href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 11/13/2012; last Web page update:
-12/8/2012, referencing rEFInd 0.5.0.1</p>
+7/28/2014, referencing rEFInd 0.8.3</p>
-<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
+<p>This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<table border="1">
<tr>
<td>Donate $2.50</td>
<td>Donate $5.00</td>
<td>Donate $10.00</td>
+<td>Donate $20.00</td>
<td>Donate another value</td>
</tr>
<tr>
-<td><form name="_xclick" action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick">
+
+<td>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_donations">
<input type="hidden" name="business" value="rodsmith@rodsbooks.com">
-<input type="hidden" name="item_name" value="rEFInd Boot Manager">
+<input type="hidden" name="lc" value="US">
+<input type="hidden" name="no_note" value="0">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="amount" value="1.00">
-<input type="image" src="http://www.paypal.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
+<input type="hidden" name="item_name" value="rEFInd Boot Manager">
+<input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
+<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
+<img alt="Donate with PayPal" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
-
</td>
-<td><form name="_xclick" action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick">
+
+<td>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_donations">
<input type="hidden" name="business" value="rodsmith@rodsbooks.com">
-<input type="hidden" name="item_name" value="rEFInd Boot Manager">
+<input type="hidden" name="lc" value="US">
+<input type="hidden" name="no_note" value="0">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="amount" value="2.50">
-<input type="image" src="http://www.paypal.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
+<input type="hidden" name="item_name" value="rEFInd Boot Manager">
+<input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
+<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
+<img alt="Donate with PayPal" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
-
</td>
-<td><form name="_xclick" action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick">
+
+
+<td>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_donations">
<input type="hidden" name="business" value="rodsmith@rodsbooks.com">
-<input type="hidden" name="item_name" value="rEFInd Boot Manager">
+<input type="hidden" name="lc" value="US">
+<input type="hidden" name="no_note" value="0">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="amount" value="5.00">
-<input type="image" src="http://www.paypal.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
+<input type="hidden" name="item_name" value="rEFInd Boot Manager">
+<input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
+<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
+<img alt="Donate with PayPal" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
-
</td>
-<td><form name="_xclick" action="https://www.paypal.com/cgi-bin/webscr" method="post">
-<input type="hidden" name="cmd" value="_xclick">
+
+<td>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_donations">
<input type="hidden" name="business" value="rodsmith@rodsbooks.com">
-<input type="hidden" name="item_name" value="rEFInd Boot Manager">
+<input type="hidden" name="lc" value="US">
+<input type="hidden" name="no_note" value="0">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="amount" value="10.00">
-<input type="image" src="http://www.paypal.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
+<input type="hidden" name="item_name" value="rEFInd Boot Manager">
+<input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
+<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
+<img alt="Donate with PayPal" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
+</td>
+<td>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_donations">
+<input type="hidden" name="business" value="rodsmith@rodsbooks.com">
+<input type="hidden" name="lc" value="US">
+<input type="hidden" name="no_note" value="0">
+<input type="hidden" name="currency_code" value="USD">
+<input type="hidden" name="amount" value="20.00">
+<input type="hidden" name="item_name" value="rEFInd Boot Manager">
+<input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest">
+<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
+<img alt="Donate with PayPal" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
+</form>
</td>
+
<td>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_donations">
<img alt="Donate with PayPal" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
</td></tr>
-</table>
+</table>
<hr />
<p class="sidebar"><b>Note:</b> My <a href="http://www.rodsbooks.com/efi-bootloaders/">Managing EFI Boot Loaders for Linux</a> Web page includes a much more detailed description of Secure Boot in its <a href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html">Dealing with Secure Boot</a> sub-page. You should consult this page if you want to disable Secure Boot, generate your own keys, or perform other such tasks.</p>
-<p>If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some <a href="#basic">secure boot basics</a> and two specific aspects of rEFInd and its interactions with Secure Boot: <a href="#installation">installation issues</a> and <a href="#mok">MOK management.</a> It concludes with a look at <a href="#caveats">known bugs and limitations</a> in rEFInd's Secure Boot features.</p>
+<div class="navbar">
-<a name="basic">
-<h2>Basic Issues</h2>
-</a>
+<h4 class="tight">Contents</h4>
-<p class="sidebar"><b>Note:</b> You don't <i>have to</i> use Secure Boot. If you don't want it, you can <a href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html#disable">disable it,</a> at least on <i>x</i>86-64 PCs. If an ARM-based computer ships with Windows 8, this isn't an option for it. Unfortunately, the shim software described on this page currently supports only x86-64, not x86 or ARM.</p>
+<ul>
-<p>Through 2012, it became obvious that Secure Boot would be a feature that was controlled, to a large extent, by Microsoft. This is because Microsoft requires that non-server computers that display Windows 8 logos ship with Secure Boot enabled. As a practical matter, this also means that such computers ship with Microsoft's keys in their firmware. In the absence of an industry-standard body to manage the signing of Secure Boot keys, this means that Microsoft's key is the only one that's more-or-less guaranteed to be installed on the computer, thus blocking the ability to boot any OS that lacks a boot path through Microsoft's signing key.</p>
+<li class="tight"><a href="#basic">Basic Issues</li>
-<p>Fortunately, Microsoft will sign third-party binaries with their key. A payment of $99 to Verisign enables a software distributor to sign as many binaries as desired. Red Hat (Fedora), Novell (SUSE), and Canonical (Ubuntu) have all announced plans to take advantage of this system. Unfortunately, using a third-party signing service is an awkward solution for open source software. In fact, for this very reason Red Hat has developed a program that it calls <i>shim</i> that essentially shifts the Secure Boot "train" from Microsoft's proprietary "track" to one that's more friendly to open source authors. Shim is signed by Microsoft and redirects the boot process to another boot loader that can be signed with keys that the distribution maintains and that are built into shim. Fedora 18 is expected to use this system. SUSE has announced that it will use the same system, as does Ubuntu with version 12.10 and later. SUSE has contributed to the shim approach by providing expansions to shim that support a set of keys that users can maintain themselves. These keys are known as Machine Owner Keys (MOKs), and managing them is described later, in <a href="#mok">Managing MOKs.</a> To reiterate, then, there are potentially three ways to sign a binary that will get it launched on a system that uses shim:</p>
