refind.efi does not .sbat section

[Arun G]

According to archwiki, shim won't launch efi which does not have sbat.
When I check sbat for refind, it does not exist.

[root@hp-fedora]/boot/efi/EFI/refind# objdump -j .sbat -s /tmp/refind_x64.efi

/tmp/refind_x64.efi:     file format pei-x86-64

objdump: section '.sbat' mentioned in a -j option, but not found in any input file

I have extracted the refind.efi from https://sourceforge.net/projects/refind/files/0.13.3.1/refind-0.13.3.1-1.x86_64.rpm/download

[das menschy]

You should be able to add a .sbat section with the information and script from here: https://github.com/rhboot/shim/issues/376#issuecomment-964137621

You can re-use the csv file from there, you should only correct the version number (0.13.2); which has changed, it is 0.13.3.1 now.

[Arun G]

That does not work. I have edited the csv with latest version number and followed the procedure and it produced an unbootable refindx64.efi

[das menschy]

Hmm, then I don't know what to do, sorry.

[npg_]

I actually got this work! (At least, I think)

First, I created my MOKs as per the Arch Wiki.

After downloading rEFInd through the .zip, I then ran ./refind-bin-0.13.3.1/refind-install --shim /boot/efi/EFI/fedora/shimx64.efi since I'm on Fedora (37).

Then, from this GitHub issue, I added my .sbat section, modifying the version inside my sbat.csv to resemble what I currently had.

Finally, I signed my grubx64.efi and drivers with sbsign as stated in the arch wiki, enrolled my key through mokutil -i MOK.cer, rebooted, finished enrolling the key, and everything appears to work.

[das menschy]

That's great! What offset for the sbat vma section did you use as hack/workaround, the one mentioned (1000000) or another one?

[npg_]

The one that steadfasterX said, 10000000, worked for me.