I am encountering issues while booting a kernel directly using refind.
My setup is :
Microsoft Surface Pro 2017
Official Windows is installed
I partitioned an SD card with 2 partitions (ext4 and swap), installed Manjaro rootfs in the ext4 partition and installed Manjaro grub in windows ESP partition.
I then installed refind within windows ESP along with Windows boot manager and grub.
I disabled grub and windows boot manager in UEFI. Only refind is booting.
I booted the first time with refind without secure boot enabled and I booted Manjaro using automatically detected grub bootloader. I generated my key pair/certificate, added the certificate to keys folder in ESP partition within refind/keys folder, installed the shim-signed arch linux package and reinstalled refind using my keys (copied keypair/certificate in /etc/refind.d/keys) and shim.
Then, I signed the linux kernel located in the SD card partition /boot/vmlinuz-4.19-x86_64 and Manjaro grub using my key pair (and sbsign, also verified using sbverify). It worked fine.
When I reboot, I enabled secure boot, I enrolled my certificate associated with my key pair along with refind.cer and managed to boot normally Windows and Manjaro grub without any issue.
However my issue comes from booting the Manjaro linux kernel directly from the sd card (ext4 partition /boot/vmlinuz-4.19-x86_64), the menuentry is automatically detected in refind however when I select it I have an error like "Secure boot validation failure to verify vmlinuz-4.19-x86_64".
Initially I thought I did not sign correctly the binary but when I did so before I had multiple error logs like [...]shim.c check_db ... and so on but in this case I only have the above error.
My first test to resolve the issue, I did a dirty test to make sure the linux kernel is correctly signed. I copied the /boot/vmlinuz-4.19-x86_64 to ESP partition within refind folder and created a manual entry for this kernel, it managed to boot correctly without the error "Secure boot validation failure to verify vmlinuz-4.19-x86_64" but then failed because of rootfs not found (this is normal) so I am sure that I signed properly the linux kernel.
My second test I disabled secure boot and still wanted to boot this kernel directly from refind but it immediately comes back to refind menu when I select it, I had only a few ms to read the message which is the same as above even when secure boot is disabled.
My guess is that refind cannot load kernel (or any file) from an SD card even if partitioned ext4 (forgot to mention ext4 refind driver is installed and signed properly). The same kernel is loaded correctly from the ESP partition (vfat). Do you have an idea on why it cannot load the kernel?
Currently, I don't want to use grub even if it works, I want to have refind boot the signed linux kernel.
Thanks for your help
Last edit: Sid-Ali 2019-02-11
rEFInd can definitely load files from USB flash drives and SD cards; that's not the issue -- at least, not directly. My first guess is that there's some subtle filesystem problem on the SD card -- something that's affecting the EFI filesystem driver for ext4fs but not the Linux kernel. (This could arguably be a bug in the EFI filesystem driver, rather than filesystem damage.) Running e2fsck on the filesystem from another Linux distribution might clear this up. If it's more of a driver problem, then you might need to do something else, like adjust the mount options and re-write the kernel file.
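The check-and-rewrite steps suggested in the reply above, as an added example (not part of the original posts and not rEFInd's own tooling). It assumes it is run as root from a second Linux system with the SD card's ext4 partition unmounted; the device, mount point and certificate arguments are placeholders, and only the kernel path comes from the thread.

```shell
# Added example. rewrite_file and diagnose are hypothetical helper names.

# Copy a file to a fresh temporary file on the same filesystem, confirm the
# copy is byte-identical, then rename it over the original so the file is
# stored in newly allocated blocks. Prints the SHA-256 of the content.
rewrite_file() {
    local f="$1" tmp before after
    before=$(sha256sum < "$f" | cut -d' ' -f1) || return 1
    tmp=$(mktemp "$(dirname "$f")/.rewrite.XXXXXX") || return 1
    cp -p "$f" "$tmp" && sync || { rm -f "$tmp"; return 1; }
    after=$(sha256sum < "$tmp" | cut -d' ' -f1)
    if [ "$before" != "$after" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$f" && sync || return 1
    printf '%s\n' "$after"
}

# diagnose DEVICE MOUNTPOINT CERT
#   DEVICE     ext4 partition on the SD card (placeholder, e.g. /dev/sdX1)
#   MOUNTPOINT empty directory to mount it on
#   CERT       PEM certificate matching the key used with sbsign
diagnose() {
    local dev="$1" mnt="$2" cert="$3" rc
    local kernel="$mnt/boot/vmlinuz-4.19-x86_64"   # path from the thread
    if grep -q "^$dev " /proc/mounts; then
        echo "$dev is mounted; unmount it first" >&2
        return 1
    fi
    # e2fsck exit status: 0 = no errors, 1 = errors found and corrected.
    e2fsck -f "$dev" || [ $? -eq 1 ] || return 1
    mount "$dev" "$mnt" || return 1
    # Rewrite the kernel, then confirm the signature still verifies.
    rewrite_file "$kernel" >/dev/null && sbverify --cert "$cert" "$kernel"
    rc=$?
    umount "$mnt"
    return $rc
}

# Usage (placeholders, run as root):
#   diagnose /dev/sdX1 /mnt/sd /path/to/MY_CERT.crt
```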