-<p>Originally written: 3/14/2013; last Web page update:\r
-2/3/2012, referencing rEFInd 0.6.7</p>\r
+<p>Originally written: 3/14/2012; last Web page update:\r
+3/18/2013, referencing rEFInd 0.6.8</p>\r
\r
\r
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>\r
\r
\r
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>\r
<p>Originally written: 3/14/2012; last Web page update:
-2/3/2013, referencing rEFInd 0.6.7</p>
+3/18/2013, referencing rEFInd 0.6.8</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>Originally written: 4/19/2012; last Web page update:
-2/3/2013, referencing rEFInd 0.6.7</p>
+3/18/2013, referencing rEFInd 0.6.8</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>Originally written: 3/14/2012; last Web page update:
-2/3/2013, referencing rEFInd 0.6.7</p>
+3/18/2013, referencing rEFInd 0.6.8</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>Originally written: 3/14/2012; last Web page update:
-2/8/2013, referencing rEFInd 0.6.7</p>
+3/18/2013, referencing rEFInd 0.6.8</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p class="sidebar"><b>Note:</b> At the moment, neither the bootable CD-R image file nor the bootable USB flash drive image file supports booting with Secure Boot active.</p>
<li><b><a
<p class="sidebar"><b>Note:</b> At the moment, neither the bootable CD-R image file nor the bootable USB flash drive image file supports booting with Secure Boot active.</p>
<p>Originally written: 3/14/2012; last Web page update:
-2/3/2013, referencing rEFInd 0.6.7</p>
+3/18/2013, referencing rEFInd 0.6.8</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<li>Matthew J. Garrett, the developer of the shim boot loader to manage Secure Boot, maintains <a href="http://mjg59.dreamwidth.org/">a blog</a> in which he often writes about EFI issues.</li>
<li>Matthew J. Garrett, the developer of the shim boot loader to manage Secure Boot, maintains <a href="http://mjg59.dreamwidth.org/">a blog</a> in which he often writes about EFI issues.</li>
+<li>J. A. Watson has a <a href="http://www.zdnet.com/the-refind-boot-loader-for-uefi-systems-7000010275/">review of rEFInd on an HP laptop</a> on ZDNet. He had serious problems because of the HP's UEFI bugs, but finally got it to work.</li>
<p>Originally written: 3/14/2012; last Web page update:
-2/11/2013, referencing rEFInd 0.6.7</p>
+3/18/2013, referencing rEFInd 0.6.8</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>Originally written: 3/19/2012; last Web page update:
-2/3/2013, referencing rEFInd 0.6.7</p>
+3/18/2013, referencing rEFInd 0.6.8</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
+<li><b>0.6.8 (3/18/2013)</b>—This version fixes a few obscure bugs but adds only one minor new feature. Most notably, it fixes a problem that caused "Invalid Parameter" errors to appear when scanning for boot loaders on some systems; fixes a bug that caused icons defined in files named after boot loaders to not appear; and fixes a bug in the <tt>install.sh</tt> script that caused the script to fail on some systems. It also enables you to name a shell <tt>shell.efi</tt> in the root directory (previously only <tt>shell_<i>arch</i>.efi</tt> worked in the root directory, although <tt>shell.efi</tt> worked in the <tt>EFI/tools</tt> directory).</li>
+
<li><b>0.6.7 (2/3/2013)</b>—This version fixes a few bugs and adds some minor features relating to Secure Boot. Bug fixes include keeping rEFInd out of its own menu when it's launched as <tt>EFI/Microsoft/Boot/bootmgfw.efi</tt>; keeping the <tt>dont_scan_volumes</tt> option out of the <tt>also_scan_dirs</tt> list; a fix for <tt>dont_scan_volumes</tt> so that it applies to the OS X boot loader; and a fix for a bug that caused PNG files in a user-specified icons directory to be ignored if an ICNS file was available in the standard icons directory. New features include support for the Linux Foundation's <tt>HashTool.efi</tt> as a MOK utility, scanning for MOK utilities on all volumes, and a more verbose error message when a Secure Boot authentication failure occurs.</li>
<li><b>0.6.6 (1/26/2013)</b>—This version includes two new features and a number of minor bug fixes. The first new feature is support for changing rEFInd's font via the <tt>font</tt> token in <tt>refind.conf</tt>. You're limited to monospace fonts that are encoded as PNG files; you can't use variable-width fonts or normal font files like TrueType fonts. The fonts support only ASCII characters. See the <a href="themes.html#fonts">fonts section on the Theming rEFInd page</a> for details. I've also changed the default font to a slightly larger one that's anti-aliased. The second new feature is that rEFInd now detects when the <tt>EFI/BOOT/bootx64.efi</tt> (or <tt>EFI/BOOT/bootia32.efi</tt> on 32-bit systems) boot loader is a duplicate of another boot loader, and automatically excludes it from the OS list. This is