quoting support for entering quotes in config files.
-0.5.0 (??/??/2012):
--------------------
+0.5.0 (12/5/2012):
+------------------
- Changed refind.conf-sample to uncomment the scan_all_linux_kernels
option by default. If this option is deleted or commented out, the
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>\r
\r
<p>Originally written: 3/14/2012; last Web page update:\r
-10/7/2012, referencing rEFInd 0.4.7</p>\r
+12/5/2012, referencing rEFInd 0.5.0</p>\r
\r
\r
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>\r
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-11/6/2012, referencing rEFInd 0.4.7</p>
+12/5/2012, referencing rEFInd 0.5.0</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 4/19/2012; last Web page update:
-11/15/2012, referencing rEFInd 0.4.7</p>
+12/5/2012, referencing rEFInd 0.5.0</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-11/6/2012, referencing rEFInd 0.4.7</p>
+12/5/2012, referencing rEFInd 0.5.0</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<li>Drivers for ISO-9660 and HFS+, which are not included in rEFIt. (The ISO-9660 driver is based on code from the rEFIt project, but was never completed by its original author. It was completed by Oracle for VirtualBox.)</li>
+<li>Beginning with version 0.5.0, the ability to "talk" to the <a href="http://mjg59.dreamwidth.org/20303.html">shim boot loader</a> to validate binaries supported by shim or its machine owner key (MOK) list when booting in EFI mode. As of version 0.5.0, this support is still crude and buggy; it should be considered an alpha-level feature at the moment.</li>
+
</ul>
<p>On the flip side, at least for Mac users, rEFInd comes with less sophisticated Mac installation tools than does rEFIt, in favor of more OS-agnostic packaging.</p>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-11/6/2012, referencing rEFInd 0.4.7</p>
+12/5/2012, referencing rEFInd 0.5.0</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<ul>
<li><b><a
- href="http://sourceforge.net/projects/refind/files/0.4.7/refind-src-0.4.7.zip/download">A
+ href="http://sourceforge.net/projects/refind/files/0.5.0/refind-src-0.5.0.zip/download">A
source code zip file</a></b>—This is useful if you want to
compile the software locally. Note that I use Linux with the <a
href="https://sourceforge.net/projects/tianocore/">TianoCore EFI
possible, but I've not attempted it.</li>
<li><b><a
- href="http://sourceforge.net/projects/refind/files/0.4.7/refind-bin-0.4.7.zip/download">A
+ href="http://sourceforge.net/projects/refind/files/0.5.0/refind-bin-0.5.0.zip/download">A
binary zip file</a></b>—Download this if you want to install
rEFInd and/or its filesystem drivers on an <i>x</i>86 or <i>x</i>86-64
computer and have no need to test rEFInd first by booting it on an
<p class="sidebar"><b>Tip:</b> If you want a bootable USB flash drive, download the binary zip file or CD-R image file, prepare a USB flash drive with a FAT32 ESP, and then use the <tt>install.sh</tt> program's <tt>--usedefault</tt> option, as in <tt class="userinput">bash install.sh --usedefault /dev/sdd1</tt> to install to the first partition on <tt>/dev/sdd</tt>. This procedure should work even on a BIOS-booted computer.</p>
<li><b><a
- href="http://sourceforge.net/projects/refind/files/0.4.7/refind-cd-0.4.7.zip/download">A
+ href="http://sourceforge.net/projects/refind/files/0.5.0/refind-cd-0.5.0.zip/download">A
CD-R image file</a></b>—This download contains the same files as
the binary zip file, but you can burn it to a CD-R to test rEFInd
(and its filesystem drivers) without installing it first. (It boots on
<ul>
<li><b>Arch Linux</b>—You can obtain rEFInd from the Arch
- repositories, in both <a
- href="https://www.archlinux.org/packages/extra/any/refind-efi/">stable</a>
- and <a
- href="https://aur.archlinux.org/packages/refind-efi-tianocore-git/">git
- (experimental)</a> releases. The git release is likely to include
+ repositories, in both a stable version (the <tt>refind-efi</tt> package
+ installable via <tt>pacman</tt>) and an experimental release built from
+ rEFInd's git repository in the Arch User Repository (AUR), under the
+ name <tt>refind-efi-git</tt>. The git release is likely to include
pre-release bug fixes and new features, but those features may be
poorly tested or undocumented. The last I checked, both builds used the
Tianocore toolkit, and so support booting BIOS/legacy boot loaders on
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-11/6/2012, referencing rEFInd 0.4.7</p>
+12/5/2012, referencing rEFInd 0.5.0</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<li><a href="http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/efi-boot-process.html">The EFI Boot Process</a> describes, in broad strokes, how EFI systems boot.</li>
-<li><a href="https://lkml.org/lkml/2011/10/17/81">A Linux kernel mailing list thread</a> describing the new EFI stub loader that's appearing in the Linux 3.3 kernel series.</li>
+<li><a href="https://lkml.org/lkml/2011/10/17/81">A Linux kernel mailing list thread</a> describing the new EFI stub loader that was introduced in the Linux 3.3 kernel series.</li>
<li>The <a href="https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface">Arch Linux UEFI wiki page</a> has a great deal of information on UEFI and Linux.</li>
