Secure boot, also known as mankind’s worst invention. If revisiting this page after a long time, please reread all the pages in Links. I always think I don’t need to but then end up slowly reading all the sections anyway.

  • EFI partition, also called the EFI system partition (ESP)
  • SBAT issues were fixed in rEFInd 0.14.0

shim is signed by Microsoft and is launched as the first bootloader; it then verifies and launches “GRUB” (actually rEFInd in disguise). This is necessary because Microsoft’s third-party UEFI CA is in the firmware’s signature database (db) on basically every laptop, while our own key is not, so the Microsoft-signed shim is the only thing the firmware will run. shim then trusts whatever is signed by a key in db or in the Machine Owner Key (MOK) list, which is where our local key goes.

Installing rEFInd

You can install rEFInd via a live USB. However, this means you have to manually mount the ESP. Arch has an example mounting the ESP at /boot. Mounting over /boot hides whatever the live system had in that directory until we unmount it (the files are not deleted, just shadowed).

  • It seems like everything important is in the EFI subfolder. This is the real path we care about. When doing stuff, just check /boot/EFI.
  • I’ve seen some places mount it at /boot/efi. That means /boot/efi/EFI is the final path. Again, this is not what we’re doing.

The Ubuntu ISO is a good choice. This is because the shim-signed, sbsigntool (which provides sbsign and sbverify), and efibootmgr packages are already installed for us. This makes subsequent steps easier. Just need to install openssl.

shim-signed package

Find the file path. Last I checked (in Ubuntu) the binaries were in /usr/lib/shim. MOKManager is also in this directory under the name mmx64.efi.

Rename shimx64.efi.signed.latest to shimx64.efi before using it in refind-install. Before renaming, confirm which file is which: sbverify --list /usr/lib/shim/shimx64.efi.signed.latest should print a Microsoft signer, while the preexisting shimx64.efi prints no signature at all. Rename the preexisting shimx64.efi to something else, like shimx64.efi.badandstupid because it is the unsigned version and I got jebaited by it.

refind-install install script

Command I used:

refind-install --alldrivers --shim /usr/lib/shim/shimx64.efi --localkeys
  • --alldrivers is necessary (I think) because we’re installing on live USB. The filesystem might be different from a regular Linux environment so this is just a precaution to include all driver files.
  • shimx64.efi is the renamed version of shimx64.efi.signed.latest.
  • --localkeys requires openssl and sbsign. Ubuntu already provides the latter so just install the first package.
    • This creates a local signing key (refind_local.key, with its certificate as refind_local.crt and refind_local.cer) in /etc/refind.d/keys/, signs the rEFInd binary and drivers with it, and copies the refind_local.cer certificate to the ESP so that MOKManager can enroll it. Any EFI binary signed by this local key will subsequently be trusted by shim without any additional enrollment steps.
    • The key is valid for 10 years. I created it 1/10/25.

This script renames refind_x64.efi to grubx64.efi because shim loads its second stage from a compiled-in default filename, grubx64.efi, unless told otherwise through its load options. Incredible, I know.

The installation script will ask us to create a password for MOKManager. This password is set when the certificate is queued for enrollment (via mokutil) and is asked for exactly once, by MOKManager on the next boot, when we confirm adding our local key. Otherwise it doesn’t seem to be useful.

  • Just don’t forget it immediately, basically.
  • See Step 7 here under the header “Installing Shim and rEFInd.”

Other noteworthy flags:

  • --encryptkeys encrypts the local key when using --localkeys. Technically more secure, but who the hell is gonna hack my laptop?
  • --keepname lets refind_x64.efi keep its name instead of being renamed to grubx64.efi. This requires passing some additional options to shim or efibootmgr and might not even work so I haven’t tried it.

Post-installation

DON’T SKIP THESE STEPS, OTHERWISE YOU’LL HAVE TO RESTART THE WHOLE PROCESS AND YOU’LL BE SAD.

  1. Go and delete any drivers that we don’t need that were added by --alldrivers. They live in /boot/EFI/refind/drivers_x64/; keep only the driver for the filesystem that holds the kernels.
  2. Copy refind_local.key over from /etc/refind.d/keys/ because this is what we’re going to use to sign all future EFI binaries. Take refind_local.crt and refind_local.cer from the same directory too: sbsign needs the .crt alongside the private key, and the .cer is what MOKManager enrolls. The key was already used to sign the refind_x64.efi binary (which is now renamed to grubx64.efi). Place it somewhere accessible and secure. If we don’t do this, once we exit the live USB the key will forever be lost; only the certificate is copied to the ESP, never the private key.
  3. Delete any additional boot entries added by efibootmgr. Not sure why, might be due to us being in a live USB environment. List them with efibootmgr -v; anything with VenHw(...) can be deleted with efibootmgr -b XXXX -B, where XXXX is the entry’s four-digit ID.
    • There should only be two boot entries we care about: rEFInd (direct) which tries to boot grubx64.efi directly, and rEFInd which first goes through shimx64.efi. Once Secure Boot is enabled, only the shim entry will work: grubx64.efi is signed by our local key, which the firmware’s db does not contain, so launching it directly is refused.
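The procedure above (checking the shim signature, backing up the --localkeys output, signing later binaries with it, and pruning the VenHw boot entries) collected into one helper script. This is an added example, not part of rEFInd or of these notes; it assumes the Ubuntu /usr/lib/shim layout, the ESP mounted at /boot, and refind_local.key/.crt/.cer under /etc/refind.d/keys. The efibootmgr output used to try the parser is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added helper (not rEFInd's own tooling). Assumed paths can be overridden
# through the environment; nothing here runs without REFIND_SB_RUN=1.
set -eu

SHIM_DIR=${SHIM_DIR:-/usr/lib/shim}          # Ubuntu shim-signed layout (assumed)
KEY_DIR=${KEY_DIR:-/etc/refind.d/keys}       # where --localkeys writes keys
ESP_REFIND=${ESP_REFIND:-/boot/EFI/refind}   # ESP mounted at /boot (assumed)

# 1. Confirm a shim binary really carries a Microsoft signature before
#    handing it to refind-install. sbverify --list prints each signer;
#    the unsigned /usr/lib/shim/shimx64.efi prints none, so grep fails.
shim_is_ms_signed() {   # shim_is_ms_signed <shim.efi>
    sbverify --list "$1" 2>/dev/null | grep -q 'Microsoft'
}

# 2. Back up everything --localkeys generated. The private key exists only
#    in the live session; sbsign needs the .crt next to it, and the .cer is
#    what MokManager enrolls. Fails (non-zero) if any of the three is missing.
backup_local_keys() {   # backup_local_keys <src_dir> <dest_dir>
    src=$1; dest=$2
    mkdir -p "$dest"
    for f in refind_local.key refind_local.crt refind_local.cer; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        cp "$src/$f" "$dest/$f"
    done
    chmod 600 "$dest/refind_local.key"   # private key: owner-only
}

# 3. Sign a future EFI binary (kernel, driver, tool) with the local key so
#    shim accepts it without another MOK enrollment, then verify the result.
sign_efi() {            # sign_efi <in.efi> <out.efi> [key_dir]
    kd=${3:-$KEY_DIR}
    sbsign --key "$kd/refind_local.key" --cert "$kd/refind_local.crt" \
           --output "$2" "$1"
    sbverify --cert "$kd/refind_local.crt" "$2"
}

# 4. Read `efibootmgr -v` output from stdin and print the four-hex-digit IDs
#    of entries whose device path is a VenHw(...) node, one per line.
#    Header lines (BootOrder:, BootCurrent:) never match the BootXXXX pattern.
venhw_entries() {
    awk '$1 ~ /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]\*?$/ \
         && $0 ~ /VenHw\(/ { print substr($1, 5, 4) }'
}

# 5. Turn those IDs into the deletion commands. They are printed rather than
#    executed so the list can be reviewed before anything is removed.
venhw_delete_commands() {
    venhw_entries | while read -r id; do
        printf 'efibootmgr -b %s -B\n' "$id"
    done
}

# Only the real, root-requiring steps go here; sourcing the file or running it
# without REFIND_SB_RUN=1 just defines the functions above.
if [ "${REFIND_SB_RUN:-0}" = 1 ]; then
    shim_is_ms_signed "$SHIM_DIR/shimx64.efi.signed.latest" \
        || { echo "shim is not Microsoft-signed, stop" >&2; exit 1; }
    backup_local_keys "$KEY_DIR" "${BACKUP_DIR:?set BACKUP_DIR to a safe location}"
    ls "$ESP_REFIND/drivers_x64"   # prune the drivers your filesystem does not need
    efibootmgr -v | venhw_delete_commands
fi
```

Run it as REFIND_SB_RUN=1 BACKUP_DIR=/media/usb/refind-keys sh refind-sb.sh from the live session after refind-install has finished; the VenHw deletions are printed, not executed, so check that neither of the two rEFInd entries is in the list before pasting them back.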

rEFInd docs said that it would restart in secure boot mode after giving MOKManager our local keys, but that’s not true. We have to go into UEFI settings to manually enable it.