# Common make rules for building with gnu-efi
#
-EFIINC = /usr/include/efi
-GNUEFILIB = /usr/lib64
-EFILIB = /usr/lib64
-EFICRT0 = /usr/lib64
+#EFIINC = /usr/include/efi
+#GNUEFILIB = /usr/lib64
+#EFILIB = /usr/lib64
+#EFICRT0 = /usr/lib64
# Comment out above and uncomment below if using locally-compiled GNU-EFI....
-#EFIINC = /usr/local/include/efi
-#GNUEFILIB = /usr/local/lib
-#EFILIB = /usr/local/lib
-#EFICRT0 = /usr/local/lib
+EFIINC = /usr/local/include/efi
+GNUEFILIB = /usr/local/lib
+EFILIB = /usr/local/lib
+EFICRT0 = /usr/local/lib
HOSTARCH = $(shell uname -m | sed s,i[3456789]86,ia32,)
ARCH := $(HOSTARCH)
-0.6.10 (?/??/2013):
--------------------
+0.6.10 (5/5/2013):
+------------------
+
+- Added support for "screensaver" token. If set to a positive integer, this
+ causes the screen to blank after the specified number of seconds of
+ inactivity. Pressing most keys (unfortunately NOT including Shift, Alt,
+ or Ctrl) will restore the display and restart the screen saver timeout.
- Added icon for ChromeOS (os_chrome.icns in the icons subdirectory).
- ChromeOS reportedly boots using the fallback filename, but if a user
+ ChromeBooks reportedly boots using the fallback filename, but if a user
wants to install rEFInd on a ChromeBook, renaming the original EFI/BOOT
directory to EFI/chrome and then installing rEFInd in the fallback
filename will bring up this new icon for ChromeOS.
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>\r
\r
<p>Originally written: 3/14/2012; last Web page update:\r
-4/25/2013, referencing rEFInd 0.6.9</p>\r
+5/5/2013, referencing rEFInd 0.6.10</p>\r
\r
\r
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>\r
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-4/25/2013, referencing rEFInd 0.6.9</p>
+5/5/2013, referencing rEFInd 0.6.10</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<td>numeric value</td>
<td>Sets the timeout period in seconds. If <tt>0</tt>, the timeout is disabled—rEFInd waits indefinitely for user input.</td>
</tr>
+<tr>
+ <td><tt>screensaver</tt></td>
+ <td>numeric value</td>
+ <td>Sets the number of seconds of inactivity before the screen blanks to prevent burn-in. The display returns after most keypresses (unfortunately, not including modifiers such as Shift, Control, Alt, or Option). The default is <tt>0</tt>, which disables this feature.</td>
+</tr>
<tr>
<td><tt>hideui</tt></td>
<td><tt>banner</tt>, <tt>label</tt>, <tt>singleuser</tt>, <tt>safemode</tt>, <tt>hwtest</tt>, <tt>arrows</tt>, <tt>hints</tt>, <tt>editor</tt>, or <tt>all</tt></td>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 4/19/2012; last Web page update:
-4/25/2013, referencing rEFInd 0.6.9</p>
+5/5/2013, referencing rEFInd 0.6.10</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-4/25/2013, referencing rEFInd 0.6.9</p>
+5/5/2013, referencing rEFInd 0.6.10</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<li>Fixes to display problems on many UEFI-based PCs.</li>
+<li>Beginning with version 0.6.10, a screen saver feature, activated by the <tt>screensaver <tt class="variable">seconds</tt></tt> token in <tt>refind.conf</tt>: Set <tt class="variable">seconds</tt> to the number of seconds before the screen will blank to prevent burn-in.</li>
+
<li>Workarounds to file detection bugs in at least one type of UEFI firmware.</li>
<li>Improved detection of itself, to keep rEFInd out of its own boot menu.</li>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-4/25/2013, referencing rEFInd 0.6.9</p>
+5/5/2013, referencing rEFInd 0.6.10</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<ul>
<li><b><a
- href="http://sourceforge.net/projects/refind/files/0.6.9/refind-src-0.6.9.zip/download">A
+ href="http://sourceforge.net/projects/refind/files/0.6.10/refind-src-0.6.10.zip/download">A
source code zip file</a></b>—This is useful if you want to compile
the software locally. Note that I use Linux with the <a
href="https://sourceforge.net/projects/tianocore/">TianoCore EFI
development tools are also supported.</li>
<li><b><a
- href="http://sourceforge.net/projects/refind/files/0.6.9/refind-bin-0.6.9.zip/download">A
+ href="http://sourceforge.net/projects/refind/files/0.6.10/refind-bin-0.6.10.zip/download">A
binary zip file</a></b>—Download this if you want to install
rEFInd and/or its filesystem drivers on an <i>x</i>86 or <i>x</i>86-64
computer and have no need to test rEFInd first by booting it on an
href="installing.html">Installing rEFInd</a> page. Some users of Arch
Linux have reported problems booting some specific Arch Linux kernels
with rEFInd and some other tools. For them, a <a
- href="http://sourceforge.net/projects/refind/files/0.6.9/refind-bin-gnuefi-0.6.9.zip/download">variant
+ href="http://sourceforge.net/projects/refind/files/0.6.10/refind-bin-gnuefi-0.6.10.zip/download">variant
package</a> exists in which the <i>x</i>86-64 binary was compiled with
GNU-EFI rather than the usual TianoCore EDK2. This change helps some
users with this problem; but using GNU-EFI also means that this version
can't launch BIOS-mode OSes.</li>
<li><b><a
- href="http://sourceforge.net/projects/refind/files/0.6.9/refind-0.6.9-1.x86_64.rpm/download">A
+ href="http://sourceforge.net/projects/refind/files/0.6.10/refind-0.6.10-1.x86_64.rpm/download">A
binary RPM file</a></b>—If you use an RPM-based <i>x</i>86-64
Linux system such as Fedora or openSUSE, you can install the binary RPM
package rather than use the binary zip file. (I don't provide an
rEFInd</a> page) as part of the installation process. Distribution
maintainers can examine the <tt>refind.spec</tt> file in the source
package and tweak it to their needs. The <a
- href="http://sourceforge.net/projects/refind/files/0.6.9/refind-0.6.9-1.src.rpm/download">source
+ href="http://sourceforge.net/projects/refind/files/0.6.10/refind-0.6.10-1.src.rpm/download">source
RPM file</a> might or might not build on your system as-is; it relies
on assumptions about the locations of the GNU-EFI development
files.</li>
<li><b><a
- href="http://sourceforge.net/projects/refind/files/0.6.9/refind_0.6.9-1_amd64.deb/download">A
+ href="http://sourceforge.net/projects/refind/files/0.6.10/refind_0.6.10-1_amd64.deb/download">A
binary Debian package</a></b>—If you use an <i>x</i>86-64 version
of Debian, Ubuntu, Mint, or another Debian-based distribution, you can
install from this package, which was converted from the binary RPM
<p class="sidebar"><b>Note:</b> At the moment, neither the bootable CD-R image file nor the bootable USB flash drive image file supports booting with Secure Boot active.</p>
<li><b><a
- href="http://sourceforge.net/projects/refind/files/0.6.9/refind-cd-0.6.9.zip/download">A
+ href="http://sourceforge.net/projects/refind/files/0.6.10/refind-cd-0.6.10.zip/download">A
CD-R image file</a></b>—This download contains the same files as
the binary zip file, but you can burn it to a CD-R to test rEFInd
(and its filesystem drivers) without installing it first. (It boots on
computer.</p>
<li><b><a
- href="http://sourceforge.net/projects/refind/files/0.6.9/refind-flashdrive-0.6.9.zip/download">A
+ href="http://sourceforge.net/projects/refind/files/0.6.10/refind-flashdrive-0.6.10.zip/download">A
USB flash drive image file</a></b>—Although you can create