<li>Phoenix Technologies maintains a <a href="http://wiki.phoenix.com/wiki/index.php/Main_Page">wiki on EFI topics,</a> including <a href="http://wiki.phoenix.com/wiki/index.php/Category:UEFI_2.0">information on many EFI system calls</a> useful to programmers.</li>
+<li>Matthew J. Garrett, the developer of the shim boot loader to manage Secure Boot, maintains <a href="http://mjg59.dreamwidth.org/">a blog</a> that often describes EFI issues.</li>
+
</ul></li> <!-- Informational Web pages -->
<li><b>Additional programs</b>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-11/15/2012, referencing rEFInd 0.4.7</p>
+12/5/2012, referencing rEFInd 0.5.0</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
changes to the computer's NVRAM. The idea is that you can easily create
a bootable USB flash drive with this option: Create a proper
FAT-formatted ESP on a disk (say, <tt>/dev/sdd1</tt>) and then type <tt
- class="userinput">sh ./install --usedefault /dev/sdd1</tt> to turn the
- disk into an emergency disk. This option can also be used to install
- rEFInd to an ESP using the <a href="#naming">alternative naming
+ class="userinput">bash ./install --usedefault /dev/sdd1</tt> to turn
+ the disk into an emergency disk. This option can also be used to
+
install rEFInd to an ESP using the <a href="#naming">alternative naming
options</a> described later. This latter usage will result in a
bootable rEFInd only if no other OS has already created an NVRAM
variable pointing to itself.</li>
<p>In all cases, if the new version includes new or altered configuration file options, you may need to manually update your configuration file. Alternatively, if you've used the default configuration file, you can replace your working <tt>refind.conf</tt> with <tt>refind.conf-sample</tt> from the rEFInd zip file. (When using <tt>install.sh</tt>, this file will be copied to rEFInd's installation directory under its original name, so you can rename it within that directory to replace the old file.</p>
+<p>If you're upgrading to rEFInd from rEFIt, you can simply run the <tt>install.sh</tt> script as described earlier or perform a manual installation. Once installed, rEFInd will take over boot manager duties. You'll still be able to launch rEFIt from rEFInd; a rEFIt icon will appear in rEFInd's menu. You can eliminate this option by removing the rEFIt files, which normally reside in <tt>/EFI/refit</tt>.</p>
+
<a name="addons">
<h2>Installing Additional Components</h2>
</a>
<ul>
<li><b><a
- href="http://tianocore.git.sourceforge.net/git/gitweb.cgi?p=tianocore/edk2;a=blob_plain;f=EdkShellBinPkg/FullShell/X64/Shell_Full.efi;hb=HEAD">shell.efi</a></b>—This
+ href="http://tianocore.git.sourceforge.net/git/gitweb.cgi?p=tianocore/edk2;a=blob_plain;f=EdkShellBinPkg/FullShell/X64/Shell_Full.efi;hb=HEAD"><tt>shell.efi</tt></a></b>—This
file, placed in the ESP's <tt>efi/tools</tt> directory, adds the
ability to launch a text-mode EFI shell from rEFInd. Note that the
download link is to a 64-bit binary that must be renamed before rEFInd
Linux wiki,</a> and on other sites; try a Web search if the shell you
find doesn't work to your satisfaction.</li>
-<li><b>
gptsync.efi</b>—This program creates a <a
+<li><b>
<tt>gptsync.efi</tt></b>—This program creates a <a
href="http://www.rodsbooks.com/gdisk/hybrid.html">hybrid MBR</a> from
your regular GPT disk. A hybrid MBR is a dangerous hack that enables
Windows and OS X to coexist on a Macintosh disk. If you're using a
<a href="drivers.html">Using EFI Drivers</a> page for more on this
topic.</li>
+<li><b>Secure Boot files</b>—If you're running on a system that
+ supports Secure Boot, chances are you'll need extra support files, such
+ as <tt>shim.efi</tt> and <tt>MokManager.efi</tt>. I describe these in
+ detail on the <a href="secureboot.html">Managing Secure Boot</a>
+ page.</li>
+
</ul>
<p>I've seen links to other versions of these tools from time to time on the Web, so if you try one of these programs and it crashes or behaves strangely, try performing a Web search; you may turn up something that works better for you than the one to which I've linked.</p>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/19/2012; last Web page update:
-11/6/2012, referencing rEFInd 0.4.7</p>
+12/5/2012, referencing rEFInd 0.5.0</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p class="subhead">by Roderick W. Smith, <a
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
-<p>Last Web page update: 11/6/2012</p>
+<p>Last Web page update: 12/5/2012</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<ul>
+<li><b>0.5.0 (12/5/2012)</b>—I've focused on adding support for Matthew J. Garrett's shim program to this version of rEFInd; with this support, rEFInd is capable of launching Linux kernels and other programs signed with a suitable key while the computer is in Secure Boot mode. This initial release, however, requires significant manual configuration and has some known bugs and limitations. See the <a href="secureboot.html">Managing Secure Boot</a> page for details. Beyond this major new feature, this version includes several more minor improvements. These include a change to the <tt>resolution</tt> token so that it applies to text mode as well as to graphics mode; a bug fix that caused the line editor to blank out lines that were left unedited; a new <tt>dont_scan_files</tt> option to blacklist boot programs by filename; support for launching MokManager and Apple's Recovery HD partitions via tools (2nd-row) icons; new <tt>--usedefault</tt> and <tt>--drivers</tt> options to the <tt>install.sh</tt> script; and a change of the <tt>esp</tt> installation script option to <tt>--esp</tt>.</li>