+<li class="tight"><a href="#shim">Using rEFInd with Shim</a></li>
+ <ul>
+ <li class="tight"><a href="#installation">Installing Shim and rEFInd</a></li>
+ <li class="tight"><a href="#mok">Managing Your MOKs</a></li>
+ </ul>
-<ul>
+<li class="tight"><a href="#preloader">Using rEFInd with PreLoader</a></li>
-<li><b>Secure Boot keys</b>—These keys are managed by the EFI firmware. In a default configuration, Microsoft is the only party that's more-or-less guaranteed to be able to sign boot loaders with these keys; however, it's possible to <a href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html#add_keys">replace Microsoft's keys with your own,</a> in order to take full control of Secure Boot on your computer. The trouble is that this process is tedious and varies in details from one computer to another.</li>
+<li class="tight"><a href="#caveats">Secure Boot Caveats</a></li>
-<li><b>Shim's built-in keys</b>—It's possible, but not necessary, to compile shim with a built-in public key. Its private counterpart can then be used to sign binaries. In practice, this key type is limited in utility; it's likely to be used by distribution maintainers to sign their own version of GRUB and the Linux kernels that it launches, nothing more. On the plus side, shim's keys require little or no maintenance by users. One potential complication is that if you swap out one shim binary for another, its built-in key may change, which means that the replacement shim might no longer launch its follow-on boot loader.</li>
+</ul>
-<li><b>MOKs</b>—Versions 0.2 and later of shim support MOKs, which give you the ability to add your own keys to the computer. If you want to install multiple Linux distributions in Secure Boot mode, MOKs are likely to be helpful. They're vital if you want to launch kernels you compile yourself or use boot managers or boot loaders other than those provided by your distribution.</li>
+</div>
-</ul>
+<p>If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some <a href="#basic">secure boot basics</a> and two specific ways of using rEFInd with Secure Boot: <a href="#shim">Using the shim program</a> and <a href="#preloader">using the PreLoader program.</a> It concludes with a look at <a href="#caveats">known bugs and limitations</a> in rEFInd's Secure Boot features.</p>
-<p>All three key types are the same in form—shim's built-in keys and MOKs are both generated using the same tools used to generate Secure Boot keys. Unfortunately, the tools used to generate these keys are still rather crude and are rarely installed on Linux systems, which is one of the reasons that rEFInd's installation script doesn't yet support setting up a Secure Boot configuration. Although it's theoretically possible to use rEFInd without signing your own binaries, this is not yet practical, because distributions don't yet provide their own signed binaries or the public MOK files you must have to enroll their keys. With any luck this will change in 2013. At the very least, many distributions will begin supporting Secure Boot in the near future, and with any luck they'll include their public MOKs for use with other distributions' versions of shim.</p>
+<a name="basic">
+<h2>Basic Issues</h2>
+</a>
-<p>Because shim and MOK are being supported by several of the major players in the Linux world, I've decided to do the same with rEFInd. Beginning with version 0.5.0, rEFInd can communicate with the shim system to authenticate boot loaders. If a boot loader has been signed by a valid UEFI Secure Boot key, a valid shim key, or a valid MOK key, rEFInd will launch it. rEFInd will also launch unsigned boot loaders or those with invalid signatures <i>if</i> Secure Boot is disabled in or unsupported by the firmware. (If that's your situation, you needn't bother reading this page.)</p>
+<p class="sidebar"><b>Note:</b> You don't <i>have to</i> use Secure Boot.
+If you don't want it, you can <a
+href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html#disable">disable
+it,</a> at least on <i>x</i>86-64 PCs. If an ARM-based computer ships with
+Windows 8, this isn't an option for it. Unfortunately, the shim and PreLoader programs described on this page currently support only <i>x</i>86-64, not <i>x</i>86 or ARM.</p>
-<p>Version 0.5.0 ships signed with my own keys, and I provide the public version of this key with the rEFInd package. This can help simplify setup, since you needn't generate your own keys to get rEFInd working; however, without public keys for the boot loaders that rEFInd launches, you'll still need to generate keys and sign your boot loaders, as described in the <a href="#mok">Managing Your MOKs</a> section.</p>
+<p>Through 2012, it became obvious that Secure Boot would be a feature that was controlled, to a large extent, by Microsoft. This is because Microsoft requires that non-server computers that display Windows 8 logos ship with Secure Boot enabled. As a practical matter, this also means that such computers ship with Microsoft's keys in their firmware. In the absence of an industry-standard body to manage the signing of Secure Boot keys, this means that Microsoft's key is the only one that's more-or-less guaranteed to be installed on the computer, thus blocking the ability to boot any OS that lacks a boot path through Microsoft's signing key.</p>
-<a name="installation">
-<h2>Installation Issues</h2>
-</a>
+<p>Fortunately, Microsoft will sign third-party binaries with their key—or more precisely, with a key that Microsoft uses to sign third-party binaries. (Microsoft uses another key to sign its own binaries, and some devices, such as the Microsoft Surface tablet, lack the third-party Microsoft key.) A payment of $99 to Verisign enables a software distributor to sign as many binaries as desired. Red Hat (Fedora), Novell (SUSE), and Canonical (Ubuntu) are all using this system to enable their boot loaders to run. Unfortunately, using a third-party signing service is an awkward solution for open source software. In fact, for this very reason two separate programs exist that shift the Secure Boot "train" from Microsoft's proprietary "track" to one that's more friendly to open source authors. Both of these programs (shim and PreLoader) are available in binary form signed by Microsoft's key. Shim enables the computer to launch binaries that are signed by a key that's built into it or that the user adds to a list known as the Machine Owner Key (MOK) list. PreLoader enables the computer to launch binaries that the user has explicitly identified as being OK. Distributions beginning with Ubuntu 12.10 (and 12.04.2), Fedora 18, and OpenSUSE 12.3 use shim, although Ubuntu ships with an early version of shim that's useless for launching rEFInd, at least through Ubuntu 13.04. To the best of my knowledge, no major distribution uses PreLoader, but it may see use on live CDs and is easier to set up if you're not using a distribution that supports shim.</p>
