Unable to secure boot to rEFInd in Fedora 23

2016-01-06
2016-01-10
  • Gene Snider

    Gene Snider - 2016-01-06

    I installed rEFInd in a recent clean install of Fedora 23. After installing the rpm, I used mokutil to enroll the refind.cer key. MokManager ran at the next reboot as expected, and I successfully added the rEFInd key. But, with secure boot turned on, rEFInd still fails the secure boot check. With secure boot turned off, rEFInd boots successfully to F23. Let me know if you need more than the following:

    $ sudo dnf list installed refind
    
    Installed Packages
    refind.x86_64                       0.10.1-1                       @@commandline
    
    $ sudo efibootmgr
    BootCurrent: 0001
    Timeout: 0 seconds
    BootOrder: 0002,0001,0000
    Boot0000* Windows Boot Manager
    Boot0001* Fedora
    Boot0002* rEFInd Boot Manager
    
    $ sudo mokutil --list-enrolled
    [key 1]
    SHA1 Fingerprint: d8:a8:6a:e5:b8:29:86:d0:b4:96:f3:85:f3:89:e7:72:f6:a4:28:ad
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 16196611618070942286 (0xe0c5ec740c15524e)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=Roderick W. Smith, rodsmith@rodsbooks.com
            Validity
                Not Before: Dec  6 21:38:28 2012 GMT
                Not After : Dec  1 21:38:28 2032 GMT
            Subject: CN=Roderick W. Smith, rodsmith@rodsbooks.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    D3:0C:06:BD:39:58:A6:6C:98:75:7F:09:A8:08:55:E1:74:4A:5A:70
                X509v3 Authority Key Identifier: 
                    keyid:D3:0C:06:BD:39:58:A6:6C:98:75:7F:09:A8:08:55:E1:74:4A:5A:70
    
                X509v3 Basic Constraints: 
                    CA:TRUE
        Signature Algorithm: sha1WithRSAEncryption
    

    There is a second key for Fedora, and after rEFInd fails secure boot, I am able to start F23 with the Fedora boot manager entry. Any ideas?

    Gene

    P.S. I have tried the keys in both /etc/refind.d/keys and /boot/efi/EFI/refind/keys.

     

    Last edit: Gene Snider 2016-01-06
  • Gene Snider

    Gene Snider - 2016-01-10

    When I finally ran efibootmgr -v, I noticed that the entry was starting \EFI\refind\refind_x64.efi. The installation script failed to detect that I was using secure boot on my Asus X550-CA laptop. Running refind-install --shim "/boot/efi/EFI/fedora/shim.efi" fixed the problem! All is well, and thanks for a very nice boot manager. Oh, I tried to use --keepname, but secure boot failed, even though the "shim.efi refind_x64.efi" showed up in efibootmgr -v.

    Gene
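
The check that resolved this thread, as an added example that is not part of the original posts: it reads `efibootmgr -v` output and reports whether the first BootOrder entry starts shim or some other binary directly. The sample output is constructed (`<uuid>` is a placeholder) and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed `efibootmgr -v` output modelled on the thread; <uuid> is a placeholder.
sample_entries() {
cat <<'EOF'
BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0002,0001,0000
Boot0000* Windows Boot Manager  HD(1,GPT,<uuid>)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0001* Fedora  HD(1,GPT,<uuid>)/File(\EFI\fedora\shim.efi)
Boot0002* rEFInd Boot Manager  HD(1,GPT,<uuid>)/File(\EFI\refind\refind_x64.efi)
EOF
}

# Print the File(...) loader path of the first BootOrder entry (stdin: efibootmgr -v).
first_loader() {
    awk '
        /^BootOrder:/ { split($2, order, ","); want = "Boot" order[1] }
        want != "" && index($0, want) == 1 {
            if (match($0, /File\([^)]*\)/))
                print substr($0, RSTART + 5, RLENGTH - 6)
            exit
        }'
}

# Classify a loader path by file name: shim*.efi means the entry goes through shim.
classify_loader() {
    name=$(printf '%s' "${1##*\\}" | tr 'A-Z' 'a-z')
    case "$name" in
        shim*.efi) printf 'shim\n' ;;
        *)         printf 'direct\n' ;;
    esac
}

# Return 0 if the default entry starts shim, 1 if it starts another binary directly.
check_default_entry() {
    loader=$(first_loader)
    if [ -z "$loader" ]; then
        printf 'unknown: no File() path found for the first BootOrder entry\n'
        return 2
    fi
    if [ "$(classify_loader "$loader")" = shim ]; then
        printf 'ok: %s is started through shim\n' "$loader"
    else
        printf 'warn: %s is started directly; firmware does not check MOK keys\n' "$loader"
        return 1
    fi
}

sample_entries | check_default_entry || true
```

On a live system, pipe `sudo efibootmgr -v` into `check_default_entry` instead of the sample.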

     