your own rEFInd USB flash drive, you may find it easier to download
this version and copy it to your USB drive with <tt>dd</tt> or some
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-4/25/2013, referencing rEFInd 0.6.9</p>
+5/5/2013, referencing rEFInd 0.6.10</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<li>James Jesudason has a tutorial on installing Ubuntu 13.04 beta on a Macbook Retina Pro on <a href="http://randomtutor.blogspot.com/2013_02_01_archive.html">this blog page.</a> I'd recommend using a Linux filesystem driver to read the kernel directly from a Linux filesystem rather than copy the kernel to the OS X partition as in the tutorial, but either method will work.</li>
+<li>If you're interested in developing EFI software yourself, my <a href="http://www.rodsbooks.com/efi-programming/">Programming for EFI</a> can help you get started.</li>
+
</ul></li> <!-- Informational Web pages -->
<li><b>Additional programs</b>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-4/25/2013, referencing rEFInd 0.6.9</p>
+5/5/2013, referencing rEFInd 0.6.10</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<div style="float:right; width:55%">
+<p><b>Don't be scared by the length of this page!</b> Only portions of this page apply to any given user, and most people can install rEFInd from an RPM or Debian package in a matter of seconds or by using the <tt>install.sh</tt> script in minute or two.</p>
+
<p>Once you've obtained a rEFInd binary file, you must install it to your computer's ESP (or conceivably to some other location). The details of how you do this depend on your OS and your computer (UEFI-based PC vs. Macintosh). The upcoming sections provide details. See the Contents sidebar to the left for links to specific installation procedures. For most Linux users, an RPM or Debian package is the best way to go. If your Linux system doesn't support these formats, though, or if you're running OS X, using the <tt>install.sh</tt> script can be a good way to go. If you're using Windows, you'll have to install manually.</p>
<p class="sidebar" style="width:95%"><b>Important:</b> A rEFInd zip file, when uncompressed, creates a directory called <tt>refind-<i>version</i></tt>, where <tt><i>version</i></tt> is the version number. This directory includes a subdirectory called <tt>refind</tt> that holds the boot loader, along with another that holds documentation, as well as miscellaneous files in <tt>refind-<i>version</i></tt> itself. When I refer to "the <tt>refind</tt> directory" on this page, I mean the directory with that precise name, not the <tt>refind-<i>version</i></tt> directory that is its parent.</p>
<p>Beginning with version 0.6.2, I've included RPM and Debian package files for rEFInd. If you have a working RPM-based or Debian-based Linux installation that boots in EFI mode, using one of these files is likely to be the easiest way to install rEFInd: You need only download the file and issue an appropriate installation command. In some cases, double-clicking the package in your file manager will install it. If that doesn't work, a command like the following will install the RPM on an RPM-based system:</p>
-<pre class="listing"># <tt class="userinput">rpm -Uvh refind-0.6.9-1.x86_64.rpm</tt></pre>
+<pre class="listing"># <tt class="userinput">rpm -Uvh refind-0.6.10-1.x86_64.rpm</tt></pre>
<p>On a Debian-based system, the equivalent command is:</p>
-<pre class="listing"># <tt class="userinput">dpkg -i refind_0.6.9-1_amd64.deb</tt></pre>
+<pre class="listing"># <tt class="userinput">dpkg -i refind_0.6.10-1_amd64.deb</tt></pre>
<p>Either command produces output similar to that described for <a href="#installsh">using the <tt>install.sh</tt> script,</a> so you can check it for error messages and other signs of trouble. The package file installs rEFInd and registers it with the EFI to be the default boot loader. The script that runs as part of the installation process tries to determine if you're using Secure Boot, and if so it will try to configure rEFInd to launch using shim; however, this won't work correctly on all systems. Ubuntu 12.10 users who are booting with Secure Boot active should be wary, since the resulting installation will probably try to use Ubuntu's version of shim, which won't work correctly with rEFInd.</p>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/19/2012; last Web page update:
-4/25/2013, referencing rEFInd 0.6.9</p>
+5/5/2013, referencing rEFInd 0.6.10</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p class="subhead">by Roderick W. Smith, <a
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
-<p>Last Web page update: 4/25/2013</p>
+<p>Last Web page update: 5/5/2013</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<ul>
+<li><b>0.6.10 (5/5/2013)</b>—This version adds a number of minor improvements: The ability to create multiple screen shots under a sequence of names rather than using just one name; a new screen saver feature, activated by the <tt>screensaver</tt> token in <tt>refind.conf</tt>; and an option to reboot the computer into the firmware's setup utility on computers that support this feature. I've also added an OS for ChromeOS (<tt>os_chrome.icns</tt>), and I've updated the LodePNG library to the latest version, which might improve rendering of some PNG files.</li>
+
<li><b>0.6.9 (4/25/2013)</b>—The most visible change to this version is to the rEFInd banner image, which now includes an icon provided by Erik Kemperman. The biggest change with this version is the inclusion of an updated version of <tt>gptsync</tt>, which is popular on Macs as a means of maintaining the <a href="http://www.rodsbooks.com/gdisk/hybrid.html">hybrid MBR</a> that's required to boot Windows in BIOS mode on that platform. Because hybrid MBRs are ugly and dangerous, though, the rEFInd <tt>install.sh</tt> script installs the program only under OS X, and even then it must be activated by uncommending the <tt>scanfor</tt> line in <tt>refind.conf</tt> and adding <tt>gptsync</tt> to its options list. If you want to use <tt>gptsync</tt> on a PC, you can, but you'll need to copy the program file manually to the ESP's <tt>EFI/tools</tt> directory. Other changes with this version include working around a suspected firmware bug that can cause hangs when rEFInd starts on some systems and changing the timeout code so that rEFInd will launch its default OS even if the computer is started without a keyboard.</li>
<li><b>0.6.8 (3/18/2013)</b>—This version fixes a few obscure bugs but adds only one minor new feature. Most notably, it fixes a problem that caused "Invalid Parameter" errors to appear when scanning for boot loaders on some systems; fixes a bug that caused icons defined in files named after boot loaders to not appear; and fixes a bug in the <tt>install.sh</tt> script that caused the script to fail on some systems. It also enables you to name a shell <tt>shell.efi</tt> in the root directory (previously only <tt>shell_<i>arch</i>.efi</tt> worked in the root directory, although <tt>shell.efi</tt> worked in the <tt>EFI/tools</tt> directory).</li>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 11/13/2012; last Web page update:
-4/25/2013, referencing rEFInd 0.6.9</p>