-<p>A working Secure Boot installation of rEFInd involves at least three programs, and probably four or more, each of which must be installed in a specific way:</p>
+<p>There are three ways to sign a binary that will get it launched on a computer that uses shim:</p>
<ul>
-<li><b>shim</b>—You can download a version of shim signed with Microsoft's Secure Boot key <a href="http://www.codon.org.uk/~mjg59/shim-signed/">here.</a> This version (created by shim's developer, former Red Hat employee Matthew J. Garrett) includes a shim key that's used by nothing but the <tt>MokManager.efi</tt> program that also ships with the program. Thus, to use this version of shim, you must use MOKs. Ubuntu 12.10 ships with its own shim, but that version doesn't support MOKs and so is useless for launching rEFInd. Future versions of Fedora, SUSE, and probably other distributions will come with their own variants of shim, most of which will no doubt support their own shim keys as well as MOKs. You should install shim just as you would install other EFI boot loaders, as described <a href="http://www.rodsbooks.com/efi-bootloaders/installation.html">here.</a> For use in launching rEFInd, it makes sense to install <tt>shim.efi</tt> in <tt>EFI/refind</tt> on your ESP, although of course this detail is up to you.</li>
+<li><b>Secure Boot keys</b>—These keys are managed by the EFI
+ firmware. In a default configuration, Microsoft is the only party
+ that's more-or-less guaranteed to be able to sign boot loaders with
+ these keys; however, it's possible to <a
+ href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html#add_keys">replace
+ Microsoft's keys with your own,</a> in order to take full control of
+ Secure Boot on your computer. The trouble is that this process is
+ tedious and varies in details from one computer to another.</li>
+
+<li><b>Shim's built-in keys</b>—It's possible, but not necessary, to
+ compile shim with a built-in public key. Its private counterpart can
+ then be used to sign binaries. In practice, this key type is limited in
+ utility; it's likely to be used by distribution maintainers to sign
+ their own version of GRUB and the Linux kernels that it launches,
+ nothing more. On the plus side, shim's keys require little or no
+ maintenance by users. One potential complication is that if you swap
+ out one shim binary for another, its built-in key may change, which
+ means that the replacement shim might no longer launch its follow-on
+ boot loader.</li>
+
+<li><b>MOKs</b>—Versions 0.2 and later of shim support MOKs, which
+ give you the ability to add your own keys to the computer. If you want
+ to install multiple Linux distributions in Secure Boot mode, MOKs are
+ likely to be helpful. They're vital if you want to launch kernels you
+ compile yourself or use boot managers or boot loaders other than those
+ provided by your distribution.</li>
-<li><b>MokManager</b>—This program is included with shim 0.2 and later. It presents a crude user interface for managing MOKs, and it's launched by shim if shim can't find its default boot loader (generally <tt>grubx64.efi</tt>) or if that program isn't properly signed. In principle, this program could be signed with a Secure Boot key or a MOK, but the binary in Garrett's shim 0.2 is signed with a shim key, and I expect that versions distributed with most Linux distributions will also be signed by their respective shim keys. This program should reside in the same directory as <tt>shim.efi</tt>, under the name <tt>MokManager.efi</tt>. Although you could theoretically do without MokManager, in practice you'll need it at least temporarily to install the MOK with which rEFInd is signed.</li>
+</ul>
-<li><b>rEFInd</b>—Naturally, you need rEFInd. Because shim is hard-coded to launch a program called <tt>grubx64.efi</tt>, you must install rEFInd using that name and to the same directory in which <tt>shim.efi</tt> resides. In theory, rEFInd could be signed with a Secure Boot key, a shim key, or a MOK; however, because Microsoft won't sign binaries distributed under the GPLv3, I can't distribute a version of rEFInd signed with Microsoft's Secure Boot key; and as I don't have access to the private shim keys used by any distribution, I can't distribute a rEFInd binary signed by them. (If distributions begin including rEFInd in their package sets, though, such distribution-provided binaries could be signed with the distributions' shim keys.) Thus, rEFInd will normally be signed by a MOK. Beginning with version 0.5.0, rEFInd binaries that I provide are signed by me.</li>
+<p>All three key types are the same in form—shim's built-in keys and MOKs are both generated using the same tools used to generate Secure Boot keys. The keys can be generated with the common <tt>openssl</tt> program, but signing EFI binaries requires a rarer program called <tt>sbsign</tt> or <tt>pesign</tt>. If you use shim with a distribution that doesn't support this tool, you'll need to either sign the kernels yourself, which can be a hassle, or launch the kernels by way of a boot loader that doesn't check for signatures, such as ELILO.</p>
-<li><b>Your boot loaders and kernels</b>—Your OS boot loaders, and perhaps your Linux kernels, must be signed. They can be signed with any of the three key types. Indeed, your system may have a mix of all three types—a Windows 8 boot loader will most likely be signed with Microsoft's Secure Boot key, GRUB and kernels provided by most distributions will be signed with their own shim keys, and if you use your own locally-compiled kernel or a boot loader from an unusual source you may need to sign it with a MOK. Aside from signing, these files can be installed in exactly the same way as if your computer were not using Secure Boot.</li>
+<p class="sidebar">Shim's author is working on merging it and PreLoader. Thus, future versions of shim may provide the advantages of both programs.</p>
-</ul>
+<p>PreLoader is easier to set up on a distribution that doesn't support shim because PreLoader doesn't rely on keys; instead, you tell it which binaries you trust and it will let you launch them. This works well on a system with boot managers, boot loaders, and kernels that seldom change. It's not a good solution for distribution maintainers, though, because it requires that users manually add binaries to PreLoader's list of approved binaries when the OS is installed and every time those binaries change. Also, PreLoader relies on a helper program, HashTool, to enroll hashes. (This is Geek for "tell the computer that a binary is OK.") Unfortunately, HashTool can enroll hashes only from the partition from which it was launched, so if you want to use rEFInd to launch Linux kernels directly, it's easiest if you mount your EFI System Partition (ESP) at <tt>/boot</tt> in Linux or copy your kernels to the ESP. Another approach is to copy <tt>HashTool.efi</tt> to the partition that holds your kernel and rename it to almost anything else. rEFInd will then treat it like an OS boot loader and create a menu entry for it, enabling you to launch it as needed.</p>
-<p>Because of variables such as which version of shim you're using and whether you're installing a pre-signed version of rEFInd or want to sign it yourself, I can't provide an absolutely complete procedure for installing rEFInd to work with Secure Boot. Broadly speaking, though, the procedure should be something like this:</p>