useful on systems that boot with Windows, since Windows tends to install its boot loader twice, once using the <tt>EFI/BOOT/bootx64.efi</tt> filename. Bug fixes are described in the <tt>NEWS.txt</tt> file, and include fixes for bugs that prevented manual boot stanzas in included configuration files from being detected; that caused an <tt>ASSERT</tt> error to appear on the screen on some systems if <tt>default_selection</tt> was not set; the caused <tt>Binary is whitelisted</tt> messages to persist on the screen when loading signed EFI drivers with Secure Boot active; that caused rEFInd to ignore <tt>icon</tt> tokens in <tt>refind.conf</tt> manual boot stanzas; and that caused the <tt>install.sh</tt> script to fail to update drivers when rEFInd was installed to <tt>EFI/BOOT</tt>.</li>
<li><b>0.6.7 (2/3/2013)</b>—This version fixes a few bugs and adds some minor features relating to Secure Boot. Bug fixes include keeping rEFInd out of its own menu when it's launched as <tt>EFI/Microsoft/Boot/bootmgfw.efi</tt>; keeping the <tt>dont_scan_volumes</tt> option out of the <tt>also_scan_dirs</tt> list; a fix for <tt>dont_scan_volumes</tt> so that it applies to the OS X boot loader; and a fix for a bug that caused PNG files in a user-specified icons directory to be ignored if an ICNS file was available in the standard icons directory. New features include support for the Linux Foundation's <tt>HashTool.efi</tt> as a MOK utility, scanning for MOK utilities on all volumes, and a more verbose error message when a Secure Boot authentication failure occurs.</li>
<li><b>0.6.6 (1/26/2013)</b>—This version includes two new features and a number of minor bug fixes. The first new feature is support for changing rEFInd's font via the <tt>font</tt> token in <tt>refind.conf</tt>. You're limited to monospace fonts that are encoded as PNG files; you can't use variable-width fonts or normal font files like TrueType fonts. The fonts support only ASCII characters. See the <a href="themes.html#fonts">fonts section on the Theming rEFInd page</a> for details. I've also changed the default font to a slightly larger one that's anti-aliased. The second new feature is that rEFInd now detects when the <tt>EFI/BOOT/bootx64.efi</tt> (or <tt>EFI/BOOT/bootia32.efi</tt> on 32-bit systems) boot loader is a duplicate of another boot loader, and automatically excludes it from the OS list. This is useful on systems that boot with Windows, since Windows tends to install its boot loader twice, once using the <tt>EFI/BOOT/bootx64.efi</tt> filename. Bug fixes are described in the <tt>NEWS.txt</tt> file, and include fixes for bugs that prevented manual boot stanzas in included configuration files from being detected; that caused an <tt>ASSERT</tt> error to appear on the screen on some systems if <tt>default_selection</tt> was not set; the caused <tt>Binary is whitelisted</tt> messages to persist on the screen when loading signed EFI drivers with Secure Boot active; that caused rEFInd to ignore <tt>icon</tt> tokens in <tt>refind.conf</tt> manual boot stanzas; and that caused the <tt>install.sh</tt> script to fail to update drivers when rEFInd was installed to <tt>EFI/BOOT</tt>.</li>
<p>Originally written: 11/13/2012; last Web page update:
-2/3/2013, referencing rEFInd 0.6.7</p>
+3/18/2013, referencing rEFInd 0.6.8</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
@@ -126,7+126,7 @@ described on this page currently supports only <i>x</i>86-64, not
<p>Through 2012, it became obvious that Secure Boot would be a feature that was controlled, to a large extent, by Microsoft. This is because Microsoft requires that non-server computers that display Windows 8 logos ship with Secure Boot enabled. As a practical matter, this also means that such computers ship with Microsoft's keys in their firmware. In the absence of an industry-standard body to manage the signing of Secure Boot keys, this means that Microsoft's key is the only one that's more-or-less guaranteed to be installed on the computer, thus blocking the ability to boot any OS that lacks a boot path through Microsoft's signing key.</p>
<p>Through 2012, it became obvious that Secure Boot would be a feature that was controlled, to a large extent, by Microsoft. This is because Microsoft requires that non-server computers that display Windows 8 logos ship with Secure Boot enabled. As a practical matter, this also means that such computers ship with Microsoft's keys in their firmware. In the absence of an industry-standard body to manage the signing of Secure Boot keys, this means that Microsoft's key is the only one that's more-or-less guaranteed to be installed on the computer, thus blocking the ability to boot any OS that lacks a boot path through Microsoft's signing key.</p>
