]> code.delx.au - refind/blob - docs/refind/secureboot.html
fc3f321763ad4ea40a2fa535f15f5f1247c7d182
[refind] / docs / refind / secureboot.html
1 <?xml version="1.0" encoding="utf-8" standalone="no"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
3 "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
4
5 <html xmlns="http://www.w3.org/1999/xhtml">
6 <head>
7 <title>The rEFInd Boot Manager: Managing Secure Boot</title>
8 <link href="../Styles/styles.css" rel="stylesheet" type="text/css" />
9 </head>
10
11 <meta name="viewport" content="width=device-width, initial-scale=1">
12
13 <body>
14 <h1>The rEFInd Boot Manager:<br />Managing Secure Boot</h1>
15
16 <p class="subhead">by Roderick W. Smith, <a
17 href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
18
19 <p>Originally written: 11/13/2012; last Web page update:
20 9/19/2015, referencing rEFInd 0.9.2</p>
21
22
23 <p>This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
24
25 <table border="1">
26 <tr>
27 <td>Donate $1.00</td>
28 <td>Donate $2.50</td>
29 <td>Donate $5.00</td>
30 <td>Donate $10.00</td>
31 <td>Donate $20.00</td>
32 <td>Donate another value</td>
33 </tr>
34 <tr>
35
36 <td>
37 <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
38 <input type="hidden" name="cmd" value="_donations">
39 <input type="hidden" name="business" value="rodsmith@rodsbooks.com">
40 <input type="hidden" name="lc" value="US">
41 <input type="hidden" name="no_note" value="0">
42 <input type="hidden" name="currency_code" value="USD">
43 <input type="hidden" name="amount" value="1.00">
44 <input type="hidden" name="item_name" value="rEFInd Boot Manager">
45 <input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
46 <input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
47 <img alt="Donate with PayPal" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
48 </form>
49 </td>
50
51 <td>
52 <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
53 <input type="hidden" name="cmd" value="_donations">
54 <input type="hidden" name="business" value="rodsmith@rodsbooks.com">
55 <input type="hidden" name="lc" value="US">
56 <input type="hidden" name="no_note" value="0">
57 <input type="hidden" name="currency_code" value="USD">
58 <input type="hidden" name="amount" value="2.50">
59 <input type="hidden" name="item_name" value="rEFInd Boot Manager">
60 <input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
61 <input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
62 <img alt="Donate with PayPal" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
63 </form>
64 </td>
65
66
67 <td>
68 <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
69 <input type="hidden" name="cmd" value="_donations">
70 <input type="hidden" name="business" value="rodsmith@rodsbooks.com">
71 <input type="hidden" name="lc" value="US">
72 <input type="hidden" name="no_note" value="0">
73 <input type="hidden" name="currency_code" value="USD">
74 <input type="hidden" name="amount" value="5.00">
75 <input type="hidden" name="item_name" value="rEFInd Boot Manager">
76 <input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
77 <input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
78 <img alt="Donate with PayPal" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
79 </form>
80 </td>
81
82 <td>
83 <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
84 <input type="hidden" name="cmd" value="_donations">
85 <input type="hidden" name="business" value="rodsmith@rodsbooks.com">
86 <input type="hidden" name="lc" value="US">
87 <input type="hidden" name="no_note" value="0">
88 <input type="hidden" name="currency_code" value="USD">
89 <input type="hidden" name="amount" value="10.00">
90 <input type="hidden" name="item_name" value="rEFInd Boot Manager">
91 <input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
92 <input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
93 <img alt="Donate with PayPal" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
94 </form>
95 </td>
96
97 <td>
98 <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
99 <input type="hidden" name="cmd" value="_donations">
100 <input type="hidden" name="business" value="rodsmith@rodsbooks.com">
101 <input type="hidden" name="lc" value="US">
102 <input type="hidden" name="no_note" value="0">
103 <input type="hidden" name="currency_code" value="USD">
104 <input type="hidden" name="amount" value="20.00">
105 <input type="hidden" name="item_name" value="rEFInd Boot Manager">
106 <input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
107 <input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
108 <img alt="Donate with PayPal" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
109 </form>
110 </td>
111
112 <td>
113 <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
114 <input type="hidden" name="cmd" value="_donations">
115 <input type="hidden" name="business" value="rodsmith@rodsbooks.com">
116 <input type="hidden" name="lc" value="US">
117 <input type="hidden" name="no_note" value="0">
118 <input type="hidden" name="currency_code" value="USD">
119 <input type="hidden" name="item_name" value="rEFInd Boot Manager">
120 <input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