+<p>Beginning with version 0.5.0, rEFInd can communicate with the shim system to authenticate boot loaders. If a boot loader has been signed by a valid UEFI Secure Boot key, a valid shim key, or a valid MOK key, rEFInd will launch it. rEFInd will also launch unsigned boot loaders or those with invalid signatures <i>if</i> Secure Boot is disabled in or unsupported by the firmware. (If that's your situation, you needn't bother reading this page.) PreLoader is designed in such a way that it requires no explicit support in rEFInd to work.</p>
-<ol>
+<p>Version 0.5.0 ships signed with my own keys, and I provide the public version of this key with the rEFInd package. This can help simplify setup, since you needn't generate your own keys to get rEFInd working; however, if you lack public keys for the boot loaders that rEFInd launches, you'll need to generate your own keys and sign your boot loaders, as described in the <a href="#mok">Managing Your MOKs</a> section.</p>
+
+<a name="shim">
+<h2>Using rEFInd with Shim</h2>
+</a>
-<li>Boot the computer. This can be a challenge in and of itself. You may need to use a Secure Boot–enabled Linux emergency disc, temporarily disable Secure Boot, or do the work from Windows.</li>
+<p>Because several major distributions support shim, I describe it first. You may need to adjust the rEFInd installation process to get it working with shim, especially if you're not using a distribution that uses this software. In addition to installing shim, you should know how to manage your MOKs, so I describe this topic, too. If you don't want to use shim, you can skip ahead to <a href="#preloader">the section on PreLoader.</a></p>
-<li><a href="getting.html">Download rEFInd</a> in binary form (the binary zip or CD-R image file). If you download the binary zip file, unzip it; if you get the CD-R image file, burn it to a CD-R and mount it.</li>
+<a name="installation">
+<h3>Installing Shim and rEFInd</h3>
+</a>
-<li>Download shim from <a href="http://www.codon.org.uk/~mjg59/shim-signed/">Matthew J. Garrett's download site</a> or from your distribution. (Don't use Ubuntu 12.10's version, though; as noted earlier, it's inadequate for use with rEFInd.)</li>
+<p>A working Secure Boot installation of rEFInd involves at least three programs, and probably four or more, each of which must be installed in a specific way:</p>
-<li>Copy the <tt>shim.efi</tt> and <tt>MokManager.efi</tt> binaries to the directory you intend to use for rEFInd—for instance, <tt>EFI/refind</tt> on the ESP.</li>
+<ul>
-<li>Follow the installation instructions for rEFInd on the <a href="installing.html">Installing rEFInd</a> page; however, give rEFInd the filename <tt>grubx64.efi</tt> and register <tt>shim.efi</tt> with the EFI by using <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt> in Windows. This is most cleanly done by following the manual instructions; however, you can use the <tt>install.sh</tt> script if you subsequently rename the files and register <tt>shim.efi</tt> with <tt>efibootmgr</tt>. Be sure that rEFInd (as <tt>grubx64.efi</tt>), <tt>shim.efi</tt>, and <tt>MokManager.efi</tt> all reside in the same directory.</li>
+<li><b>shim</b>—You can download a version of shim signed with Microsoft's Secure Boot key <a href="http://www.codon.org.uk/~mjg59/shim-signed/">here.</a> This version (created by shim's developer, former Red Hat employee Matthew J. Garrett) includes a shim key that's used by nothing but the <tt>MokManager.efi</tt> program that also ships with the program. Thus, to use this version of shim, you must use MOKs. Fedora 18's and OpenSUSE 12.3's versions of shim include their own keys and can also use MOKs; but to use these packages with rEFInd, you must still enroll rEFInd's MOK. Ubuntu 12.10 and 13.04 ship with an earlier version of shim that version doesn't support MOKs. Ubuntu's shim is useless for launching rEFInd. Future distributions will probably come with their own variants of shim, most of which will no doubt support their own shim keys as well as MOKs. You should install shim just as you would install other EFI boot loaders, as described <a href="http://www.rodsbooks.com/efi-bootloaders/installation.html">here.</a> For use in launching rEFInd, it makes sense to install <tt>shim.efi</tt> in <tt>EFI/refind</tt> on your ESP, although of course this detail is up to you.</li>
-<li>Copy the <tt>refind.cer</tt> file from the rEFInd package to your ESP, ideally to a location with few other files. (The rEFInd installation directory should work fine.)</li>
+<li><b>MokManager</b>—This program is included with shim 0.2 and later (including the versions of shim that ship with Fedora 18 and OpenSUSE 12.3). It presents a crude user interface for managing MOKs, and it's launched by shim if shim can't find its default boot loader (generally <tt>grubx64.efi</tt>) or if that program isn't properly signed. In principle, this program could be signed with a Secure Boot key or a MOK, but the binary in Garrett's shim 0.2 is signed with a shim key, and I expect that versions distributed with most Linux distributions will also be signed by their respective shim keys. This program should reside in the same directory as <tt>shim.efi</tt>, under the name <tt>MokManager.efi</tt>. Although you could theoretically do without MokManager, in practice you'll need it at least temporarily to install the MOK with which rEFInd is signed.</li>
-<li>Reboot. With any luck, you'll see a simple text-mode user interface with a label of <tt>Shim UEFI key management</tt>. This is the MokManager program, which shim launched when rEFInd failed verification because its key is not yet enrolled.</li>
+<li><b>rEFInd</b>—Naturally, you need rEFInd. Because shim is hard-coded to launch a program called <tt>grubx64.efi</tt>, you must install rEFInd using that name and to the same directory in which <tt>shim.efi</tt> resides. In theory, rEFInd could be signed with a Secure Boot key, a shim key, or a MOK; however, because Microsoft won't sign binaries distributed under the GPLv3, I can't distribute a version of rEFInd signed with Microsoft's Secure Boot key; and as I don't have access to the private shim keys used by any distribution, I can't distribute a rEFInd binary signed by them. (If distributions begin including rEFInd in their package sets, though, such distribution-provided binaries could be signed with the distributions' shim keys.) Thus, rEFInd will normally be signed by a MOK. Beginning with version 0.5.0, rEFInd binaries that I provide are signed by me. Beginning with version 0.5.1, the installation script provides an option to sign the rEFInd binary with your own key, provided the necessary support software is installed.</li>
-<li>Press your down arrow key and press Enter to select <tt>Enroll key from disk</tt>. The screen will clear and prompt you to select a key, as shown here:</li>
+<li><b>Your boot loaders and kernels</b>—Your OS boot loaders, and perhaps your Linux kernels, must be signed. They can be signed with any of the three key types. Indeed, your system may have a mix of all three types—a Windows 8 boot loader will most likely be signed with Microsoft's Secure Boot key, GRUB and kernels provided by most distributions will be signed with their own shim keys, and if you use your own locally-compiled kernel or a boot loader from an unusual source you may need to sign it with a MOK. Aside from signing, these files can be installed in exactly the same way as if your computer were not using Secure Boot.</li>
- <br /><IMG SRC="MokManager1.png" ALIGN="CENTER" WIDTH="676"
- HEIGHT="186" ALT="MokManager's user interface is crude but effective."
