: 12/5/2012
I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
@@ -93,6 +93,8 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.comOriginally written: 11/13/2012; last Web page update: -11/13/2012, referencing rEFInd 0.5.0
+12/5/2012, referencing rEFInd 0.5.0I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
@@ -92,7 +92,7 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com -If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some secure boot basics and two specific aspects of rEFInd and its interactions with Secure Boot: installation issues and key management.
+If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some secure boot basics and two specific aspects of rEFInd and its interactions with Secure Boot: installation issues and known bugs and limitations in rEFInd's Secure Boot features.
Because shim and MOK are being supported by several of the major players in the Linux world, I've decided to do the same with rEFInd. Beginning with version 0.5.0, rEFInd can communicate with the shim system to authenticate boot loaders. If a boot loader has been signed by a valid UEFI Secure Boot key, a valid shim key, or a valid MOK key, rEFInd will launch it. rEFInd will also launch unsigned boot loaders or those with invalid signatures if Secure Boot is disabled in or unsupported by the firmware. (If that's your situation, you needn't bother reading this page.)
+Version 0.5.0 doesn't yet ship in a pre-signed form; you'll need to create your own keys, as described shortly, and use them to sign your binary of rEFInd. I'm forcing you to do this because it's necessary to sign your post-rEFInd binaries anyhow.
+Because of variables such as which version of shim you're using and whether you intend to rely exclusively on shim keys or make use of MOKs, I can't provide an absolutely complete procedure for installing rEFInd to work with Secure Boot. Broadly speaking, though, the procedure should be something like this:
+Because of variables such as which version of shim you're using, I can't provide an absolutely complete procedure for installing rEFInd to work with Secure Boot. Broadly speaking, though, the procedure should be something like this:
+$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt \ + -days 3650 -subj "/CN=Your Name/" +$ openssl x509 -in MOK.crt -out MOK.cer -outform DER ++ +Change Your Name to your own name or other identifying characteristics, and adjust the certificate's time span (set via -days as you see fit. After you type the first command, it will prompt you for a passphrase. Remember this, since you'll need it to sign your binaries. The result is a private key file (MOK.key), which is highly sensitive since it's required to sign binaries, and two public keys (MOK.crt and MOK.cer), which can be used to verify signed binaries' authenticity.
At this point the computer may boot into its default OS, reboot, or perhaps even hang. When you reboot it, though, rEFInd should start up in Secure Boot mode. It should now be able to launch any boot loader signed with a key recognized by the firmware or by shim (including any MOKs you've enrolled). If you want to manage keys in the future, rEFInd displays a new icon in the second (tools) row you can use to launch MokManager. (This icon appears by default, but if you edit showtools in refind.conf, you must be sure to include mok_tool as an option in order to gain access to it.)
-Several variants on this procedure are possible. For instance, you can generate your own MOK, sign rEFInd with it, and enroll that MOK rather than the refind.der MOK. If you're using Ubuntu 12.10, you can't use its version of shim, but you can replace it with Garrett's shim. The problem is that Ubuntu's GRUB and kernel will then be signed by an unknown key. Unfortunately, I haven't found a suitable public key file on Ubuntu's distribution medium, so you may need to sign GRUB and/or your kernels with your own MOK. In principle, you should be able to use shim 0.2 or later from future distributions that include it; but you must be sure that whatever you use supports MokManager.
+If you're using Ubuntu 12.10, you can't use its version of shim, but you can replace it with Garrett's shim. The problem is that Ubuntu's GRUB and kernel will then be signed by an unknown key. Unfortunately, I haven't found a suitable public key file on Ubuntu's distribution medium, so you may need to sign GRUB and/or your kernels with your own MOK. In principle, you should be able to use shim 0.2 or later from future distributions that include it; but you must be sure that whatever you use supports MokManager.
