-0.6.7 (?/??/2013):
-------------------
+0.6.7 (2/3/2013):
+-----------------
+
+- Added a more explicit error message summarizing options when a launch of
+ a program results in a Secure Boot failure.
+
+- Changed MOK tool detection to scan all volumes, not just the rEFInd
+ home volume. This is desirable because the Linux Foundation's HashTool
+ can only scan its own volume, making it desirable to place copies of this
+ program on every volume that holds EFI boot loader binaries.
+
+- Added support for launching the Linux Foundation HashTool as a means of
+ managing MOKs (or MOK hashes, at any rate).
- Fixed bug that caused rEFInd to present an entry for itself as a
Microsoft OS if it was launched as EFI/Microsoft/Boot/bootmgfw.efi.
- Fixed bug that caused dont_scan_volumes option to be added to
- also_scan_dirst list.
+ also_scan_dirs list.
- Fixed dont_scan_volumes so that it works with OS X boot loaders.
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>\r
\r
<p>Originally written: 3/14/2013; last Web page update:\r
-1/26/2012, referencing rEFInd 0.6.6</p>\r
+2/3/2012, referencing rEFInd 0.6.7</p>\r
\r
\r
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>\r
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-1/26/2013, referencing rEFInd 0.6.6</p>
+2/3/2013, referencing rEFInd 0.6.7</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<tr>
<td><tt>dont_scan_files</tt> or <tt>don't_scan_files</tt></td>
<td>filename(s)</td>
- <td>Adds the specified filename or filenames to a filename "blacklist"—these files are <i>not</i> included as boot loader options even if they're found on the disk. This is useful to exclude support programs (such as <tt>shim.efi</tt> and <tt>MokManager.efi</tt>) and drivers from your OS list. The default value is <tt>shim.efi, MokManager.efi, TextMode.efi, ebounce.efi, GraphicsConsole.efi</tt>.</td>
+ <td>Adds the specified filename or filenames to a filename "blacklist"—these files are <i>not</i> included as boot loader options even if they're found on the disk. This is useful to exclude support programs (such as <tt>shim.efi</tt> and <tt>MokManager.efi</tt>) and drivers from your OS list. The default value is <tt>shim.efi, MokManager.efi, HashTool.efi, TextMode.efi, ebounce.efi, GraphicsConsole.efi</tt>.</td>
</tr>
<tr>
<td><tt>scan_all_linux_kernels</tt></td>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 4/19/2012; last Web page update:
-1/26/2013, referencing rEFInd 0.6.6</p>
+2/3/2013, referencing rEFInd 0.6.7</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-1/26/2013, referencing rEFInd 0.6.6</p>
+2/3/2013, referencing rEFInd 0.6.7</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-1/26/2013, referencing rEFInd 0.6.6</p>
+2/3/2013, referencing rEFInd 0.6.7</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<li>Phoenix Technologies maintains a <a href="http://wiki.phoenix.com/wiki/index.php/Main_Page">wiki on EFI topics,</a> including <a href="http://wiki.phoenix.com/wiki/index.php/Category:UEFI_2.0">information on many EFI system calls</a> useful to programmers.</li>
-<li>Matthew J. Garrett, the developer of the shim boot loader to manage Secure Boot, maintains <a href="http://mjg59.dreamwidth.org/">a blog</a> that often describes EFI issues.</li>
+<li>Matthew J. Garrett, the developer of the shim boot loader to manage Secure Boot, maintains <a href="http://mjg59.dreamwidth.org/">a blog</a> in which he often writes about EFI issues.</li>
</ul></li> <!-- Informational Web pages -->
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-1/26/2013, referencing rEFInd 0.6.6</p>
+2/3/2013, referencing rEFInd 0.6.7</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>Beginning with version 0.6.2, I've included RPM and Debian package files for rEFInd. If you have a working RPM-based or Debian-based Linux installation that boots in EFI mode, using one of these files is likely to be the easiest way to install rEFInd: You need only download the file and issue an appropriate installation command. In some cases, double-clicking the package in your file manager will install it. If that doesn't work, a command like the following will install the RPM on an RPM-based system:</p>
-<pre class="listing"># <tt class="userinput">rpm -Uvh refind-0.6.5-1.x86_64.rpm</tt></pre>
+<pre class="listing"># <tt class="userinput">rpm -Uvh refind-0.6.7-1.x86_64.rpm</tt></pre>
<p>On a Debian-based system, the equivalent command is:</p>