- BORDER=2> <br />
+</ul>
-<li>Each of the lines with a long awkward string represents a disk partition. Select one and you'll see a list of files. Continue selecting subdirectories until you find the <tt>refind.cer</tt> file you copied to the ESP earlier.</li>
+<p>If you've installed Fedora 18 or OpenSUSE 12.3 and can boot it with Secure Boot active, and if you then install rEFInd using the RPM file that I provide or by running <tt>install.sh</tt>, chances are you'll end up with a working rEFInd that will start up the first time, with one caveat: You'll have to use MokManager to add rEFInd's MOK to your MOK list, as described shortly. If you don't already have a working copy of shim on your ESP, your task is more complex. Broadly speaking, the procedure should be something like this:</p>
-<li>Select <tt>refind.cer</tt>. You can type <tt class="userinput">1</tt> to view the certificate's details if you like, or skip that and type <tt class="userinput">0</tt> to enroll the key.</li>
+<ol>
-<li>Back out of any directories you entered and return to the MokManager main menu.</li>
+<li>Boot the computer. This can be a challenge in and of itself. You may
+ need to use a Secure Boot–enabled Linux emergency disc,
+ temporarily disable Secure Boot, or do the work from Windows.</li>
+
+<li><a href="getting.html">Download rEFInd</a> in binary form (the binary
+ zip or CD-R image file). If you download the binary zip file, unzip it;
+ if you get the CD-R image file, burn it to a CD-R and mount it.</li>
+
+<li>Download shim from <a
+ href="http://www.codon.org.uk/~mjg59/shim-signed/">Matthew J. Garrett's
+ download site</a> or from your distribution. (Don't use Ubuntu's
+ version, though; as noted earlier, it's inadequate for use with
+ rEFInd.)</li>
+
+<p class="sidebar"><b>Tip:</b> If you're running Linux, you can save some effort by using the <tt>install.sh</tt> script with its <tt>--shim <tt class="variable">/path/to/shim.efi</tt></tt> option rather than installing manually, as in steps 4–6 of this procedure. If you've installed <tt>openssl</tt> and <tt>sbsign</tt>, using <tt>--localkeys</tt> will generate local signing keys and re-sign the rEFInd binaries with your own key, too. You can then use <tt>sbsign</tt> and the keys in <tt>/etc/refind.d/keys</tt> to sign your kernels or boot loaders.</p>
+
+<li>Copy the <tt>shim.efi</tt> and <tt>MokManager.efi</tt> binaries to the
+ directory you intend to use for rEFInd—for instance,
+ <tt>EFI/refind</tt> on the ESP.</li>
+
+<li>Follow the installation instructions for rEFInd on the <a
+ href="installing.html">Installing rEFInd</a> page; however, give rEFInd
+ the filename <tt>grubx64.efi</tt> and register <tt>shim.efi</tt> with
+ the EFI by using <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt> in
+ Windows. Be sure that rEFInd (as <tt>grubx64.efi</tt>),
+ <tt>shim.efi</tt>, and <tt>MokManager.efi</tt> all reside in the same
+ directory.</li>
+
+<li>Copy the <tt>refind.cer</tt> file from the rEFInd package to your ESP,
+ ideally to a location with few other files. (The rEFInd installation
+ directory should work fine.)</li>
+
+<li>Reboot. With any luck, you'll see a simple text-mode user interface
+ with a label of <tt>Shim UEFI key management</tt>. This is the
+ MokManager program, which shim launched when rEFInd failed verification
+ because its key is not yet enrolled.</li>
+
+<li>Press your down arrow key and press Enter to select <tt>Enroll key from
+ disk</tt>. The screen will clear and prompt you to select a key, as
+ shown here:</li>
+
+ <br /><img src="MokManager1.png" align="CENTER" width="676"
+ height="186" alt="MokManager's user interface is crude but effective."
+ border=2> <br />
+
+<li>Each of the lines with a long awkward string represents a disk
+ partition. Select one and you'll see a list of files. Continue
+ selecting subdirectories until you find the <tt>refind.cer</tt> file
+ you copied to the ESP earlier. (Note that the long lines can wrap
+ and hide valid entries on the next line, so you may need to select
+ a disk whose entry is masked by another one!)</li>
+
+<li>Select <tt>refind.cer</tt>. You can type <tt class="userinput">1</tt>
+ to view the certificate's details if you like, or skip that and type
+ <tt class="userinput">0</tt> to enroll the key.</li>
+
+<li>Back out of any directories you entered and return to the MokManager
+ main menu.</li>
<li>Select <tt>Continue boot</tt> at the main menu.</li>
<p>At this point the computer may boot into its default OS, reboot, or perhaps even hang. When you reboot it, though, rEFInd should start up in Secure Boot mode. (You can verify this by selecting the <i>About rEFInd</i> tool in the main menu. Check the <i>Platform</i> item in the resulting screen; it should verify that Secure Boot is active.) You should now be able to launch any boot loader signed with a key recognized by the firmware or by shim (including any MOKs you've enrolled). If you want to manage keys in the future, rEFInd displays a new icon in the second (tools) row you can use to launch MokManager. (This icon appears by default if MokManager is installed, but if you edit <tt>showtools</tt> in <tt>refind.conf</tt>, you must be sure to include <tt>mok_tool</tt> as an option in order to gain access to it.)</p>
