I'm experimenting with UEFI to learn secure boot better and to adopt Refind as my boot manager of 5 gpt OSs on one single disk (4 linux and one windows).
My notebook is a HP 850G1 and I decided to go the strong way to secure boot it. In fact, before, I was able to use shim and MOK to authenticate all my OSs but Refind. MOK never authenticated Refind for me.
So, needing Refind, I'm now able to load it in Secure Boot with my keys in my BIOS with personal keys (I chose to replace the HP originals with my key created on my PC using Rod's brilliant UEFI guide). I built Refind myself under Gentoo (my first-choice OS) and then signed it with my keys.
Having done that, Refind (as I said, unable to be launched on my system with any MOK in Secure Boot) is now fully operational in Secure Boot MODE with my keys. Now I'm wondering how Refind can boot Microsoft Boot Manager (so Windows) even if I chose to completely delete any Microsoft keys!!!!!!! Great. Then, I can't understand how it can't do that and I ask if you can kindly explain it to me. It sounds to me like a failed implementation of Secure Boot from HP because if I run the boot manager executable via the Boot EFI File in my UEFI internal boot manager I do get a deny message, while if I run authenticated Refind WITHOUT any Microsoft key it can boot; it loads all the needed drivers and it works perfectly fine!!! It shouldn't, in my humble opinion.
Talking about loading Grub2 as an alternative to Refind (just for testing), I think I should sign it with a PGP key and install it with the embedded option; if I just sign the grubx64.efi executable it boots, then it goes directly to the prompt complaining it doesn't verify normal.mod. Is this correct?
Last question: can I delete signatures from binaries? I need that because if I don't, I'm forced to start from scratch with an unsigned new grubx64.efi file, a new kernel file and so on. I found that using shim MOKs before resetting the system I was able to have more than one MOK signature in kernels and the system used to boot anything signed. Example: I want to boot the Debian kernel on the Debian partition on the disk from the Gentoo Grub of the boot partition, and it works. When I changed the key from the HP pre-installed one to mine, I had to re-sign every kernel; it wasn't enough to add a new signature. So I had to rebuild with no signature and then sign it JUST with my personal keys.
So I do ask, and I didn't find an explanation on the web: can I delete a signature inside a binary and if yes, how, using EFI utilities or what?
Thank you very much to Rod for his GREAT boot loader and all his fantastic documentation: without it I think I wouldn't have been able to finally sign my system with my personal keys.
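Worked example on the "can I delete a signature inside a binary" question, added here and not part of the original post or of rEFInd: a small Python reader that does what `sbverify --list` and `sbattach --remove` from sbsigntools do to a PE/EFI binary. A Secure Boot signature lives in the PE Attribute Certificate Table (data directory entry 4), so deleting it means dropping that table and clearing the directory entry; the PE image here is constructed inline by the assumed `build_sample_pe` helper, for testing only.

```python
import struct

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode cert table

def _cert_dir_offset(pe: bytes) -> int:
    """File offset of the security data-directory entry (offset, size)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                       # optional header after the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dir = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ layout
    return data_dir + CERT_DIR_INDEX * 8

def list_signatures(pe: bytes) -> list:
    """Walk the WIN_CERTIFICATE entries; returns [(revision, cert_type, length), ...]."""
    off, size = struct.unpack_from("<II", pe, _cert_dir_offset(pe))
    found, pos = [], off
    while size and pos < off + size:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8:
            raise ValueError("corrupt certificate table")
        found.append((revision, cert_type, length))
        pos += (length + 7) & ~7                  # entries are 8-byte aligned
    return found

def strip_signatures(pe: bytes) -> bytes:
    """Copy of the image with the cert table dropped and its directory entry zeroed."""
    dir_off = _cert_dir_offset(pe)
    off, size = struct.unpack_from("<II", pe, dir_off)
    image = bytearray(pe)
    struct.pack_into("<II", image, dir_off, 0, 0)  # entry is excluded from the Authenticode hash
    if size and off + size == len(image):         # table sits at the end, as sbsign appends it
        del image[off:]
    return bytes(image)

def build_sample_pe(sig_blob: bytes = b"CONSTRUCTED-PKCS7") -> bytes:
    """Constructed minimal PE32+ image carrying one fake WIN_CERTIFICATE (test input only)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew: PE header right after the DOS stub
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2)  # x86-64, 240-byte opt header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    image = bytearray(dos + b"PE\0\0" + coff + opt + b"\0" * 64)  # 64 bytes stand in for sections
    cert = struct.pack("<IHH", 8 + len(sig_blob), 0x0200, 0x0002) + sig_blob  # PKCS_SIGNED_DATA
    cert += b"\0" * (-len(cert) % 8)
    struct.pack_into("<II", image, _cert_dir_offset(image), len(image), len(cert))
    return bytes(image + cert)
```

On a real grubx64.efi the same steps are `sbverify --list grubx64.efi` to inspect, `sbattach --remove grubx64.efi` to strip, and `sbsign --key db.key --cert db.crt --output grubx64.signed.efi grubx64.efi` to sign it fresh with the personal db key enrolled in firmware.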
You may want to look here:
https://www.insanelymac.com/forum/topic/349317-opencore-shim-to-certtool/