Hi all,

I've recently added a new Linux script to the rEFInd project, refind-sb-healthcheck, to help with managing Shim binaries and Secure Boot keys. This script does three things, in an interactive way:

  1. It scans the computer for newer Shim binaries than the one that was used to boot most recently. If found, it offers to replace the current Shim with the newer one. Note that "newer" means "has a more recent file timestamp"; the script does not dig into the code to try to identify the version number.
  2. It checks the expiration date of the local rEFInd keys (stored as /etc/refind.d/keys/refind_local.*). (For this it does dig into the file.) If the key is expired, or if it will expire within a year, the script offers to generate a new set of keys and use mokutil to install the new public key.
  3. It scans your in-NVRAM MOK, db, KEK, and PK to summarize the keys it finds and highlight any that have already expired. The tool does not do anything to remove outdated or redundant keys, but it will at least help you identify them.

A caution: Replacing a Shim binary that launches rEFInd 0.13.3.1 is likely to cause rEFInd to fail to launch because newer Shims insist on seeing an .sbat section, and that was only added to rEFInd in the current development cycle. The refind-sb-healthcheck script doesn't automatically replace Shim binaries; it asks first. Thus, you can test the script but pass on replacing the Shim binaries until after you update rEFInd. You can get an SBAT-enabled pre-release rEFInd here:

http://www.rodsbooks.com/refind-bin-0.13.3.8.zip

If you care to test the script, it's here:

https://sourceforge.net/p/refind/code/ci/master/tree/refind-sb-healthcheck?format=raw

Documentation is in the updated documentation page on Secure Boot:

https://sourceforge.net/p/refind/code/ci/master/tree/docs/refind/secureboot.html?format=raw

If anybody tries this, I'd appreciate feedback. I'm aiming to do a full release this weekend. (I'd hoped to do it last weekend, but that got away from me.)

Thanks!
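Added illustration, not the refind-sb-healthcheck script and not rEFInd project code: the first two checks described above (newer Shim by file timestamp, and local-key expiry within a year) reduced to small shell functions that run offline. It assumes GNU find(1) and date(1); the directories, file timestamps and notAfter dates are constructed for the demo, and the notAfter string is in the format `openssl x509 -noout -enddate` prints.

```shell
#!/bin/bash
# Example code (not from rEFInd). Assumes GNU find and GNU date.

# 1. "Newer Shim" here means a later mtime than the Shim that booted the
#    machine, exactly as the post describes: the file contents are not
#    inspected, so a copied or repackaged old Shim with a fresh timestamp
#    would also be listed. That is why a replacement should be confirmed
#    by a human rather than applied automatically.
#    $1 = the currently booted Shim, $2 = directory tree to search.
newer_shims() {
    local booted="$1" root="$2"
    find "$root" -type f -iname 'shim*.efi' -newer "$booted" 2>/dev/null | sort
}

# 2. Key expiry. $1 is a line like "notAfter=Jun  1 00:00:00 2026 GMT"
#    (the output of: openssl x509 -noout -enddate -in refind_local.crt),
#    $2 is the reference time as a Unix epoch (pass $(date +%s) in real use),
#    $3 is the warning horizon in seconds (default: one year, 365 days).
#    Returns 0 if the certificate has expired or will expire within the
#    horizon, 1 if it is still good, 2 if the date could not be parsed.
expires_soon() {
    local enddate="$1" now="$2" horizon="${3:-31536000}"
    local end_epoch
    end_epoch=$(date -u -d "${enddate#notAfter=}" +%s) || return 2
    [ $(( end_epoch - now )) -le "$horizon" ]
}

# Offline demo with constructed files and timestamps.
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/EFI/refind" "$tmp/usr/lib/shim"
    touch -d '2023-01-01 00:00:00 UTC' "$tmp/EFI/refind/shimx64.efi"      # booted Shim
    touch -d '2024-06-01 00:00:00 UTC' "$tmp/usr/lib/shim/shimx64.efi"     # distro update
    touch -d '2022-01-01 00:00:00 UTC' "$tmp/usr/lib/shim/shimx64-old.efi" # older, ignored
    echo "Shim candidates newer than the booted one:"
    newer_shims "$tmp/EFI/refind/shimx64.efi" "$tmp/usr/lib/shim"
    rm -rf "$tmp"

    local now=1735689600   # constructed "now": 2025-01-01 00:00:00 UTC
    for nd in "notAfter=Jun  1 00:00:00 2025 GMT" "notAfter=Jun  1 00:00:00 2027 GMT"; do
        if expires_soon "$nd" "$now"; then
            echo "$nd: expired or expiring within a year, regenerate keys"
        else
            echo "$nd: still valid for more than a year"
        fi
    done
}
```

Running `demo` prints the single newer Shim candidate and flags the 2025 certificate but not the 2027 one. In practice the notAfter line comes from `openssl x509 -noout -enddate -in /etc/refind.d/keys/refind_local.crt`, and the reference time from `date +%s`.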