- -The idea behind MOKs is that you should be able to control the signing of your boot loader binaries. Broadly speaking, you can add recognized signing keys in either of two ways:
+rEFInd's Secure Boot support is brand-new with version 0.5.0 of the program. Unfortunately, rEFInd, like shim, must essentially bypass UEFI security features, and must simultaneously not create security problems, in order to work. Unfortunately, the procedures that rEFInd uses to do this (which were lifted straight from shim) play "fast and loose" with the UEFI rules. This fact creates a number of limitations, which include (but are almost certainly not limited to) the following:
As I write, the methods for adding MOKs from the OS remain unclear to me, so I don't address them here. MOK management using MokManager, though, is fairly straightforward, as described earlier, near the end of Installation Issues. The main caveat is that the MokManager user interface is extremely crude. A directory that contains too many entries tends to produce drawing errors that can interfere with selecting the correct file. Thus, I recommend keeping your ESP's root directory uncluttered and place any .der files you need in an equally uncluttered directory off of the root directory.
+My focus in testing rEFInd's Secure Boot capabilities has been on getting Linux kernels with EFI stub loaders to launch correctly.
-The biggest challenge to managing MOKs comes if you need to sign binaries using your own keys. This task requires using cryptographic software based on OpenSSL. The tools involved are crude and poorly documented. I describe a procedure for creating keys and signing binaries here, so check that page if you need detailed instructions.
+At the moment, I consider rEFInd's shim/MOK support to be of alpha quality. I'm releasing it in this state in the hope of getting feedback from adventurous early adopters. I expect the improve the installation procedure, and with any luck fix some of the known bugs, in the next couple of versions. Some of the usability improvements are dependent upon MOK-capable versions of shim being released with major distributions; such versions of shim, with kernels signed with the key that matches the one built into shim, will greatly reduce the need for users to sign boot loaders.
Originally written: 4/19/2012; last Web page update: -11/6/2012, referencing rEFInd 0.4.7
+12/5/2012, referencing rEFInd 0.5.0I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
diff --git a/docs/refind/todo.html b/docs/refind/todo.html index cf9de2d..fdfca00 100644 --- a/docs/refind/todo.html +++ b/docs/refind/todo.html @@ -15,7 +15,7 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.comOriginally written: 3/14/2012; last Web page update: -11/6/2012, referencing rEFInd 0.4.7
+12/5/2012, referencing rEFInd 0.5.0I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
@@ -209,6 +209,16 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com /usr/local/UDK2010/MyWorkSpace/MdeModulePkg/Core/Dxe/Image/Image.c for the reference UEFI implementation. --> +Originally written: 3/14/2012; last Web page update: -11/6/2012, referencing rEFInd 0.4.7
+12/5/2012, referencing rEFInd 0.5.0I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
@@ -134,6 +134,8 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.comOrdinarily, rEFInd displays tags for OSes it finds on internal hard disks, external hard disks (including USB flash drives, CF disks, and so on), and optical discs. Sometimes, though, the firmware hasn't had time to fully examine these devices by the time rEFInd starts; or you might only insert or plug in the media after rEFInd appears. In these cases, you can press the Esc key to have rEFInd re-read its configuration file and re-scan your media for boot loaders. This action can take a few seconds to complete, so be patient. You can also use this feature to detect OSes if you launch a shell and use it to load a driver or edit the refind.conf file. If you regularly need to press Esc, you might look into the scan_delay configuration file option, described on the Configuring the Boot Manager page.
+If your computer supports Secure Boot, you may find that some of your OSes and tools won't work; they'll produce Access Denied error messages. You can overcome this problem by creating a signing key, signing your binaries with it, and adding the public version of that key to your machine owner key (MOK) list. This process is described on the Managing Secure Boot page.
+Although most rEFInd features can be activated via fairly obvious keyboard actions, some are not obvious. Table 1 summarizes the keystrokes that rEFInd accepts, and the action that each keystroke invokes.
