Untitled

a guest
Mar 24th, 2023
## getting past secure boot - shim/refind
### start
https://www.rodsbooks.com/refind/secureboot.html
prereq - install shim from AUR...

### installing shim from AUR
https://wiki.archlinux.org/title/Arch_User_Repository#Installing_and_upgrading_packages
https://aur.archlinux.org/packages/shim-signed

Following wiki instructions:
installed `base-devel` and `git`
seems like `makepkg` checks for valid keys on its own, no extra work
change directory to the one downloaded
checked `PKGBUILD` using `less PKGBUILD`
built with `makepkg -s -r -c`
installed using `pacman -U thenameofthepackage.pkg.tar.zst`

### sbat?
installation via pacman says something called an .sbat file is required for efis to launch
refers here: https://github.com/rhboot/shim/blob/main/SBAT.md
very technical, not super helpful

https://sourceforge.net/p/refind/discussion/general/thread/c54261c145/
refind creator says new releases should be out soon (2/25/23) and another user says it works

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim
realized that the original page addresses this fact:
"Run `objdump -j .sbat -s /path/to/binary.efi` to verify if an EFI binary has it"
`objdump: section '.sbat' mentioned in a -j option, but not found in any input file`

i guess i'll skip it for now

### back to shim
https://wiki.archlinux.org/title/REFInd#Secure_Boot
this says to follow the instructions here (https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim) but to skip all file copying

a step following the file copying ("create a new NVRAM entry to boot BOOTx64.EFI") requires a file resulting from the copying so i'll just skip that step i suppose (i'll just do the first step)

`sudo mv /boot/EFI/Boot/refind_x64.efi /boot/EFI/Boot/grubx64.efi`

###
back to https://wiki.archlinux.org/title/REFInd#Secure_Boot
following 2.1.1.2.2:
`sudo pacman -Syu sbsigntools`
many `WARNING: Possibly missing firmware for module: ...`, should fix that later

`refind-install --shim /usr/share/shim-signed/shimx64.efi --localkeys`
#### hold on...MoKList?
before running that ^, the last step states to add `refind_local.cer` to the MoKList... what?

https://gist.github.com/danderson/78ba098c7089a690ef504e35212c2b4c
this is something but doesn't really help me

upon reading https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim again, it states at the bottom of 3.2.2.1.2 that MokManager will be launched on boot if shim doesn't find the certificate. then the key can be added to the list from there.

#### anyways
run the command above
telling me that shim isn't necessary since i have secure boot on...way more complicated...etc.
`Y` -> proceed
again, warnings about me doing this since i'm not in secure boot (re-signing binaries with local keys -> local keys will be useless unless in secure boot)
`Y` -> proceed
backed up existing icons in `icons-backup`
`refind.conf-sample` copied to avoid overwriting mine (`refind.conf`)
`tmp/refind_local` deleted
new NVRAM entry created
rEFInd set as default boot manager
done

now run next command, i guess?
`sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux`
can't load key, permission denied, try again with sudo
`Signing Unsigned original image`

guess it's done?

reboot and enable secure boot

### Secure Boot Violation
...Invalid signature detected. Check Secure Boot Policy in Setup
reboot and disable secure boot

back to https://www.rodsbooks.com/refind/secureboot.html
shim: step 5
the boot item in the UEFI menu did say rEFInd... maybe it wasn't changed correctly

#### managing efis
`efibootmgr`
entries 0000, 0001, and 0003 are all rEFInd Boot Manager

https://www.rodsbooks.com/refind/secureboot.html
"Be sure that rEFInd (as grubx64.efi), shimx64.efi, and MokManager.efi/mmx64.efi all reside in the same directory"
okay, i'll check

check `/boot/EFI/Boot`
only `grubx64.efi` in here, i made that

`/boot/EFI/refind` has both `grubx64.efi` and `refind_x64.efi`
did i mess up?

`cmp -s /boot/EFI/Boot/grubx64.efi /boot/EFI/refind/grubx64.efi || echo "files are diff"`
they are different

whatever... i'll rename the one i changed earlier back to its original name
`sudo mv /boot/EFI/Boot/grubx64.efi /boot/EFI/Boot/refind_x64.efi`

...delete the grub efi in /boot/EFI/refind
`sudo rm /boot/EFI/refind/grubx64.efi`

...and rename the refind efi to grub in /boot/EFI/refind
`sudo mv /boot/EFI/refind/refind_x64.efi /boot/EFI/refind/grubx64.efi`

now /boot/EFI/refind has grubx64.efi, shimx64.efi, and mmx64.efi with no refind_x64.efi

#### copy key
step 6: says to copy `refind.cer` but there's only `refind_local.cer`
wait, no
found using `find / | grep refind.cer`
(also `find / -iname refind.cer`)
in `/usr/share/refind/keys/refind.cer`

now copy over
`sudo cp /usr/share/refind/keys/refind.cer /boot/EFI/refind/refind.cer`

#### reboot again
nope, forgot to register shimx64.efi with the EFI
just boots into windows now, no other boot options are even there

  126. just boots into windows now, no other boot options are even there
  127.  
  128. ### add shim to EFI
  129. wait, i can't - no boot option besides windows
  130. i need installation drive again
  131. boot into drive...
  132.  
  133. mount, etc.
  134.  
  135.  
  136. first, run `refind-install --shim /usr/share/shim-signed/shimx64.efi --localkeys` again
  137. ...and `sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux`
  138. "Image was already signed; adding additional signature"
  139.  
  140. still no item seen in `efibootmgr`
  141.  
  142. add it manually
  143. https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface#efibootmgr
  144. `efibootmgr --create --disk /dev/nvme0n1p1 --loader /EFI/refind/shimx64.efi --label "rEFInd Boot Manager with shim" --unicode`
  145.  
  146. created as 0005
  147. priority list set to 5, 3, 0, 4, 2, 1
  148.  
  149. ensure boot priority list
  150. `efibootmgr -o 0005,0004,0000,0001,0003,0002`
  151. (rEFIND with shim, usb, rEFIND x3, windows)
  152.  
  153. reboot
  154. try adding item to NVRAM again?
  155. `efibootmgr -c -d /dev/nvme0n1p1 -l /refind/shimx64.efi -L "rEFInd Boot Manager with shimm"`
  156. boot order is 1,4,2,3,0 (rEFIND with shim, usb, windows, rEFIND x2)
  157. and just in case... `mv /boot/EFI/Microsoft /boot/EFI/Windows`
  158.  
  159. reboot
  160. rEFIND Boot Manager appears?
  161. boot into it...
  162. `efibootmgr`
  163. windows and rEFIND with shimm disappeared, just rEFIND x2 and then usb
  164.  
  165. run the refind-install thing again
  166. wait, no, one of the paths is to .../GRUBX64.EFI but another is to .../SHIMX64.EFI
  167.  
  168. did it work?
  169. just in case... `sudo efibootmgr -b 0 -B` (delete the other rEFIND one)
  170.  
  171. reboot
  172. rEFIND booted...surprisingly...but i couldn't enable secure boot to test
  173. BIOS from rEFIND...
  174.  
  175.  
### again with SBAT
got `Verification failed: (0x1A) Security Violation`
https://dev.to/hollowman6/a-solution-to-refind-unable-to-load-using-shim-when-secure-boot-is-enabled-1e8l
this says it's because there's no SBAT file

pressing enter leads to MOK management
follow steps in https://www.rodsbooks.com/refind/secureboot.html
step 8
"Enroll key from disk" ...

randomly turned off? restart process
found at SYSTEM/EFI/refind/refind.cer
enroll
reboot

same deal, gonna disable secure boot
reboot

`objdump -j .sbat -s /boot/EFI/refind/shimx64.efi`
it does seem to contain an sbat (according to https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim)

i guess copy this command from here: https://github.com/rhboot/shim/issues/376#issuecomment-964137621
`objcopy --set-section-alignment '.sbat=512' --add-section .sbat=refind_x64.csv --adjust-section-vma .sbat+10000000 /boot/EFI/refind/grubx64.efi`
doesn't work, can't find refind_x64.csv

#### sudo got reset??
sudo password for user account not working
try changing pw to "jo", still doesn't work
open in root
visudo doesn't work again -> `export EDITOR=/usr/bin/nvim`
uncomment wheel permissions
try again -> not in sudoers file...
wait no, it was never commented out, i just deleted a %

reset faillock and it worked (https://www.reddit.com/r/archlinux/comments/jyblz0/sudo_sometimes_stops_working/)

#### refocus
https://sourceforge.net/p/refind/discussion/general/thread/42495ff081/#3a2f
following this guy's steps

##### MOKS
according to wiki
`sudo pacman -Syu sbsigntools`
`openssl req -newkey rsa:4096 -nodes -keyout MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Machine Owner Key/" -out MOK.crt`
`openssl x509 -outform DER -in MOK.crt -out MOK.cer`
`sudo sbsign --key MOK.key --cert MOK.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux`
`sudo mv /boot/EFI/Boot/refind_x64.efi /boot/EFI/Boot/grubx64.efi`
`sudo sbsign --key MOK.key --cert MOK.crt --output /boot/EFI/Boot/grubx64.efi /boot/EFI/Boot/grubx64.efi`
`refind-install --shim /usr/share/shim-signed/shimx64.efi --localkeys`
`sudo pacman -Syu mokutil`
...
reboot + enable secure boot
nope

##### try making sbat file again
https://forum.manjaro.org/t/howto-enable-secure-boot-with-refind/121403/7
`sudo mv /usr/share/refind/sbat.csv /boot/EFI/refind/refind_x64.csv`
`objcopy --set-section-alignment '.sbat=512' --add-section .sbat=/boot/EFI/refind/refind_x64.csv --adjust-section-vma .sbat+10000000 /boot/EFI/refind/grubx64.efi`
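The `.sbat` section that these notes keep running into (missing from `grubx64.efi`, present in `shimx64.efi`, added by the `objcopy` step above) can be located and evaluated without `objdump`. The following is an added example, not code from the notes, shim or rEFInd: it walks a PE/COFF section table for `.sbat` and applies shim's generation comparison against a revocation list; the CSV rows, the SbatLevel-style list and the minimal PE builder are constructed fixtures, and the file paths and generation numbers are assumptions.

```python
import struct

# Constructed sample data (assumptions, not copied from any real file).
SBAT_CSV = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
            b"refind,1,rEFInd,refind,0.13.3.1,https://www.rodsbooks.com/refind\n")
REVOKE_REFIND_GEN1 = b"sbat,1,2023032400\nshim,2\nrefind,2\n"   # hypothetical SbatLevel list


def read_sbat_section(pe: bytes):
    """Walk the PE/COFF section table and return the raw .sbat bytes, or None."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    coff = e_lfanew + 4                              # 20-byte COFF file header
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size                     # section headers follow the optional header
    for i in range(nsections):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        if name.rstrip(b"\0") == b".sbat":
            size = rawsize if vsize == 0 else min(vsize, rawsize)
            return pe[rawptr:rawptr + size].rstrip(b"\0")
    return None


def parse_sbat(csv_bytes: bytes) -> dict:
    """component_name -> component_generation; the remaining CSV columns are informational."""
    rows = (line.split(",") for line in csv_bytes.decode().splitlines() if line.strip())
    return {f[0]: int(f[1]) for f in rows}


def sbat_allowed(binary_sbat, revocations: bytes):
    """shim's rule: no .sbat -> reject; a listed component below its required generation -> reject."""
    if binary_sbat is None:
        return False, "no .sbat section"
    gens = parse_sbat(binary_sbat)
    for comp, min_gen in parse_sbat(revocations).items():
        if comp in gens and gens[comp] < min_gen:
            return False, f"{comp} generation {gens[comp]} below required {min_gen}"
    return True, "ok"


def build_test_pe(sbat):
    """Constructed minimal x86-64 PE with one optional .sbat section (test fixture only)."""
    sections = [] if sbat is None else [(b".sbat", sbat)]
    e_lfanew, data_off = 0x40, 512                   # all headers fit in the first 512 bytes
    img = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew) + b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)  # SizeOfOptionalHeader = 0
    body = b""
    for name, content in sections:
        img += struct.pack("<8sIIIIIIHHI", name, len(content), 0x10000000,
                           len(content), data_off + len(body), 0, 0, 0, 0, 0x40000040)
        body += content
    return img.ljust(data_off, b"\0") + body
```

Feeding the bytes of `/boot/EFI/refind/grubx64.efi` to `read_sbat_section` before and after the `objcopy` step shows whether the section is actually present; a `None` result is the "no SBAT" condition the dev.to post above blames for the 0x1A failure.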