-<pre class="listing"># <tt class="userinput">dpkg -i refind_0.6.5-1_amd64.deb</tt></pre>
+<pre class="listing"># <tt class="userinput">dpkg -i refind_0.6.7-1_amd64.deb</tt></pre>
<p>Either command produces output similar to that described for <a href="#installsh">using the <tt>install.sh</tt> script,</a> so you can check it for error messages and other signs of trouble. The package file installs rEFInd and registers it with the EFI to be the default boot loader. The script that runs as part of the installation process tries to determine if you're using Secure Boot, and if so it will try to configure rEFInd to launch using shim; however, this won't work correctly on all systems. Ubuntu 12.10 users who are booting with Secure Boot active should be wary, since the resulting installation will probably try to use Ubuntu's version of shim, which won't work correctly with rEFInd.</p>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/19/2012; last Web page update:
-1/26/2013, referencing rEFInd 0.6.6</p>
+2/3/2013, referencing rEFInd 0.6.7</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p class="subhead">by Roderick W. Smith, <a
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
-<p>Last Web page update: 1/26/2013</p>
+<p>Last Web page update: 2/3/2013</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<ul>
+<li><b>0.6.7 (2/3/2013)</b>—This version fixes a few bugs and adds some minor features relating to Secure Boot. Bug fixes include keeping rEFInd out of its own menu when it's launched as <tt>EFI/Microsoft/Boot/bootmgfw.efi</tt>; keeping the <tt>dont_scan_volumes</tt> option out of the <tt>also_scan_dirs</tt> list; a fix for <tt>dont_scan_volumes</tt> so that it applies to the OS X boot loader; and a fix for a bug that caused PNG files in a user-specified icons directory to be ignored if an ICNS file was available in the standard icons directory. New features include support for the Linux Foundation's <tt>HashTool.efi</tt> as a MOK utility, scanning for MOK utilities on all volumes, and a more verbose error message when a Secure Boot authentication failure occurs.</li>
+
<li><b>0.6.6 (1/26/2013)</b>—This version includes two new features and a number of minor bug fixes. The first new feature is support for changing rEFInd's font via the <tt>font</tt> token in <tt>refind.conf</tt>. You're limited to monospace fonts that are encoded as PNG files; you can't use variable-width fonts or normal font files like TrueType fonts. The fonts support only ASCII characters. See the <a href="themes.html#fonts">fonts section on the Theming rEFInd page</a> for details. I've also changed the default font to a slightly larger one that's anti-aliased. The second new feature is that rEFInd now detects when the <tt>EFI/BOOT/bootx64.efi</tt> (or <tt>EFI/BOOT/bootia32.efi</tt> on 32-bit systems) boot loader is a duplicate of another boot loader, and automatically excludes it from the OS list. This is useful on systems that boot with Windows, since Windows tends to install its boot loader twice, once using the <tt>EFI/BOOT/bootx64.efi</tt> filename. Bug fixes are described in the <tt>NEWS.txt</tt> file, and include fixes for bugs that prevented manual boot stanzas in included configuration files from being detected; that caused an <tt>ASSERT</tt> error to appear on the screen on some systems if <tt>default_selection</tt> was not set; the caused <tt>Binary is whitelisted</tt> messages to persist on the screen when loading signed EFI drivers with Secure Boot active; that caused rEFInd to ignore <tt>icon</tt> tokens in <tt>refind.conf</tt> manual boot stanzas; and that caused the <tt>install.sh</tt> script to fail to update drivers when rEFInd was installed to <tt>EFI/BOOT</tt>.</li>
<li><b>0.6.5 (1/16/2013)</b>—Most of this version's changes relate to icon, graphics, and theming features. The biggest code change is in support for PNG files for banners, icons, and selection backgrounds. I've also fixed bugs that prevented large banners from being used; you can now use banners as big as the screen (or bigger, but they'll be cropped), as illustrated on the <a href="themes.html">Theming rEFInd</a> page. The text color also now automatically switches between black and white depending on the background over which it's displayed. If you don't use these features, you're likely to notice some changes in where certain elements are displayed. Most obviously, the banner appears higher on the screen than it did previously, so as to minimize the chance of overlap with text displays such as the information screen. These text displays should appear correctly even on tiny 640x480 displays (they were blank on such small displays in the past). I've added icons for <a href="https://www.haiku-os.org/">Haiku</a> and <a href="http://www.altlinux.com/">ALT Linux.