+5/5/2013, referencing rEFInd 0.6.10</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<li class="tight"><a href="#basic">Basic Issues</li>
-<li class="tight"><a href="#installation">Installation Issues</a></li>
+<li class="tight"><a href="#shim">Using rEFInd with Shim</a></li>
+ <ul>
+ <li class="tight"><a href="#installation">Installing Shim and rEFInd</a></li>
+ <li class="tight"><a href="#mok">Managing Your MOKs</a></li>
+ </ul>
-<li class="tight"><a href="#mok">Managing Your MOKs</a></li>
+<li class="tight"><a href="#prebootloader">Using rEFInd with PreBootloader</a></li>
<li class="tight"><a href="#caveats">Secure Boot Caveats</a></li>
</div>
-<p>If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some <a href="#basic">secure boot basics</a> and two specific
aspects of rEFInd and its interactions with Secure Boot: <a href="#installation">installation issues</a> and <a href="#mok">MOK management.</a> It concludes with a look at <a href="#caveats">known bugs and limitations</a> in rEFInd's Secure Boot features.</p>
+<p>If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some <a href="#basic">secure boot basics</a> and two specific
ways of using rEFInd with Secure Boot: <a href="#shim">Using the shim program</a> and <a href="#prebootloader">using the PreBootloader program.</a> It concludes with a look at <a href="#caveats">known bugs and limitations</a> in rEFInd's Secure Boot features.</p>
<a name="basic">
<h2>Basic Issues</h2>
If you don't want it, you can <a
href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html#disable">disable
it,</a> at least on <i>x</i>86-64 PCs. If an ARM-based computer ships with
-Windows 8, this isn't an option for it. Unfortunately, the shim software
-described on this page currently supports only <i>x</i>86-64, not
-<i>x</i>86 or ARM.</p>
+Windows 8, this isn't an option for it. Unfortunately, the shim and PreBootloader programs described on this page currently support only <i>x</i>86-64, not <i>x</i>86 or ARM.</p>
<p>Through 2012, it became obvious that Secure Boot would be a feature that was controlled, to a large extent, by Microsoft. This is because Microsoft requires that non-server computers that display Windows 8 logos ship with Secure Boot enabled. As a practical matter, this also means that such computers ship with Microsoft's keys in their firmware. In the absence of an industry-standard body to manage the signing of Secure Boot keys, this means that Microsoft's key is the only one that's more-or-less guaranteed to be installed on the computer, thus blocking the ability to boot any OS that lacks a boot path through Microsoft's signing key.</p>
-<p class="sidebar"><b>Note:</b> The <a href="http://www.linuxfoundation.org">Linux Foundation</a> has released a signed version of their <a href="http://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/">PreBootloader,</a> which functions something like shim; however, where shim requires signing all binaries that don't already have valid Secure Boot keys and managing a small number of keys, PreBootloader requires registering every authorized binary. I haven't had the chance to revise this documentation to cover PreBootloader, but you may want to use it instead of shim if you want to manage a small number of binaries that are not already signed with a Secure Boot key, MOK, or a key built into a signed version of shim.</p>
+<p>Fortunately, Microsoft will sign third-party binaries with their key—or more precisely, with a key that Microsoft uses to sign third-party binaries. (Microsoft uses another key to sign its own binaries, and some devices, such as the Microsoft Surface tablet, lack the third-party Microsoft key.) A payment of $99 to Verisign enables a software distributor to sign as many binaries as desired. Red Hat (Fedora), Novell (SUSE), and Canonical (Ubuntu) are all using this system to enable their boot loaders to run. Unfortunately, using a third-party signing service is an awkward solution for open source software. In fact, for this very reason two separate programs exist that shift the Secure Boot "train" from Microsoft's proprietary "track" to one that's more friendly to open source authors. Both of these programs (shim and PreBootloader) are available in binary form signed by Microsoft's key. Shim enables the computer to launch binaries that are signed by a key that's built into it or that the user adds to a list known as the Machine Owner Key (MOK) list. PreBootloader enables the computer to launch binaries that the user has explicitly identified as being OK. Distributions beginning with Ubuntu 12.10 (and 12.04.2), Fedora 18, and OpenSUSE 12.3 use shim, although Ubuntu ships with an early version of shim that's useless for launching rEFInd, at least through Ubuntu 13.04. To the best of my knowledge, no major distribution uses PreBootloader, but it may see use on live CDs and is easier to set up if you're not using a distribution that supports shim.</p>
-<p>Fortunately, Microsoft will sign third-party binaries with their key—or more precisely, with a key that Microsoft uses to sign third-party binaries. (Microsoft uses another key to sign its own binaries, and some devices, such as the Microsoft Surface tablet, lack the third-party Microsoft key.) A payment of $99 to Verisign enables a software distributor to sign as many binaries as desired. Red Hat (Fedora), Novell (SUSE), and Canonical (Ubuntu) have all announced plans to take advantage of this system. Unfortunately, using a third-party signing service is an awkward solution for open source software. In fact, for this very reason Red Hat has developed a program that it calls <i>shim</i> that essentially shifts the Secure Boot "train" from Microsoft's proprietary "track" to one that's more friendly to open source authors. Shim is signed by Microsoft and redirects the boot process to another boot loader that can be signed with keys that the distribution maintains and that are built into shim. Fedora 18 also uses this system. SUSE has announced that it will use the same system, as does Ubuntu with version 12.10 and later. SUSE has contributed to the shim approach by providing expansions to shim that support a set of keys that users can maintain themselves. These keys are known as Machine Owner Keys (MOKs), and managing them is described later, in <a href="#mok">Managing MOKs.</a> To reiterate, then, there are potentially three ways to sign a binary that will get it launched on a computer that uses shim:</p>
+<p>There are three ways to sign a binary that will get it launched on a computer that uses shim:</p>
<ul>
</ul>
-<p>All three key types are the same in form—shim's built-in keys and MOKs are both generated using the same tools used to generate Secure Boot keys. The keys can be generated with the common <tt>openssl</tt> program, but signing EFI binaries requires a rarer program called <tt>sbsign</tt> or <tt>pesign</tt>. Although it's theoretically possible to use rEFInd without signing your own binaries, this is not yet practical, because distributions don't yet provide their own signed binaries or the public MOK files you must have to enroll their keys. With any luck this will change in 2013. At the very least, many distributions will begin supporting Secure Boot in the near future, and with any luck they'll include their public MOKs for use with other distributions' versions of shim.</p>