+
<li><b>0.4.7 (11/6/2012)</b>—The most important new feature in this version is a boot options editor. From rEFInd's main menu, press Insert or F2 to see the options menu. Select one of the options and press Insert or F2 again and the screen switches to a text-mode display in which you can edit the options that will be passed to the boot loader. A second new feature is a new icon for <a href="http://freedesktop.org/wiki/Software/gummiboot">gummiboot,</a> which is another EFI boot manager. This version also alters the behavior of the <tt>scan_delay</tt> option, since I've been told that the previous version didn't work; the new one does. Finally, this version omits the space that followed boot options when booting most OSes. This behavior was inherited from rEFIt; a comment in the source code indicates it's needed by OS X, but I've been told it causes boot failures when launching Linux on some Macs. Thus, rEFInd now adds this space only when booting Mac OS X.</li>
<li><b>0.4.6 (10/6/2012)</b>—Thanks to contributor John Bressler, rEFInd can now boot legacy (BIOS) boot loaders on many UEFI PCs. (Previously, rEFInd could do this only on Macs.) Other changes include a new <tt>scan_delay</tt> option that inserts a delay between rEFInd starting and disk scans (to help detect disks that are slow to appear to the firmware) and a change in the default <tt>scanfor</tt> value so that legacy OSes are detected by default on Macs (but not on PCs). I've also fixed some memory management problems that caused error messages to appear on some systems when rEFInd was compiled with the TianoCore EDK2 toolkit. Finally, I'm now using the TianoCore toolkit to make my primary binary builds, since the new UEFI legacy boot support requires the TianoCore environment. (rEFInd still builds with GNU-EFI, but it doesn't support booting legacy OSes on UEFI systems when built in this way.)</li>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 11/13/2012; last Web page update:
-11/13/2012, referencing rEFInd 0.5.0</p>
+12/5/2012, referencing rEFInd 0.5.0</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p class="sidebar"><b>Note:</b> My <a href="http://www.rodsbooks.com/efi-bootloaders/">Managing EFI Boot Loaders for Linux</a> Web page includes a much more detailed description of Secure Boot in its <a href="http://www.rodsbooks.com/efi-bootloaders/secureboot.html">Dealing with Secure Boot</a> sub-page. You should consult this page if you want to disable Secure Boot, generate your own keys, or perform other such tasks.</p>
-<p>If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some <a href="#basic">secure boot basics</a> and two specific aspects of rEFInd and its interactions with Secure Boot: <a href="#installation">installation issues</a> and <a href="#mok">key management.</a></p>
+<p>If you're using a computer that supports Secure Boot, you may run into extra complications. This feature is intended to make it difficult for malware to insert itself early into the computer's boot process. Unfortunately, it also complicates multi-boot configurations such as those that rEFInd is intended to manage. This page describes some <a href="#basic">secure boot basics</a> and two specific aspects of rEFInd and its interactions with Secure Boot: <a href="#installation">installation issues</a> and <a href="#caveats">known bugs and limitations</a> in rEFInd's Secure Boot features.</p>
<a name="basic">
<h2>Basic Issues</h2>
<p>Because shim and MOK are being supported by several of the major players in the Linux world, I've decided to do the same with rEFInd. Beginning with version 0.5.0, rEFInd can communicate with the shim system to authenticate boot loaders. If a boot loader has been signed by a valid UEFI Secure Boot key, a valid shim key, or a valid MOK key, rEFInd will launch it. rEFInd will also launch unsigned boot loaders or those with invalid signatures <i>if</i> Secure Boot is disabled in or unsupported by the firmware. (If that's your situation, you needn't bother reading this page.)</p>
+<p>Version 0.5.0 doesn't yet ship in a pre-signed form; you'll need to create your own keys, as described shortly, and use them to sign your binary of rEFInd. I'm forcing you to do this because it's necessary to sign your post-rEFInd binaries anyhow.</p>
+
<a name="installation">
<h2>Installation Issues</h2>
</a>
<li><b>shim</b>—You can download a version of shim signed with Microsoft's Secure Boot key <a href="http://www.codon.org.uk/~mjg59/shim-signed/">here.</a> This version (created by shim's developer, Matthew J. Garrett) includes a shim key that's signed nothing but the <tt>MokManager.efi</tt> program that also ships with the program. Thus, to use this version of shim, you must use MOKs. Ubuntu 12.10 ships with its own shim, but that version doesn't support MOKs and so is useless for launching rEFInd. Future versions of Fedora, SUSE, and probably other distributions will come with their own variants of shim, most of which will no doubt support their own shim keys as well as MOKs. You should install shim just as you would install other EFI boot loaders, as described <a href="http://www.rodsbooks.com/efi-bootloaders/installation.html">here.</a>For use in launching rEFInd, it makes sense to install <tt>shim.efi</tt> in <tt>EFI/refind</tt> on your ESP, although of course this detail is up to you.</li>