</a> Finally, the only non-graphics development is the addition of a "safe mode" boot option for OS X, which you can disable by adding <tt>safemode</tt> to the <tt>hideui</tt> option in <tt>refind.conf</tt>.</li>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 11/13/2012; last Web page update:
-1/26/2013, referencing rEFInd 0.6.6</p>
+2/3/2013, referencing rEFInd 0.6.7</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>Through 2012, it became obvious that Secure Boot would be a feature that was controlled, to a large extent, by Microsoft. This is because Microsoft requires that non-server computers that display Windows 8 logos ship with Secure Boot enabled. As a practical matter, this also means that such computers ship with Microsoft's keys in their firmware. In the absence of an industry-standard body to manage the signing of Secure Boot keys, this means that Microsoft's key is the only one that's more-or-less guaranteed to be installed on the computer, thus blocking the ability to boot any OS that lacks a boot path through Microsoft's signing key.</p>
+<p class="sidebar"><b>Note:</b> The <a href="http://www.linuxfoundation.org">Linux Foundation</a> is on the verge of releasing a signed version of their <a href="http://www.linuxfoundation.org/news-media/blogs/browse/2012/10/linux-foundation-uefi-secure-boot-system-open-source">PreBootloader,</a> which will function something like shim; however, where shim requires signing all binaries that don't already have valid Secure Boot keys and managing a small number of keys, PreBootloader requires registering every authorized binary. I'll update this documentation when PreBootloader is released in a signed form.</p>
+
<p>Fortunately, Microsoft will sign third-party binaries with their key—or more precisely, with a key that Microsoft uses to sign third-party binaries. (Microsoft uses another key to sign its own binaries, and some devices, such as the Microsoft Surface tablet, lack the third-party Microsoft key.) A payment of $99 to Verisign enables a software distributor to sign as many binaries as desired. Red Hat (Fedora), Novell (SUSE), and Canonical (Ubuntu) have all announced plans to take advantage of this system. Unfortunately, using a third-party signing service is an awkward solution for open source software. In fact, for this very reason Red Hat has developed a program that it calls <i>shim</i> that essentially shifts the Secure Boot "train" from Microsoft's proprietary "track" to one that's more friendly to open source authors. Shim is signed by Microsoft and redirects the boot process to another boot loader that can be signed with keys that the distribution maintains and that are built into shim. Fedora 18 also uses this system. SUSE has announced that it will use the same system, as does Ubuntu with version 12.10 and later. SUSE has contributed to the shim approach by providing expansions to shim that support a set of keys that users can maintain themselves. These keys are known as Machine Owner Keys (MOKs), and managing them is described later, in <a href="#mok">Managing MOKs.</a> To reiterate, then, there are potentially three ways to sign a binary that will get it launched on a computer that uses shim:</p>
<ul>
have to wait for future shim developments if you want to use Secure
Boot on <i>x</i>86 or ARM computers.</li>
-<li>I currently lack a Windows 8 installation with which to test, so I can't
- even be 100% positive that rEFInd will launch Windows 8 in Secure Boot
- ode. (It should, though, since it can launch other boot loaders that have
- been signed with Microsoft's keys.) In theory, signing Microsoft's boot
- loader with a MOK should work. This might be handy if you want to replace
- your computer's built-in keys with your own but still boot Windows—but
- be aware that if Windows replaces its boot loader, it will then stop
- working.</li>
+<li>In theory, signing Microsoft's boot loader with a MOK should work. This
+ might be handy if you want to replace your computer's built-in keys