+<p>All three key types are the same in form—shim's built-in keys and MOKs are both generated using the same tools used to generate Secure Boot keys. The keys can be generated with the common <tt>openssl</tt> program, but signing EFI binaries requires a rarer program called <tt>sbsign</tt> or <tt>pesign</tt>. If you use shim with a distribution that doesn't support this tool, you'll need to either sign the kernels yourself, which can be a hassle, or launch the kernels by way of a boot loader that doesn't check for signatures, such as ELILO.</p>
-<p>Because shim and MOK are being supported by several of the major players in the Linux world, I've decided to do the same with rEFInd. Beginning with version 0.5.0, rEFInd can communicate with the shim system to authenticate boot loaders. If a boot loader has been signed by a valid UEFI Secure Boot key, a valid shim key, or a valid MOK key, rEFInd will launch it. rEFInd will also launch unsigned boot loaders or those with invalid signatures <i>if</i> Secure Boot is disabled in or unsupported by the firmware. (If that's your situation, you needn't bother reading this page.)</p>
+<p class="sidebar">Shim's author is working on merging it and PreBootloader. Thus, future versions of shim may provide the advantages of both programs.</p>
-<p>Version 0.5.0 ships signed with my own keys, and I provide the public version of this key with the rEFInd package. This can help simplify setup, since you needn't generate your own keys to get rEFInd working; however, without public keys for the boot loaders that rEFInd launches, you'll still need to generate keys and sign your boot loaders, as described in the <a href="#mok">Managing Your MOKs</a> section.</p>
+<p>PreBootloader is easier to set up on a distribution that doesn't support shim because PreBootloader doesn't rely on keys; instead, you tell it which binaries you trust and it will let you launch them. This works well on a system with boot managers, boot loaders, and kernels that seldom change. It's not a good solution for distribution maintainers, though, because it requires that users manually add binaries to PreBootloader's list of approved binaries when the OS is installed and every time those binaries change. Also, PreBootloader relies on a helper program, HashTool, to enroll hashes. (This is Geek for "tell the computer that a binary is OK.") Unfortunately, HashTool can enroll hashes only from the partition from which it was launched, so if you want to use rEFInd to launch Linux kernels directly, it's easiest if you mount your ESP at <tt>/boot</tt> in Linux or copy your kernels to the ESP. Another approach is to copy <tt>HashTool.efi</tt> to the partition that holds your kernel and rename it to almost anything else. rEFInd will then treat it like an OS boot loader and create a menu entry for it, enabling you to launch it as needed.</p>
+
+<p>Beginning with version 0.5.0, rEFInd can communicate with the shim system to authenticate boot loaders. If a boot loader has been signed by a valid UEFI Secure Boot key, a valid shim key, or a valid MOK key, rEFInd will launch it. rEFInd will also launch unsigned boot loaders or those with invalid signatures <i>if</i> Secure Boot is disabled in or unsupported by the firmware. (If that's your situation, you needn't bother reading this page.) PreBootloader is designed in such a way that it requires no explicit support in rEFInd to work.</p>
+
+<p>Version 0.5.0 ships signed with my own keys, and I provide the public version of this key with the rEFInd package. This can help simplify setup, since you needn't generate your own keys to get rEFInd working; however, if you lack public keys for the boot loaders that rEFInd launches, you'll need to generate your own keys and sign your boot loaders, as described in the <a href="#mok">Managing Your MOKs</a> section.</p>
+
+<a name="shim">
+<h2>Using rEFInd with Shim</h2>
+</a>
+
+<p>Because several major distributions support shim, I describe it first. You may need to adjust the rEFInd installation process to get it working with shim, especially if you're not using a distribution that uses this software. In addition to installing shim, you should know how to manage your MOKs, so I describe this topic, too. If you don't want to use shim, you can skip ahead to <a href="#prebootloader">the section on PreBootloader.</a></p>
<a name="installation">
-<h2>Installation Issues</h2>
+<h3>Installing Shim and rEFInd</h3>
</a>
<p>A working Secure Boot installation of rEFInd involves at least three programs, and probably four or more, each of which must be installed in a specific way:</p>
<ul>
-<li><b>shim</b>—You can download a version of shim signed with Microsoft's Secure Boot key <a href="http://www.codon.org.uk/~mjg59/shim-signed/">here.</a> This version (created by shim's developer, former Red Hat employee Matthew J. Garrett) includes a shim key that's used by nothing but the <tt>MokManager.efi</tt> program that also ships with the program. Thus, to use this version of shim, you must use MOKs. Fedora 18's
version of shim includes its own key but can also use MOKs; but to use it with rEFInd, you must still enroll rEFInd's MOK. Ubuntu 12.10 ships with its own shim, but that version doesn't support MOKs and so is useless for launching rEFInd. Future versions of SUSE and probably other distributions will come with their own variants of shim, most of which will no doubt support their own shim keys as well as MOKs. You should install shim just as you would install other EFI boot loaders, as described <a href="http://www.rodsbooks.com/efi-bootloaders/installation.html">here.</a> For use in launching rEFInd, it makes sense to install <tt>shim.efi</tt> in <tt>EFI/refind</tt> on your ESP, although of course this detail is up to you.</li>
+<li><b>shim</b>—You can download a version of shim signed with Microsoft's Secure Boot key <a href="http://www.codon.org.uk/~mjg59/shim-signed/">here.</a> This version (created by shim's developer, former Red Hat employee Matthew J. Garrett) includes a shim key that's used by nothing but the <tt>MokManager.efi</tt> program that also ships with the program. Thus, to use this version of shim, you must use MOKs. Fedora 18's
and OpenSUSE 12.3's versions of shim include their own keys and can also use MOKs; but to use these packages with rEFInd, you must still enroll rEFInd's MOK. Ubuntu 12.10 and 13.04 ship with an earlier version of shim that version doesn't support MOKs. Ubuntu's shim is useless for launching rEFInd. Future distributions will probably come with their own variants of shim, most of which will no doubt support their own shim keys as well as MOKs. You should install shim just as you would install other EFI boot loaders, as described <a href="http://www.rodsbooks.com/efi-bootloaders/installation.html">here.</a> For use in launching rEFInd, it makes sense to install <tt>shim.efi</tt> in <tt>EFI/refind</tt> on your ESP, although of course this detail is up to you.</li>