-<li><b>MokManager</b>—This program is included with shim 0.2 and later. It presents a crude user interface for managing MOKs, and it's launched by shim if shim can't find its default boot loader (generally <tt>grub.efi</tt>) or if that program isn't properly signed. In principle, this program could be signed with a MOK, but the binary in Garrett's shim 0.2 is signed with a shim key, and I expect that versions distributed with most Linux distributions will also be signed by their respective shim keys. This program should reside in the same directory as <tt>shim.efi</tt>, under the name <tt>MokManager.efi</tt>. Although you could theoretically do without MokManager, in practice you'll need it at least temporarily to install the MOK with which rEFInd is signed.</li>
+<li><b>MokManager</b>—This program is included with shim 0.2 and later. It presents a crude user interface for managing MOKs, and it's launched by shim if shim can't find its default boot loader (generally <tt>grubx64.efi</tt>) or if that program isn't properly signed. In principle, this program could be signed with a MOK, but the binary in Garrett's shim 0.2 is signed with a shim key, and I expect that versions distributed with most Linux distributions will also be signed by their respective shim keys. This program should reside in the same directory as <tt>shim.efi</tt>, under the name <tt>MokManager.efi</tt>. Although you could theoretically do without MokManager, in practice you'll need it at least temporarily to install the MOK with which rEFInd is signed.</li>
-<li><b>rEFInd</b>—Naturally, you need rEFInd. Because shim is hard-coded to launch a program called <tt>grub.efi</tt>, you must install rEFInd using that name and to the same directory in which <tt>shim.efi</tt> resides. In theory, rEFInd could be signed with a Secure Boot key, a shim key, or a MOK; however, because Microsoft won't sign binaries distributed under the GPLv3, I can't distribute a version of rEFInd signed with Microsoft's Secure Boot key; and as I don't have access to the private shim keys used by any distribution, I can't distribute a rEFInd binary signed by them. Thus, rEFInd will normally be signed by a MOK. Beginning with rEFInd 0.5.0, I've signed my rEFInd binaries with a MOK I created, and I distribute the public key with rEFInd as <tt>refind.der</tt>. You can therefore add this key to your system by using MokManager. Alternatively, you can re-sign your rEFInd binary with your own MOK. If you plan to launch boot loaders and kernels that are signed with built-in shim keys, enrolling <tt>refind.der</tt> is the easiest way to go; however, if you plan to sign your own kernels or other boot loaders, you'll need to generate your own MOKs and you might prefer to sign rEFInd with it so as to reduce the number of MOKs on your system and to ensure that you won't run malware should my own private key fall into the wrong hands.</li>
+<li><b>rEFInd</b>—Naturally, you need rEFInd. Because shim is hard-coded to launch a program called <tt>grubx64.efi</tt>, you must install rEFInd using that name and to the same directory in which <tt>shim.efi</tt> resides. In theory, rEFInd could be signed with a Secure Boot key, a shim key, or a MOK; however, because Microsoft won't sign binaries distributed under the GPLv3, I can't distribute a version of rEFInd signed with Microsoft's Secure Boot key; and as I don't have access to the private shim keys used by any distribution, I can't distribute a rEFInd binary signed by them. Thus, rEFInd will normally be signed by a MOK. As of version 0.5.0, you must sign your rEFInd binary with your own MOK.</li>
<li><b>Your boot loaders and kernels</b>—Your OS boot loaders, and perhaps your Linux kernels, must be signed. They can be signed with any of the three key types. Indeed, your system may have a mix of all three types—a Windows 8 boot loader will most likely be signed with Microsoft's Secure Boot key, GRUB and kernels provided by most distributions will be signed with their own shim keys, and if you use your own locally-compiled kernel or a boot loader from an unusual source you may need to sign it with a MOK. Aside from signing, these files can be installed in exactly the same way as if your computer were not using Secure Boot.</li>
</ul>
-<p>Because of variables such as which version of shim you're using and whether you intend to rely exclusively on shim keys or make use of MOKs, I can't provide an absolutely complete procedure for installing rEFInd to work with Secure Boot. Broadly speaking, though, the procedure should be something like this:</p>
+<p>Because of variables such as which version of shim you're using, I can't provide an absolutely complete procedure for installing rEFInd to work with Secure Boot. Broadly speaking, though, the procedure should be something like this:</p>
<ol>
<li>Copy the <tt>shim.efi</tt> and <tt>MokManager.efi</tt> binaries to the directory you intend to use for rEFInd—for instance, <tt>EFI/refind</tt> on the ESP.</li>
-<li>Follow the manual installation instructions for rEFInd on the <a href="installing.html">Installing rEFInd</a> page; however, give it the filename <tt>grub.efi</tt> and register <tt>shim.efi</tt> with the EFI by using <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt> in Windows.</li>
