This article or section needs expansion.
Reason: Need to explain the relationship with Win8 which is already documented in Dual boot with Windows#UEFI Secure Boot. Not sure how to integrate the info without duplication. (Discuss in Talk:Unified Extensible Firmware Interface/Secure Boot#)
For an overview of Secure Boot in Linux see Rod Smith's Secure Boot article. This article focuses on how to set up Secure Boot in Arch Linux.
The factual accuracy of this article or section is disputed.
Reason: Secure Boot is in no way related to LUKS. Secure Boot has dbx for blacklisting keys and hashes. Using a unified kernel image signed with a custom key, although the most secure, is not the only way to use Secure Boot. (Discuss in Talk:Unified Extensible Firmware Interface/Secure Boot#)
Secure Boot is a security feature of modern motherboards which can protect the boot manager, kernel and initramfs from tampering, e.g. from the installation of a keylogger or bootkit able to steal your LUKS master key. The minimal configuration in which using Secure Boot is worth the time spent:
- The UEFI firmware is considered trusted, even though it can still have backdoors or be vulnerable to an Evil Maid able to reflash the hardware.
- The user must not use third-party keys, especially Microsoft's (there is at least one known boot manager, signed by Microsoft, that is able to load anything [1]).
- The UEFI firmware loads a single EFISTUB image containing both kernel and initramfs, signed by the user's own Image Signing Key, so nobody can tamper with it.
- The kernel mounts encrypted root and home filesystems (LVM on LUKS), so nobody can tamper with them or read the mentioned private keys, password hashes or sensitive user data.
In future, Evil Maid attacks can potentially be prevented by using a TPM.
- Secure Boot status
  - Check the status
  - Change the status
- Using a signed boot loader
  - PreLoader
  - shim
- Using your own keys
  - Custom keys
  - Signing EFI binaries
  - Put firmware in 'Setup Mode'
  - Enroll keys in firmware
  - Dual booting with other operating systems
- Disable Secure Boot
- Booting an installation medium
- Platform configuration registers
- See also
Secure Boot status
Check the status
Before booting the OS
At this point, one has to look at the firmware setup. If the machine was booted and is running, in most cases it will have to be rebooted.
You may access the firmware configuration by pressing a special key during the boot process. The key to use depends on the firmware. It is usually one of Esc, F2, Del or possibly another Fn key. Sometimes the right key is displayed for a short while at the beginning of the boot process. The motherboard manual usually records it. You might want to press the key, and keep pressing it, immediately following powering on the machine, even before the screen actually displays anything.
After entering the firmware setup, be careful not to change any settings without prior intention. Usually there are navigation instructions, and short help for the settings, at the bottom of each setup screen. The setup itself might be composed of several pages. You will have to navigate to the correct place. The interesting setting might be simply denoted by secure boot, which can be set on or off.
After booting the OS
To check if the machine was booted with Secure Boot, use this command:
The factual accuracy of this article or section is disputed.
Reason: This command might display more than five digits even though secure boot is enabled. (Discuss in Talk:Unified Extensible Firmware Interface/Secure Boot#)
If Secure Boot is enabled, this command returns 1 as the final integer in a list of five. For a verbose status, another way is to execute:
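The dispute above is easy to resolve if you decode the variable's structure instead of counting digits. efivarfs exposes every variable as a 4-byte little-endian attribute word followed by the variable's data; SecureBoot is defined as a single UINT8 in the EFI_GLOBAL_VARIABLE namespace (GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c), so a well-formed read is exactly five bytes, while some firmware pads the data and returns more. The following Python is an added example, not code from the Arch Wiki page or from any Arch tool; the sample byte strings are constructed stand-ins for efivarfs reads, and the live read only works on a UEFI system with efivarfs mounted.

```python
"""Interpret the SecureBoot UEFI variable as exposed by efivarfs.

Added example (not from the Arch Wiki). efivarfs prepends a 4-byte
little-endian attribute word to a variable's data; SecureBoot carries a
single UINT8, so a healthy read is exactly 5 bytes. Some firmware returns a
longer payload, which is why "count the digits" is unreliable.
"""
import struct
from pathlib import Path

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

# EFI variable attribute bits (UEFI spec, GetVariable()/SetVariable())
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def parse_efivar(raw):
    """Split an efivarfs blob into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs payload shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def secure_boot_state(raw):
    """Decode a SecureBoot efivarfs blob into a small status dict."""
    attrs, data = parse_efivar(raw)
    if not data:
        raise ValueError("SecureBoot variable has no data byte")
    # The spec defines SecureBoot as one UINT8: only the first data byte carries meaning.
    return {
        "enabled": data[0] == 1,
        "runtime_readable": bool(attrs & EFI_VARIABLE_RUNTIME_ACCESS),
        "data_length": len(data),            # >1 means the firmware padded the variable
        "well_formed": len(data) == 1 and data[0] in (0, 1),
    }


def read_var(name, guid=EFI_GLOBAL_VARIABLE):
    return (EFIVARS / f"{name}-{guid}").read_bytes()


def live_status():
    """Read SecureBoot and SetupMode from the running system (needs efivarfs)."""
    status = secure_boot_state(read_var("SecureBoot"))
    _, setup = parse_efivar(read_var("SetupMode"))
    status["setup_mode"] = bool(setup and setup[0] == 1)
    return status


# Constructed samples standing in for efivarfs reads (not captured from real hardware).
SAMPLE_ENABLED = bytes([0x06, 0, 0, 0, 0x01])          # attrs = BS|RT, value 1
SAMPLE_DISABLED = bytes([0x06, 0, 0, 0, 0x00])
SAMPLE_PADDED = bytes([0x06, 0, 0, 0, 0x01, 0, 0, 0])  # firmware that returns 8 bytes

if __name__ == "__main__":
    try:
        print(live_status())
    except (FileNotFoundError, PermissionError, OSError) as exc:
        print(f"cannot read efivars ({exc}); decoding constructed samples instead")
        for sample in (SAMPLE_ENABLED, SAMPLE_DISABLED, SAMPLE_PADDED):
            print(sample.hex(), secure_boot_state(sample))
```

Run it as root on the target machine to see the live values; the padded sample shows why a firmware returning eight bytes still means "enabled" even though the naive five-digit check fails.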
Change the status
This article or section needs expansion.
Reason: Layout quick steps how an Arch install can gain Secure Boot with either #Using a signed boot loader or #Using your own keys. In the steps it is best mentioned that the structure of those two sections relies on having booted into Arch, i.e. #Disable Secure Boot first. (Discuss in Talk:Unified Extensible Firmware Interface/Secure Boot#)
Using a signed boot loader
Using a signed boot loader means using a boot loader signed with Microsoft's key. There are two known signed boot loaders, PreLoader and shim; their purpose is to chainload other EFI binaries (usually boot loaders). Since Microsoft would never sign a boot loader that automatically launches any unsigned binary, PreLoader and shim use a whitelist called the Machine Owner Key list, abbreviated MokList. If the SHA256 hash of the binary (PreLoader and shim) or the key the binary is signed with (shim) is in the MokList, they execute it; if not, they launch a key management utility which allows enrolling the hash or key.
PreLoader
When run, PreLoader tries to launch loader.efi. If the hash of loader.efi is not in MokList, PreLoader will launch HashTool.efi. In HashTool you must enroll the hash of the EFI binaries you want to launch, that means your boot loader (loader.efi) and kernel.
Note: Each time you update any of the binaries (e.g. boot loader or kernel) you will need to enroll their new hash.
Tip: The rEFInd boot manager's refind-install script can copy the rEFInd and PreLoader EFI binaries to the ESP. See rEFInd#Using PreLoader for instructions.
Set up PreLoader
Note: PreLoader.efi and HashTool.efi in the efitools package are not signed, so their usefulness is limited. You can get a signed PreLoader.efi and HashTool.efi from preloader-signedAUR or download them manually.
Install preloader-signedAUR and copy PreLoader.efi and HashTool.efi to the boot loader directory; for systemd-boot use:
Now copy over the boot loader binary and rename it to loader.efi; for systemd-boot use:
Finally, create a new NVRAM entry to boot PreLoader.efi:
Replace X with the drive letter and replace Y with the partition number of the EFI system partition. This entry should be added to the list as the first to boot; check with the efibootmgr command and adjust the boot order if necessary.
Fallback
If there are problems booting the custom NVRAM entry, copy HashTool.efi and loader.efi to the default loader location booted automatically by UEFI systems:
Copy over PreLoader.efi and rename it:
For particularly intransigent UEFI implementations, copy PreLoader.efi to the default loader location used by Windows systems:
Note: If dual-booting with Windows, back up the original bootmgfw.efi first, as replacing it may cause problems with Windows updates.
As before, copy HashTool.efi and loader.efi to esp/EFI/Microsoft/Boot/. When the system starts with Secure Boot enabled, follow the steps above to enroll loader.efi and /vmlinuz-linux (or whichever kernel image is being used).
How to use while booting?
A message will show up that says Failed to Start loader. I will now execute HashTool.
To use HashTool for enrolling the hash of loader.efi and vmlinuz.efi, follow these steps. These steps assume the titles of a remastered archiso installation medium; the exact titles you will get depend on your boot loader setup.
- Select OK
- In the HashTool main menu, select Enroll Hash, choose loader.efi and confirm with Yes. Again, select Enroll Hash and archiso to enter the archiso directory, then select vmlinuz.efi and confirm with Yes. Then choose Exit to return to the boot device selection menu.
- In the boot device selection menu choose Arch Linux archiso x86_64 UEFI CD
Remove PreLoader
Note: Since you are going to remove files, it is a good idea to back them up first.
Uninstall preloader-signedAUR and simply remove the copied files and revert the configuration; for systemd-boot use:
Where N is the NVRAM boot entry created for booting PreLoader.efi. Check with the efibootmgr command and adjust the boot order if necessary.
Note: The above commands cover the easiest case; if you have created, copied, renamed or edited further files you will probably have to handle them, too. If PreLoader was your operational boot entry, you obviously also need to #Disable Secure Boot.
shim
This article or section needs expansion.
Reason: Testing needed. (Discuss in Talk:Unified Extensible Firmware Interface/Secure Boot#shim)
When run, shim tries to launch grubx64.efi. If MokList does not contain the hash of grubx64.efi or the key it is signed with, shim will launch MokManager (mmx64.efi). In MokManager you must enroll the hash of the EFI binaries you want to launch (your boot loader (grubx64.efi) and kernel) or enroll the key they are signed with.
Note: If you use #shim with hash, each time you update any of the binaries (e.g. boot loader or kernel) you will need to enroll their new hash.
Set up shim
Tip: The rEFInd boot manager's refind-install script can sign rEFInd EFI binaries and copy them along with shim and the MOK certificates to the ESP. See rEFInd#Using shim for instructions.
Install shim-signedAUR.
Rename your current boot loader to grubx64.efi.
Copy shim and MokManager to your boot loader directory on the ESP; use the previous filename of your boot loader as the filename for shimx64.efi:
Finally, create a new NVRAM entry to boot BOOTX64.efi:
shim can authenticate binaries by Machine Owner Key or hash stored in MokList.
- Machine Owner Key (MOK)
- A key that a user generates and uses to sign EFI binaries.
- hash
- A SHA256 hash of an EFI binary.
Using hash is simpler, but each time you update your boot loader or kernel you will need to add their hashes in MokManager. With MOK you only need to add the key once, but you will have to sign the boot loader and kernel each time it updates.
shim with hash
If shim does not find the SHA256 hash of grubx64.efi in MokList it will launch MokManager (mmx64.efi). In MokManager select Enroll hash from disk, find grubx64.efi and add it to MokList. Repeat the steps and add your kernel vmlinuz-linux. When done select Continue boot and your boot loader will launch and it will be capable of launching the kernel.
shim with key
Install sbsigntools.
You will need:
- .key
- PEM format private key for EFI binary signing.
- .crt
- PEM format certificate for sbsign.
- .cer
- DER format certificate for MokManager.
Create a Machine Owner Key:
Sign your boot loader (named grubx64.efi) and kernel:
You will need to do this each time they are updated. You can automate the kernel signing with a pacman hook, e.g.:
Copy MOK.cer to a FAT formatted file system (you can use the EFI system partition). Reboot and enable Secure Boot. If shim does not find the certificate grubx64.efi is signed with in MokList it will launch MokManager (mmx64.efi). In MokManager select Enroll key from disk, find MOK.cer and add it to MokList. When done select Continue boot and your boot loader will launch and it will be capable of launching any binary signed with your Machine Owner Key.
shim with key and GRUB
This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.
Reason: Too long, written like a blog post. Also many formatting issues, see Help:Style. (Discuss in Talk:Unified Extensible Firmware Interface/Secure Boot#)
Warning: With Secure Boot active, GRUB cannot chainload EFI binaries even if they are signed.
For signing you can for example use the grub2-signing extension: [2]
There is also a package in the AUR: grub2-signing-extensionAUR
Run gpg --gen-key as root to create a keypair. If you get a permission denied error try:
Activate the gpg-agent:
Export your public key:
Mount your boot partition. (Re)install GRUB2:
Copy your public key to your boot partition.
Edit your GRUB custom config and add:
Tip: (crypt0) is the name of the partition in GRUB.
Rebuild your GRUB config:
Ensure that you created MOK.key and signed your kernel and grubx64.efi as described in #shim with key. Sign the GRUB files:
grub-sign
Run grub-verify and check if there are errors. Here is a simple unsign hook:
And a bash script you can use to sign again after the update.
Remove shim
Uninstall shim-signedAUR, remove the copied shim and MokManager files and rename your boot loader back.
Using your own keys
This article or section needs expansion.
Reason: instructions needed, testing too, a subsection on backing up existing keys prior to replacing them should be added (Discuss in Talk:Unified Extensible Firmware Interface/Secure Boot#)
Tip:
- It is advised to read Rod Smith's Controlling Secure Boot.
- You can use the cryptboot-efikeys script from the cryptbootAUR package for simplified creation of keys, enrolling of keys, signing of the boot loader and verification of signatures.
  - Note that cryptbootAUR requires the encrypted /boot partition to be specified in /etc/crypttab before it runs, and if you are using it in combination with sbupdate-gitAUR, sbupdate expects the /boot/efikeys/db.* files created by cryptboot to be capitalized like DB.* unless otherwise configured in /etc/sbupdate.conf. Users who do not use systemd to handle encryption may not have anything in their /etc/crypttab file and would need to create an entry.
Secure Boot implementations use these keys:
- Platform Key (PK)
- Top-level key.
- Key Exchange Key (KEK)
- Keys used to sign Signatures Database and Forbidden Signatures Database updates.
- Signature Database (db)
- Contains keys and/or hashes of allowed EFI binaries.
- Forbidden Signatures Database (dbx)
- Contains keys and/or hashes of blacklisted EFI binaries.
See The Meaning of all the UEFI Keys for a more detailed explanation.
Custom keys
To use Secure Boot you need at least PK, KEK and db keys. While you can add multiple KEK, db and dbx certificates, only one Platform Key is allowed.
Once Secure Boot is in 'User Mode' keys can only be updated by signing the update (using sign-efi-sig-list) with a higher level key. Platform key can be signed by itself.
Creating keys
To generate keys, install efitools and perform the following steps. As an alternative, install and run sbkeysAUR to generate a new set of keys automatically.
You will need private keys and certificates in multiple formats:
- .key
- PEM format private keys for EFI binary and EFI signature list signing.
- .crt
- PEM format certificates for sbsign(1), sbvarsign(1) and sign-efi-sig-list(1).
- .cer
- DER format certificates for firmware.
- .esl
- Certificates in an EFI Signature List for sbvarsign(1), efi-updatevar(1), KeyTool and firmware.
- .auth
- Certificates in an EFI Signature List with an authentication header (i.e. a signed certificate update file) for efi-updatevar(1), sbkeysync, KeyTool and firmware.
Create a GUID for owner identification:
Platform key:
Sign an empty file to allow removing Platform Key when in 'User Mode':
Key Exchange Key:
Signature Database key:
Updating keys
Once Secure Boot is in 'User Mode' any changes to KEK, db and dbx need to be signed with a higher level key.
For example, if you wanted to replace your db key with a new one:
- Create the new key,
- Convert it to EFI Signature List,
- Sign the EFI Signature List,
- Enroll the signed certificate update file.
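The .esl files handled in the steps above have a simple binary layout that is worth understanding before you start concatenating and signing them: each EFI_SIGNATURE_LIST is a 28-byte header (SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize) followed by entries of SignatureOwner GUID plus data, and a db or dbx variable is just a concatenation of such lists, which is also what appending with sign-efi-sig-list -a produces. The Python below is an added example, not code from the Arch Wiki or from efitools; it builds X.509 and SHA256 lists, parses a concatenated blob back, and applies the firmware's decision order (any dbx match denies, otherwise db must match). The "certificate" bytes and image hashes are constructed placeholders, the owner GUID 11111111-... is made up, and the signer match is simplified to a byte comparison; real firmware computes the Authenticode hash of the PE image and verifies the signature against the db certificate rather than comparing raw bytes.

```python
"""Build and parse EFI Signature Lists (.esl) and evaluate a db/dbx policy.

Added example (not the Arch Wiki's or efitools' code). Layout follows the
UEFI spec's EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA. The certificate bytes
are a constructed placeholder, not a real X.509 DER blob.
"""
import hashlib
import struct
import uuid
from dataclasses import dataclass

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize (all little-endian)
_HDR = struct.Struct("<16sIII")


@dataclass(frozen=True)
class Entry:
    sig_type: uuid.UUID
    owner: uuid.UUID
    data: bytes


def build_esl(sig_type, owner, payloads):
    """One EFI_SIGNATURE_LIST holding `payloads`, which must all have equal size."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must have equal size")
    sig_size = 16 + sizes.pop()                      # owner GUID + data
    body = b"".join(owner.bytes_le + p for p in payloads)
    return _HDR.pack(sig_type.bytes_le, _HDR.size + len(body), 0, sig_size) + body


def x509_esl(owner, cert_der):
    return build_esl(EFI_CERT_X509_GUID, owner, [cert_der])


def sha256_esl(owner, hashes):
    if any(len(h) != 32 for h in hashes):
        raise ValueError("SHA256 entries must be 32 bytes")
    return build_esl(EFI_CERT_SHA256_GUID, owner, hashes)


def parse_esl(blob):
    """Walk a concatenation of signature lists, validating every length field."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        end = off + list_size
        if list_size < _HDR.size + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + _HDR.size + hdr_size
        if (end - pos) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        while pos < end:
            sig = blob[pos:pos + sig_size]
            entries.append(Entry(uuid.UUID(bytes_le=sig_type), uuid.UUID(bytes_le=sig[:16]), sig[16:]))
            pos += sig_size
        off = end
    return entries


def verdict(db, dbx, image_hash, signer_cert_der=None):
    """Firmware decision order: any dbx match denies; otherwise db must match."""
    def matches(e):
        return (e.sig_type == EFI_CERT_SHA256_GUID and e.data == image_hash) or \
               (e.sig_type == EFI_CERT_X509_GUID and e.data == signer_cert_der)
    if any(matches(e) for e in parse_esl(dbx)):
        return "denied"
    return "allowed" if any(matches(e) for e in parse_esl(db)) else "rejected"


# Constructed sample data (placeholder cert and hashes, made-up owner GUID).
MY_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
MY_CERT = b"\x30\x82\x00\x10" + b"my-db-cert-placeholder"
OLD_IMAGE_HASH = hashlib.sha256(b"loader.efi v1").digest()
NEW_IMAGE_HASH = hashlib.sha256(b"loader.efi v2").digest()
REVOKED_HASH = hashlib.sha256(b"revoked-bootkit.efi").digest()

# db with one certificate and one hash entry; dbx with a Microsoft-owned revocation.
DB = x509_esl(MY_OWNER, MY_CERT) + sha256_esl(MY_OWNER, [OLD_IMAGE_HASH])
DBX = sha256_esl(MICROSOFT_OWNER_GUID, [REVOKED_HASH])

if __name__ == "__main__":
    for e in parse_esl(DB):
        print(e.sig_type, e.owner, e.data.hex()[:16])
    print("old loader by hash:      ", verdict(DB, DBX, OLD_IMAGE_HASH))
    print("updated loader, unsigned:", verdict(DB, DBX, NEW_IMAGE_HASH))
    print("updated loader, signed:  ", verdict(DB, DBX, NEW_IMAGE_HASH, MY_CERT))
    print("revoked but signed:      ", verdict(DB, DBX, REVOKED_HASH, MY_CERT))
```

The four verdicts make the hash-versus-key trade-off from the shim section concrete: the hash entry stops matching as soon as the loader is rebuilt, the certificate entry keeps working for any binary signed with that key, and a dbx entry wins over both. The same builder applies to the Microsoft certificates later on the page, where SignatureOwner is set to 77fa9abd-0359-4d32-bd60-28f4e78f784b.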
If instead of replacing your db key you want to add another one to the Signature Database, you need to use the option -a (see sign-efi-sig-list(1)):
When new_db.auth is created, enroll it.
Signing EFI binaries
When Secure Boot is active (i.e. in 'User Mode'), only signed EFI binaries (e.g. applications, drivers, unified kernel images) can be launched. Install sbsigntools to sign EFI binaries with sbsign(1).
Tip:
- To check if a binary is signed and list its signatures use sbverify --list /path/to/binary.
- The rEFInd boot manager's refind-install script can sign rEFInd EFI binaries and copy them together with the db certificates to the ESP. See rEFInd#Using your own keys for instructions.
Note: If running sbsign without --output the resulting file will be filename.signed. See sbsign(1) for more information.
Signing the kernel and boot manager
Warning: Signing only the kernel will not protect the initramfs from tampering.
To sign your kernel and boot manager use sbsign. E.g.:
Signing the kernel with a pacman hook
You can also use mkinitcpio's pacman hook to sign the kernel on install and updates.
Copy /usr/share/libalpm/hooks/90-mkinitcpio-install.hook to /etc/pacman.d/hooks/90-mkinitcpio-install.hook and /usr/share/libalpm/scripts/mkinitcpio-install to /usr/local/share/libalpm/scripts/mkinitcpio-install.
In /etc/pacman.d/hooks/90-mkinitcpio-install.hook, replace:
with:
In /usr/local/share/libalpm/scripts/mkinitcpio-install, replace:
with:
This article or section is a candidate for moving to systemd-boot.
Notes: Out of scope. (Discuss in Talk:Unified Extensible Firmware Interface/Secure Boot#)
If you need a boot manager, you might want to trigger the hook when the former is updated. Here is an example with systemd-boot:
The Target needs to be duplicated each time you want to add a new package. Regarding the find statement, since we had a condition with the filenames and ALPM hooks are split on spaces, we had to surround the whole statement with quotes in order for the hook to be parsed properly. Since systemd-boot is located in sub-folders, the depth needed to be adjusted as well, so we removed the -maxdepth argument. To avoid hassle, if you are unsure, try to reinstall the package you want to test to see if the hook and signing part are processed successfully. See Pacman#Hooks or alpm-hooks(5) for more info.
Put firmware in 'Setup Mode'
Secure Boot is in Setup Mode when the Platform Key is removed. To put firmware in Setup Mode, enter firmware setup utility and find an option to delete or clear certificates. How to enter the setup utility is described in #Before booting the OS.
Enroll keys in firmware
Copy all *.cer, *.esl, *.auth to a FAT formatted file system (you can use the EFI system partition). Launch the firmware setup utility or KeyTool and enroll db, KEK and PK certificates.
If the used tool supports it prefer using .auth and .esl over .cer.
Warning: Enrolling Platform Key sets Secure Boot in 'User Mode', leaving 'Setup Mode', so it should be enrolled last in sequence.
Using firmware setup utility
Firmwares have various different interfaces, see Replacing Keys Using Your Firmware's Setup Utility for example how to enroll keys.
Using KeyTool
KeyTool.efi is in the efitools package; copy it to the ESP. To use it after enrolling keys, sign it with sbsign. Launch KeyTool-signed.efi using the firmware setup utility, a boot loader or the UEFI Shell and enroll keys. See Replacing Keys Using KeyTool for an explanation of the KeyTool menu options.
Dual booting with other operating systems
Microsoft Windows
This article or section needs expansion.
Reason: Is it possible to boot Windows by signing its bootloader with a custom key? (Discuss in Talk:Unified Extensible Firmware Interface/Secure Boot#)
To dual boot with Windows, you would need to add Microsoft's certificates to the Signature Database. Microsoft has two db certificates:
- Microsoft Windows Production PCA 2011 for Windows
- Microsoft Corporation UEFI CA 2011 for third-party binaries like UEFI drivers, option ROMs etc.
Create EFI Signature Lists from Microsoft's DER format certificates using Microsoft's GUID (77fa9abd-0359-4d32-bd60-28f4e78f784b) and combine them in one file for simplicity:
Sign a db update with your KEK. Use sign-efi-sig-list with option -a to add, not replace, a db certificate:
Follow #Enroll keys in firmware to add add_MS_db.auth to the Signature Database.
Disable Secure Boot
The Secure Boot feature can be disabled via the UEFI firmware interface. How to access the firmware configuration is described in #Before booting the OS.
If using a hotkey did not work and you can boot Windows, you can force a reboot into the firmware configuration in the following way (for Windows 10): Settings > Update & Security > Recovery > Advanced startup (Restart now) > Troubleshoot > Advanced options > UEFI Firmware settings > restart.
Note that some motherboards (this is the case on a Packard Bell laptop) only allow disabling Secure Boot if you have set an administrator password (which can be removed afterwards). See also Rod Smith's Disabling Secure Boot.
Booting an installation medium
Note: The official installation image does not support Secure Boot (FS#53864). To successfully boot the installation medium you will need to disable Secure Boot.
Secure Boot support was initially added in archlinux-2013.07.01-dual.iso and later removed in archlinux-2016.06.01-dual.iso. At that time prebootloader was replaced with efitools, even though the latter uses unsigned EFI binaries. There has been no support for Secure Boot in the official installation medium ever since.
Remastering the installation image
This article or section needs expansion.
Reason: Add explicit instructions. (Discuss in Talk:Unified Extensible Firmware Interface/Secure Boot#)
One might want to remaster the install ISO in the way described by previous sections of this article. For example, the signed EFI applications PreLoader.efi and HashTool.efi from #PreLoader can be adopted here. Another option would be to borrow the bootx64.efi (shim) and grubx64.efi from the installation medium of another GNU+Linux distribution that supports Secure Boot and modify the GRUB configuration to one's needs. In this case, the authentication chain of Secure Boot in said distribution's installation medium should end at grubx64.efi (for example Ubuntu), so that GRUB boots the unsigned kernel and initramfs from archiso. Note that up to this point, the article assumed one can access the ESP of the machine. But when installing a machine that never had an OS before, there is no ESP present. You should explore other articles, for example Unified Extensible Firmware Interface#Create UEFI bootable USB from ISO, to learn how this situation should be handled.
Platform configuration registers
This article or section needs expansion.
Reason: Add some links. (Discuss in Talk:Unified Extensible Firmware Interface/Secure Boot#)
Platform configuration registers (PCRs) are hashes that can be read at any time but can only be written via the extend operation: the new value is the hash of the old value concatenated with the measured digest (PCR_new = H(PCR_old || digest)). Because each value depends on the previous one, a PCR behaves like a hash chain over everything measured into it, and the order of measurements matters.
They can be used to unlock encryption keys and to prove that the correct OS was booted.
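To see why PCR values are useful for sealing a LUKS key or attesting the boot, it helps to replay a measurement log the way an attester does. The Python below is an added example, not code from the Arch Wiki or from any TPM tool; it implements the SHA-256 extend operation and replays three constructed boot sequences (a trusted boot, an Evil Maid swapping the boot manager measured into PCR4, and the same events in a different order), then checks a sealing policy over a chosen set of PCRs. The event contents are made up for illustration; on a real system the log is in /sys/kernel/security/tpm0/binary_bios_measurements and the PCR assignments follow the table.

```python
"""Simulate TPM 2.0 PCR extend and show why measured-boot values are order-sensitive.

Added example (not from the Arch Wiki). A PCR cannot be written directly:
PCR_new = SHA256(PCR_old || digest). The events below are constructed for
illustration, not read from a real TPM event log.
"""
import hashlib

PCR_INIT = bytes(32)  # PCRs 0-16 of the SHA-256 bank start at all zeros on power-up


def extend(pcr, digest):
    """The only write operation a PCR supports."""
    if len(pcr) != 32 or len(digest) != 32:
        raise ValueError("SHA-256 bank: both operands must be 32 bytes")
    return hashlib.sha256(pcr + digest).digest()


def replay(events):
    """Replay (pcr_index, measured_data) events into a fresh bank, as an attester does."""
    bank = {}
    for idx, data in events:
        bank[idx] = extend(bank.get(idx, PCR_INIT), hashlib.sha256(data).digest())
    return bank


def pcr_policy_matches(bank, expected, indices):
    """Sealed-key release: every PCR named in the policy must equal its expected value."""
    return all(bank.get(i) == expected.get(i) for i in indices)


# Constructed sequences mirroring the table: firmware -> PCR0, Secure Boot
# state and db -> PCR7, boot manager -> PCR4.
TRUSTED_BOOT = [
    (0, b"firmware-v1.0"),
    (7, b"SecureBoot=1"),
    (7, b"db: my-db-cert"),
    (4, b"EFI/systemd/systemd-bootx64.efi (signed)"),
]
EVIL_MAID_BOOT = [
    (0, b"firmware-v1.0"),
    (7, b"SecureBoot=1"),
    (7, b"db: my-db-cert"),
    (4, b"EFI/BOOT/bootkit.efi"),  # different boot manager: only PCR4 diverges
]
REORDERED_BOOT = [TRUSTED_BOOT[0], TRUSTED_BOOT[2], TRUSTED_BOOT[1], TRUSTED_BOOT[3]]

EXPECTED = replay(TRUSTED_BOOT)  # the "golden" values you would seal a key against

if __name__ == "__main__":
    for name, seq in (("trusted", TRUSTED_BOOT), ("evil maid", EVIL_MAID_BOOT), ("reordered", REORDERED_BOOT)):
        bank = replay(seq)
        short = {i: bank[i].hex()[:12] for i in sorted(bank)}
        print(f"{name:10} {short} policy(0,4,7)={pcr_policy_matches(bank, EXPECTED, (0, 4, 7))}")
```

A policy over PCR0 and PCR7 alone would still release the key to the Evil Maid boot, since only PCR4 changed; binding to PCR4 as well catches the swapped boot manager, at the price of resealing whenever the boot manager is updated.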
PCR | Use | Notes
---|---|---
PCR0 | Core System Firmware executable code (aka firmware) | May change if you upgrade your UEFI
PCR1 | Core System Firmware data (aka UEFI settings) |
PCR2 | Extended or pluggable executable code |
PCR3 | Extended or pluggable firmware data | Set during the Boot Device Select UEFI boot phase
PCR4 | Boot Manager |
PCR5 | GPT / Partition Table |
PCR6 | Resume from S4 and S5 Power State Events |
PCR7 | Secure Boot State |
PCR8-10 | Reserved for future use |
PCR11 | BitLocker Access Control |
PCR12 | Data events and highly volatile events |
PCR13 | Boot Module Details |
PCR14 | Boot Authorities |
PCR15-23 | Reserved for future use |
See also
- Dealing with Secure Boot by Rod Smith
- Controlling Secure Boot by Rod Smith
- UEFI secure booting (part 2) by Matthew Garrett
- UEFI Secure Boot by James Bottomley
- Will your computer's 'Secure Boot' turn out to be 'Restricted Boot'? — Free Software Foundation
- Intel's UEFI Secure Boot Tutorial [dead link 2020-04-03]
- UEFI Defensive Practices Guidance by NSA - National Security Agency
Retrieved from 'https://wiki.archlinux.org/index.php?title=Unified_Extensible_Firmware_Interface/Secure_Boot&oldid=633297'