-<li><b>MokManager</b>—This program is included with shim 0.2 and later. It presents a crude user interface for managing MOKs, and it's launched by shim if shim can't find its default boot loader (generally <tt>grubx64.efi</tt>) or if that program isn't properly signed. In principle, this program could be signed with a Secure Boot key or a MOK, but the binary in Garrett's shim 0.2 is signed with a shim key, and I expect that versions distributed with most Linux distributions will also be signed by their respective shim keys. This program should reside in the same directory as <tt>shim.efi</tt>, under the name <tt>MokManager.efi</tt>. Although you could theoretically do without MokManager, in practice you'll need it at least temporarily to install the MOK with which rEFInd is signed.</li>
+<li><b>MokManager</b>—This program is included with shim 0.2 and later (including the versions of shim that ship with Fedora 18 and OpenSUSE 12.3). It presents a crude user interface for managing MOKs, and it's launched by shim if shim can't find its default boot loader (generally <tt>grubx64.efi</tt>) or if that program isn't properly signed. In principle, this program could be signed with a Secure Boot key or a MOK, but the binary in Garrett's shim 0.2 is signed with a shim key, and I expect that versions distributed with most Linux distributions will also be signed by their respective shim keys. This program should reside in the same directory as <tt>shim.efi</tt>, under the name <tt>MokManager.efi</tt>. Although you could theoretically do without MokManager, in practice you'll need it at least temporarily to install the MOK with which rEFInd is signed.</li>
<li><b>rEFInd</b>—Naturally, you need rEFInd. Because shim is hard-coded to launch a program called <tt>grubx64.efi</tt>, you must install rEFInd using that name and to the same directory in which <tt>shim.efi</tt> resides. In theory, rEFInd could be signed with a Secure Boot key, a shim key, or a MOK; however, because Microsoft won't sign binaries distributed under the GPLv3, I can't distribute a version of rEFInd signed with Microsoft's Secure Boot key; and as I don't have access to the private shim keys used by any distribution, I can't distribute a rEFInd binary signed by them. (If distributions begin including rEFInd in their package sets, though, such distribution-provided binaries could be signed with the distributions' shim keys.) Thus, rEFInd will normally be signed by a MOK. Beginning with version 0.5.0, rEFInd binaries that I provide are signed by me. Beginning with version 0.5.1, the installation script provides an option to sign the rEFInd binary with your own key, provided the necessary support software is installed.</li>
</ul>
-<p>Because of variables such as which version of shim you're using and whether you're installing a pre-signed version of rEFInd or want to sign it yourself, I can't provide an absolutely complete procedure for installing rEFInd to work with Secure Boot. Broadly speaking, though, the procedure should be something like this:</p>
+<p>If you've installed Fedora 18 or OpenSUSE 12.3 and can boot it with Secure Boot active, and if you then install rEFInd using the RPM file that I provide or by running <tt>install.sh</tt>, chances are you'll end up with a working rEFInd that will start up the first time, with one caveat: You'll have to use MokManager to add rEFInd's MOK to your MOK list, as described shortly. If you don't already have a working copy of shim on your ESP, your task is more complex. Broadly speaking, the procedure should be something like this:</p>
<ol>
<li>Download shim from <a
href="http://www.codon.org.uk/~mjg59/shim-signed/">Matthew J. Garrett's
- download site</a> or from your distribution. (Don't use Ubuntu 12.10's
+ download site</a> or from your distribution. (Don't use Ubuntu's
version, though; as noted earlier, it's inadequate for use with
- rEFInd.) Fedora 18 ships with a signed shim, but I've not yet tested
- it.</li>
+ rEFInd.)</li>
<p class="sidebar"><b>Tip:</b> If you're running Linux, you can save some effort by using the <tt>install.sh</tt> script with its <tt>--shim <tt class="variable">/path/to/shim.efi</tt></tt> option rather than installing manually, as in steps 4–6 of this procedure. If you've installed <tt>openssl</tt> and <tt>sbsign</tt>, using <tt>--localkeys</tt> will generate local signing keys and re-sign the rEFInd binaries with your own key, too. You can then use <tt>sbsign</tt> and the keys in <tt>/etc/refind.d/keys</tt> to sign your kernels or boot loaders.</p>
disk</tt>. The screen will clear and prompt you to select a key, as
shown here:</li>
- <br /><IMG SRC="MokManager1.png" ALIGN="CENTER" WIDTH="676"
- HEIGHT="186" ALT="MokManager's user interface is crude but effective."
- BORDER=2> <br />
+ <br /><img src="MokManager1.png" align="CENTER" width="676"
+ height="186" alt="MokManager's user interface is crude but effective."
+ border=2> <br />
<li>Each of the lines with a long awkward string represents a disk
partition. Select one and you'll see a list of files. Continue
<p>At this point the computer may boot into its default OS, reboot, or perhaps even hang. When you reboot it, though, rEFInd should start up in Secure Boot mode. (You can verify this by selecting the <i>About rEFInd</i> tool in the main menu. Check the <i>Platform</i> item in the resulting screen; it should verify that Secure Boot is active.) You should now be able to launch any boot loader signed with a key recognized by the firmware or by shim (including any MOKs you've enrolled). If you want to manage keys in the future, rEFInd displays a new icon in the second (tools) row you can use to launch MokManager. (This icon appears by default if MokManager is installed, but if you edit <tt>showtools</tt> in <tt>refind.conf</tt>, you must be sure to include <tt>mok_tool</tt> as an option in order to gain access to it.)</p>
-<p>If you're using Ubuntu
12.10, you can't use its version of shim, but you can replace it with Garrett's shim. If you do so, though, you'll have to add Ubuntu's public key as a MOK, at least if you intend to launch Ubuntu's version of GRUB or launch Ubuntu-provided signed kernels. Ubuntu's public key is available in the <a href="http://archive.ubuntu.com/ubuntu/pool/main/s/shim/shim_0~20120906.bcd0a4e8-0ubuntu4.debian.tar.gz">shim_0~20120906.bcd0a4e8-0ubuntu4.debian.tar.gz</a> tarball, as <tt>canonical-uefi-ca.der</tt>. (The filename extensions <tt>.cer</tt> and <tt>.der</tt> are interchangeable for most purposes.) I've also included this key with rEFInd, in the <tt>refind/keys</tt> subdirectory of its package file. To use this key, copy it to your ESP and enroll it with MokManager. See <a href="http://falstaff.agner.ch/2012/12/12/secure-boot-implementation-of-ubuntu-12-10-quantal-quetzal/">this blog post</a> for further details on Ubuntu 12.10's handling of Secure Boot. In principle, you should be able to use shim 0.2 or later from future distributions that include it; but you must be sure that whatever you use supports MokManager.</p>