+ with your own but still boot Windows—but be aware that if Windows
+ replaces its boot loader, it will then stop working.</li>
</ul>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 4/19/2012; last Web page update:
-1/26/2013, referencing rEFInd 0.6.6</p>
+2/3/2013, referencing rEFInd 0.6.7</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<li class="tight"><a href="#icons">Icons</a></li>
-<li class="tight"><a href="#icon_backgrounds">Icon Backgrounds</a></li>
+<li class="tight"><a href="#icon_backgrounds">Icon Selection Backgrounds</a></li>
<li class="tight"><a href="#fonts">Fonts</a></li>
<li><b>Icons</b>—rEFInd uses icons for its OSes and utilities. The vast majority of these icons are loaded from disk files and so are easily replaced without adjusting the <tt>refind.conf</tt> file. Alternatively, you can specify a new icons directory with the <tt>icons_dir</tt> token in <tt>refind.conf</tt>.</li>
-<li><b>Icon backgrounds</b>—When an icon is selected, it's merged with a slightly larger selection icon, which you can change by specifying a new file with the <tt>selection_big</tt> and <tt>selection_small</tt> tokens in <tt>refind.conf</tt>.</li>
+<li><b>Icon selection backgrounds</b>—When an icon is selected, it's merged with a slightly larger selection icon, which you can change by specifying a new file with the <tt>selection_big</tt> and <tt>selection_small</tt> tokens in <tt>refind.conf</tt>.</li>
<li><b>fonts</b>—rEFInd uses a 14-point monospaced serif font by default. If you don't like this font, you can change it to another monospaced font by using the <tt>font</tt> token in <tt>refind.conf</tt>; however, the font file is a simple PNG image of the font's characters, which limits rEFInd's font capabilities.</li>
</ul>
<a name="icon_backgrounds">
-<h2>Icon Backgrounds</h2>
+<h2>Icon Selection Backgrounds</h2>
</a>
<p>rEFInd identifies the current selection by displaying a partially-transparent icon "between" the OS or tool icon and the background image. The default icon works reasonably well on both solid and image backgrounds, but if you like, you can customize it by creating new icons in PNG or in Microsoft's <a href="http://en.wikipedia.org/wiki/BMP_file_format">BMP format</a>. You should create both 144x144 and 64x64 images and tell rEFInd about them by using the <tt>selection_big</tt> and <tt>selection_small</tt> tokens, respectively, in <tt>refind.conf</tt>. If you omit the large icon, rEFInd will stretch the small icon to fit the larger space; if you omit the small icon, rEFInd will use the default small icon. Because BMP doesn't support transparency (alpha channels), you must use the PNG format if you want your selection background to show the underlying image beneath it. (You can create the illusion of transparency on a solid background by matching the colors, though.)</p>
<ul>
-<li><b>The font name</b>—Type <tt class="userinput">convert -list font | less</tt> to obtain a list of fonts available on your computer. Note, however, that rEFInd requires <tt>monospaced</tt> (fixed-width) fonts, and most of the fonts installed on most computers are variable-width.</li>
+<li><b>The font name</b>—Type <tt class="userinput">convert -list font | less</tt> to obtain a list of fonts available on your computer. Note, however, that rEFInd requires <i>monospaced</i> (fixed-width) fonts, and most of the fonts installed on most computers are variable-width.</li>
<li><b>The font size in points</b></li>
transparency). They must contain glyphs for the 95 characters between ASCII
32 (space) and ASCII 126 (tilde, ~), inclusive, plus a 96th glyph that
rEFInd displays for out-of-range characters. To work properly, the
-characters must be evenly spaced and the PNG image area must be a multiple
+characters must be evenly spaced and the PNG image must be a multiple
of 96 pixels wide, with divisions at appropriate points. In theory, you
should be able to take a screen shot of a program displaying the relevant
characters and then crop it to suit your needs. In practice, this is likely
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-1/26/2013, referencing rEFInd 0.6.6</p>
+2/3/2013, referencing rEFInd 0.6.7</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-1/26/2013, referencing rEFInd 0.6.6</p>
+2/3/2013, referencing rEFInd 0.6.7</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<ul>
-<li class="tight"><a href="#basic">Using Basic rEFInd Features</li>
