+<p>At this point you should be able to launch the binaries you've signed. Unfortunately, there can still be problems; see the upcoming section, <a href="#caveats">Secure Boot Caveats,</a> for information on them. Alternatively, you can try using PreLoader rather than Shim.</p>
+
+<a name="preloader">
+<h2>Using rEFInd with PreLoader</h2>
+</a>
+
+<p>If you want to use Secure Boot with a distribution that doesn't come with Shim but the preceding description exhausts you, take heart: PreLoader is easier to set up and use for your situation! Unfortunately, it's still not as easy to use as not using Secure Boot at all, and it's got some drawbacks, but it may represent an acceptable middle ground. To get started, proceed as follows:</p>
+
+<ol>
+
+<li>Boot the computer. As with Shim, this can be a challenge; you may need
+ to boot with Secure Boot disabled, use a Secure Boot–enabled live
+ CD, or do the installation from Windows.</li>
+
+<li><a href="getting.html">Download rEFInd</a> in binary form (the binary
+ zip or CD-R image file). If you download the binary zip file, unzip it;
+ if you get the CD-R image file, burn it to a CD-R and mount it.</li>
+
+<li>Download PreLoader from <a
+ href="http://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/">its
+ release page</a> or by clicking the following links. Be sure to get
+ both the <tt><a
+ href="http://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi">PreLoader.efi</a></tt>
+ and <tt><a
+ href="http://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi">HashTool.efi</a></tt>
+ files.</li>
+
+<li>Copy the <tt>PreLoader.efi</tt> and <tt>HashTool.efi</tt> binaries to
+ the directory you intend to use for rEFInd—for instance,
+ <tt>EFI/refind</tt> on the ESP.</li>
+
+<li>Follow the installation instructions for rEFInd on the <a
+ href="installing.html">Installing rEFInd</a> page; however, give rEFInd
+ the filename <tt>loader.efi</tt> and register <tt>PreLoader.efi</tt>
+ with the EFI by using <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt>
+ in Windows. Be sure that rEFInd (as <tt>loader.efi</tt>),
+ <tt>PreLoader.efi</tt>, and <tt>HashTool.efi</tt> all reside in the
+ same directory.</li>
+
+<li>Reboot. With any luck, you'll see HashTool appear with a warning
+ message stating that it was unable to launch <tt>loader.efi</tt> and
+ declaring that it will launch <tt>HashTool.efi</tt>. Press the Enter
+ key to continue.</li>
+
+<li>HashTool should now appear. It should give you three or four options,
+ including <tt>Enroll Hash</tt>, as shown here. Select this option</li>
+
+ <br /><img src="HashTool1.png" align="CENTER" width="641" height="459"
+ alt="HashTool provide a somewhat nicer user interface than
+ MokManager's." border=2> <br />
+
+<li>You can now select the binary you want to authorize. You should first
+ select <tt>loader.efi</tt>, since that's rEFInd. The program presents
+ the hash (a very long number) and asks for confirmation. Be sure to
+ select <tt>Yes</tt>.</li>
+
+ <br /><img src="HashTool2.png" align="CENTER" width="638" height="455"
+ alt="Be sure to select the right binary when you enroll its hash."
+ border=2> <br />
+
+<p class="sidebar"><b>Note:</b> Unfortunately, the initial version of HashTool's file selector can't change filesystems. Thus, if you want to boot a Linux kernel using rEFInd and PreLoader, you'll need to copy the kernel to the ESP, at least temporarily. Alternatively, as noted earlier, you can copy <tt>HashTool.efi</tt> to the directory that holds the kernels or to another directory on that partition that rEFInd scans—but be sure to rename <tt>HashTool.efi</tt> or rEFInd will ignore it. You'll then see a boot loader entry for HashTool. More recent versions of HashTool can access multiple partitions, but I have yet to find a pre-signed version, so if you want to use it, you'll need to compile it yourself and then register its hash with an earlier version (or with Secure Boot temporarily disabled).</p>
+
+<li>Repeat the preceding two steps for any additional binaries you might
+ want to enroll. These include any EFI filesystem drivers you're using,
+ any boot loaders you're launching from rEFInd (other than those that
+ are already signed, such as Microsoft's boot loader), and possibly your
+ Linux kernel.</li>
+
+<li>At the HashTool main menu, select <tt>Exit</tt>. rEFInd should
+ launch.</li>
+
+</ol>
+
+<p>If you did everything right, rEFInd should now launch follow-on boot loaders and kernels, including both programs signed with the platform's Secure Boot keys and binaries that you've authorized with HashTool. If you need to authorize additional programs, you can do so from rEFInd by using the MOK utility tool icon that launches <tt>HashTool.efi</tt> from the second row of icons. (This icon should appear by default, but if you uncomment the <tt>showtools</tt> token in <tt>refind.conf</tt>, be sure that <tt>mok_tool</tt> is present among the options.)</p>
+
+<p>Although PreLoader is easier to set up than Shim, particularly if you need to launch programs or kernels that aren't already signed, it suffers from the problem that you must register every new program you install, including Linux kernels if you launch them directly from rEFInd. This need can be a hassle if you update your kernels frequently, and every new registration chews up a little space in your NVRAM. Nonetheless, PreLoader can be a good Secure Boot solution for many users or if you want to build a portable Linux installation that you can use on any computer with minimal fuss.</p>
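Review bot: The download step links PreLoader.efi and HashTool.efi over plain http:// with no integrity check, and the enrollment step tells the reader to "Be sure to select Yes" on the displayed hash while the only caution about picking the right file sits in the HashTool2.png alt text. Since these two binaries and every enrolled hash become what the firmware will trust at boot, suggest adding a sentence to the download step telling readers to confirm the files are the signed release binaries before copying them to the ESP, and moving the "select the right binary" caution into the visible step text. Separately, the reboot step says "you'll see HashTool appear with a warning message" and the next step says "HashTool should now appear"; the program that fails to launch loader.efi and falls back to HashTool.efi is PreLoader, so the first mention should name PreLoader. On markup: the br/img lines and the sidebar paragraph are placed between list items as direct children of the ol element, which is not valid HTML; move each inside the preceding li. Minor: "Select this option" is missing its period, and the first alt text should read "HashTool provides".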