+<p>If you're using Ubuntu, you can't use its version of shim, but you can replace it with Garrett's shim. If you do so, though, you'll have to add Ubuntu's public key as a MOK, at least if you intend to launch Ubuntu's version of GRUB or launch Ubuntu-provided signed kernels. Ubuntu's public key is available in the <a href="http://archive.ubuntu.com/ubuntu/pool/main/s/shim/shim_0~20120906.bcd0a4e8-0ubuntu4.debian.tar.gz">shim_0~20120906.bcd0a4e8-0ubuntu4.debian.tar.gz</a> tarball, as <tt>canonical-uefi-ca.der</tt>. (The filename extensions <tt>.cer</tt> and <tt>.der</tt> are interchangeable for most purposes.) I've also included this key with rEFInd, in the <tt>refind/keys</tt> subdirectory of its package file. To use this key, copy it to your ESP and enroll it with MokManager. See <a href="http://falstaff.agner.ch/2012/12/12/secure-boot-implementation-of-ubuntu-12-10-quantal-quetzal/">this blog post</a> for further details on Ubuntu 12.10's handling of Secure Boot. In principle, you should be able to use shim 0.2 or later from future distributions that include it; but you must be sure that whatever you use supports MokManager.</p>
<a name="mok">
-<h2>Managing Your MOKs</h2>
+<h3>Managing Your MOKs</h3>
</a>
<p>The preceding instructions provided the basics of getting rEFInd up and running, including using MokManager to enroll a MOK on your computer. If you need to sign binaries, though, you'll have to use additional tools. The OpenSSL package provides the cryptographic tools necessary, but actually signing EFI binaries requires additional software. Two packages for this are available: <tt>sbsigntool</tt> and <tt>pesign</tt>. Both are available in binary form from <a href="https://build.opensuse.org/project/show?project=home%3Ajejb1%3AUEFI">this OpenSUSE Build Service (OBS)</a> repository. The following procedure uses <tt>sbsigntool</tt>. To sign your own binaries, follow these steps (you can skip the first five steps if you've used <tt>install.sh</tt>'s <tt>--localkeys</tt> option):</p>
<p>At this point you should be able to launch the binaries you've signed. Unfortunately, there can still be problems at this point....</p>
+<a name="prebootloader">
+<h2>Using rEFInd with PreBootloader</h2>
+</a>
+
+<p>If you want to use Secure Boot with a distribution that doesn't come with shim but the preceding description exhausts you, take heart: PreBootloader is easier to set up and use for your situation! Unfortunately, it's still not as easy to use as not using Secure Boot at all, and it's got some drawbacks, but it may represent an acceptable middle ground. To get started, proceed as follows:</p>
+
+<ol>
+
+<li>Boot the computer. As with shim, this can be a challenge; you may need
+ to boot with Secure Boot disabled, use a Secure Boot–enabled live
+ CD, or do the installation from Windows.</li>
+
+<li><a href="getting.html">Download rEFInd</a> in binary form (the binary
+ zip or CD-R image file). If you download the binary zip file, unzip it;
+ if you get the CD-R image file, burn it to a CD-R and mount it.</li>
+
+<li>Download PreBootloader from <a
+ href="http://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/">its
+ release page</a> or by clicking the following links. Be sure to get
+ both the <tt><a
+ href="http://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi">PreLoader.efi</a></tt>
+ and <tt><a
+ href="http://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi">HashTool.efi</a></tt>
+ files.</li>
+
+<li>Copy the <tt>PreLoader.efi</tt> and <tt>HashTool.efi</tt> binaries to
+ the directory you intend to use for rEFInd—for instance,
+ <tt>EFI/refind</tt> on the ESP.</li>
+
+<li>Follow the installation instructions for rEFInd on the <a
+ href="installing.html">Installing rEFInd</a> page; however, give rEFInd
+ the filename <tt>loader.efi</tt> and register <tt>PreLoader.efi</tt>
+ with the EFI by using <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt>
+ in Windows. Be sure that rEFInd (as <tt>loader.efi</tt>),
+ <tt>PreLoader.efi</tt>, and <tt>HashTool.efi</tt> all reside in the
+ same directory.</li>
+
+<li>Reboot. With any luck, you'll see HashTool appear with a warning
+ message stating that it was unable to launch <tt>loader.efi</tt> and
+ declaring that it will launch <tt>HashTool.efi</tt>. Press the Enter
+ key to continue.</li>
+
+<li>HashTool should now appear. It should give you three or four options,
+ including <tt>Enroll Hash</tt>, as shown here. Select this option</li>
+
+ <br /><img src="HashTool1.png" align="CENTER" width="641" height="459"
+ alt="HashTool provide a somewhat nicer user interface than
+ MokManager's." border=2> <br />
+
+<li>You can now select the binary you want to authorize. You should first
+ select <tt>loader.efi</tt>, since that's rEFInd. The program presents
+ the hash (a very long number) and asks for confirmation. Be sure to
+ select <tt>Yes</tt>.</li>
+
+ <br /><img src="HashTool2.png" align="CENTER" width="638" height="455"
+ alt="Be sure to select the right binary when you enroll its hash."
+ border=2> <br />
+
+<p class="sidebar"><b>Note:</b> Unfortunately, HashTool's file selector can't change filesystems. Thus, if you want to boot a Linux kernel using rEFInd and PreBootloader, you'll need to copy the kernel to the ESP, at least temporarily. Alternatively, as noted earlier, you can copy <tt>HashTool.efi</tt> to the directory that holds the kernels or to another directory on that partition that rEFInd scans—but be sure to rename <tt>HashTool.efi</tt> or rEFInd will ignore it. You'll then see a boot loader entry for HashTool.</p>
+
+<li>Repeat the preceding two steps for any additional binaries you might
+ want to enroll. These include any EFI filesystem drivers you're using,
+ any boot loaders you're launching from rEFInd (other than those that
+ are already signed, such as Microsoft's boot loader), and possibly your
+ Linux kernel.</li>
+
+<li>At the HashTool main menu, select <tt>Exit</tt>. rEFInd should
+ launch.</li>
+
+</ol>
+
+<p>If you did everything right, rEFInd should now launch follow-on boot loaders and kernels, including both programs signed with the platform's Secure Boot keys and binaries that you've authorized with HashTool. If you need to authorize additional programs, you can do so from rEFInd by using the MOK utility tool icon that launches <tt>HashTool.efi</tt> from the second row of icons. (This icon should appear by default, but if you uncomment the <tt>showtools</tt> token in <tt>refind.conf</tt>, be sure that <tt>mok_tool</tt> is present among the options.)</p>
+
<a name="caveats">
<h2>Secure Boot Caveats</h2>
</a>
partitions.</li>
<li>As of version 0.6.2, rEFInd's own Secure Boot support is theoretically
- able to work on non-<i>x</i>86-64 platforms; however, shim 0.2 works
- only on <i>x</i>86-64, and rEFInd is dependent upon shim. Thus, you'll
- have to wait for future shim developments if you want to use Secure
- Boot on <i>x</i>86 or ARM computers.</li>
+ able to work on non-<i>x</i>86-64 platforms; however, shim 0.2 and
+ PreBootloader both work only on <i>x</i>86-64, and rEFInd is dependent
+ upon these tools. Thus, you'll have to wait for future developments if
+ you want to use Secure Boot on <i>x</i>86 or ARM computers.</li>
<li>In theory, signing Microsoft's boot loader with a MOK should work. This
might be handy if you want to replace your computer's built-in keys
</ul>
