- ## getting past secure boot - shim/refind
- ### start
- https://www.rodsbooks.com/refind/secureboot.html
- prereq - install shim from AUR...
- ### installing shim from AUR
- https://wiki.archlinux.org/title/Arch_User_Repository#Installing_and_upgrading_packages
- https://aur.archlinux.org/packages/shim-signed
- Following wiki instructions:
- installed `base-devel` and `git`
- seems like `makepkg` checks for valid keys on its own, no extra work
- change directory to the one downloaded
- checked `PKGBUILD` using `less PKGBUILD`
- built with `makepkg -s -r -c`
- installed using `pacman -U thenameofthepackage.pkg.tar.zst`
- ### sbat?
- installation via pacman says something called an .sbat file is required for efis to launch
- refers here: https://github.com/rhboot/shim/blob/main/SBAT.md
- very technical, not super helpful
- https://sourceforge.net/p/refind/discussion/general/thread/c54261c145/
- refind creator says new releases should be out soon (2/25/23) and another user says it works
- https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim
- realized that the original page addresses this fact:
- "Run `objdump -j .sbat -s /path/to/binary.efi` to verify if an EFI binary has it"
- `objdump: section '.sbat' mentioned in a -j option, but not found in any input file`
- i guess i'll skip it for now
- ### back to shim
- https://wiki.archlinux.org/title/REFInd#Secure_Boot
- this says to follow the instructions here (https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim) but to skip all file copying
- a step following the file copying ("create a new NVRAM entry to boot BOOTx64.EFI") requires a file resulting from the copying so i'll just skip that step i suppose (i'll just do the first step)
- `sudo mv /boot/EFI/Boot/refind_x64.efi /boot/EFI/Boot/grubx64.efi`
- ###
- back to https://wiki.archlinux.org/title/REFInd#Secure_Boot
- following 2.1.1.2.2:
- `sudo pacman -Syu sbsigntools`
- many `WARNING: Possibly missing firmware for module: ...`, should fix that later
- `refind-install --shim /usr/share/shim-signed/shimx64.efi --localkeys`
- #### hold on...MoKList?
- before running that ^, the last step states to add `refind_local.cer` to the MoKList... what?
- https://gist.github.com/danderson/78ba098c7089a690ef504e35212c2b4c
- this is something but doesn't really help me
- upon reading https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim again, it states at the bottom of 3.2.2.1.2 that MokManager will be launched on boot if shim doesn't find the certificate. then the key can be added to the list from there.
- #### anyways
- run the command above
- telling me that shim isn't necessary since i have secure boot on...way more complicated...etc.
- `Y` -> proceed
- again, warnings about me doing this since i'm not in secure boot (re-signing binaries with local keys -> local keys will be useless unless in secure boot)
- `Y` -> proceed
- backed up existing icons in `icons-backup`
- `refind.conf-sample` copied to avoid overwriting mine (`refind.conf`)
- `tmp/refind_local` deleted
- new NVRAM entry created
- rEFInd set as default boot manager
- done
- now run next command, i guess?
- `sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux`
- can't load key, permission denied, try again with sudo
- `Signing Unsigned original image`
- guess it's done?
- reboot and enable secure boot
- ### Secure Boot Violation
- ...Invalid signature detected. Check Secure Boot Policy in Setup
- reboot and disable secure boot
- back to https://www.rodsbooks.com/refind/secureboot.html
- shim: step 5
- the boot item in the UEFI menu did say rEFInd... maybe it wasn't changed correctly
- #### managing efis
- `efibootmgr`
- entries 0000, 0001, and 0003 are all rEFInd Boot Manager
- https://www.rodsbooks.com/refind/secureboot.html
- "Be sure that rEFInd (as grubx64.efi), shimx64.efi, and MokManager.efi/mmx64.efi all reside in the same directory"
- okay, i'll check
- check `/boot/EFI/Boot`
- only `grubx64.efi` in here, i made that
- `/boot/EFI/refind` has both `grubx64.efi` and `refind_x64.efi`
- did i mess up?
- `cmp -s /boot/EFI/Boot/grubx64.efi /boot/EFI/refind/grubx64.efi || echo "files are diff"`
- they are different
- whatever... i'll rename the one i changed earlier back to its original name
- `sudo mv /boot/EFI/Boot/grubx64.efi /boot/EFI/Boot/refind_x64.efi`
- ...delete the grub efi in /boot/EFI/refind
- `sudo rm /boot/EFI/refind/grubx64.efi`
- ...and rename the refind efi to grub in /boot/EFI/refind
- `sudo mv /boot/EFI/refind/refind_x64.efi /boot/EFI/refind/grubx64.efi`
- now /boot/EFI/refind has grubx64.efi, shimx64.efi, and mmx64.efi with no refind_x64.efi
- #### copy key
- step 6: says to copy `refind.cer` but there's only `refind_local.cer`
- wait, no
- found using `find / | grep refind.cer`
- (also `find / -iname refind.cer`)
- in `/usr/share/refind/keys/refind.cer`
- now copy over
- `sudo cp /usr/share/refind/keys/refind.cer /boot/EFI/refind/refind.cer`
- #### reboot again
- nope, forgot to register shimx64.efi with the EFI
- just boots into windows now, no other boot options are even there
- ### add shim to EFI
- wait, i can't - no boot option besides windows
- i need installation drive again
- boot into drive...
- mount, etc.
- first, run `refind-install --shim /usr/share/shim-signed/shimx64.efi --localkeys` again
- ...and `sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux`
- "Image was already signed; adding additional signature"
- still no item seen in `efibootmgr`
- add it manually
- https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface#efibootmgr
- `efibootmgr --create --disk /dev/nvme0n1p1 --loader /EFI/refind/shimx64.efi --label "rEFInd Boot Manager with shim" --unicode`
- created as 0005
- priority list set to 5, 3, 0, 4, 2, 1
- ensure boot priority list
- `efibootmgr -o 0005,0004,0000,0001,0003,0002`
- (rEFInd with shim, USB, rEFInd x3, Windows)
- reboot
- try adding item to NVRAM again?
- `efibootmgr -c -d /dev/nvme0n1p1 -l /refind/shimx64.efi -L "rEFInd Boot Manager with shimm"`
- boot order is 1,4,2,3,0 (rEFInd with shim, USB, Windows, rEFInd x2)
- and just in case... `mv /boot/EFI/Microsoft /boot/EFI/Windows`
- reboot
- rEFInd Boot Manager appears?
- boot into it...
- `efibootmgr`
- windows and rEFInd with shimm disappeared, just rEFInd x2 and then usb
- run the refind-install thing again
- wait, no, one of the paths is to .../GRUBX64.EFI but another is to .../SHIMX64.EFI
- did it work?
- just in case... `sudo efibootmgr -b 0 -B` (delete the other rEFInd one)
- reboot
- rEFInd booted...surprisingly...but i couldn't enable secure boot to test
- BIOS from rEFInd...
- ### again with SBAT
- got `Verification failed: (0x1A) Security Violation`
- https://dev.to/hollowman6/a-solution-to-refind-unable-to-load-using-shim-when-secure-boot-is-enabled-1e8l
- this says it's because there's no SBAT file
- pressing enter leads to MOK management
- follow steps in https://www.rodsbooks.com/refind/secureboot.html
- step 8
- "Enroll key from disk" ...
- randomly turned off? restart process
- found at SYSTEM/EFI/refind/refind.cer
- enroll
- reboot
- same deal, gonna disable secure boot
- reboot
- `objdump -j .sbat -s /boot/EFI/refind/shimx64.efi`
- it does seem to contain an sbat (according to https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim)
- i guess copy this command from here: https://github.com/rhboot/shim/issues/376#issuecomment-964137621
- `objcopy --set-section-alignment '.sbat=512' --add-section .sbat=refind_x64.csv --adjust-section-vma .sbat+10000000 /boot/EFI/refind/grubx64.efi`
- doesn't work, can't find refind_x64.csv
- #### sudo got reset??
- sudo password for user account not working
- try changing pw to "jo", still doesn't work
- open in root
- visudo doesn't work again -> `export EDITOR=/usr/bin/nvim`
- uncomment wheel permissions
- try again -> not in sudoers file...
- wait no, it was never commented out, i just deleted a %
- reset faillock and it worked (https://www.reddit.com/r/archlinux/comments/jyblz0/sudo_sometimes_stops_working/)
- #### refocus
- https://sourceforge.net/p/refind/discussion/general/thread/42495ff081/#3a2f
- following this guy's steps
- ##### MOKS
- according to wiki
- `sudo pacman -Syu sbsigntools`
- `openssl req -newkey rsa:4096 -nodes -keyout MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Machine Owner Key/" -out MOK.crt`
- `openssl x509 -outform DER -in MOK.crt -out MOK.cer`
- `sudo sbsign --key MOK.key --cert MOK.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux`
- `sudo mv /boot/EFI/Boot/refind_x64.efi /boot/EFI/Boot/grubx64.efi`
- `sudo sbsign --key MOK.key --cert MOK.crt --output /boot/EFI/Boot/grubx64.efi /boot/EFI/Boot/grubx64.efi`
- `refind-install --shim /usr/share/shim-signed/shimx64.efi --localkeys`
- `sudo pacman -Syu mokutil`
- ...
- reboot + enable secure boot
- nope
- ##### try making sbat file again
- https://forum.manjaro.org/t/howto-enable-secure-boot-with-refind/121403/7
- `sudo mv /usr/share/refind/sbat.csv /boot/EFI/refind/refind_x64.csv`
- `objcopy --set-section-alignment '.sbat=512' --add-section .sbat=/boot/EFI/refind/refind_x64.csv --adjust-section-vma .sbat+10000000 /boot/EFI/refind/grubx64.efi`
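- added example (mine, not from these notes, shim or rEFInd): a stdlib-only PE inspector that answers offline the two things this log keeps rebooting with Secure Boot on to find out. It reads the section table for a `.sbat` section and parses its CSV against the six-column SBAT format (same check as the `objdump -j .sbat -s` line, plus validation of the rows), and it counts the WIN_CERTIFICATE entries in the Authenticode certificate table, which is what grows when sbsign says "Image was already signed; adding additional signature". `build_test_image` constructs a minimal, non-bootable PE32+ so the self-test runs without a real binary; the `example-loader` SBAT row and the dummy certificate bodies are constructed values, not rEFInd's.

```python
import struct
from dataclasses import dataclass, field

SECURITY_DIR = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY: the certificate table
WIN_CERT_PKCS_SIGNED_DATA = 0x0002
SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")

@dataclass
class Report:
    sbat_rows: list = field(default_factory=list)  # tuples in SBAT_FIELDS order
    signatures: int = 0                            # WIN_CERTIFICATE entries found
    problems: list = field(default_factory=list)   # what a reboot would otherwise reveal

def _headers(data):
    """DOS -> PE -> COFF -> optional header; returns [(name, raw_ptr, raw_size)], (cert_off, cert_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]      # COFF SizeOfOptionalHeader
    opt = pe + 24
    dd_off = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", data, opt)[0])  # PE32 / PE32+
    if dd_off is None:
        raise ValueError("unknown optional-header magic")
    cert_dir = (0, 0)
    if struct.unpack_from("<I", data, opt + dd_off - 4)[0] > SECURITY_DIR:   # NumberOfRvaAndSizes
        cert_dir = struct.unpack_from("<II", data, opt + dd_off + 8 * SECURITY_DIR)  # file offset, not RVA
    sections = []
    for i in range(nsect):
        name, _vs, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return sections, cert_dir

def parse_sbat(blob):
    """Parse .sbat CSV bytes into rows; the first row must be the 'sbat' header row."""
    rows, problems = [], []
    for ln, line in enumerate(blob.rstrip(b"\0").decode("utf-8", "replace").splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) != len(SBAT_FIELDS):
            problems.append(f".sbat line {ln}: expected {len(SBAT_FIELDS)} fields, got {len(fields)}")
            continue
        if not fields[1].isdigit():
            problems.append(f".sbat line {ln}: component_generation {fields[1]!r} is not an integer")
        rows.append(tuple(fields))
    if not rows:
        problems.append(".sbat section is present but has no rows")
    elif rows[0][0] != "sbat":
        problems.append(".sbat first row must be the 'sbat' header row")
    return rows, problems

def count_signatures(data, cert_dir):
    """Count WIN_CERTIFICATE entries; each sbsign run appends one more to the table."""
    off, size = cert_dir
    end, n, problems = off + size, 0, []
    while off + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            problems.append("certificate table: truncated WIN_CERTIFICATE entry")
            break
        if ctype != WIN_CERT_PKCS_SIGNED_DATA:
            problems.append(f"certificate table: unexpected certificate type {ctype:#x}")
        n += 1
        off += (length + 7) & ~7                     # entries are 8-byte aligned
    return n, problems

def inspect_image(data):
    rep = Report()
    sections, cert_dir = _headers(data)
    sbat = [s for s in sections if s[0] == ".sbat"]
    if not sbat:
        rep.problems.append("no .sbat section: a shim that enforces SBAT will reject this image")
    else:
        rep.sbat_rows, probs = parse_sbat(data[sbat[0][1]:sbat[0][1] + sbat[0][2]])
        rep.problems += probs
    rep.signatures, probs = count_signatures(data, cert_dir)
    rep.problems += probs
    if rep.signatures == 0:
        rep.problems.append("no Authenticode signature: sbsign it before expecting shim/MOK to load it")
    return rep

def build_test_image(sbat_csv=None, n_sigs=0):
    """Constructed minimal PE32+ (not bootable): optional .sbat section plus n_sigs dummy certs."""
    align, pe_off, opt_size = 512, 0x40, 112 + 16 * 8
    nsect = 0 if sbat_csv is None else 1
    raw_size = 0 if sbat_csv is None else -(-len(sbat_csv) // align) * align
    certs = b""
    for _ in range(n_sigs):                          # placeholder bodies, not real PKCS#7
        entry = struct.pack("<IHH", 8 + 21, 0x0200, WIN_CERT_PKCS_SIGNED_DATA) + b"\x30\x82" + b"\0" * 19
        certs += entry + b"\0" * (-len(entry) % 8)
    dos = bytearray(pe_off); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, nsect, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, align)          # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, align)                   # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 10)                      # Subsystem: EFI application
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, align + raw_size if certs else 0, len(certs))
    sect = b"" if not nsect else struct.pack("<8sIIIIIIHHI", b".sbat", len(sbat_csv), 0x1000,
                                              raw_size, align, 0, 0, 0, 0, 0x40000040)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    body = b"" if sbat_csv is None else sbat_csv + b"\0" * (raw_size - len(sbat_csv))
    return hdr + b"\0" * (align - len(hdr)) + body + certs
```

On a real install, `inspect_image(open("/boot/EFI/refind/grubx64.efi", "rb").read())` before rebooting tells you whether the objcopy step actually landed a `.sbat` section and whether the binary was signed at all, which is the information the Security Violation screen never gives. A `.problems` list that is empty does not prove the signing key is enrolled in MokList, only that the image is structurally what shim expects.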