+<li class="tight"><a href="#basic">Using Basic rEFInd Features</a></li>
+
+<li class="tight"><a href="#boot_options">Adjusting Boot Options</a></li>
<li class="tight"><a href="#keyboard">Using Keyboard Shortcuts</a></li>
height="550" alt="rEFInd presents a GUI menu for selecting your boot
OS." border=2 /></center> <br />
-<p>If you don't press any key before the timeout (shown on the last line) expires, the default boot loader will launch. This is normally the first item in the menu, but you can adjust the default by editing the configuration file. (In this example, it's the Linux Mint loader, which is further identified by text above the timeout as <i>vmlinuz-3.5.0-17-generic from LINUXMINT.</i>)</p>
+<p>If you don't press any key before the timeout (shown below the icons and description line) expires, the default boot loader will launch. This is normally the first item in the menu, but you can adjust the default by editing the configuration file. (In this example, it's the Linux Mint loader, which is further identified by text above the timeout as <i>vmlinuz-3.5.0-17-generic from LINUXMINT.</i>)</p>
<p>This display is dominated by the central set of OS <i>tags</i> (icons), which in this example includes tags for OS X, Windows, Mint, and an unkown boot loader. All but the last of these are on hard disks, but the unknown boot loader is on an optical disc, as revealed by the small icons (known as <i>badges</i>) in the lower-right corner of the OS icons.</p>
single-boot basis." border=2></center> <br />
-<p>If your computer supports Secure Boot, you may find that some of your OSes and tools won't work; they'll produce <tt>
Access Denied</tt> error messages. You can overcome this problem by creating a signing key, signing your binaries with it, and adding the public version of that key to your machine owner key (MOK) list. This process is described on the <a href="secureboot.html">Managing Secure Boot</a> page.</p>
+<p>If your computer supports Secure Boot, you may find that some of your OSes and tools won't work; they'll produce <tt>
Secure Boot validation failure</tt> error messages. You can overcome this problem by creating a signing key, signing your binaries with it, and adding the public version of that key to your machine owner key (MOK) list. This process is described on the <a href="secureboot.html">Managing Secure Boot</a> page.</p>
<a name="keyboard">
<h2>Using Keyboard Shortcuts</h2>
/** Helper macro for stringification. */
#define FSW_EFI_STRINGIFY(x) #x
/** Expands to the EFI driver name given the file system type name. */
-#define FSW_EFI_DRIVER_NAME(t) L"rEFInd 0.6.6 " FSW_EFI_STRINGIFY(t) L" File System Driver"
+#define FSW_EFI_DRIVER_NAME(t) L"rEFInd 0.6.7 " FSW_EFI_STRINGIFY(t) L" File System Driver"
// function prototypes
# set of tools. Most notably, MokManager.efi is in this blacklist,
# but will show up as a tool if present in certain directories. You
# can control the tools row with the showtools token.
-# The default is shim.efi,MokManager.efi,TextMode.efi,ebounce.efi,GraphicsConsole.efi
+# The default is shim.efi,TextMode.efi,ebounce.efi,GraphicsConsole.efi,MokManager.efi,HashTool.efi,HashTool-signed.efi
#
#dont_scan_files shim.efi,MokManager.efi
Summary: EFI boot manager software
Name: refind
-Version: 0.6.6.7
+Version: 0.6.7
Release: 1%{?dist}
Summary: EFI boot manager software
License: GPLv3
# wiping out the just-updated files.
%changelog
-* Sat Jan 26 2013 R Smith <rodsmith@rodsbooks.com> - 0.6.6
-- Created spec file for 0.6.6 release
+* Sun Feb 3 2013 R Smith <rodsmith@rodsbooks.com> - 0.6.7
+- Created spec file for 0.6.7 release
GlobalConfig.DontScanDirs = SelfPath;
MyFreePool(GlobalConfig.DontScanFiles);
GlobalConfig.DontScanFiles = StrDuplicate(DONT_SCAN_FILES);
+ MergeStrings(&(GlobalConfig.DontScanFiles), MOK_NAMES, L',');
MyFreePool(GlobalConfig.DontScanVolumes);
GlobalConfig.DontScanVolumes = StrDuplicate(DONT_SCAN_VOLUMES);
} // if
#define HIDEUI_FLAG_ALL ((0xffff))
#define CONFIG_FILE_NAME L"refind.conf"
-#define DONT_SCAN_FILES L"shim.efi,MokManager.efi,TextMode.efi,ebounce.efi,GraphicsConsole.efi"
+// Note: Below is combined with MOK_NAMES to make default
+#define DONT_SCAN_FILES L"shim.efi,TextMode.efi,ebounce.efi,GraphicsConsole.efi"
#define DONT_SCAN_VOLUMES L"Recovery HD"
#define ALSO_SCAN_DIRS L"boot"
#define FS_TYPE_REISERFS 6
#define FS_TYPE_ISO9660 7
+// Names of binaries that can manage MOKs....