-<p>If you launch a boot loader or other program from rEFInd that relies on the EFI's standard program-launching code, that program should take advantage of shim and its MOKs. For instance, if you launch <a href="http://freedesktop.org/wiki/Software/gummiboot">gummiboot</a> from rEFInd (and rEFInd from shim), gummiboot should be able to launch shim/MOK-signed Linux kernels. This is not currently true if you launch gummiboot directly from shim.</p>
+<p>If you launch a boot loader or other program from rEFInd that relies on the EFI's standard program-launching code, that program should take advantage of shim and its MOKs. For instance, if you launch <a href="http://freedesktop.org/wiki/Software/gummiboot">gummiboot</a> from rEFInd (and rEFInd from shim), gummiboot should be able to launch shim/MOK-signed Linux kernels. This is not currently true if you launch gummiboot directly from shim. (You can launch gummiboot from PreBootloader and it should work, though, because of technical differences between how shim and PreBootloader work.)</p>
<p>My focus in testing rEFInd's Secure Boot capabilities has been on getting Linux kernels with EFI stub loaders to launch correctly. I've done some minimal testing with GRUB 2, though. I've also tested some self-signed binaries, such as an EFI shell and MokManager. (The EFI shell launches, but will not itself launch anything that's not been signed with a UEFI Secure Boot key, even with rEFInd 0.6.2. This of course limits its utility.)</p>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 4/19/2012; last Web page update:
-4/25/2013, referencing rEFInd 0.6.9</p>
+5/5/2013, referencing rEFInd 0.6.10</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-4/25/2013, referencing rEFInd 0.6.9</p>
+5/5/2013, referencing rEFInd 0.6.10</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
systems with a limited number of configurations. Therefore, if you
try rEFInd and run into bugs, please report them to me!</li>
- <li>I have little talent with graphics manipulation programs, so
- rEFInd's boot logo, such as it is, is pretty weak. If you have
- artistic talent and would like to create a rEFInd logo, please feel
- free to send it to me. I won't make any final decision about
- changes until at least June 30 of 2012.</li>
-
<li>rEFIt's original design, and hence rEFInd's design, enables easy
theming by replacing icon files. If you'd like to design a new
theme for rEFInd, feel free to submit it. I might or might not
the list, it will take precedence over the normal hard disk
default.</li>
- <li>Along the lines of the previous item, the default_selection might
- be expanded to support some form of specification of disk types, as
- in a special entry for any optical disk or any external disk, no
- matter what its name is.</li>
+ <li>Along the lines of the previous item, the
+ <tt>default_selection</tt> might be expanded to support some form
+ of specification of disk types, as in a special entry for any
+ optical disk or any external disk, no matter what its name is.</li>
<li>It would be useful to be able to specify paths to boot loaders
and/or initial RAM disks relative to the rEFInd directory (or the
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-4/25/2013, referencing rEFInd 0.6.9</p>
+5/5/2013, referencing rEFInd 0.6.10</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
/** Helper macro for stringification. */
#define FSW_EFI_STRINGIFY(x) #x
/** Expands to the EFI driver name given the file system type name. */
-#define FSW_EFI_DRIVER_NAME(t) L"rEFInd 0.6.9 " FSW_EFI_STRINGIFY(t) L" File System Driver"
+#define FSW_EFI_DRIVER_NAME(t) L"rEFInd 0.6.10 " FSW_EFI_STRINGIFY(t) L" File System Driver"
// function prototypes
- altlinux.cer -- The public key for ALT Linux (http://www.altlinux.com).
-- canonical-uefi-ca.der -- Canonical's public key, used to sign Ubuntu
- boot loaders and kernels.
+- canonical-uefi-ca.crt & canonical-uefi-ca.der -- Canonical's public key,
+ used to sign Ubuntu boot loaders and kernels.
-- fedora-ca.cer -- Fedora's public key, used to sign Fedora 18's version of
- shim and Fedora 18's kernels.
+- fedora-ca.cer & fedora-ca.crt -- Fedora's public key, used to sign Fedora
+ 18's version of shim and Fedora 18's kernels.
+
+- openSUSE-UEFI-CA-Certificate.cer & openSUSE-UEFI-CA-Certificate.crt --
+ Public keys used to sign OpenSUSE 12.3.
- refind.cer & refind.crt -- My own (Roderick W. Smith's) public key,
used to sign refind_x64.efi and the 64-bit rEFInd drivers.
+
+- SLES-UEFI-CA-Certificate.cer & SLES-UEFI-CA-Certificate.crt -- The
+ Public key for SUSE Linux Enterprise Server.
#
timeout 20
+# Screen saver timeout; the screen blanks after the specified number of
+# seconds with no keyboard input. The screen returns after most keypresses
+# (unfortunately, not including modifier keys such as Shift, Control, Alt,
+# or Option). The default is 0, which disables the screen saver.
+#screensaver 300
+
# Hide user interface elements for personal preference or to increase
# security:
# banner - the rEFInd title banner (built-in or loaded via "banner")
Summary: EFI boot manager software
Name: refind
-Version: 0.6.9.2
+Version: 0.6.10
Release: 1%{?dist}
Summary: EFI boot manager software
License: GPLv3
if (AboutMenu.EntryCount == 0) {
AboutMenu.TitleImage = BuiltinIcon(BUILTIN_ICON_FUNC_ABOUT);
- AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.6.9.2");
+ AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.6.10");
AddMenuInfoLine(&AboutMenu, L"");
AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2006-2010 Christoph Pfisterer");
AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2012-2013 Roderick W. Smith");
State->MaxVisible = State->FinalRow0 + 1;
} // static VOID IdentifyRows()
+// Blank the screen, wait for a keypress, and restore banner/background.
+// Screen may still require redrawing of text and icons on return.
+// TODO: Support more sophisticated screen savers, such as power-saving
+// mode and dynamic images.
+static VOID SaveScreen(VOID) {
+ UINTN index;
+ EG_PIXEL Black = { 0x0, 0x0, 0x0, 0 };
+
+ egClearScreen(&Black);
+ refit_call3_wrapper(BS->WaitForEvent, 1, &ST->ConIn->WaitForKey, &index);
+ if (AllowGraphicsMode)
+ SwitchToGraphicsAndClear();
+ ReadAllKeyStrokes();
+} // VOID SaveScreen()
+
//
// generic menu function
//
INTN ShortcutEntry;
BOOLEAN HaveTimeout = FALSE;
UINTN TimeoutCountdown = 0;
- INTN PreviousTime = -1, CurrentTime;
+ INTN PreviousTime = -1, CurrentTime, TimeSinceKeystroke = 0;
CHAR16 TimeoutMessage[256];
CHAR16 KeyAsString[2];
UINTN MenuExit;
+// EG_PIXEL Black = { 0x0, 0x0, 0x0, 0 };
if (Screen->TimeoutSeconds > 0) {
HaveTimeout = TRUE;
} else if (HaveTimeout) {
refit_call1_wrapper(BS->Stall, 100000); // Pause for 100 ms
TimeoutCountdown--;
+ TimeSinceKeystroke++;
+ } else if (GlobalConfig.ScreensaverTime > 0) {
+ refit_call1_wrapper(BS->Stall, 100000); // Pause for 100 ms
+ TimeSinceKeystroke++;
+ if (TimeSinceKeystroke > (GlobalConfig.ScreensaverTime * 10)) {
+ SaveScreen();
+ State.PaintAll = TRUE;
+ TimeSinceKeystroke = 0;
+ } // if
} else {
refit_call3_wrapper(BS->WaitForEvent, 1, &ST->ConIn->WaitForKey, &index);
}
continue;
- }
+ } else {
+ TimeSinceKeystroke = 0;
+ } // if/else !read keystroke
+
if (HaveTimeout) {
// the user pressed a key, cancel the timeout
StyleFunc(Screen, &State, MENU_FUNCTION_PAINT_TIMEOUT, L"");
// text-mode generic style
//
+// Show information lines in text mode.
