X-Git-Url: https://code.delx.au/refind/blobdiff_plain/970af7382223d2dd18a6d29db512eb7009a6ff6f..dca87996fe98099efb7626df25465707aeca4cfd:/docs/refind/secureboot.html diff --git a/docs/refind/secureboot.html b/docs/refind/secureboot.html index b7cba26..ef8b7c0 100644 --- a/docs/refind/secureboot.html +++ b/docs/refind/secureboot.html @@ -17,7 +17,7 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com
Originally written: 11/13/2012; last Web page update: -9/13/2015, referencing rEFInd 0.9.1
+11/8/2015, referencing rEFInd 0.10.0This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
@@ -44,7 +44,6 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com - @@ -59,7 +58,6 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com - @@ -75,7 +73,6 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com - @@ -90,7 +87,6 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com - @@ -105,7 +101,6 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com - @@ -119,7 +114,6 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com - @@ -154,6 +148,13 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com + +If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some Secure Boot basics and two specific ways of using rEFInd with Secure Boot: Using the Shim program and using the PreLoader program. (My separate EFI Boot Loaders for Linux page on Secure Boot covers the additional topics of disabling Secure Boot and adding keys to the firmware's own set of keys.) This page concludes with a look at known bugs and limitations in rEFInd's Secure Boot features.
@@ -228,7 +229,7 @@ Windows 8, this isn't an option for it. Unfortunately, the Shim and PreLoader prA working Secure Boot installation of rEFInd involves at least three programs, and probably four or more, each of which must be installed in a specific way:
@@ -244,7 +245,7 @@ Windows 8, this isn't an option for it. Unfortunately, the Shim and PreLoader pr -If you've installed a distribution that provides Shim and can boot it with Secure Boot active, and if you then install rEFInd using the RPM file that I provide or by running install.sh, chances are you'll end up with a working rEFInd that will start up the first time, with one caveat: You'll have to use MokManager to add rEFInd's MOK to your MOK list, as described shortly. If you don't already have a working copy of Shim on your ESP, your task is more complex. Broadly speaking, the procedure should be something like this:
+If you've installed a distribution that provides Shim and can boot it with Secure Boot active, and if you then install rEFInd using the RPM file that I provide or by running refind-install, chances are you'll end up with a working rEFInd that will start up the first time, with one caveat: You'll have to use MokManager to add rEFInd's MOK to your MOK list, as described shortly. If you don't already have a working copy of Shim on your ESP, your task is more complex. Broadly speaking, the procedure should be something like this:
The preceding instructions provided the basics of getting rEFInd up and running, including using MokManager to enroll a MOK on your computer. If you need to sign binaries, though, you'll have to use additional tools. The OpenSSL package provides the cryptographic tools necessary, but actually signing EFI binaries requires additional software. Two packages for this are available: sbsigntool and pesign. Both are available in binary form from this OpenSUSE Build Service (OBS) repository, and many distributions ship with at least one of them. The following procedure uses sbsigntool. To sign your own binaries, follow these steps (you can skip the first five steps if you've successfully used install.sh's --localkeys option):
+The preceding instructions provided the basics of getting rEFInd up and running, including using MokManager to enroll a MOK on your computer. If you need to sign binaries, though, you'll have to use additional tools. The OpenSSL package provides the cryptographic tools necessary, but actually signing EFI binaries requires additional software. Two packages for this are available: sbsigntool and pesign. Both are available in binary form from this OpenSUSE Build Service (OBS) repository, and many distributions ship with at least one of them. The following procedure uses sbsigntool. To sign your own binaries, follow these steps (you can skip the first five steps if you've successfully used refind-install's --localkeys option):
$ openssl req -new -x509 -newkey rsa:2048 -keyout refind_local.key \ @@ -357,7 +363,7 @@ $ openssl x509 -in refind_local.crt -out refind_local.cer are equivalent, but are used by different tools—sbsigntool uses refind_local.crt to sign binaries, but MokManager uses refind_local.cer to enroll the - key. If you used install.sh's --localkeys option, + key. If you used refind-install's --localkeys option, this step is unnecessary, since these keys have already been created and are stored in /etc/refind.d/keys/.