-<p>If you're using Ubuntu 12.10, you can't use its version of shim, but you can replace it with Garrett's shim. The problem is that Ubuntu's GRUB and kernel will then be signed by an unknown key. Unfortunately, I haven't found a suitable public key file on Ubuntu's distribution medium, so you may need to sign GRUB and/or your kernels with your own MOK. In principle, you should be able to use shim 0.2 or later from future distributions that include it; but you must be sure that whatever you use supports MokManager.</p>
+<p>If you're using Ubuntu, you can't use its version of shim, but you can replace it with Garrett's shim. If you do so, though, you'll have to add Ubuntu's public key as a MOK, at least if you intend to launch Ubuntu's version of GRUB or launch Ubuntu-provided signed kernels. Ubuntu's public key is available in the <a href="http://archive.ubuntu.com/ubuntu/pool/main/s/shim/shim_0~20120906.bcd0a4e8-0ubuntu4.debian.tar.gz">shim_0~20120906.bcd0a4e8-0ubuntu4.debian.tar.gz</a> tarball, as <tt>canonical-uefi-ca.der</tt>. (The filename extensions <tt>.cer</tt> and <tt>.der</tt> are interchangeable for most purposes.) I've also included this key with rEFInd, in the <tt>refind/keys</tt> subdirectory of its package file. To use this key, copy it to your ESP and enroll it with MokManager. See <a href="http://falstaff.agner.ch/2012/12/12/secure-boot-implementation-of-ubuntu-12-10-quantal-quetzal/">this blog post</a> for further details on Ubuntu 12.10's handling of Secure Boot. In principle, you should be able to use shim 0.2 or later from future distributions that include it; but you must be sure that whatever you use supports MokManager.</p>
<a name="mok">
-<h2>Managing Your MOKs</h2>
+<h3>Managing Your MOKs</h3>
</a>
-<p>The preceding instructions provided the basics of getting rEFInd up and running, including using MokManager to enroll a MOK on your computer. If you need to sign binaries, though, you'll have to use additional tools. The OpenSSL package provides the cryptographic tools necessary, but actually signing EFI binaries requires additional software. Two packages for this are available: <tt>sbsigntool</tt> and <tt>pesign</tt>. Both are available in binary form from <a href="https://build.opensuse.org/project/show?project=home%3Ajejb1%3AUEFI">this OpenSUSE Build Service (OBS)</a> repository. The following procedure uses <tt>sbsigntool</tt>. To sign your own binaries, follow these steps:</p>
+<p>The preceding instructions provided the basics of getting rEFInd up and running, including using MokManager to enroll a MOK on your computer. If you need to sign binaries, though, you'll have to use additional tools. The OpenSSL package provides the cryptographic tools necessary, but actually signing EFI binaries requires additional software. Two packages for this are available: <tt>sbsigntool</tt> and <tt>pesign</tt>. Both are available in binary form from <a href="https://build.opensuse.org/project/show?project=home%3Ajejb1%3AUEFI">this OpenSUSE Build Service (OBS)</a> repository. The following procedure uses <tt>sbsigntool</tt>. To sign your own binaries, follow these steps (you can skip the first five steps if you've used <tt>install.sh</tt>'s <tt>--localkeys</tt> option):</p>
<ol>
-<li>If it's not already installed, install OpenSSL on your computer. (It normally comes in a package called <tt>openssl</tt>.</li>
+<li>If it's not already installed, install OpenSSL on your computer. (It
+ normally comes in a package called <tt>openssl</tt>.)</li>
-<li>Type the following two commands to generate your public and private keys:
+<li>If you did <i>not</i> re-sign your rEFInd binaries with
+ <tt>install.sh</tt>'s <tt>--localkeys</tt> option, type the following
+ two commands to generate your public and private keys:
<pre class="listing">
-$ <tt class="userinput">openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt \
- -nodes -days 3650 -subj "/CN=Your Name/"</tt>
-$ <tt class="userinput">openssl x509 -in MOK.crt -out MOK.cer -outform DER</tt>
+$ <tt class="userinput">openssl req -new -x509 -newkey rsa:2048 -keyout refind_local.key \
+ -out refind_local.crt -nodes -days 3650 -subj "/CN=Your Name/"</tt>
+$ <tt class="userinput">openssl x509 -in refind_local.crt -out refind_local.cer -outform DER</tt>
</pre>
-Change <tt>Your Name</tt> to your own name or other identifying characteristics, and adjust the certificate's time span (set via <tt>-days</tt>) as you see fit. If you omit the <tt>-nodes</tt> option, the program will prompt you for a passphrase for added security. Remember this, since you'll need it to sign your binaries. The result is a private key file (<tt>MOK.key</tt>), which is highly sensitive since it's required to sign binaries, and two public keys (<tt>MOK.crt</tt> and <tt>MOK.cer</tt>), which can be used to verify signed binaries' authenticity. The two public key files are equivalent, but are used by different tools—<tt>sbsigntool</tt> uses <tt>MOK.crt</tt> to sign binaries, but MokManager uses <tt>MOK.cer</tt> to enroll the key.</li>
-
-<li>Copy the three key files to a secure location and adjust permissions such that only you can read <tt>MOK.key</tt>. You'll need these keys to sign future binaries, so don't discard them.</li>
+ Change <tt>Your Name</tt> to your own name or other identifying
+ characteristics, and adjust the certificate's time span (set via
+ <tt>-days</tt>) as you see fit. If you omit the <tt>-nodes</tt> option,
+ the program will prompt you for a passphrase for added security.