+#define MOK_NAMES L"MokManager.efi,HashTool.efi,HashTool-signed.efi"
+// Directories to search for these MOK-managing programs. Note that SelfDir is
+// searched in addition to these locations....
+#define MOK_LOCATIONS L"\\,EFI\\tools,EFI\\fedora,EFI\\redhat,EFI\\ubuntu,EFI\\suse,EFI\\altlinux"
+
//
// global definitions
//
#define FALLBACK_BASENAME L"boot.efi" /* Not really correct */
#endif
-#define MOK_NAMES L"\\EFI\\tools\\MokManager.efi,\\EFI\\fedora\\MokManager.efi,\\EFI\\redhat\\MokManager.efi,\\EFI\\ubuntu\\MokManager.efi,\\EFI\\suse\\MokManager"
-
// Filename patterns that identify EFI boot loaders. Note that a single case (either L"*.efi" or
// L"*.EFI") is fine for most systems; but Gigabyte's buggy Hybrid EFI does a case-sensitive
// comparison when it should do a case-insensitive comparison, so I'm doubling this up. It does
if (AboutMenu.EntryCount == 0) {
AboutMenu.TitleImage = BuiltinIcon(BUILTIN_ICON_FUNC_ABOUT);
- AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.6.6.7");
+ AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.6.7");
AddMenuInfoLine(&AboutMenu, L"");
AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2006-2010 Christoph Pfisterer");
AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2012 Roderick W. Smith");
RunMenu(&AboutMenu, NULL);
} /* VOID AboutrEFInd() */
+static VOID WarnSecureBootError(CHAR16 *Name, BOOLEAN Verbose) {
+ if (Name == NULL)
+ Name = L"the loader";
+
+ refit_call2_wrapper(ST->ConOut->SetAttribute, ST->ConOut, ATTR_ERROR);
+ Print(L"Secure Boot validation failure loading %s!\n", Name);
+ refit_call2_wrapper(ST->ConOut->SetAttribute, ST->ConOut, ATTR_BASIC);
+ if (Verbose && secure_mode()) {
+ Print(L"\nThis computer is configured with Secure Boot active, but\n%s has failed validation.\n", Name);
+ Print(L"\nYou can:\n * Launch another boot loader\n");
+ Print(L" * Disable Secure Boot in your firmware\n");
+ Print(L" * Sign %s with a machine owner key (MOK)\n", Name);
+ Print(L" * Use a MOK utility (often present on the second row) to add a MOK with which\n");
+ Print(L" %s has already been signed.\n", Name);
+ Print(L" * Use a MOK utility to register %s (\"enroll its hash\") without\n", Name);
+ Print(L" signing it.\n");
+ Print(L"\nSee http://www.rodsbooks.com/refind/secureboot.html for more information\n");
+ PauseForKey();
+ } // if
+} // VOID WarnSecureBootError()
+
// Launch an EFI binary.
static EFI_STATUS StartEFIImageList(IN EFI_DEVICE_PATH **DevicePaths,
IN CHAR16 *LoadOptions, IN CHAR16 *LoadOptionsPrefix,
break;
}
}
+ if ((Status == EFI_ACCESS_DENIED) || (Status == EFI_SECURITY_VIOLATION)) {
+ WarnSecureBootError(ImageTitle, Verbose);
+ goto bailout;
+ }
SPrint(ErrorInfo, 255, L"while loading %s", ImageTitle);
if (CheckError(Status, ErrorInfo)) {
if (ErrorInStep != NULL)
// Add the second-row tags containing built-in and external tools (EFI shell,
// reboot, etc.)
static VOID ScanForTools(VOID) {
- CHAR16 *FileName = NULL, Description[256];
+ CHAR16 *FileName = NULL, *MokLocations, *MokName, *PathName, Description[256];
REFIT_MENU_ENTRY *TempMenuEntry;
- UINTN i, j, VolumeIndex;
+ UINTN i, j, k, VolumeIndex;
+
+ MokLocations = StrDuplicate(MOK_LOCATIONS);
+ if (MokLocations != NULL)
+ MergeStrings(&MokLocations, SelfDirPath, L',');
for (i = 0; i < NUM_TOOLS; i++) {
switch(GlobalConfig.ShowTools[i]) {
+ // NOTE: Be sure that FileName is NULL at the end of each case.