121 <input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
122 <img alt="Donate with PayPal" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
123 </form>
124 </td></tr>
125 </table>
126
127 <hr />
128
129 <p>This page is part of the documentation for the rEFInd boot manager. If a Web search has brought you here, you may want to start at the <a href="index.html">main page.</a></p>
130
131 <hr />
132
133 <p class="sidebar"><b>Note:</b> My <a href="http://www.rodsbooks.com/efi-bootloaders/">Managing EFI Boot Loaders for Linux</a> Web page includes a much more detailed description of Secure Boot in two of its subpages. Consult <a href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html">Dealing with Secure Boot</a> for more information on disabling Secure Boot, using Shim, and using PreLoader; and read <a href="http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html">Controlling Secure Boot</a> for more information on using your own keys instead of or in addition to those that came with your computer.</p>
134
135 <div class="navbar">
136
137 <h4 class="tight">Contents</h4>
138
139 <ul>
140
141 <li class="tight"><a href="#basic">Basic Issues</li>
142
143 <li class="tight"><a href="#shim">Using rEFInd with Shim</a></li>
144 <ul>
145 <li class="tight"><a href="#installation">Installing Shim and rEFInd</a></li>
146 <li class="tight"><a href="#mok">Managing Your MOKs</a></li>
147 </ul>
148
149 <li class="tight"><a href="#preloader">Using rEFInd with PreLoader</a></li>
150
151 <li class="tight"><a href="#caveats">Secure Boot Caveats</a></li>
152
153 </ul>
154
155 </div>
156
157 <p>If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some <a href="#basic">Secure Boot basics</a> and two specific ways of using rEFInd with Secure Boot: <a href="#shim">Using the Shim program</a> and <a href="#preloader">using the PreLoader program.</a> (My separate <a href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html">EFI Boot Loaders for Linux page on Secure Boot</a> covers the additional topics of disabling Secure Boot and adding keys to the firmware's own set of keys.) This page concludes with a look at <a href="#caveats">known bugs and limitations</a> in rEFInd's Secure Boot features.</p>
158
159 <a name="basic">
160 <h2>Basic Issues</h2>
161 </a>
162
163 <p class="sidebar"><b>Note:</b> You don't <i>have to</i> use Secure Boot.
164 If you don't want it, you can <a
165 href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html#disable">disable
166 it,</a> at least on <i>x</i>86-64 PCs. If an ARM-based computer ships with
167 Windows 8, this isn't an option for it. Unfortunately, the Shim and PreLoader programs described on this page currently support only <i>x</i>86-64, not <i>x</i>86 or ARM.</p>
168
169 <p>Through 2012, it became obvious that Secure Boot would be a feature that was controlled, to a large extent, by Microsoft. This is because Microsoft requires that non-server computers that display Windows 8 logos ship with Secure Boot enabled. As a practical matter, this also means that such computers ship with Microsoft's keys in their firmware. In the absence of an industry-standard body to manage the signing of Secure Boot keys, this means that Microsoft's key is the only one that's more-or-less guaranteed to be installed on the computer, thus blocking the ability to boot any OS that lacks a boot path through Microsoft's signing key.</p>
170
171 <p>Fortunately, Microsoft will sign third-party binaries with their key&mdash;or more precisely, with a key that Microsoft uses to sign third-party binaries. (Microsoft uses another key to sign its own binaries, and some devices, such as the Microsoft Surface tablet, lack the third-party Microsoft key.) A payment of $99 to Verisign enables a software distributor to sign as many binaries as desired. Red Hat (Fedora), Novell (SUSE), and Canonical (Ubuntu) are all using this system to enable their boot loaders to run. Unfortunately, using a third-party signing service is an awkward solution for open source software. In fact, for this very reason two separate programs exist that shift the Secure Boot "train" from Microsoft's proprietary "track" to one that's more friendly to open source authors. Both of these programs (Shim and PreLoader) are available in binary form signed by Microsoft's key. Shim enables the computer to launch binaries that are signed by a key that's built into it or that the user adds to a list known as the Machine Owner Key (MOK) list. PreLoader enables the computer to launch binaries that the user has explicitly identified as being OK. Distributions beginning with Ubuntu 12.10 (and 12.04.2), Fedora 18, and OpenSUSE 12.3 use Shim, although the Ubuntu initially shipped with an early version of Shim that's useless for launching rEFInd. (Current versions of Ubuntu ship with more flexible versions of Shim.) PreLoader is used by some smaller and more specialized distributions, such as Arch Linux. You can switch from one to the other if you like, no matter what your distribution uses by default.</p>
172
173 <p>There are three ways to sign a binary that will get it launched on a computer that uses Shim:</p>
174
175 <ul>
176
177 <li><b>Secure Boot keys</b>&mdash;These keys are managed by the EFI