+ Remember this, since you'll need it to sign your binaries. The result
+ is a private key file (<tt>refind_local.key</tt>), which is highly
+ sensitive since it's required to sign binaries, and two public keys
+ (<tt>refind_local.crt</tt> and <tt>refind_local.cer</tt>), which can be
+ used to verify signed binaries' authenticity. The two public key files
+ are equivalent, but are used by different
+ tools—<tt>sbsigntool</tt> uses <tt>refind_local.crt</tt> to sign
+ binaries, but MokManager uses <tt>refind_local.cer</tt> to enroll the
+ key. If you used <tt>install.sh</tt>'s <tt>--localkeys</tt> option,
+ this step is unnecessary, since these keys have already been created
+ and are stored in <tt>/etc/refind.d/keys</tt>.</li>
+
+<li>Copy the three key files to a secure location and adjust permissions
+ such that only you can read <tt>refind_local.key</tt>. You'll need
+ these keys to sign future binaries, so don't discard them.</li>
+
+<li>Copy the <tt>refind_local.cer</tt> file to your ESP, ideally to a
+ location with few other files. (MokManager's user interface becomes
+ unreliable when browsing directories with lots of files.)</li>
+
+<li>Download and install the <tt>sbsigntool</tt> package. Binary links for
+ various distributions are available from the <a
+ href="https://build.opensuse.org/package/show?package=sbsigntools&project=home%3Ajejb1%3AUEFI">OpenSUSE
+ Build Service</a>, or you can obtain the source code by typing <tt
+ class="userinput">git clone
+ git://kernel.ubuntu.com/jk/sbsigntool</tt>.</li>
+
+<li>Sign your binary by typing <tt class="userinput">sbsign --key
+ refind_local.key --cert refind_local.crt --output <tt
+ class="variable">binary-signed.efi binary.efi</tt></tt>, adjusting the
+ paths to the keys and the binary names.</li>
+
+<li>Copy your signed binary to a suitable location on the ESP for rEFInd to
+ locate it. Be sure to include any support files that it needs,
+ too.</li>
+
+<li>Check your <tt>refind.conf</tt> file to ensure that the
+ <tt>showtools</tt> option is either commented out or includes
+ <tt>mok_tool</tt> among its options.</li>
+
+<li>Reboot. You can try launching the boot loader you just installed, but
+ chances are it will generate an <tt>Access Denied</tt> message. For it
+ to work, you must launch MokManager using the tool that rEFInd presents
+ on its second row. You can then enroll your <tt>refind_local.cer</tt>
+ key just as you enrolled the <tt>refind.cer</tt> key.</li>
-<li>Copy the <tt>MOK.cer</tt> file to your ESP, ideally to a location with few other files. (MokManager's user interface becomes unreliable when browsing directories with lots of files.)</li>
+</ol>
-<li>Download and install the <tt>sbsigntool</tt> package. Binary links for various distributions are available from the <a href="https://build.opensuse.org/package/show?package=sbsigntools&project=home%3Ajejb1%3AUEFI">OpenSUSE Build Service</a>, or you can obtain the source code by typing <tt class="userinput">git clone git://kernel.ubuntu.com/jk/sbsigntool</tt>.</li>
+<p>At this point you should be able to launch the binaries you've signed. Unfortunately, there can still be problems at this point....</p>
-<li>Sign your binary by typing <tt class="userinput">sbsign --key MOK.key --cert MOK.crt --output <tt class="variable">binary-signed.efi binary.efi</tt></tt>, adjusting the paths to the keys and the binary names.</li>
+<a name="preloader">
+<h2>Using rEFInd with PreLoader</h2>
+</a>
-<li>Copy your signed binary to a suitable location on the ESP for rEFInd to locate it. Be sure to include any support files that it needs, too.</li>
+<p>If you want to use Secure Boot with a distribution that doesn't come with shim but the preceding description exhausts you, take heart: PreLoader is easier to set up and use for your situation! Unfortunately, it's still not as easy to use as not using Secure Boot at all, and it's got some drawbacks, but it may represent an acceptable middle ground. To get started, proceed as follows:</p>
-<li>Check your <tt>refind.conf</tt> file to ensure that the <tt>showtools</tt> option is either commented out or includes <tt>mok_tool</tt> among its options.</li>
+<ol>
-<li>Reboot. You can try launching the boot loader you just installed, but chances are it will generate an <tt>Access Denied</tt> message. For it to work, you must launch MokManager using the tool that rEFInd presents on its second row. You can then enroll your <tt>MOK.cer</tt> key just as you enrolled the <tt>refind.cer</tt> key.</li>
+<li>Boot the computer. As with shim, this can be a challenge; you may need
+ to boot with Secure Boot disabled, use a Secure Boot–enabled live
+ CD, or do the installation from Windows.</li>
+
+<li><a href="getting.html">Download rEFInd</a> in binary form (the binary
+ zip or CD-R image file). If you download the binary zip file, unzip it;
+ if you get the CD-R image file, burn it to a CD-R and mount it.</li>
+
+<li>Download PreLoader from <a
+ href="http://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/">its
+ release page</a> or by clicking the following links. Be sure to get
+ both the <tt><a
+ href="http://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi">PreLoader.efi</a></tt>
+ and <tt><a
+ href="http://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi">HashTool.efi</a></tt>
+ files.</li>
+
+<li>Copy the <tt>PreLoader.efi</tt> and <tt>HashTool.efi</tt> binaries to
+ the directory you intend to use for rEFInd—for instance,
+ <tt>EFI/refind</tt> on the ESP.</li>
+
+<li>Follow the installation instructions for rEFInd on the <a
+ href="installing.html">Installing rEFInd</a> page; however, give rEFInd
+ the filename <tt>loader.efi</tt> and register <tt>PreLoader.efi</tt>
+ with the EFI by using <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt>
+ in Windows. Be sure that rEFInd (as <tt>loader.efi</tt>),
+ <tt>PreLoader.efi</tt>, and <tt>HashTool.efi</tt> all reside in the
+ same directory.</li>
+
+<li>Reboot. With any luck, you'll see HashTool appear with a warning
+ message stating that it was unable to launch <tt>loader.efi</tt> and
+ declaring that it will launch <tt>HashTool.efi</tt>. Press the Enter
+ key to continue.</li>
+
+<li>HashTool should now appear. It should give you three or four options,
+ including <tt>Enroll Hash</tt>, as shown here. Select this option</li>
+
+ <br /><img src="HashTool1.png" align="CENTER" width="641" height="459"
+ alt="HashTool provide a somewhat nicer user interface than
+ MokManager's." border=2> <br />
+
+<li>You can now select the binary you want to authorize. You should first
+ select <tt>loader.efi</tt>, since that's rEFInd. The program presents
+ the hash (a very long number) and asks for confirmation. Be sure to
+ select <tt>Yes</tt>.</li>
+
+ <br /><img src="HashTool2.png" align="CENTER" width="638" height="455"
+ alt="Be sure to select the right binary when you enroll its hash."