+<li>If it's not already installed, install OpenSSL on your computer. (It normally comes in a package called <tt>openssl</tt>.</li>
+
+<li>Type the following two commands to generate your public and private keys:
+
+<pre class="listing">
+$ <tt class="userinput">openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt \
+ -days 3650 -subj "/CN=Your Name/"</tt>
+$ <tt class="userinput">openssl x509 -in MOK.crt -out MOK.cer -outform DER</tt>
+</pre>
+
+Change <tt>Your Name</tt> to your own name or other identifying characteristics, and adjust the certificate's time span (set via <tt>-days</tt> as you see fit. After you type the first command, it will prompt you for a passphrase. Remember this, since you'll need it to sign your binaries. The result is a private key file (<tt>MOK.key</tt>), which is highly sensitive since it's required to sign binaries, and two public keys (<tt>MOK.crt</tt> and <tt>MOK.cer</tt>), which can be used to verify signed binaries' authenticity.</li>
+
+<li>Copy the three key files to a secure location and adjust permissions such that only you can read <tt>MOK.key</tt>. You'll need these keys to sign future binaries, so don't discard them.</li>
+
+<li>Copy the <tt>MOK.cer</tt> file to your ESP, ideally to a location with few other files.</li>
-<li>Copy the <tt>refind.der</tt> file to the ESP, preferably in a directory with few other files. (MokManager's display has problems in directories that have too many files.)</li>
+<li>Download and install the <tt>sbsigntool</tt> package. Binary links for various distributions are available from the <a href="https://build.opensuse.org/package/show?package=sbsigntools&project=home%3Ajejb1%3AUEFI">OpenSUSE Build Service</a>, or you can obtain the source code by typing <tt class="userinput">git clone git://kernel.ubuntu.com/jk/sbsigntool</tt>.</li>
+
+<li>Sign the rEFInd binary by typing <tt class="userinput">sbsign --key MOK.key --cert MOK.crt --output grubx64.efi refind_x64.efi</tt>, adjusting the paths as necessary to the keys and the rEFInd binary. Note that you're giving the signed rEFInd binary the filename <tt>grubx64.efi</tt>. This is necessary to launch rEFInd from shim.</li>
+
+<li>Follow the manual installation instructions for rEFInd on the <a href="installing.html">Installing rEFInd</a> page; however, give rEFInd the filename <tt>grubx64.efi</tt> and register <tt>shim.efi</tt> with the EFI by using <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt> in Windows.</li>
<li>Reboot. With any luck, you'll see a simple text-mode user interface with a label of <tt>Shim UEFI key management</tt>. This is the MokManager program, which shim launched when rEFInd failed verification because its key is not yet enrolled.</li>
HEIGHT="186" ALT="MokManager's user interface is crude but effective."
BORDER=2> <br />
-<li>Each of the lines with a long awkward string represents a disk partition. Select one and you'll see a list of files. Continue selecting subdirectories until you find the <tt>refind.der</tt> file you copied to the ESP earlier.</li>
+<li>Each of the lines with a long awkward string represents a disk partition. Select one and you'll see a list of files. Continue selecting subdirectories until you find the <tt>MOK.cer</tt> file you copied to the ESP earlier.</li>
-<li>Select <tt>refind.der</tt>. MokManager will ask for verification that you want to enroll the key. Provide it.</li>
+<li>Select <tt>MOK.cer</tt>. You can type <tt class="userinput">1</tt> to view your certificate's details if you like, or skip that and type <tt class="userinput">0</tt> to enroll the key.</li>
<li>Back out of any directories you entered and return to the MokManager main menu.</li>
<p>At this point the computer may boot into its default OS, reboot, or perhaps even hang. When you reboot it, though, rEFInd should start up in Secure Boot mode. It should now be able to launch any boot loader signed with a key recognized by the firmware or by shim (including any MOKs you've enrolled). If you want to manage keys in the future, rEFInd displays a new icon in the second (tools) row you can use to launch MokManager. (This icon appears by default, but if you edit <tt>showtools</tt> in <tt>refind.conf</tt>, you must be sure to include <tt>mok_tool</tt> as an option in order to gain access to it.)</p>
-<p>Several variants on this procedure are possible. For instance, you can generate your own MOK, sign rEFInd with it, and enroll that MOK rather than the <tt>refind.der</tt> MOK. If you're using Ubuntu 12.10, you can't use its version of shim, but you can replace it with Garrett's shim. The problem is that Ubuntu's GRUB and kernel will then be signed by an unknown key. Unfortunately, I haven't found a suitable public key file on Ubuntu's distribution medium, so you may need to sign GRUB and/or your kernels with your own MOK. In principle, you should be able to use shim 0.2 or later from future distributions that include it; but you must be sure that whatever you use supports MokManager.</p>
+<p>If you're using Ubuntu 12.10, you can't use its version of shim, but you can replace it with Garrett's shim. The problem is that Ubuntu's GRUB and kernel will then be signed by an unknown key. Unfortunately, I haven't found a suitable public key file on Ubuntu's distribution medium, so you may need to sign GRUB and/or your kernels with your own MOK. In principle, you should be able to use shim 0.2 or later from future distributions that include it; but you must be sure that whatever you use supports MokManager.</p>