178 firmware. In a default configuration, Microsoft is the only party
179 that's more-or-less guaranteed to be able to sign boot loaders with
180 these keys; however, it's possible to <a
181 href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html#add_keys">replace
182 Microsoft's keys with your own,</a> in order to take full control of
183 Secure Boot on your computer. The trouble is that this process is
184 tedious and varies in details from one computer to another. It's worth
185 noting that many, but not all, computers ship with Canonical's key,
186 which can help slightly when booting Ubuntu; if your computer is so
187 equipped, you can use any Shim you like and not worry about adding
188 Canonical's key to your MOK list, although you must still add a MOK key
189 for rEFInd itself.</li>
190
191 <li><b>Shim's built-in keys</b>&mdash;It's possible, but not necessary, to
192 compile Shim with a built-in public key. Its private counterpart can
193 then be used to sign binaries. In practice, this key type is limited in
194 utility; it's likely to be used by distribution maintainers to sign
195 their own version of GRUB and the Linux kernels that it launches,
196 nothing more. On the plus side, Shim's keys require little or no
197 maintenance by users. One potential complication is that if you swap
198 out one Shim binary for another, its built-in key may change, which
199 means that the replacement Shim might no longer launch its follow-on
200 boot loader or kernels linked to the first Shim.</li>
201
202 <li><b>MOKs</b>&mdash;Versions 0.2 and later of Shim support MOKs, which
203 give you the ability to add your own keys to the computer. If you want
204 to install multiple Linux distributions in Secure Boot mode, MOKs are
205 likely to be helpful. They're vital if you want to launch kernels you
206 compile yourself or use boot managers or boot loaders other than those
207 provided by your distribution.</li>
208
209 </ul>
210
211 <p>All three key types are the same in form&mdash;Shim's built-in keys and MOKs are both generated using the same tools used to generate Secure Boot keys. The keys can be generated with the common <tt>openssl</tt> program, but signing EFI binaries requires either of two rarer programs: <tt>sbsign</tt> or <tt>pesign</tt>. If you use Shim with a distribution that doesn't support Secure Boot, you'll need to either sign the kernels yourself, which can be a hassle, or launch the kernels by way of a boot loader that doesn't check for signatures, such as ELILO.</p>
212
213 <p class="sidebar">Shim's author is working on merging it and PreLoader. Thus, future versions of Shim may provide the advantages of both programs.</p>
214
215 <p>PreLoader is easier to set up on a distribution that doesn't support Shim because PreLoader doesn't rely on keys; instead, you tell it which binaries you trust and it will let you launch them. This works well on a system with boot managers, boot loaders, and kernels that seldom change. It's not a good solution for distribution maintainers, though, because it requires that users manually add binaries to PreLoader's list of approved binaries when the OS is installed and every time those binaries change. Also, PreLoader relies on a helper program, HashTool, to enroll hashes. (This is Geek for "tell the computer that a binary is OK.") Unfortunately, the initial (and, as far as I know, only signed) HashTool can enroll hashes only from the partition from which it was launched, so if you want to use rEFInd to launch Linux kernels directly, it's easiest if you mount your EFI System Partition (ESP) at <tt>/boot</tt> in Linux or copy your kernels to the ESP. Another approach is to copy <tt>HashTool.efi</tt> to the partition that holds your kernel and rename it to almost anything else. rEFInd will then treat it like an OS boot loader and create a menu entry for it, enabling you to launch it as needed.</p>
216
217 <p>Beginning with version 0.5.0, rEFInd can communicate with the Shim system to authenticate boot loaders. If a boot loader has been signed by a valid UEFI Secure Boot key, a valid Shim key, or a valid MOK, rEFInd will launch it. rEFInd will also launch unsigned boot loaders or those with invalid signatures <i>if</i> Secure Boot is disabled in or unsupported by the firmware. (If that's your situation, you needn't bother reading this page.) PreLoader is designed in such a way that it requires no explicit support in rEFInd to work.</p>
218
219 <p>My binary builds of rEFInd version 0.5.0 and later ship signed with my own keys, and I provide the public version of this key with the rEFInd package. This can help simplify setup, since you needn't generate your own keys to get rEFInd working. The rEFInd PPA for Ubuntu ships unsigned binaries, but the installation script that runs automatically when the package is installed signs the binaries with a local key as it installs them. In either case, if you lack public keys for the boot loaders that rEFInd launches, you'll need to sign your boot loaders, as described in the <a href="#mok">Managing Your MOKs</a> section.</p>
220
221 <a name="shim">
222 <h2>Using rEFInd with Shim</h2>
223 </a>
224
