<link href="../Styles/styles.css" rel="stylesheet" type="text/css" />
</head>
+<meta name="viewport" content="width=device-width, initial-scale=1">
+
<body>
<h1>The rEFInd Boot Manager:<br />Managing Secure Boot</h1>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 11/13/2012; last Web page update:
-2/16/2015, referencing rEFInd 0.8.6</p>
+9/19/2015, referencing rEFInd 0.9.2</p>
<p>This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<hr />
-<p class="sidebar"><b>Note:</b> My <a href="http://www.rodsbooks.com/efi-bootloaders/">Managing EFI Boot Loaders for Linux</a> Web page includes a much more detailed description of Secure Boot in its <a href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html">Dealing with Secure Boot</a> sub-page. You should consult this page if you want to disable Secure Boot, generate your own keys, or perform other such tasks.</p>
+<p class="sidebar"><b>Note:</b> My <a href="http://www.rodsbooks.com/efi-bootloaders/">Managing EFI Boot Loaders for Linux</a> Web page includes a much more detailed description of Secure Boot in two of its subpages. Consult <a href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html">Dealing with Secure Boot</a> for more information on disabling Secure Boot, using Shim, and using PreLoader; and read <a href="http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html">Controlling Secure Boot</a> for more information on using your own keys instead of or in addition to those that came with your computer.</p>
<div class="navbar">
<h3>Installing Shim and rEFInd</h3>
</a>
-<p class="sidebar"><b>Note:</b> rEFInd's <tt>install.sh</tt> script attempts to identify whether your computer was booted with Secure Boot active and, if it was, to locate existing Shim binaries and make use of whatever it finds. Thus, you may not need to explicitly set up Shim after you install rEFInd, although you will probably have to enroll rEFInd's key in your MOK list, as described shortly.</p>
+<p class="sidebar"><b>Note:</b> rEFInd's <tt>refind-install</tt> script attempts to identify whether your computer was booted with Secure Boot active and, if it was, to locate existing Shim binaries and make use of whatever it finds. Thus, you may not need to explicitly set up Shim after you install rEFInd, although you will probably have to enroll rEFInd's key in your MOK list, as described shortly.</p>
<p>A working Secure Boot installation of rEFInd involves at least three programs, and probably four or more, each of which must be installed in a specific way:</p>
</ul>
-<p>If you've installed a distribution that provides Shim and can boot it with Secure Boot active, and if you then install rEFInd using the RPM file that I provide or by running <tt>install.sh</tt>, chances are you'll end up with a working rEFInd that will start up the first time, with one caveat: You'll have to use MokManager to add rEFInd's MOK to your MOK list, as described shortly. If you don't already have a working copy of Shim on your ESP, your task is more complex. Broadly speaking, the procedure should be something like this:</p>
+<p>If you've installed a distribution that provides Shim and can boot it with Secure Boot active, and if you then install rEFInd using the RPM file that I provide or by running <tt>refind-install</tt>, chances are you'll end up with a working rEFInd that will start up the first time, with one caveat: You'll have to use MokManager to add rEFInd's MOK to your MOK list, as described shortly. If you don't already have a working copy of Shim on your ESP, your task is more complex. Broadly speaking, the procedure should be something like this:</p>
<ol>
version, though; as noted earlier, it's inadequate for use with
rEFInd.)</li>
-<p class="sidebar"><b>Tip:</b> If you're running Linux, you can save some effort by using the <tt>install.sh</tt> script with its <tt>--shim <tt class="variable">/path/to/shim.efi</tt></tt> option rather than installing manually, as in steps 4–6 of this procedure. If you've installed <tt>openssl</tt> and <tt>sbsign</tt>, using <tt>--localkeys</tt> will generate local signing keys and re-sign the rEFInd binaries with your own key, too. You can then use <tt>sbsign</tt> and the keys in <tt>/etc/refind.d/keys</tt> to sign your kernels or boot loaders.</p>