diff --git a/refind/config.c b/refind/config.c index 764d444..d52ca9f 100644 --- a/refind/config.c +++ b/refind/config.c @@ -222,7 +222,7 @@ static CHAR16 *ReadLine(REFIT_FILE *File) UINTN ReadTokenLine(IN REFIT_FILE *File, OUT CHAR16 ***TokenList) { BOOLEAN LineFinished, IsQuoted = FALSE; - CHAR16 *Line, *Token, *p; + CHAR16 *Line, *Token, *p, *Temp; UINTN TokenCount = 0; *TokenList = NULL; @@ -251,6 +251,10 @@ UINTN ReadTokenLine(IN REFIT_FILE *File, OUT CHAR16 ***TokenList) while (*p && *p != '"' && ((*p != ' ' && *p != '\t' && *p != '=' && *p != '#' && *p != ',') || IsQuoted)) { if ((*p == '/') && !IsQuoted) // Switch Unix-style to DOS-style directory separators *p = '\\'; + if (*p == '|') { + Temp = StrDuplicate(&p[1]); + StrCpy(p, Temp); + } p++; } // if if (*p == '"') diff --git a/refind/main.c b/refind/main.c index 7297c62..ee9a361 100644 --- a/refind/main.c +++ b/refind/main.c @@ -118,7 +118,7 @@ static VOID AboutrEFInd(VOID) if (AboutMenu.EntryCount == 0) { AboutMenu.TitleImage = BuiltinIcon(BUILTIN_ICON_FUNC_ABOUT); - AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.4.7.10"); + AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.4.7.11"); AddMenuInfoLine(&AboutMenu, L""); AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2006-2010 Christoph Pfisterer"); AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2012 Roderick W. Smith"); @@ -178,7 +178,7 @@ static EFI_STATUS StartEFIImageList(IN EFI_DEVICE_PATH **DevicePaths, CHAR16 ErrorInfo[256]; CHAR16 *FullLoadOptions = NULL; CHAR16 *loader = NULL; - BOOLEAN UseMok = FALSE, SecureMode; + BOOLEAN UseMok = FALSE; if (ErrorInStep != NULL) *ErrorInStep = 0; @@ -203,25 +203,17 @@ static EFI_STATUS StartEFIImageList(IN EFI_DEVICE_PATH **DevicePaths, // load the image into memory (and execute it, in the case of a shim/MOK image). ReturnStatus = Status = EFI_NOT_FOUND; // in case the list is empty - SecureMode = secure_mode(); -// SecureMode = TRUE; for (DevicePathIndex = 0; DevicePaths[DevicePathIndex] != NULL; DevicePathIndex++) { - // NOTE: Below commented-out line could simplify logic by loading the image once, but - // it doesn't work on my 32-bit Mac Mini or my 64-bit Intel box when launching a - // Linux kernel; the kernel returns a "Failed to handle fs_proto" error message. + // NOTE: Below commented-out line could be more efficient if the ReadFile() and + // FindVolumeAndFilename() calls were moved earlier, but it doesn't work on my + // 32-bit Mac Mini or my 64-bit Intel box when launching a Linux kernel; the + // kernel returns a "Failed to handle fs_proto" error message. // TODO: Track down the cause of this error and fix it, if possible. // ReturnStatus = Status = refit_call6_wrapper(BS->LoadImage, FALSE, SelfImageHandle, DevicePaths[DevicePathIndex], // ImageData, ImageSize, &ChildImageHandle); - // In Secure Boot mode, try to use shim/MOK-style loading first, and if - // that fails, try the standard EFI system call (LoadImage()). This is - // done for efficiency, to prevent loading a binary twice, which can - // take several seconds to load a Linux kernel with EFI stub support on - // some systems. Linux kernels are likely to be shim/MOK signed, so - // this is quickest for them; and delays for most other boot loaders - // will be unnoticeably short. To prevent delays or failures in case - // of buggy shim/MOK code on non-SB systems, skip that attempt and - // call LoadImage() directly when not in SB mode. - if (SecureMode) { + ReturnStatus = Status = refit_call6_wrapper(BS->LoadImage, FALSE, SelfImageHandle, DevicePaths[DevicePathIndex], + NULL, 