225 <p>Because several major distributions support Shim, I describe it first. You may need to adjust the rEFInd installation process to get it working with Shim, especially if you're not using a distribution that uses this software. In addition to installing Shim, you should know how to manage your MOKs, so I describe this topic, too. If you don't want to use Shim, you can skip ahead to <a href="#preloader">the section on PreLoader.</a></p>
226
227 <a name="installation">
228 <h3>Installing Shim and rEFInd</h3>
229 </a>
230
231 <p class="sidebar"><b>Note:</b> rEFInd's <tt>install.sh</tt> script attempts to identify whether your computer was booted with Secure Boot active and, if it was, to locate existing Shim binaries and make use of whatever it finds. Thus, you may not need to explicitly set up Shim after you install rEFInd, although you will probably have to enroll rEFInd's key in your MOK list, as described shortly.</p>
232
233 <p>A working Secure Boot installation of rEFInd involves at least three programs, and probably four or more, each of which must be installed in a specific way:</p>
234
235 <ul>
236
237 <li><b>Shim</b>&mdash;You can use any version of Shim you like. In many cases, one will already be installed on your computer from your distribution, called <tt>shim.efi</tt> or <tt>shimx64.efi</tt> in the distribution's directory on the ESP. If so, it's probably best to use that version, since its built-in key will handle your distribution's kernels. If you don't currently have a Shim installed, you can copy one from another computer, copy the file from a distribution installation disc, or download a version of Shim 0.2 (old, but still usable) signed with Microsoft's Secure Boot key <a href="http://www.codon.org.uk/~mjg59/shim-signed/">here.</a> This version (created by Shim's developer, former Red Hat employee Matthew J. Garrett) includes a Shim key that's used by nothing but the <tt>MokManager.efi</tt> program that also ships with the program. No matter what version of Shim you use, you must enroll rEFInd's MOK. Ubuntu 12.10 and 13.04 ship with an earlier version of Shim (0.1) that doesn't support MOKs; avoid Shim 0.1 for use with rEFInd. You should install Shim just as you would install other EFI boot loaders, as described <a href="http://www.rodsbooks.com/efi-bootloaders/installation.html">here.</a> For use in launching rEFInd, it makes sense to install <tt>shim.efi</tt> in <tt>EFI/refind</tt> on your ESP, although of course this detail is up to you.</li>
238
239 <li><b>MokManager</b>&mdash;This program is included with Shim 0.2 and later. It presents a user interface for managing MOKs, and it's launched by Shim if Shim can't find its default boot loader (generally <tt>grubx64.efi</tt>) or if that program isn't properly signed. In principle, this program could be signed with a Secure Boot key or a MOK, but such binaries are usually signed by Shim keys. This program should reside in the same directory as <tt>shim.efi</tt>, under the name <tt>MokManager.efi</tt>. Although you could theoretically do without MokManager, in practice you'll need it at least temporarily to install the MOK with which rEFInd is signed.</li>
240
241 <li><b>rEFInd</b>&mdash;Naturally, you need rEFInd. Because Shim is hard-coded to launch a program called <tt>grubx64.efi</tt>, you must install rEFInd using that name and to the same directory in which <tt>shim.efi</tt> resides. In theory, rEFInd could be signed with a Secure Boot key, a Shim key, or a MOK; however, because Microsoft won't sign binaries distributed under the GPLv3, I can't distribute a version of rEFInd signed with Microsoft's Secure Boot key; and as I don't have access to the private Shim keys used by any distribution, I can't distribute a rEFInd binary signed by them. (If distributions begin including rEFInd in their package sets, though, such distribution-provided binaries could be signed with the distributions' Shim keys.) Thus, rEFInd will normally be signed by a MOK. Beginning with version 0.5.0, rEFInd binaries that I provide are signed by me. Beginning with version 0.5.1, the installation script provides an option to sign the rEFInd binary with your own key, provided the necessary support software is installed.</li>
242
243 <li><b>Your boot loaders and kernels</b>&mdash;Your OS boot loaders, and perhaps your Linux kernels, must be signed. They can be signed with any of the three key types. Indeed, your system may have a mix of all three types&mdash;a Windows 8 boot loader will most likely be signed with Microsoft's Secure Boot key, GRUB and kernels provided by most distributions will be signed with their own Shim keys, and if you use your own locally-compiled kernel or a boot loader from an unusual source you may need to sign it with a MOK. Aside from signing, these files can be installed in exactly the same way as if your computer were not using Secure Boot.</li>
244
245 </ul>
246
247 <p>If you've installed a distribution that provides Shim and can boot it with Secure Boot active, and if you then install rEFInd using the RPM file that I provide or by running <tt>install.sh</tt>, chances are you'll end up with a working rEFInd that will start up the first time, with one caveat: You'll have to use MokManager to add rEFInd's MOK to your MOK list, as described shortly. If you don't already have a working copy of Shim on your ESP, your task is more complex. Broadly speaking, the procedure should be something like this:</p>