+<p class="sidebar"><b>Tip:</b> If you're running Linux, you can save some effort by using the <tt>refind-install</tt> script with its <tt>--shim <tt class="variable">/path/to/shim.efi</tt></tt> option rather than installing manually, as in steps 4–6 of this procedure. If you've installed <tt>openssl</tt> and <tt>sbsign</tt>, using <tt>--localkeys</tt> will generate local signing keys and re-sign the rEFInd binaries with your own key, too. You can then use <tt>sbsign</tt> and the keys in <tt>/etc/refind.d/keys</tt> to sign your kernels or boot loaders.</p>
<li>Copy the <tt>shim.efi</tt> and <tt>MokManager.efi</tt> binaries to the
directory you intend to use for rEFInd—for instance,
<tt>EFI/refind</tt> on the ESP.</li>
<li>Follow the installation instructions for rEFInd on the <a
- href="installing.html">Installing rEFInd</a> page; however, give rEFInd
- the filename <tt>grubx64.efi</tt> and register <tt>shim.efi</tt> with
- the EFI by using <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt> in
- Windows. Be sure that rEFInd (as <tt>grubx64.efi</tt>),
- <tt>shim.efi</tt>, and <tt>MokManager.efi</tt> all reside in the same
- directory.</li>
+ href="installing.html">Installing rEFInd</a> page; however, you should
+ normally give rEFInd the filename <tt>grubx64.efi</tt> and register
+ <tt>shim.efi</tt> with the EFI by using <tt>efibootmgr</tt> in Linux or
+ <tt>bcdedit</tt> in Windows. Be sure that rEFInd (as
+ <tt>grubx64.efi</tt>), <tt>shim.efi</tt>, and <tt>MokManager.efi</tt>
+ all reside in the same directory. If you're using Shim 0.7 or later and
+ installing it under Linux, you may optionally keep rEFInd's
+ <tt>refind_x64.efi</tt> name; but you must then tell Shim to use rEFInd
+ by passing an additional <tt>-u "shim.efi refind_x64.efi"</tt> option
+ to <tt>efibootmgr</tt>. Change the filenames to the actual filenames
+ used by Shim and rEFInd, respectively.</li>
<li>Copy the <tt>refind.cer</tt> file from the rEFInd package to your ESP,
ideally to a location with few other files. (The rEFInd installation
<h3>Managing Your MOKs</h3>
</a>
-<p>The preceding instructions provided the basics of getting rEFInd up and running, including using MokManager to enroll a MOK on your computer. If you need to sign binaries, though, you'll have to use additional tools. The OpenSSL package provides the cryptographic tools necessary, but actually signing EFI binaries requires additional software. Two packages for this are available: <tt>sbsigntool</tt> and <tt>pesign</tt>. Both are available in binary form from <a href="https://build.opensuse.org/project/show?project=home%3Ajejb1%3AUEFI">this OpenSUSE Build Service (OBS)</a> repository, and many distributions ship with at least one of them. The following procedure uses <tt>sbsigntool</tt>. To sign your own binaries, follow these steps (you can skip the first five steps if you've successfully used <tt>install.sh</tt>'s <tt>--localkeys</tt> option):</p>
+<p>The preceding instructions provided the basics of getting rEFInd up and running, including using MokManager to enroll a MOK on your computer. If you need to sign binaries, though, you'll have to use additional tools. The OpenSSL package provides the cryptographic tools necessary, but actually signing EFI binaries requires additional software. Two packages for this are available: <tt>sbsigntool</tt> and <tt>pesign</tt>. Both are available in binary form from <a href="https://build.opensuse.org/project/show?project=home%3Ajejb1%3AUEFI">this OpenSUSE Build Service (OBS)</a> repository, and many distributions ship with at least one of them. The following procedure uses <tt>sbsigntool</tt>. To sign your own binaries, follow these steps (you can skip the first five steps if you've successfully used <tt>refind-install</tt>'s <tt>--localkeys</tt> option):</p>
<ol>
normally comes in a package called <tt>openssl</tt>.)</li>
<li>If you did <i>not</i> re-sign your rEFInd binaries with
- <tt>install.sh</tt>'s <tt>--localkeys</tt> option, type the following
- two commands to generate your public and private keys:
+ <tt>refind-install</tt>'s <tt>--localkeys</tt> option, type the
+ following two commands to generate your public and private keys:
<pre class="listing">
$ <tt class="userinput">openssl req -new -x509 -newkey rsa:2048 -keyout refind_local.key \
are equivalent, but are used by different
tools—<tt>sbsigntool</tt> uses <tt>refind_local.crt</tt> to sign
binaries, but MokManager uses <tt>refind_local.cer</tt> to enroll the
- key. If you used <tt>install.sh</tt>'s <tt>--localkeys</tt> option,
+ key. If you used <tt>refind-install</tt>'s <tt>--localkeys</tt> option,
this step is unnecessary, since these keys have already been created
and are stored in <tt>/etc/refind.d/keys/</tt>.</li>