-<p class="sidebar"><b>Note:</b> The <a href="http://www.linuxfoundation.org">Linux Foundation</a> is on the verge of releasing a signed version of their <a href="http://www.linuxfoundation.org/news-media/blogs/browse/2012/10/linux-foundation-uefi-secure-boot-system-open-source">PreBootloader,</a> which will function something like shim; however, where shim requires signing all binaries that don't already have valid Secure Boot keys and managing a small number of keys, PreBootloader requires registering every authorized binary. I'll update this documentation when PreBootloader is released in a signed form.</p>
+<p class="sidebar"><b>Note:</b> The <a href="http://www.linuxfoundation.org">Linux Foundation</a> has released a signed version of their <a href="http://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/">PreBootloader,</a> which functions something like shim; however, where shim requires signing all binaries that don't already have valid Secure Boot keys and managing a small number of keys, PreBootloader requires registering every authorized binary. I haven't had the chance to revise this documentation to cover PreBootloader, but you may want to use it instead of shim if you want to manage a small number of binaries that are not already signed with a Secure Boot key, MOK, or a key built into a signed version of shim.</p>
<p>Fortunately, Microsoft will sign third-party binaries with their key—or more precisely, with a key that Microsoft uses to sign third-party binaries. (Microsoft uses another key to sign its own binaries, and some devices, such as the Microsoft Surface tablet, lack the third-party Microsoft key.) A payment of $99 to Verisign enables a software distributor to sign as many binaries as desired. Red Hat (Fedora), Novell (SUSE), and Canonical (Ubuntu) have all announced plans to take advantage of this system. Unfortunately, using a third-party signing service is an awkward solution for open source software. In fact, for this very reason Red Hat has developed a program that it calls <i>shim</i> that essentially shifts the Secure Boot "train" from Microsoft's proprietary "track" to one that's more friendly to open source authors. Shim is signed by Microsoft and redirects the boot process to another boot loader that can be signed with keys that the distribution maintains and that are built into shim. Fedora 18 also uses this system. SUSE has announced that it will use the same system, as does Ubuntu with version 12.10 and later. SUSE has contributed to the shim approach by providing expansions to shim that support a set of keys that users can maintain themselves. These keys are known as Machine Owner Keys (MOKs), and managing them is described later, in <a href="#mok">Managing MOKs.</a> To reiterate, then, there are potentially three ways to sign a binary that will get it launched on a computer that uses shim:</p>
<p>Fortunately, Microsoft will sign third-party binaries with their key—or more precisely, with a key that Microsoft uses to sign third-party binaries. (Microsoft uses another key to sign its own binaries, and some devices, such as the Microsoft Surface tablet, lack the third-party Microsoft key.) A payment of $99 to Verisign enables a software distributor to sign as many binaries as desired. Red Hat (Fedora), Novell (SUSE), and Canonical (Ubuntu) have all announced plans to take advantage of this system. Unfortunately, using a third-party signing service is an awkward solution for open source software. In fact, for this very reason Red Hat has developed a program that it calls <i>shim</i> that essentially shifts the Secure Boot "train" from Microsoft's proprietary "track" to one that's more friendly to open source authors. Shim is signed by Microsoft and redirects the boot process to another boot loader that can be signed with keys that the distribution maintains and that are built into shim. Fedora 18 also uses this system. SUSE has announced that it will use the same system, as does Ubuntu with version 12.10 and later. SUSE has contributed to the shim approach by providing expansions to shim that support a set of keys that users can maintain themselves. These keys are known as Machine Owner Keys (MOKs), and managing them is described later, in <a href="#mok">Managing MOKs.</a> To reiterate, then, there are potentially three ways to sign a binary that will get it launched on a computer that uses shim:</p>
<p>Originally written: 4/19/2012; last Web page update:
-2/3/2013, referencing rEFInd 0.6.7</p>
+3/18/2013, referencing rEFInd 0.6.8</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>Originally written: 3/14/2012; last Web page update:
-2/3/2013, referencing rEFInd 0.6.7</p>
+3/18/2013, referencing rEFInd 0.6.8</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>Originally written: 3/14/2012; last Web page update:
-2/3/2013, referencing rEFInd 0.6.7</p>
+3/18/2013, referencing rEFInd 0.6.8</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>