248
249 <ol>
250
251 <li>Boot the computer. This can be a challenge in and of itself. You may
252 need to use a Secure Boot&ndash;enabled Linux emergency disc,
253 temporarily disable Secure Boot, or do the work from Windows.</li>
254
255 <li><a href="getting.html">Download rEFInd</a> in binary form (the binary
256 zip or CD-R image file). If you download the binary zip file, unzip it;
257 if you get the CD-R image file, burn it to a CD-R and mount it.</li>
258
259 <li>Download Shim from <a
260 href="http://www.codon.org.uk/~mjg59/shim-signed/">Matthew J. Garrett's
261 download site</a> or from your distribution. (Don't use an early 0.1
262 version, though; as noted earlier, it's inadequate for use with
263 rEFInd.)</li>
264
265 <p class="sidebar"><b>Tip:</b> If you're running Linux, you can save some effort by using the <tt>install.sh</tt> script with its <tt>--shim <tt class="variable">/path/to/shim.efi</tt></tt> option rather than installing manually, as in steps 4&ndash;6 of this procedure. If you've installed <tt>openssl</tt> and <tt>sbsign</tt>, using <tt>--localkeys</tt> will generate local signing keys and re-sign the rEFInd binaries with your own key, too. You can then use <tt>sbsign</tt> and the keys in <tt>/etc/refind.d/keys</tt> to sign your kernels or boot loaders.</p>
266
267 <li>Copy the <tt>shim.efi</tt> and <tt>MokManager.efi</tt> binaries to the
268 directory you intend to use for rEFInd&mdash;for instance,
269 <tt>EFI/refind</tt> on the ESP.</li>
270
271 <li>Follow the installation instructions for rEFInd on the <a
272 href="installing.html">Installing rEFInd</a> page; however, you should
273 normally give rEFInd the filename <tt>grubx64.efi</tt> and register
274 <tt>shim.efi</tt> with the EFI by using <tt>efibootmgr</tt> in Linux or
275 <tt>bcdedit</tt> in Windows. Be sure that rEFInd (as
276 <tt>grubx64.efi</tt>), <tt>shim.efi</tt>, and <tt>MokManager.efi</tt>
277 all reside in the same directory. If you're using Shim 0.7 or later and
278 installing it under Linux, you may optionally keep rEFInd's
279 <tt>refind_x64.efi</tt> name; but you must then tell Shim to use rEFInd
280 by passing an additional <tt>-u "shim.efi refind_x64.efi"</tt> option
281 to <tt>efibootmgr</tt>. Change the filenames to the actual filenames
282 used by Shim and rEFInd, respectively.</li>
283
284 <li>Copy the <tt>refind.cer</tt> file from the rEFInd package to your ESP,
285 ideally to a location with few other files. (The rEFInd installation
286 directory should work fine.)</li>
287
288 <li>Reboot. With any luck, you'll see a simple text-mode user interface
289 with a label of <tt>Shim UEFI key management</tt>. This is the
290 MokManager program, which Shim launched when rEFInd failed verification
291 because its key is not yet enrolled.</li>
292
293 <li>Press your down arrow key and press Enter to select <tt>Enroll key from
294 disk</tt>. The screen will clear and prompt you to select a key, as
295 shown here:
296
297 <br /><img src="MokManager1.png" align="CENTER" width="676"
298 height="186" alt="MokManager's user interface is crude but effective."
299 border=2> <br />
300
301 This user interface was used in early versions of MokManager, but
302 somewhere between versions 0.4 and 0.7, the user interface received an
303 upgrade. If you've got a more recent version, it will look more like
304 this:
305
306 <br /><img src="MokManager2.png" align="CENTER" width="800"
307 height="345" alt="Recent versions of MokManager provide a somewhat more
308 user-friendly user interface." border=2> <br /> </li>
309
310 <li>Each of the lines with a long awkward string represents a disk
311 partition. Select one and you'll see a list of files. Continue
312 selecting subdirectories until you find the <tt>refind.cer</tt> file
313 you copied to the ESP earlier. (Note that in the early user interface
314 the long lines can wrap and hide valid entries on the next line, so you
315 may need to select a disk whose entry is masked by another one!)</li>
316
317 <li>Select <tt>refind.cer</tt>. You can type <tt class="userinput">1</tt>
318 to view the certificate's details if you like, or skip that and type
319 <tt class="userinput">0</tt> to enroll the key.</li>
320
321 <li>Back out of any directories you entered and return to the MokManager
322 main menu.</li>
323
324 <li>Select <tt>Continue boot</tt> at the main menu.</li>
325
326 </ol>
327
328 <p>At this point the computer may boot into its default OS, reboot, or perhaps even hang. When you reboot it, though, rEFInd should start up in Secure Boot mode. (You can verify this by selecting the <i>About rEFInd</i> tool in the main menu. Check the <i>Platform</i> item in the resulting screen; it should verify that Secure Boot is active.) You should now be able to launch any boot loader signed with a key recognized by the firmware or by Shim (including any MOKs you've enrolled). If you want to manage keys in the future, rEFInd displays a new icon in the second (tools) row you can use to launch MokManager. (This icon appears by default if MokManager is installed, but if you edit <tt>showtools</tt> in <tt>refind.conf</tt>, you must be sure to include <tt>mok_tool</tt> as an option in order to gain access to it.)</p>
