
SBAT

nl6720
2021-06-10
2023-03-26
  • nl6720

    nl6720 - 2021-06-10

    shim 15.3 introduced and now mandates SBAT. This means that shim 15.3+ will not launch any EFI binaries without a .sbat section.

    To continue to work with shim, rEFInd needs to add .sbat sections to its binaries and provide a way to set the vendor* fields at build time.

     
  • Roderick W. Smith

    Thanks for the heads-up on this. Yet another Secure Boot hoop to jump through....

    I've found a binary build for openSUSE, so I'll start testing with that soon. The documentation for how to add the .sbat section seems a bit tedious and isn't 100% clear to me on a first read, but I expect that after poking around a bit I'll figure it out. It's also oriented toward a traditional Linux/GNU-EFI build process; I'm not sure how to integrate this into Tianocore builds. That could just end up motivating a shift to GNU-EFI as the primary build environment for rEFInd -- but maybe I'll figure out how to do this with the Tianocore EDK2.

     
  • nl6720

    nl6720 - 2021-06-22

    For testing, you can also use shim 15.4 from Fedora.

     
  • das menschy

    das menschy - 2022-10-13

    What's the progress on this issue? rEFInd still does not have any sbat section in its binary. Because rEFInd does not have a SBAT section, it doesn't work with shim, and doesn't work on OEM laptops with OEM/default secure boot keys enrolled.

    If rEFInd had an SBAT section, it would make setting up Secure Boot much easier: people would just have to enroll the MOK keys with MokManager (mmx64.efi) and would not have to replace the PK, KEK and DB keys with KeyTool/efi-updatevar/sbkeysync; ONLY to make rEFInd work.

    Replacing the Platform Key (PK), Key Exchange Keys (KEK) and Database Keys (DB) with your own keys is a big obstacle for many people.

    I found an example SBAT and script here, that describes how to add SBAT support to refind: https://github.com/rhboot/shim/issues/376#issuecomment-964137621

    The /usr/share/grub/sbat.csv file for the real GRUB on my Arch Linux looks like this:

    sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    grub,1,Free Software Foundation,grub,2:2.06.r334.g340377470-1,https//www.gnu.org/software/grub/
    grub.arch,1,Arch Linux,grub,2:2.06.r334.g340377470-1,https://archlinux.org/packages/core/x86_64/grub/
    

    An updated version of the refind_sbat.csv file for REFIND could look like this:

    sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    rEFInd,1,Roderick W. Smith,rEFInd,0.13.3,https://www.rodsbooks.com/refind
    

    A generalized version of the refind_sbat.csv file for REFIND could just take its data from the refind.spec file, which currently begins with:

     1 Summary: EFI boot manager software
     2 Name: refind
     3 Version: 0.13.3.1
     4 Release: 1%{?dist}
     5 Summary: EFI boot manager software
     6 License: GPLv3
     7 URL: http://www.rodsbooks.com/refind/
     8 Group: System Environment/Base
     9 Source: refind-src-%version.tar.gz
    10 Requires: efibootmgr gdisk mokutil
    11 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
    ...
    

    The build program could just generate the sbat.csv file with this information, replacing ${...} with the corresponding values in refind.spec:

    sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
    ${NAME_IN_LINE_2},1,Roderick W. Smith,${NAME_IN_LINE_2},${VERSION_IN_LINE_3},${URL_IN_LINE_7}
    

    The script to add this refind_sbat.csv file as .sbat section to the refind_x64.efi would look like this:

    objcopy --set-section-alignment '.sbat=512' --add-section .sbat=refind_sbat.csv --adjust-section-vma .sbat+10000000 refind_x64.efi
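
As an added example that is not part of this thread and not rEFInd's own build code: a small Python helper that does what the post above sketches, reading Name:, Version: and URL: from the top of refind.spec, emitting the two-line SBAT CSV, and then checking the result against the structural rules shim applies to .sbat data (six comma-separated columns per record, an "sbat" header record first, positive integer generation numbers, a URL with a scheme). The spec excerpt is constructed from the lines quoted in the thread; the vendor name is passed in as a parameter because the spec file does not carry it.

```python
"""Generate and sanity-check an SBAT CSV for rEFInd from its refind.spec.

Added example, not rEFInd's code. Assumes the 'Tag: value' preamble lines
shown in the thread and the six-column SBAT record layout from shim's SBAT.md:
component_name,component_generation,vendor_name,vendor_package_name,
vendor_version,vendor_url
"""
import re

SBAT_COLUMNS = ("component_name", "component_generation", "vendor_name",
                "vendor_package_name", "vendor_version", "vendor_url")

# Every SBAT CSV starts with a record describing the SBAT format itself.
SBAT_HEADER = ("sbat,1,SBAT Version,sbat,1,"
               "https://github.com/rhboot/shim/blob/main/SBAT.md")

# Constructed sample input: the opening of refind.spec as quoted above.
SAMPLE_SPEC = """\
Summary: EFI boot manager software
Name: refind
Version: 0.13.3.1
Release: 1%{?dist}
Summary: EFI boot manager software
License: GPLv3
URL: http://www.rodsbooks.com/refind/
Group: System Environment/Base
Source: refind-src-%version.tar.gz
"""


def parse_spec_preamble(spec_text):
    """Return {tag: value} for 'Tag: value' lines; the first occurrence wins."""
    fields = {}
    for line in spec_text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*?)\s*$", line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
    return fields


def build_sbat_csv(spec_text, vendor_name, generation=1):
    """Build the SBAT CSV: the format header plus one record for rEFInd."""
    f = parse_spec_preamble(spec_text)
    missing = [t for t in ("Name", "Version", "URL") if t not in f]
    if missing:
        raise ValueError("spec lacks required tag(s): " + ", ".join(missing))
    # component_name and vendor_package_name both come from Name:, as in the post.
    record = ",".join((f["Name"], str(generation), vendor_name,
                       f["Name"], f["Version"], f["URL"]))
    return SBAT_HEADER + "\n" + record + "\n"


def validate_sbat_csv(text):
    """Structural checks on SBAT data; returns a list of problem strings."""
    problems = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return ["empty SBAT data"]
    if lines[0].split(",")[0] != "sbat":
        problems.append("line 1: first record must be the 'sbat' format header")
    for n, line in enumerate(lines, 1):
        cols = line.split(",")
        if len(cols) != len(SBAT_COLUMNS):
            problems.append(f"line {n}: expected {len(SBAT_COLUMNS)} columns, "
                            f"got {len(cols)}")
            continue
        for name, value in zip(SBAT_COLUMNS, cols):
            if not value:
                problems.append(f"line {n}: empty {name}")
        # shim compares generation numbers, so they must be positive integers.
        if not cols[1].isdigit() or int(cols[1]) < 1:
            problems.append(f"line {n}: component_generation must be a "
                            f"positive integer")
        if not re.match(r"^https?://", cols[5]):
            problems.append(f"line {n}: vendor_url lacks an http(s):// scheme")
    return problems


if __name__ == "__main__":
    csv_text = build_sbat_csv(SAMPLE_SPEC, "Roderick W. Smith")
    print(csv_text, end="")
    print("problems:", validate_sbat_csv(csv_text) or "none")
```

The generated file is what the objcopy command in the post embeds as the .sbat section. Note that shim's revocation logic keys on component_generation, not on vendor_version, so a later fix that needs old builds revoked is expressed by raising the generation number while the version string keeps tracking the release as before.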
    
     
  • Roderick W. Smith

    I'm sorry it's taken so long to get to this; I've just been busy with other things. I've recently been making some changes to rEFInd, though, and I expect to make a new release in the next week or two. This includes .sbat support. I just uploaded it to the git repository, so you can download it and build it there; or you can try this binary:

    https://www.rodsbooks.com/refind-bin-0.13.3.6.zip

    I've tried to make this as seamless as possible; my own binaries should come with .sbat sections now; or they're added if you re-sign the binaries by installing an unsigned Debian package or running refind-install with the --localkeys option.

    This is still barely tested by me. So far it's worked for me, but there may yet be bugs or incompatibilities with certain computers or Shims. If you have any feedback, I'd appreciate hearing it.

     
  • nl6720

    nl6720 - 2023-02-22

    If I'm reading https://sourceforge.net/p/refind/code/ci/97998eacd72557f79664e16ce19af34128f40315/ correctly, then the .sbat section is added by refind-install.

    Would it be possible to do it in the build process, i.e. in the Makefile, instead? That way the EFI binaries could be used as-is.

     
    • Roderick W. Smith

      I thought it over, and that seems like a good suggestion, so the latest version (in git) does it this way.

      I plan to make a new release soon (this weekend), so if anybody cares to test this, now is the time!

       
  • nl6720

    nl6720 - 2023-02-25

    Works for me™ in a virtual machine.

     
  • npg_

    npg_ - 2023-03-26

    Works for me on shim 15.6/refind 14.0.2.

     
