- <tt>bzImage</tt> or <tt>vmlinuz</tt> and that end in <tt>.efi</tt>. For
- instance, <tt>bzImage-3.3.0.efi</tt> or <tt>vmlinuz-3.3.0-fc17.efi</tt>
- would match, and trigger subsequent steps in this procedure. Beginning
- with version 0.3.0, if you uncomment the
- <tt>scan_all_linux_kernels</tt> option in <tt>refind.conf</tt>, rEFInd
- will also scan for kernels <i>without</i> a <tt>.efi</tt> filename
- extension. This option is uncommented by default, but if you comment it
- out, delete it, or change it to read <tt>scan_all_linux_kernels 0</tt>,
- rEFInd won't scan for kernels that lack <tt>.efi</tt> filename
- extensions.</li>
+ <tt>bzImage</tt> or <tt>vmlinuz</tt>. For instance,
+ <tt>bzImage-3.19.0.efi</tt> or <tt>vmlinuz-4.2.0</tt> would match, and
+ trigger subsequent steps in this procedure. The
+ <tt>scan_all_linux_kernels</tt> option in <tt>refind.conf</tt> controls
+ the scanning for kernels whose names do not end in <tt>.efi</tt>; if
+ this option is set to <tt>false</tt>, kernel filenames must end in
+ <tt>.efi</tt> to be picked up by rEFInd. This option is set to
+ <tt>true</tt> by default, but you can change it if you don't want to
+ scan all Linux kernels.</li>
+
+<li>If a file's name ends in <tt>.efi.signed</tt>, any other file with an
+ otherwise-identical name that <i>lacks</i> this extension is excluded.
+ This peculiar rule exists because Ubuntu delivers two
+ copies of every kernel, one with and one without this extension. The
+ one with the extension is signed with a Secure Boot key; the one
+ without it is not so signed. Thus, if both files are present, the one
+ without the key won't boot on a computer with Secure Boot active, and
+ either will boot if Secure Boot is inactive. Thus, rEFInd excludes the
+ redundant (unsigned) file in order to help keep the list of boot
+ options manageable.</li>
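Review bot: In the new .efi.signed item, "the one without it is not so signed. Thus, if both files are present, the one without the key won't boot" misnames what the second file lacks. The preceding sentence says the file is signed with a Secure Boot key, so the other copy is missing a signature, not a key. Suggest "the unsigned one won't boot on a computer with Secure Boot active". The item also opens two consecutive sentences with "Thus"; dropping the second one reads better. As written, the rule matches on the filename alone, so it would help to say that explicitly, so readers do not take the .efi.signed suffix as evidence that a file has been verified. In the first item, the removed text noted that scan_all_linux_kernels was available "beginning with version 0.3.0" and the replacement drops that; keep the version note if the page is still meant to serve users of older releases.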