329
330 <p>If you're using rEFInd to boot multiple Linux versions, chances are you'll need to add the keys for the distributions whose Shim you're not using as MOKs. rEFInd ships with a selection of such keys and copies them to the <tt>keys</tt> subdirectory of the rEFInd installation directory on the ESP as a convenience. Note that you must enroll keys with <tt>.cer</tt> or <tt>.der</tt> filename extensions. Although <tt>.crt</tt> files contain the same information, their format is different and they cannot be used by MokManager.</p>
331
332 <a name="mok">
333 <h3>Managing Your MOKs</h3>
334 </a>
335
336 <p>The preceding instructions provided the basics of getting rEFInd up and running, including using MokManager to enroll a MOK on your computer. If you need to sign binaries, though, you'll have to use additional tools. The OpenSSL package provides the cryptographic tools necessary, but actually signing EFI binaries requires additional software. Two packages for this are available: <tt>sbsigntool</tt> and <tt>pesign</tt>. Both are available in binary form from <a href="https://build.opensuse.org/project/show?project=home%3Ajejb1%3AUEFI">this OpenSUSE Build Service (OBS)</a> repository, and many distributions ship with at least one of them. The following procedure uses <tt>sbsigntool</tt>. To sign your own binaries, follow these steps (you can skip the first five steps if you've successfully used <tt>install.sh</tt>'s <tt>--localkeys</tt> option):</p>
337
338 <ol>
339
340 <li>If it's not already installed, install OpenSSL on your computer. (It
341 normally comes in a package called <tt>openssl</tt>.)</li>
342
343 <li>If you did <i>not</i> re-sign your rEFInd binaries with
344 <tt>install.sh</tt>'s <tt>--localkeys</tt> option, type the following
345 two commands to generate your public and private keys:
346
347 <pre class="listing">
348 $ <tt class="userinput">openssl req -new -x509 -newkey rsa:2048 -keyout refind_local.key \
349 -out refind_local.crt -nodes -days 3650 -subj "/CN=Your Name/"</tt>
350 $ <tt class="userinput">openssl x509 -in refind_local.crt -out refind_local.cer -outform DER</tt>
351 </pre>
352
353 Change <tt>Your Name</tt> to your own name or other identifying
354 characteristics, and adjust the certificate's time span (set via
355 <tt>-days</tt>) as you see fit. If you omit the <tt>-nodes</tt> option,
356 the program will prompt you for a passphrase for added security.
357 Remember this, since you'll need it to sign your binaries. The result
358 is a private key file (<tt>refind_local.key</tt>), which is highly
359 sensitive since it's required to sign binaries, and two public keys
360 (<tt>refind_local.crt</tt> and <tt>refind_local.cer</tt>), which can be
361 used to verify signed binaries' authenticity. The two public key files
362 are equivalent, but are used by different
363 tools&mdash;<tt>sbsigntool</tt> uses <tt>refind_local.crt</tt> to sign
364 binaries, but MokManager uses <tt>refind_local.cer</tt> to enroll the
365 key. If you used <tt>install.sh</tt>'s <tt>--localkeys</tt> option,
366 this step is unnecessary, since these keys have already been created
367 and are stored in <tt>/etc/refind.d/keys/</tt>.</li>
368
369 <li>Copy the three key files to a secure location and adjust permissions
370 such that only you can read <tt>refind_local.key</tt>. You'll need
371 these keys to sign future binaries, so don't discard them.</li>
372
373 <li>Copy the <tt>refind_local.cer</tt> file to your ESP, ideally to a
374 location with few other files. (MokManager's user interface becomes
375 unreliable when browsing directories with lots of files.)</li>
376
377 <li>Download and install the <tt>sbsigntool</tt> package. Binary links for
378 various distributions are available from the <a
379 href="https://build.opensuse.org/package/show?package=sbsigntools&project=home%3Ajejb1%3AUEFI">OpenSUSE
380 Build Service</a>, or you can obtain the source code by typing <tt
381 class="userinput">git clone
382 git://kernel.ubuntu.com/jk/sbsigntool</tt>.</li>
383
384 <li>Sign your binary by typing <tt class="userinput">sbsign --key
385 refind_local.key --cert refind_local.crt --output <tt
386 class="variable">binary-signed.efi binary.efi</tt></tt>, adjusting the
387 paths to the keys and the binary names.</li>
388
389 <li>Copy your signed binary to a suitable location on the ESP for rEFInd to
390 locate it. Be sure to include any support files that it needs,
391 too.</li>
392
393 <li>Check your <tt>refind.conf</tt> file to ensure that the
394 <tt>showtools</tt> option is either commented out or includes
395 <tt>mok_tool</tt> among its options.</li>
396
397 <li>Reboot. You can try launching the boot loader you just installed, but
398 chances are it will generate an <tt>Access Denied</tt> message. For it
399 to work, you must launch MokManager using the tool that rEFInd presents
400 on its second row. You can then enroll your <tt>refind_local.cer</tt>