-<a name="mok">
-<h2>Managing MOKs</h2>
+<a name="caveats">
+<h2>Secure Boot Caveats</h2>
</a>
-<p>The idea behind MOKs is that you should be able to control the signing of your boot loader binaries. Broadly speaking, you can add recognized signing keys in either of two ways:</p>
+<p>rEFInd's Secure Boot support is brand-new with version 0.5.0 of the program. Unfortunately, rEFInd, like shim, must essentially bypass UEFI security features, and must simultaneously not create security problems, in order to work. Unfortunately, the procedures that rEFInd uses to do this (which were lifted straight from shim) play "fast and loose" with the UEFI rules. This fact creates a number of limitations, which include (but are almost certainly not limited to) the following:</p>
<ul>
-<li><b>From the OS</b>—You can add a key by modifying the EFI NVRAM variables located in <tt>/sys/firmware/efi/vars</tt>. When the computer reboots, shim will detect the change and ask for verification about enrollment of the new key.</li>
+<li>rEFInd can launch <i>one</i> shim/MOK-signed driver, no more. If you
+ try to launch two drivers, rEFInd throws up an <tt>Access Denied</tt>
+ error for the second driver.</li>
+
+<li>ELILO can't find its configuration file when launched from rEFInd in
+ Secure Boot mode. The same may be true of GRUB or other boot loaders,
+ but I haven't tested them.</li>
+
+<li>Under certain circumstances, the time required to launch a boot loader
+ can increase. This is unlikely to be noticeable for the average small
+ boot loader, but could be significant for larger boot loaders on slow
+ filesystems, such as Linux kernels on ext2fs, ext3fs, or ReiserFS
+ partitions.</li>
+
+<li>I haven't tested launching Windows from rEFInd in Secure Boot mode.
+ This is admittedly a huge omission; but I don't have a suitable
+ installation for testing.</li>
-<li><b>From EFI</b>—You can manually run MokManager to manage your MOKs. Since version 0.5.0, rEFInd has included support for this application by providing a second-row tag that launches the program.</li>
+<li>Secure Boot mode doesn't work on <i>x</i>86 (IA32) or ARM systems, just
+ on <i>x</i>86-64 (AMD64) computers. This is largely because shim has
+ the same limitations.</li>
</ul>
-<p>As I write, the methods for adding MOKs from the OS remain unclear to me, so I don't address them here. MOK management using MokManager, though, is fairly straightforward, as described earlier, near the end of <a href="#installation">Installation Issues.</a> The main caveat is that the MokManager user interface is extremely crude. A directory that contains too many entries tends to produce drawing errors that can interfere with selecting the correct file. Thus, I recommend keeping your ESP's root directory uncluttered and place any <tt>.der</tt> files you need in an equally uncluttered directory off of the root directory.</p>
+<p>My focus in testing rEFInd's Secure Boot capabilities has been on getting Linux kernels with EFI stub loaders to launch correctly.</p>
-<p>The biggest challenge to managing MOKs comes if you need to sign binaries using your own keys. This task requires using cryptographic software based on OpenSSL. The tools involved are crude and poorly documented. I describe a procedure for creating keys and signing binaries <a href="http://www.rodsbooks.com//efi-bootloaders/secureboot.html#shim">here,</a> so check that page if you need detailed instructions.</p>
+<p>At the moment, I consider rEFInd's shim/MOK support to be of alpha quality. I'm releasing it in this state in the hope of getting feedback from adventurous early adopters. I expect the improve the installation procedure, and with any luck fix some of the known bugs, in the next couple of versions. Some of the usability improvements are dependent upon MOK-capable versions of shim being released with major distributions; such versions of shim, with kernels signed with the key that matches the one built into shim, will greatly reduce the need for users to sign boot loaders.</p>
<hr />
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 4/19/2012; last Web page update:
-11/6/2012, referencing rEFInd 0.4.7</p>
+12/5/2012, referencing rEFInd 0.5.0</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-11/6/2012, referencing rEFInd 0.4.7</p>
+12/5/2012, referencing rEFInd 0.5.0</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<tt>/usr/local/UDK2010/MyWorkSpace/MdeModulePkg/Core/Dxe/Image/Image.c</tt>
for the reference UEFI implementation. --> </li>
+ <li>When launching ELILO in Secure Boot mode, ELILO can't find its
+ configuration file. It's possible that a similar problem exists for
+ other boot loaders, too.</li>
+
+ <li>When setting a resolution higher than about 800x600 (or maybe even
+ 640x480) in text mode, the text displayed by rEFInd, and on some
+ systems shells and other programs launched from rEFInd, is
+ restricted to an 80x24-character area in the top-left corner of the
+ screen.</li>
+
<li>The <a href="http://www.rodsbooks.com/gb-hybrid-efi/">Gigabyte
Hybrid EFI</a> has a bug that causes the allegedly case-insensitive
<tt>StriCmp()</tt> function to perform a case-sensitive comparison.
