Preliminary support for Shim/MOK Secure Boot validation

2012-12-03
2012-12-28
  • I've just finished with my first pass at support for Secure Boot authentication in rEFInd using Matthew Garrett's Shim boot loader as a back-end. In case you haven't been paying much attention to this, new computers (with Windows 8) ship with Secure Boot active. In its default configuration, this prevents booting any boot loader not signed with a Microsoft key. This includes rEFInd, and for licensing reasons it always will. (Microsoft reportedly won't sign anything distributed under the GPLv3, which rEFInd is.) You can disable Secure Boot on x86-64 computers, but the user interface for doing so varies from one system to another, and Secure Boot does have security advantages, so you might want to leave it active. Every Linux distribution is in a similar boat, so Matthew Garrett (until recently a Red Hat employee) developed Shim: A simple EFI boot loader that adds its own cryptographic signing scheme to the mix, one that enables users to more easily add keys to the computer. Future versions of Fedora, SUSE, Ubuntu, and probably many others will ship with Shim. (Ubuntu 12.10 already includes an early version, but you can't add your own keys to it, so it can't be used to launch rEFInd.)

    Previous versions of rEFInd could work with Secure Boot if they were signed (they aren't by default), but would only launch boot loaders that are themselves signed. The latest version (only in the git repository for the moment), if launched from Shim, can take advantage of Shim's signing keys, thus expanding the range of binaries that rEFInd can launch with Secure Boot active. In the long term this will make it easier to install and maintain rEFInd on a computer that uses Secure Boot; you'll install Shim and a version of rEFInd signed with your own key. When you boot, Shim will launch, which will in turn launch rEFInd, which will then launch any EFI program signed with either a valid UEFI Secure Boot key for your machine or a Shim Machine Owner Key (MOK) that you've accepted as valid.

    I'm still working on fixing up the details and writing the documentation, but I thought I'd post this message to let you know what's coming. If you're brave and technically inclined, you can try the code now, but you'll need to compile and sign it yourself, install Shim, and install your own public key in Shim's MOK list. All this is a bit tedious, but it will get easier with time.

    If you're not using Secure Boot, this won't affect you; rEFInd will start up and launch other boot loaders just as it always has.

     
  • I've cleaned up some of the details and updated the version in git. I've also got a preliminary binary version available:

    http://www.rodsbooks.com/refind-bin-0.4.7.9.zip

    Documentation is in the docs/refind/secureboot.html file. Note that these binaries are not signed, so you'll need to sign them yourself to use them. (As a practical matter, you'll probably need to sign something to use rEFInd with shim/MOK at least until some distributions start shipping pre-signed boot loaders and kernels along with public keys to add to other shims' MOK lists.)

     
  • An update: I've got a new version here:

    http://www.rodsbooks.com/refind-bin-0.4.7.12.zip

    This is nearing the initial full release (which will be 0.5.0), but there are still some important glitches and limitations. Most importantly, only one shim/MOK-signed driver can load and ELILO can't find its configuration file (GRUB 2 seems better, but I've not tried with GRUB Legacy yet). Also, these binaries are not yet signed, although I'll probably sign the 0.5.0 binaries and include a public key with the package.

     
  • Version 0.5.0 is out, with self-signed binaries. I'm removing the preliminary versions from my Web site.

     
  • I've just implemented a major overhaul of this code. It now works in an entirely different way that should be more reliable and that supports loading more than one shim/MOK-signed driver, so if anybody would care to test it, I'd appreciate it. It's up in source form via git, or you can get a binary here:

    http://www.rodsbooks.com/refind-bin-0.6.1.3.zip