401 key just as you enrolled the <tt>refind.cer</tt> key.</li>
402
403 </ol>
404
405 <p>At this point you should be able to launch the binaries you've signed. Unfortunately, there can still be problems; see the upcoming section, <a href="#caveats">Secure Boot Caveats,</a> for information on them. Alternatively, you can try using PreLoader rather than Shim.</p>
406
407 <a name="preloader">
408 <h2>Using rEFInd with PreLoader</h2>
409 </a>
410
411 <p>If you want to use Secure Boot with a distribution that doesn't come with Shim but the preceding description exhausts you, take heart: PreLoader is easier to set up and use for your situation! Unfortunately, it's still not as easy to use as not using Secure Boot at all, and it's got some drawbacks, but it may represent an acceptable middle ground. To get started, proceed as follows:</p>
412
413 <ol>
414
415 <li>Boot the computer. As with Shim, this can be a challenge; you may need
416 to boot with Secure Boot disabled, use a Secure Boot&ndash;enabled live
417 CD, or do the installation from Windows.</li>
418
419 <li><a href="getting.html">Download rEFInd</a> in binary form (the binary
420 zip or CD-R image file). If you download the binary zip file, unzip it;
421 if you get the CD-R image file, burn it to a CD-R and mount it.</li>
422
423 <li>Download PreLoader from <a
424 href="http://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/">its
425 release page</a> or by clicking the following links. Be sure to get
426 both the <tt><a
427 href="http://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi">PreLoader.efi</a></tt>
428 and <tt><a
429 href="http://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi">HashTool.efi</a></tt>
430 files.</li>
431
432 <li>Copy the <tt>PreLoader.efi</tt> and <tt>HashTool.efi</tt> binaries to
433 the directory you intend to use for rEFInd&mdash;for instance,
434 <tt>EFI/refind</tt> on the ESP.</li>
435
436 <li>Follow the installation instructions for rEFInd on the <a
437 href="installing.html">Installing rEFInd</a> page; however, give rEFInd
438 the filename <tt>loader.efi</tt> and register <tt>PreLoader.efi</tt>
439 with the EFI by using <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt>
440 in Windows. Be sure that rEFInd (as <tt>loader.efi</tt>),
441 <tt>PreLoader.efi</tt>, and <tt>HashTool.efi</tt> all reside in the
442 same directory.</li>
443
444 <li>Reboot. With any luck, you'll see HashTool appear with a warning
445 message stating that it was unable to launch <tt>loader.efi</tt> and
446 declaring that it will launch <tt>HashTool.efi</tt>. Press the Enter
447 key to continue.</li>
448
449 <li>HashTool should now appear. It should give you three or four options,
450 including <tt>Enroll Hash</tt>, as shown here. Select this option</li>
451
452 <br /><img src="HashTool1.png" align="CENTER" width="641" height="459"
453 alt="HashTool provide a somewhat nicer user interface than
454 MokManager's." border=2> <br />
455
456 <li>You can now select the binary you want to authorize. You should first
457 select <tt>loader.efi</tt>, since that's rEFInd. The program presents
458 the hash (a very long number) and asks for confirmation. Be sure to
459 select <tt>Yes</tt>.</li>
460
461 <br /><img src="HashTool2.png" align="CENTER" width="638" height="455"
462 alt="Be sure to select the right binary when you enroll its hash."
463 border=2> <br />
464
465 <p class="sidebar"><b>Note:</b> Unfortunately, the initial version of HashTool's file selector can't change filesystems. Thus, if you want to boot a Linux kernel using rEFInd and PreLoader, you'll need to copy the kernel to the ESP, at least temporarily. Alternatively, as noted earlier, you can copy <tt>HashTool.efi</tt> to the directory that holds the kernels or to another directory on that partition that rEFInd scans&mdash;but be sure to rename <tt>HashTool.efi</tt> or rEFInd will ignore it. You'll then see a boot loader entry for HashTool. More recent versions of HashTool can access multiple partitions, but I have yet to find a pre-signed version, so if you want to use it, you'll need to compile it yourself and then register its hash with an earlier version (or with Secure Boot temporarily disabled).</p>
466
467 <li>Repeat the preceding two steps for any additional binaries you might
468 want to enroll. These include any EFI filesystem drivers you're using,
469 any boot loaders you're launching from rEFInd (other than those that
470 are already signed, such as Microsoft's boot loader), and possibly your
471 Linux kernel.</li>
472
473 <li>At the HashTool main menu, select <tt>Exit</tt>. rEFInd should
474 launch.</li>
475
476 </ol>
477
478 <p>If you did everything right, rEFInd should now launch follow-on boot loaders and kernels, including both programs signed with the platform's Secure Boot keys and binaries that you've authorized with HashTool. If you need to authorize additional programs, you can do so from rEFInd by using the MOK utility tool icon that launches <tt>HashTool.efi</tt> from the second row of icons. (This icon should appear by default, but if you uncomment the <tt>showtools</tt> token in <tt>refind.conf</tt>, be sure that <tt>mok_tool</tt> is present among the options.)</p>
