Robert K. - 2021-04-11

I have my doubts about how secure using Shim/PreLoader to boot Linux with Secure Boot enabled really is. It's not a question about rEFInd precisely, but as the rEFInd documentation references and explains working with those 2 loaders in detail, I thought it's a good place to ask.

My doubt comes from the fact that it seems to me Shim's MokManager and PreLoader's HashTool can be run by anyone with physical access to the device. They are not password protected, nor do they limit their use in any other way. rEFInd even exposes them in the boot menu, so their execution is very straightforward. By running the tool the attacker can whitelist his own binary, and then boot this binary. How much more secure is that than having Secure Boot disabled?

Even if I remove the MokManager/HashTool from the ESP, the attacker could provide his own copy of that binary, as they are easily available on the internet. They are all signed by Microsoft certificates, so they will pass Secure Boot validation without problems.

Please correct me if I'm wrong on some parts. I may have misunderstood something.


Last edit: Robert K. 2021-04-11
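A defender-side check for the enrollment path the post describes, added here as an example (not code from the thread, rEFInd or shim): parse the MOK list as shim mirrors it into a runtime EFI variable and flag hash entries that are not on your own allow-list, since a hash enrolled through MokManager/HashTool shows up there as an EFI_CERT_SHA256 entry. The signature-type GUIDs are the UEFI spec's; the `MokListRT` variable path and shim vendor GUID are assumptions, and the sample list is constructed.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI spec; the MokListRT path is an assumption (shim's vendor GUID).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
MOKLIST_RT_PATH = "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"
HEADER_LEN = 28  # EFI_SIGNATURE_LIST header: EFI_GUID + three UINT32 fields

def parse_signature_lists(data):
    """Walk concatenated EFI_SIGNATURE_LIST structures; return (kind, value, owner) tuples."""
    entries, off = [], 0
    while off + HEADER_LEN <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < HEADER_LEN or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + HEADER_LEN + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = str(uuid.UUID(bytes_le=data[pos:pos + 16]))  # EFI_SIGNATURE_DATA.SignatureOwner
            body = data[pos + 16:pos + sig_size]
            if sig_type == EFI_CERT_SHA256_GUID:
                entries.append(("sha256", body.hex(), owner))  # a hash-enrolled binary
            elif sig_type == EFI_CERT_X509_GUID:
                entries.append(("x509", "DER(%d bytes)" % len(body), owner))  # an enrolled signing cert
            else:
                entries.append((str(sig_type), body.hex(), owner))
            pos += sig_size
        off = end
    return entries

def unexpected_hashes(entries, expected_sha256):
    """Hash entries not on your allow-list: what an unauthenticated enrollment leaves behind."""
    return [e for e in entries if e[0] == "sha256" and e[1] not in expected_sha256]

def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Constructed encoder, used only to produce a sample list for the demo and test."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, 48) + body

if __name__ == "__main__":
    try:
        with open(MOKLIST_RT_PATH, "rb") as f:
            raw = f.read()[4:]  # efivarfs prepends 4 bytes of variable attributes
    except OSError:  # not on UEFI Linux: use a constructed sample list instead
        raw = build_sha256_list([b"\x11" * 32, b"\x22" * 32])
    print("unexpected hash entries:", unexpected_hashes(parse_signature_lists(raw), {"11" * 32}))
```

On a real system, compare the `sha256` entries against the hashes you enrolled yourself (for example, of your own kernel or rEFInd binary); anything else is worth investigating.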