+ border=2> <br />
+
+<p class="sidebar"><b>Note:</b> Unfortunately, HashTool's file selector can't change filesystems. Thus, if you want to boot a Linux kernel using rEFInd and PreLoader, you'll need to copy the kernel to the ESP, at least temporarily. Alternatively, as noted earlier, you can copy <tt>HashTool.efi</tt> to the directory that holds the kernels or to another directory on that partition that rEFInd scans—but be sure to rename <tt>HashTool.efi</tt> or rEFInd will ignore it. You'll then see a boot loader entry for HashTool.</p>
+
+<li>Repeat the preceding two steps for any additional binaries you might
+ want to enroll. These include any EFI filesystem drivers you're using,
+ any boot loaders you're launching from rEFInd (other than those that
+ are already signed, such as Microsoft's boot loader), and possibly your
+ Linux kernel.</li>
+
+<li>At the HashTool main menu, select <tt>Exit</tt>. rEFInd should
+ launch.</li>
</ol>
-<p>At this point you should be able to launch the binaries you've signed. Unfortunately, there can still be problems at this point....</p>
+<p>If you did everything right, rEFInd should now launch follow-on boot loaders and kernels, including both programs signed with the platform's Secure Boot keys and binaries that you've authorized with HashTool. If you need to authorize additional programs, you can do so from rEFInd by using the MOK utility tool icon that launches <tt>HashTool.efi</tt> from the second row of icons. (This icon should appear by default, but if you uncomment the <tt>showtools</tt> token in <tt>refind.conf</tt>, be sure that <tt>mok_tool</tt> is present among the options.)</p>
<a name="caveats">
<h2>Secure Boot Caveats</h2>
</a>
-<p>rEFInd's Secure Boot support is brand-new with version 0.5.0 of the program. Unfortunately, rEFInd, like shim, must essentially bypass UEFI security features, and must simultaneously not create security problems, in order to work. Unfortunately, the procedures that rEFInd uses to do this (which were lifted straight from shim) play "fast and loose" with the UEFI rules. This fact creates a number of limitations, which include (but are almost certainly not limited to) the following:</p>
+<p>rEFInd's Secure Boot support is brand-new with version 0.5.0 of the program, and was revamped for version 0.6.2. I believe rEFInd 0.6.2's Secure Boot support to be significantly superior to that of previous versions, but you might still run into problems. Some issues you might encounter include the following:</p>
<ul>
-<li>rEFInd can launch <i>one</i> shim/MOK-signed driver, no more. If you
- try to launch two drivers, rEFInd throws up an <tt>Access Denied</tt>
- error for the second driver.</li>
-
-<li>ELILO can't find the directory from which it was launched when launched
- from rEFInd in Secure Boot mode. This means that you must pass the
- <tt>-C <tt class="variable">/path/to/binary/</tt>elilo.conf</tt> option
- to ELILO. rEFInd does this automatically for the default ELILO option,
- but you should bear the need in mind if you edit that option or use the
- secondary boot options. Because of the same problem, you must specify
- the complete path to your kernel and initial RAM disk file in
- <tt>elilo.conf</tt>. Be sure to specify these paths using either
- forward slashes (<tt>/</tt>) or doubled-up backslashes (<tt>\\</tt>).
- It's possible that some other boot loaders will suffer from the same
- problem.</li>
-
-<li>Signing the Windows boot loader with a MOK won't work; it hangs,
- probably for reasons similar to the ones that cause ELILO to fail to
- find its home directory. Fortunately, the Windows 8 boot loader should
- work because it should be verified and launched via EFI calls rather
- than via the new shim-derived code. (I lack a Windows 8 installation
- for testing, though.) This limitation could affect you if you want to
- boot Windows 7 with Secure Boot active, though.</li>
+<li>rEFInd uses the same EFI "hooks" as PreLoader. This method, however, is
+ part of an optional EFI subsystem, so in theory some EFIs might not
+ support it. For months, I knew of no such implementation, but <a
+ href="http://superuser.com/questions/615142/uefi-failed-to-install-override-security-policy">this
+ SuperUser question</a> indicates that at least one such implementation
+ exists. The board in question is old enough that it might not support
+ Secure Boot at all, though, so I'm not sure if this report indicates a
+ serious limitation or just a stray error message on a computer that
+ doesn't need this feature at all.</li>
<li>Under certain circumstances, the time required to launch a boot loader
can increase. This is unlikely to be noticeable for the average small
filesystems, such as Linux kernels on ext2fs, ext3fs, or ReiserFS
partitions.</li>
-<li>Secure Boot mode doesn't work on <i>x</i>86 (IA32) or ARM systems, just
- on <i>x</i>86-64 (AMD64) computers. This is largely because shim has
- the same limitations.</li>
+<li>As of version 0.6.2, rEFInd's own Secure Boot support is theoretically
+ able to work on non-<i>x</i>86-64 platforms; however, shim 0.2 and
+ PreLoader both work only on <i>x</i>86-64, and rEFInd is dependent
+ upon these tools. Thus, you'll have to wait for future developments if
+ you want to use Secure Boot on <i>x</i>86 or ARM computers.</li>
+
+<li>In theory, signing Microsoft's boot loader with a MOK should work. This
+ might be handy if you want to replace your computer's built-in keys
+ with your own but still boot Windows—but be aware that if Windows
+ replaces its boot loader, it will then stop working.</li>
</ul>
-<p>My focus in testing rEFInd's Secure Boot capabilities has been on getting Linux kernels with EFI stub loaders to launch correctly. I've done some minimal testing with GRUB 2, though. I've also tested some self-signed binaries, such as an EFI shell and MokManager. (The EFI shell launches, but will not itself launch anything that's not been signed with a UEFI Secure Boot key. This of course limits its utility.)</p>
+<p>If you launch a boot loader or other program from rEFInd that relies on the EFI's standard program-launching code, that program should take advantage of shim and its MOKs. For instance, if you launch <a href="http://freedesktop.org/wiki/Software/gummiboot">gummiboot</a> from rEFInd (and rEFInd from shim), gummiboot should be able to launch shim/MOK-signed Linux kernels. This is not currently true if you launch gummiboot directly from shim. (You can launch gummiboot from PreLoader and it should work, though, because of technical differences between how shim and PreLoader work.)</p>
+
+<p>My focus in testing rEFInd's Secure Boot capabilities has been on getting Linux kernels with EFI stub loaders to launch correctly. I've done some minimal testing with GRUB 2, though. I've also tested some self-signed binaries, such as an EFI shell and MokManager. (The EFI shell launches, but will not itself launch anything that's not been signed with a UEFI Secure Boot key, even with rEFInd 0.6.2. This of course limits its utility.)</p>
-<p>At the moment, I consider rEFInd's shim/MOK support to be of alpha quality. I'm releasing it in this state in the hope of getting feedback from adventurous early adopters. I expect to improve the installation procedure, and with any luck fix some of the known bugs, in the next couple of versions. Some of the usability improvements are dependent upon MOK-capable versions of shim being released with major distributions; such versions of shim, with kernels signed with the key that matches the one built into shim, will greatly reduce the need for users to sign boot loaders.</p>
+<p>At the moment, I consider rEFInd's shim/MOK support to be of late alpha quality. I'm releasing it in this state in the hope of getting feedback from adventurous early adopters. Some of the usability improvements are dependent upon MOK-capable versions of shim being released with major distributions; such versions of shim, with kernels signed with the key that matches the one built into shim, will greatly reduce the need for users to sign boot loaders.</p>
<hr />
-<p>copyright © 2012 by Roderick W. Smith</p>
+<p>copyright © 2012–2014 by Roderick W. Smith</p>
<p>This document is licensed under the terms of the <a href="FDL-1.3.txt">GNU Free Documentation License (FDL), version 1.3.</a></p>