0, &ChildImageHandle); + if ((Status == EFI_ACCESS_DENIED) && (ShimLoaded())) { FindVolumeAndFilename(DevicePaths[DevicePathIndex], &DeviceVolume, &loader); if (DeviceVolume != NULL) { Status = ReadFile(DeviceVolume->RootDir, loader, &File, &ImageSize); @@ -232,21 +224,14 @@ static EFI_STATUS StartEFIImageList(IN EFI_DEVICE_PATH **DevicePaths, } // if/else if (Status != EFI_NOT_FOUND) { ReturnStatus = Status = start_image(SelfImageHandle, loader, ImageData, ImageSize, FullLoadOptions, - DeviceVolume, DevicePaths[DevicePathIndex]); + DeviceVolume, FileDevicePath(DeviceVolume->DeviceHandle, loader)); +// ReturnStatus = Status = start_image(SelfImageHandle, loader, ImageData, ImageSize, FullLoadOptions, +// DeviceVolume, DevicePaths[DevicePathIndex]); } if (ReturnStatus == EFI_SUCCESS) { UseMok = TRUE; } // if - // If shim/MOK load fails, try regular EFI load, in case it's an unsupported - // binary type.... - if (!UseMok) { - ReturnStatus = Status = refit_call6_wrapper(BS->LoadImage, FALSE, SelfImageHandle, DevicePaths[DevicePathIndex], - NULL, 0, &ChildImageHandle); - } // if (!UseMok) - } else { // Secure Boot inactive; only do standard call.... - ReturnStatus = Status = refit_call6_wrapper(BS->LoadImage, FALSE, SelfImageHandle, DevicePaths[DevicePathIndex], - NULL, 0, &ChildImageHandle); - } // if/else (SecureMode) + } // if (UEFI SB failed; use shim) if (ReturnStatus != EFI_NOT_FOUND) { break; } diff --git a/refind/mok.c b/refind/mok.c index 6c4ef38..e9a2ad1 100644 --- a/refind/mok.c +++ b/refind/mok.c @@ -130,6 +130,15 @@ BOOLEAN secure_mode (VOID) return TRUE; } // secure_mode() +// Returns TRUE if the shim program is available to verify binaries, +// FALSE if not +BOOLEAN ShimLoaded(void) { + SHIM_LOCK *shim_lock; + EFI_GUID ShimLockGuid = SHIM_LOCK_GUID; + + return (BS->LocateProtocol(&ShimLockGuid, NULL, (VOID**) &shim_lock) == EFI_SUCCESS); +} // ShimLoaded() + /* * Currently, shim/MOK only works on x86-64 (X64) systems, and some of this code * generates warnings on x86 (IA32) builds, so don't bother compiling it at all @@ -330,8 +339,8 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, // Returns TRUE if the specified data is validated by Shim's MOK, FALSE otherwise static BOOLEAN ShimValidate (VOID *data, UINT32 size) { - EFI_GUID ShimLockGuid = SHIM_LOCK_GUID; SHIM_LOCK *shim_lock; + EFI_GUID ShimLockGuid = SHIM_LOCK_GUID; if (BS->LocateProtocol(&ShimLockGuid, NULL, (VOID**) &shim_lock) == EFI_SUCCESS) { if (!shim_lock) diff --git a/refind/mok.h b/refind/mok.h index c398353..4fbfb22 100644 --- a/refind/mok.h +++ b/refind/mok.h @@ -4,8 +4,6 @@ #define SHIM_LOCK_GUID \ { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} } -#if defined(EFIX64) - typedef struct _SHIM_LOCK { EFI_STATUS __attribute__((sysv_abi)) (*shim_verify) (VOID *buffer, UINT32 size); @@ -16,8 +14,7 @@ typedef struct _SHIM_LOCK GNUEFI_PE_COFF_LOADER_IMAGE_CONTEXT *context); } SHIM_LOCK; -#endif - +BOOLEAN ShimLoaded(void); BOOLEAN secure_mode (VOID); EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath, VOID *data, UINTN datasize, CHAR16 *Options, REFIT_VOLUME *DeviceVolume, IN EFI_DEVICE_PATH *DevicePath); diff --git a/refind/screen.c b/refind/screen.c index 9f0d483..cd5c698 100644 --- a/refind/screen.c +++ b/refind/screen.c @@ -162,8 +162,8 @@ VOID BeginTextScreen(IN CHAR16 *Title) VOID FinishTextScreen(IN BOOLEAN WaitAlways) { if (haveError || WaitAlways) { - SwitchToText(FALSE); - PauseForKey(); + PauseForKey(); + SwitchToText(FALSE); } // reset error flag -- 2.39.2