+static VOID ShowTextInfoLines(IN REFIT_MENU_SCREEN *Screen) {
+ INTN i;
+
+ BeginTextScreen(Screen->Title);
+ if (Screen->InfoLineCount > 0) {
+ refit_call2_wrapper(ST->ConOut->SetAttribute, ST->ConOut, ATTR_BASIC);
+ for (i = 0; i < (INTN)Screen->InfoLineCount; i++) {
+ refit_call3_wrapper(ST->ConOut->SetCursorPosition, ST->ConOut, 3, 4 + i);
+ refit_call2_wrapper(ST->ConOut->OutputString, ST->ConOut, Screen->InfoLines[i]);
+ }
+ }
+} // VOID ShowTextInfoLines()
+
+// Do most of the work for text-based menus....
static VOID TextMenuStyle(IN REFIT_MENU_SCREEN *Screen, IN SCROLL_STATE *State, IN UINTN Function, IN CHAR16 *ParamText)
{
INTN i;
// TODO: account for double-width characters
} // for
- // initial painting
- BeginTextScreen(Screen->Title);
- if (Screen->InfoLineCount > 0) {
- refit_call2_wrapper(ST->ConOut->SetAttribute, ST->ConOut, ATTR_BASIC);
- for (i = 0; i < (INTN)Screen->InfoLineCount; i++) {
- refit_call3_wrapper(ST->ConOut->SetCursorPosition, ST->ConOut, 3, 4 + i);
- refit_call2_wrapper(ST->ConOut->OutputString, ST->ConOut, Screen->InfoLines[i]);
- }
- }
-
break;
case MENU_FUNCTION_CLEANUP:
case MENU_FUNCTION_PAINT_ALL:
// paint the whole screen (initially and after scrolling)
+
+ ShowTextInfoLines(Screen);
for (i = 0; i <= State->MaxIndex; i++) {
if (i >= State->FirstVisible && i <= State->LastVisible) {
refit_call3_wrapper(ST->ConOut->SetCursorPosition, ST->ConOut, 2, MenuPosY + (i - State->FirstVisible));
Screen->Title[i] = 0;
} // if
} // if/else
-
- DrawText(Screen->Title, FALSE, (StrLen(Screen->Title) + 2) * CharWidth, TitlePosX, EntriesPosY += TextLineHeight());
- if (Screen->TitleImage) {
- BltImageAlpha(Screen->TitleImage, EntriesPosX + TITLEICON_SPACING, EntriesPosY + TextLineHeight() * 2,
- BackgroundPixel);
- EntriesPosX += (Screen->TitleImage->Width + TITLEICON_SPACING * 2);
- }
- EntriesPosY += (TextLineHeight() * 2);
- if (Screen->InfoLineCount > 0) {
- for (i = 0; i < (INTN)Screen->InfoLineCount; i++) {
- DrawText(Screen->InfoLines[i], FALSE, LineWidth, EntriesPosX, EntriesPosY);
- EntriesPosY += TextLineHeight();
- }
- EntriesPosY += TextLineHeight(); // also add a blank line
- }
-
break;
case MENU_FUNCTION_CLEANUP:
break;
case MENU_FUNCTION_PAINT_ALL:
- for (i = 0; i <= State->MaxIndex; i++) {
- DrawText(Screen->Entries[i]->Title, (i == State->CurrentSelection), LineWidth, EntriesPosX,
- EntriesPosY + i * TextLineHeight());
- }
- if (!(GlobalConfig.HideUIFlags & HIDEUI_FLAG_HINTS)) {
- if ((Screen->Hint1 != NULL) && (StrLen(Screen->Hint1) > 0))
- DrawTextWithTransparency(Screen->Hint1, (UGAWidth - egComputeTextWidth(Screen->Hint1)) / 2,
- UGAHeight - (egGetFontHeight() * 3));
- if ((Screen->Hint2 != NULL) && (StrLen(Screen->Hint2) > 0))
- DrawTextWithTransparency(Screen->Hint2, (UGAWidth - egComputeTextWidth(Screen->Hint2)) / 2,
+ ComputeSubScreenWindowSize(Screen, State, &EntriesPosX, &EntriesPosY, &MenuWidth, &MenuHeight, &LineWidth);
+ DrawText(Screen->Title, FALSE, (StrLen(Screen->Title) + 2) * CharWidth, TitlePosX, EntriesPosY += TextLineHeight());
+ if (Screen->TitleImage) {
+ BltImageAlpha(Screen->TitleImage, EntriesPosX + TITLEICON_SPACING, EntriesPosY + TextLineHeight() * 2,
+ BackgroundPixel);
+ EntriesPosX += (Screen->TitleImage->Width + TITLEICON_SPACING * 2);
+ }
+ EntriesPosY += (TextLineHeight() * 2);
+ if (Screen->InfoLineCount > 0) {
+ for (i = 0; i < (INTN)Screen->InfoLineCount; i++) {
+ DrawText(Screen->InfoLines[i], FALSE, LineWidth, EntriesPosX, EntriesPosY);
+ EntriesPosY += TextLineHeight();
+ }
+ EntriesPosY += TextLineHeight(); // also add a blank line
+ }
+
+ for (i = 0; i <= State->MaxIndex; i++) {
+ DrawText(Screen->Entries[i]->Title, (i == State->CurrentSelection), LineWidth, EntriesPosX,
+ EntriesPosY + i * TextLineHeight());
+ }
+ if (!(GlobalConfig.HideUIFlags & HIDEUI_FLAG_HINTS)) {
+ if ((Screen->Hint1 != NULL) && (StrLen(Screen->Hint1) > 0))
+ DrawTextWithTransparency(Screen->Hint1, (UGAWidth - egComputeTextWidth(Screen->Hint1)) / 2,
+ UGAHeight - (egGetFontHeight() * 3));
+ if ((Screen->Hint2 != NULL) && (StrLen(Screen->Hint2) > 0))
+ DrawTextWithTransparency(Screen->Hint2, (UGAWidth - egComputeTextWidth(Screen->Hint2)) / 2,
UGAHeight - (egGetFontHeight() * 2));
- } // if
- break;
+ } // if
+ break;
case MENU_FUNCTION_PAINT_SELECTION:
// redraw selection cursor
// Keyboard input
//
-static BOOLEAN ReadAllKeyStrokes(VOID)
+BOOLEAN ReadAllKeyStrokes(VOID)
{
BOOLEAN GotKeyStrokes;
EFI_STATUS Status;
#define DebugPause()
#endif
VOID EndlessIdleLoop(VOID);
+BOOLEAN ReadAllKeyStrokes(VOID);
VOID PauseForKey(VOID);
BOOLEAN CheckFatalError(IN EFI_STATUS Status, IN CHAR16 *where);