Main objective:
I need to keep Secure Boot enabled and boot into an unsigned EFI Shell so I can run unsigned EFI executables.
I am using refind on a USB Flash Drive with WinPE4 x64 and an EFI Shell; the USB drive will be used on many different UEFI notebooks with Secure Boot enabled by default. The notebooks have the Microsoft Secure Boot key in the firmware. Other keys should not be added.
I am using the shim and boot files from the ArchLinux rescue cd (regular-rescue-latest-x86_64.iso) and have WinPE booting fine with Secure Boot enabled, but I cannot get the EFI Shell working. It gives the error:
ASSERT_EFI_ERROR (Status = Device Error)
ASSERT c:\dev\edk2tip\Build\Shell\RELEASE_VS2005\X64\ShellPkg\Application\Shell\Shell\DEBUG\AutoGen.c(431) : !EFI_ERROR (Status)
... so I tried a fresh EFI shell file (shellx64.efi) (Tianocore), it now boots into the EFI Shell but only when Secure Boot is turned off.
When Secure Boot is turned on it displays the refind message: 'shellx64.efi is not signed, you can either do this..do that..etc..'
Is it possible to chain boot a non-signed Shellx64.efi from the refind menu? Perhaps Elilo can finalize the Secure Boot process before loading the EFI shell?
What you want to do is not possible with unmodified binaries. Both rEFInd and the EFI shell, when launched in Secure Boot mode, honor that fact and will not launch an unsigned binary. rEFInd expands the Secure Boot definition to include binaries signed with a MOK, though. To achieve the effect you want, you'd need to modify the EFI shell source code so that it doesn't honor Secure Boot and then sign it with a MOK. I can't suggest how to do this, and in fact I can't recommend you try it. Even if you intend no harm, you could do so unintentionally, or if your binary becomes widely available, somebody else could. This might in turn result in the revocation of whatever key was used with whatever shim or PreLoader image was used in the process, which of course would cause a lot of problems for many people.
Instead, I recommend disabling Secure Boot on any computer that needs this functionality. Alternatively, you could sign all your binaries with a MOK and launch them in some way other than with a standard shell. (The regular EFI shell won't launch MOK-signed binaries when Secure Boot is active, in my experience.)
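The "not signed" message in the thread comes down to whether the .efi file carries an Authenticode signature in its PE Certificate Table, which is the structure shim, rEFInd and the firmware inspect under Secure Boot. The following script, added here as an illustration and not code from rEFInd, shim or either poster, parses the PE headers of an image and reports whether such a signature is present and what type it is. It only tells you that a signature blob exists; whether the signer chains to the firmware's db or to an enrolled MOK is decided separately at boot time. The sample image it builds is a constructed, non-bootable PE32+ stub whose "signature" is a placeholder blob rather than real PKCS#7 data; pass a path to a real shellx64.efi to inspect that instead.

```python
"""Inspect a UEFI PE/COFF image (.efi) for an embedded Authenticode
signature.  Under Secure Boot the firmware, shim and rEFInd look for this
Certificate Table before running an image; an image without one is what
rEFInd reports as "not signed".  Added example, not code from rEFInd,
shim or the thread above."""
import struct
import sys

PE32_MAGIC = 0x10B          # 32-bit optional header
PE32PLUS_MAGIC = 0x20B      # 64-bit optional header (x64 .efi images)
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # Certificate Table data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def inspect_image(image: bytes) -> dict:
    """Parse the PE headers and return machine type, header format and the
    WIN_CERTIFICATE entries found in the Certificate Table (empty if none).
    Raises ValueError for input that is not a well-formed PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    coff = e_lfanew + 4
    if image[e_lfanew:coff] != b"PE\0\0" or len(image) < coff + 20:
        raise ValueError("not a PE image: missing PE signature")
    machine, _nsec, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 2 or len(image) < opt + opt_size:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32PLUS_MAGIC:
        fmt, dirs = "PE32+", opt + 112   # data directories start at +112 in PE32+
    elif magic == PE32_MAGIC:
        fmt, dirs = "PE32", opt + 96     # ... and at +96 in PE32
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    result = {"machine": machine, "format": fmt, "cert_table": None, "entries": []}
    (num_dirs,) = struct.unpack_from("<I", image, dirs - 4)   # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return result                     # too few directories: cannot be signed
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + opt_size:
        raise ValueError("security directory entry outside optional header")
    cert_off, cert_size = struct.unpack_from("<II", image, entry)
    if cert_off == 0 or cert_size == 0:
        return result
    # Unlike every other directory, this "VirtualAddress" is a raw file offset.
    end = cert_off + cert_size
    if end > len(image):
        raise ValueError("certificate table extends past end of file")
    result["cert_table"] = (cert_off, cert_size)
    pos = cert_off
    while pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        result["entries"].append({
            "offset": pos, "length": length, "revision": revision, "type": ctype,
            "authenticode": ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        })
        pos += (length + 7) & ~7          # entries are padded to 8-byte boundaries
    return result


def is_signed(image: bytes) -> bool:
    """True if at least one Authenticode (PKCS#7 SignedData) entry is present.
    Presence only: whether the signer chains to db or to an enrolled MOK is a
    separate question that shim/rEFInd decide at boot time."""
    return any(e["authenticode"] for e in inspect_image(image)["entries"])


def build_sample_image(signed: bool) -> bytes:
    """Construct a minimal, non-bootable PE32+ image for demonstration.
    The 'signature' is a placeholder blob, not real PKCS#7 data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    opt = bytearray(240)                                        # 112 + 16 directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 0, 0, 0, 0, len(opt), 0x22)
    header_len = len(dos) + 4 + len(coff) + len(opt)            # cert table follows headers
    cert = b""
    if signed:
        payload = b"PKCS7-PLACEHOLDER"                           # constructed, 17 bytes
        win_cert = struct.pack("<IHH", 8 + len(payload), WIN_CERT_REVISION_2_0,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        cert = win_cert + b"\0" * (-len(win_cert) % 8)          # pad to 8 bytes
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_image(signed=True)
    info = inspect_image(data)
    print(f"{path or '<sample>'}: {info['format']}, machine={info['machine']:#x}, "
          f"signed={is_signed(data)}, entries={len(info['entries'])}")
```

Run it as `python3 check_efi_sig.py /path/to/shellx64.efi` to see whether the shell binary you are chainloading carries any signature at all; a machine value of 0x8664 confirms an x64 image. An entry of type 0x0002 is the Authenticode blob that sbverify and the firmware examine, and its absence is exactly the case rEFInd refuses under Secure Boot.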