case TAG_SHUTDOWN:
TempMenuEntry = CopyMenuEntry(&MenuEntryShutdown);
TempMenuEntry->Image = BuiltinIcon(BUILTIN_ICON_FUNC_SHUTDOWN);
break;
case TAG_SHELL:
j = 0;
- MyFreePool(FileName);
while ((FileName = FindCommaDelimited(SHELL_NAMES, j++)) != NULL) {
if (FileExists(SelfRootDir, FileName)) {
AddToolEntry(SelfLoadedImage->DeviceHandle, FileName, L"EFI Shell", BuiltinIcon(BUILTIN_ICON_TOOL_SHELL),
'S', FALSE);
}
+ MyFreePool(FileName);
} // while
break;
case TAG_GPTSYNC:
- MyFreePool(FileName);
FileName = StrDuplicate(L"\\efi\\tools\\gptsync.efi");
if (FileExists(SelfRootDir, FileName)) {
AddToolEntry(SelfLoadedImage->DeviceHandle, FileName, L"Make Hybrid MBR", BuiltinIcon(BUILTIN_ICON_TOOL_PART), 'P', FALSE);
}
+ MyFreePool(FileName);
+ FileName = NULL;
break;
case TAG_APPLE_RECOVERY:
- MyFreePool(FileName);
FileName = StrDuplicate(L"\\com.apple.recovery.boot\\boot.efi");
for (VolumeIndex = 0; VolumeIndex < VolumesCount; VolumeIndex++) {
if ((Volumes[VolumeIndex]->RootDir != NULL) && (FileExists(Volumes[VolumeIndex]->RootDir, FileName))) {
BuiltinIcon(BUILTIN_ICON_TOOL_APPLE_RESCUE), 'R', TRUE);
}
} // for
+ MyFreePool(FileName);
+ FileName = NULL;
break;
case TAG_MOK_TOOL:
j = 0;
- MyFreePool(FileName);
- while ((FileName = FindCommaDelimited(MOK_NAMES, j++)) != NULL) {
- if (FileExists(SelfRootDir, FileName)) {
- SPrint(Description, 255, L"MOK Key Manager at %s", FileName);
- AddToolEntry(SelfLoadedImage->DeviceHandle, FileName, Description,
- BuiltinIcon(BUILTIN_ICON_TOOL_MOK_TOOL), 'S', FALSE);
- }
- } // while
- if (FileExists(SelfDir, L"MokManager.efi")) {
+ while ((FileName = FindCommaDelimited(MokLocations, j++)) != NULL) {
+ k = 0;
+ while ((MokName = FindCommaDelimited(MOK_NAMES, k++)) != NULL) {
+ PathName = StrDuplicate(FileName);
+ MergeStrings(&PathName, MokName, (StriCmp(PathName, L"\\") == 0) ? 0 : L'\\');
+ for (VolumeIndex = 0; VolumeIndex < VolumesCount; VolumeIndex++) {
+ if ((Volumes[VolumeIndex]->RootDir != NULL) && (FileExists(Volumes[VolumeIndex]->RootDir, PathName))) {
+ SPrint(Description, 255, L"MOK utility at %s on %s", PathName, Volumes[VolumeIndex]->VolName);
+ AddToolEntry(Volumes[VolumeIndex]->DeviceHandle, PathName, Description,
+ BuiltinIcon(BUILTIN_ICON_TOOL_MOK_TOOL), 'S', FALSE);
+ } // if
+ } // for
+ MyFreePool(PathName);
+ MyFreePool(MokName);
+ } // while MOK_NAMES
MyFreePool(FileName);
- FileName = SelfDirPath ? StrDuplicate(SelfDirPath) : NULL;
- MergeStrings(&FileName, L"\\MokManager.efi", 0);
- SPrint(Description, 255, L"MOK Key Manager at %s", FileName);
- AddToolEntry(SelfLoadedImage->DeviceHandle, FileName, Description,
- BuiltinIcon(BUILTIN_ICON_TOOL_MOK_TOOL), 'S', FALSE);
- }
+ } // while MokLocations
+
break;
} // switch()
- MyFreePool(FileName);
- FileName = NULL;
} // for
} // static VOID ScanForTools