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com</a></p>
<p>Originally written: 3/14/2012; last Web page update:
-11/6/2012, referencing rEFInd 0.4.7</p>
+12/5/2012, referencing rEFInd 0.5.0</p>
<p>I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!</p>
<p>Ordinarily, rEFInd displays tags for OSes it finds on internal hard disks, external hard disks (including USB flash drives, CF disks, and so on), and optical discs. Sometimes, though, the firmware hasn't had time to fully examine these devices by the time rEFInd starts; or you might only insert or plug in the media after rEFInd appears. In these cases, you can press the Esc key to have rEFInd re-read its configuration file and re-scan your media for boot loaders. This action can take a few seconds to complete, so be patient. You can also use this feature to detect OSes if you launch a shell and use it to load a driver or edit the <tt>refind.conf</tt> file. If you regularly need to press Esc, you might look into the <tt>scan_delay</tt> configuration file option, described on the <a href="configfile.html">Configuring the Boot Manager</a> page.</p>
+<p>If your computer supports Secure Boot, you may find that some of your OSes and tools won't work; they'll produce <tt>Access Denied</tt> error messages. You can overcome this problem by creating a signing key, signing your binaries with it, and adding the public version of that key to your machine owner key (MOK) list. This process is described on the <a href="secureboot.html">Managing Secure Boot</a> page.</p>
+
<h2>Using Keyboard Shortcuts</h2>
<p>Although most rEFInd features can be activated via fairly obvious keyboard actions, some are not obvious. <a href="#table1">Table 1</a> summarizes the keystrokes that rEFInd accepts, and the action that each keystroke invokes.</p>
UINTN ReadTokenLine(IN REFIT_FILE *File, OUT CHAR16 ***TokenList)
{
BOOLEAN LineFinished, IsQuoted = FALSE;
- CHAR16 *Line, *Token, *p;
+ CHAR16 *Line, *Token, *p, *Temp;
UINTN TokenCount = 0;
*TokenList = NULL;
while (*p && *p != '"' && ((*p != ' ' && *p != '\t' && *p != '=' && *p != '#' && *p != ',') || IsQuoted)) {
if ((*p == '/') && !IsQuoted) // Switch Unix-style to DOS-style directory separators
*p = '\\';
+ if (*p == '|') {
+ Temp = StrDuplicate(&p[1]);
+ StrCpy(p, Temp);
+ }
p++;
} // if
if (*p == '"')
if (AboutMenu.EntryCount == 0) {
AboutMenu.TitleImage = BuiltinIcon(BUILTIN_ICON_FUNC_ABOUT);
- AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.4.7.10");
+ AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.4.7.11");
AddMenuInfoLine(&AboutMenu, L"");
AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2006-2010 Christoph Pfisterer");
AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2012 Roderick W. Smith");
CHAR16 ErrorInfo[256];
CHAR16 *FullLoadOptions = NULL;
CHAR16 *loader = NULL;
- BOOLEAN UseMok = FALSE, SecureMode;
+ BOOLEAN UseMok = FALSE;
if (ErrorInStep != NULL)
*ErrorInStep = 0;
// load the image into memory (and execute it, in the case of a shim/MOK image).
ReturnStatus = Status = EFI_NOT_FOUND; // in case the list is empty
- SecureMode = secure_mode();
-// SecureMode = TRUE;
for (DevicePathIndex = 0; DevicePaths[DevicePathIndex] != NULL; DevicePathIndex++) {
- // NOTE: Below commented-out line could simplify logic by loading the image once, but
- // it doesn't work on my 32-bit Mac Mini or my 64-bit Intel box when launching a
- // Linux kernel; the kernel returns a "Failed to handle fs_proto" error message.
+ // NOTE: Below commented-out line could be more efficient if the ReadFile() and
+ // FindVolumeAndFilename() calls were moved earlier, but it doesn't work on my
+ // 32-bit Mac Mini or my 64-bit Intel box when launching a Linux kernel; the
+ // kernel returns a "Failed to handle fs_proto" error message.
