I previously had ubuntu 14.10, opensuse 13.1, and windows 8 all booting successfully in Secure Boot mode with refind 0.7.8. I completely removed opensuse 13.1 and did a fresh install of opensuse 13.2. Opensuse no longer boots from refind. I uninstalled refind 0.7.8 and installed 0.8.4 (using install.sh with --localkeys and --shim using shim-signed-0.2 from Matthew Garrett). Still no opensuse - by not booting I mean failing Secure Boot. Here is a copy of efibootmgr -v output:
root@Asus1-Ubuntu:~# efibootmgr -v
BootCurrent: 0004
Timeout: 2 seconds
BootOrder: 0004,0000,0001,0003,0009,0005,0002
Boot0000 ubuntu-secureboot HD(...)File(\EFI\ubuntu\shimx64.efi)
Boot0001 opensuse-secureboot HD(...)File(\EFI\opensuse\shim.efi)
Boot0002 fallback HD(...)File(\EFI\boot\bootx64.efi)
Boot0003 Windows Boot Manager HD(...)File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS...
Boot0004 rEFInd Boot Manager HD(...)File(\EFI\refind\shim.efi)
Boot0005 opensuse HD(...)File(\EFI\opensuse\grubx64.efi)
Boot0009* ubuntu HD(...)File(EFI\Ubuntu\grubx64.efi)
Here are some more facts. When I boot ubuntu-secureboot or opensuse-secureboot directly from the EFI they both boot as expected (they both call shim). When I boot opensuse (boot option 5) it fails Secure Boot as expected as it is calling grubx64 directly. However when I boot ubuntu (boot option 9) it successfully boots even though it is calling grubx64 directly. This surprised me as I expected it to fail Secure Boot like opensuse.
So right now ubuntu and windows boot from refind but opensuse does not. I wonder if anyone has any thoughts?
Thanks,
Bill
Last edit: Bill 2015-01-16
Think I found the problem. I used sbattach --detach on /EFI/opensuse/grubx64.efi and nothing comes out, i.e. it appears that grubx64.efi from opensuse is not signed at all. Makes me wonder how /EFI/opensuse/shim.efi can launch it. I checked grubx64.efi in both the ubuntu and refind directories and they show the correct signatures. Guess I need to look into the opensuse installation procedure.
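The check Bill ran with sbattach can be reproduced without sbsigntools by reading the PE Certificate Table entry, which is where an Authenticode signature lives. This is an added example, not code from the thread or from rEFInd; the sample images it inspects are constructed in the `build_sample_pe32plus` helper, one unsigned and one carrying a dummy PKCS#7 blob.

```python
"""Check whether a PE32+/PE32 image such as an EFI loader carries an embedded
Authenticode signature. Added example; the sample images are constructed."""
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (the Certificate Table)


def has_authenticode_signature(data: bytes) -> bool:
    """True if the Certificate Table entry points at a non-empty blob."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = pe_off + 4 + 20  # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x20B:    # PE32+ (x86_64 EFI binaries)
        dd_off = opt_off + 112
    elif magic == 0x10B:  # PE32
        dd_off = opt_off + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    if num_dirs <= SECURITY_DIR:
        return False
    # Unlike other directories, this entry holds a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 8 * SECURITY_DIR)
    return cert_size > 0 and cert_off + cert_size <= len(data)


def build_sample_pe32plus(pkcs7_blob: bytes = b"") -> bytes:
    """Construct a minimal PE32+ image; an empty blob yields an unsigned file."""
    pe_off = 0x40
    img = bytearray(pe_off)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    # COFF header: x86-64, 0 sections, 240-byte optional header (16 data dirs)
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt_off = len(img)
    img += bytes(240)
    struct.pack_into("<H", img, opt_off, 0x20B)       # PE32+ magic
    struct.pack_into("<I", img, opt_off + 108, 16)    # NumberOfRvaAndSizes
    if pkcs7_blob:
        # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7)
        cert = struct.pack("<IHH", 8 + len(pkcs7_blob), 0x0200, 0x0002) + pkcs7_blob
        struct.pack_into("<II", img, opt_off + 112 + 8 * SECURITY_DIR, len(img), len(cert))
        img += cert
    return bytes(img)
```

Run `has_authenticode_signature(open("/EFI/opensuse/grubx64.efi", "rb").read())` against a real ESP copy to get the same signed/unsigned verdict; a True result only says a signature is present, not that it chains to a key in db or MOK.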
If the OpenSUSE grubx64.efi is unsigned, then that would indeed explain the behavior you're seeing. It could be that they distribute both signed and unsigned copies of the GRUB binary, and either you checked an unsigned version that was installed alongside the signed one (perhaps the latter's under another filename or in another directory) or the installer set up the unsigned version for some reason (maybe Secure Boot was disabled when you did the installation, or maybe there's a bug in the installer).
It should also be noted that Canonical arranged to have its own Secure Boot key included in many manufacturers' firmware prior to adopting the Shim approach to Secure Boot. Thus, even if you're not using Canonical's Shim and haven't imported its key, Canonical's copy of GRUB might well launch from rEFInd's menu. Given your discovery, this may not be relevant, but it's something to keep in mind.
Finally, you might consider launching your kernels directly from rEFInd rather than rely upon GRUB. This eliminates one piece of complex software (GRUB), although it requires you to either store your kernels on a FAT partition or load an EFI filesystem driver for whatever filesystem holds your kernels. Your rEFInd menu will become more cluttered if you keep multiple kernels around for each distribution. Personally I don't mind this, although some people do.
You're right. In addition to the unsigned grubx64.efi there is a signed grub.efi in the opensuse directory. I removed the unsigned version from the directory. opensuse-secureboot still boots directly from the EFI. The opensuse grub.efi shows up in the refind menu but it still fails Secure Boot. This was working in an earlier version of opensuse. If I have time I might install the earlier version to see if it still works in refind.
You might try (re-)importing the openSUSE Secure Boot key using MokManager. It's distributed with rEFInd.