479
480 <p>Although PreLoader is easier to set up than Shim, particularly if you need to launch programs or kernels that aren't already signed, it suffers from the problem that you must register every new program you install, including Linux kernels if you launch them directly from rEFInd. This need can be a hassle if you update your kernels frequently, and every new registration chews up a little space in your NVRAM. Nonetheless, PreLoader can be a good Secure Boot solution for many users or if you want to build a portable Linux installation that you can use on any computer with minimal fuss.</p>
481
482 <a name="caveats">
483 <h2>Secure Boot Caveats</h2>
484 </a>
485
486 <p>rEFInd's Secure Boot originated with version 0.5.0 of the program, and was revamped for version 0.6.2, both released in late 2012. It's worked well for myself and several others with whom I've corresponded; but you might still run into problems. Some issues you might encounter include the following:</p>
487
488 <ul>
489
490 <li>rEFInd uses the same EFI "hooks" as PreLoader. This method, however, is
491 part of an optional EFI subsystem, so in theory some EFIs might not
492 support it. For months, I knew of no such implementation, but <a
493 href="http://superuser.com/questions/615142/uefi-failed-to-install-override-security-policy">this
494 SuperUser question</a> indicates that at least one such implementation
495 exists. Subsequent discussions on the site imply that the computer
496 doesn't support Secure Boot at all. The bottom line: If you encounter
497 the error message <tt>Failed to install override security policy,</tt>
498 try removing PreLoader from your boot path.</li>
499
500 <li>Under certain circumstances, the time required to launch a boot loader
501 can increase. This is unlikely to be noticeable for the average small
502 boot loader, but could be significant for larger boot loaders on slow
503 filesystems, such as Linux kernels on ext2fs, ext3fs, or ReiserFS
504 partitions.</li>
505
506 <li>rEFInd's own Secure Boot support is theoretically able to work on
507 non-<i>x</i>86-64 platforms; however, to the best of my knowledge, Shim
508 and PreLoader both work only on <i>x</i>86-64, and rEFInd is dependent
509 upon these tools. In principle, you should be able to <a
510 href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html#add_keys">replace
511 your computer's standard Secure Boot keys</a> to use Secure Boot on
512 these platforms with rEFInd, but this approach will require either
513 built-in key-modification tools in the computer's setup utility or a
514 build of <tt>LockDown.efi</tt> for your platform. I've not tested this
515 approach on <i>x</i>86 or ARM, so I can't say whether it would actually
516 work.</li>
517
518 <li>In theory, signing Microsoft's boot loader with a MOK should work. This
519 might be handy if you want to replace your computer's built-in keys
520 with your own but still boot Windows&mdash;but be aware that if Windows
521 replaces its boot loader, it will then stop working.</li>
522
523 </ul>
524
525 <p>If you launch a boot loader or other program from rEFInd that relies on the EFI's standard program-launching code, that program should take advantage of Shim and its MOKs. For instance, if you launch <a href="http://freedesktop.org/wiki/Software/gummiboot">gummiboot</a> from rEFInd (and rEFInd from Shim), gummiboot should be able to launch Shim/MOK-signed Linux kernels. This is not currently true if you launch gummiboot directly from Shim. (You can launch gummiboot from PreLoader and it should work, though, because of technical differences between how Shim and PreLoader work.)</p>
526
527 <p>My focus in testing rEFInd's Secure Boot capabilities has been on getting Linux kernels with EFI stub loaders to launch correctly. I've done some minimal testing with GRUB 2, though. I've also tested some self-signed binaries, such as an EFI shell and MokManager. (The EFI shell launches, but will not itself launch anything that's not been signed with a UEFI Secure Boot key. This of course limits its utility.)</p>
528
529 <p>Some of the awkwardness of using rEFInd with Secure Boot is due to the need to manage MOKs (either keys with Shim or hashes with PreLoader). Such problems would evaporate if you could get a copy of rEFInd signed with your distribution's Secure Boot key. Thus, if you're annoyed by such problems, try filing a feature request with your distribution maintainer to have them include rEFInd (and sign it!) with their official package set.</p>
530
531 <hr />
532
533 <p>copyright &copy; 2012&ndash;2015 by Roderick W. Smith</p>
534
535 <p>This document is licensed under the terms of the <a href="FDL-1.3.txt">GNU Free Documentation License (FDL), version 1.3.</a></p>
536
537 <p>If you have problems with or comments about this Web page, please e-mail me at <a href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com.</a> Thanks.</p>
538
539 <p><a href="index.html">Go to the main rEFInd page</a></p>
540
541 <p><a href="revisions.html">Learn about rEFInd's history</a></p>
542
543
544 <p><a href="http://www.rodsbooks.com/">Return</a> to my main Web page.</p>
545 </body>
546 </html>