// TODO: Track down the cause of this error and fix it, if possible.
// ReturnStatus = Status = refit_call6_wrapper(BS->LoadImage, FALSE, SelfImageHandle, DevicePaths[DevicePathIndex],
// ImageData, ImageSize, &ChildImageHandle);
- // In Secure Boot mode, try to use shim/MOK-style loading first, and if
- // that fails, try the standard EFI system call (LoadImage()). This is
- // done for efficiency, to prevent loading a binary twice, which can
- // take several seconds to load a Linux kernel with EFI stub support on
- // some systems. Linux kernels are likely to be shim/MOK signed, so
- // this is quickest for them; and delays for most other boot loaders
- // will be unnoticeably short. To prevent delays or failures in case
- // of buggy shim/MOK code on non-SB systems, skip that attempt and
- // call LoadImage() directly when not in SB mode.
- if (SecureMode) {
+ ReturnStatus = Status = refit_call6_wrapper(BS->LoadImage, FALSE, SelfImageHandle, DevicePaths[DevicePathIndex],
+ NULL, 0, &ChildImageHandle);
+ if ((Status == EFI_ACCESS_DENIED) && (ShimLoaded())) {
FindVolumeAndFilename(DevicePaths[DevicePathIndex], &DeviceVolume, &loader);
if (DeviceVolume != NULL) {
Status = ReadFile(DeviceVolume->RootDir, loader, &File, &ImageSize);
} // if/else
if (Status != EFI_NOT_FOUND) {
ReturnStatus = Status = start_image(SelfImageHandle, loader, ImageData, ImageSize, FullLoadOptions,
- DeviceVolume, DevicePaths[DevicePathIndex]);
+ DeviceVolume, FileDevicePath(DeviceVolume->DeviceHandle, loader));
+// ReturnStatus = Status = start_image(SelfImageHandle, loader, ImageData, ImageSize, FullLoadOptions,
+// DeviceVolume, DevicePaths[DevicePathIndex]);
}
if (ReturnStatus == EFI_SUCCESS) {
UseMok = TRUE;
} // if
- // If shim/MOK load fails, try regular EFI load, in case it's an unsupported
- // binary type....
- if (!UseMok) {
- ReturnStatus = Status = refit_call6_wrapper(BS->LoadImage, FALSE, SelfImageHandle, DevicePaths[DevicePathIndex],
- NULL, 0, &ChildImageHandle);
- } // if (!UseMok)
- } else { // Secure Boot inactive; only do standard call....
- ReturnStatus = Status = refit_call6_wrapper(BS->LoadImage, FALSE, SelfImageHandle, DevicePaths[DevicePathIndex],
- NULL, 0, &ChildImageHandle);
- } // if/else (SecureMode)
+ } // if (UEFI SB failed; use shim)
if (ReturnStatus != EFI_NOT_FOUND) {
break;
}
return TRUE;
} // secure_mode()
+// Returns TRUE if the shim program is available to verify binaries,
+// FALSE if not
+BOOLEAN ShimLoaded(void) {
+ SHIM_LOCK *shim_lock;
+ EFI_GUID ShimLockGuid = SHIM_LOCK_GUID;
+
+ return (BS->LocateProtocol(&ShimLockGuid, NULL, (VOID**) &shim_lock) == EFI_SUCCESS);
+} // ShimLoaded()
+
/*
* Currently, shim/MOK only works on x86-64 (X64) systems, and some of this code
* generates warnings on x86 (IA32) builds, so don't bother compiling it at all
// Returns TRUE if the specified data is validated by Shim's MOK, FALSE otherwise
static BOOLEAN ShimValidate (VOID *data, UINT32 size)
{
- EFI_GUID ShimLockGuid = SHIM_LOCK_GUID;
SHIM_LOCK *shim_lock;
+ EFI_GUID ShimLockGuid = SHIM_LOCK_GUID;
if (BS->LocateProtocol(&ShimLockGuid, NULL, (VOID**) &shim_lock) == EFI_SUCCESS) {
if (!shim_lock)
#define SHIM_LOCK_GUID \
{ 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }
-#if defined(EFIX64)
-
typedef struct _SHIM_LOCK
{
EFI_STATUS __attribute__((sysv_abi)) (*shim_verify) (VOID *buffer, UINT32 size);
GNUEFI_PE_COFF_LOADER_IMAGE_CONTEXT *context);
} SHIM_LOCK;
-#endif
-
+BOOLEAN ShimLoaded(void);
BOOLEAN secure_mode (VOID);
EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath, VOID *data, UINTN datasize,
CHAR16 *Options, REFIT_VOLUME *DeviceVolume, IN EFI_DEVICE_PATH *DevicePath);
VOID FinishTextScreen(IN BOOLEAN WaitAlways)
{
if (haveError || WaitAlways) {
- SwitchToText(FALSE);
- PauseForKey();
+ PauseForKey();
+ SwitchToText(FALSE);
}
// reset error flag