You are not logged in.

#1 2020-01-21 18:49:36

makosmos
Member
Registered: 2019-12-25
Posts: 11

[SOLVED] Preloader concerns

Hello,

I'm currently reading the doc about Refind bootloader and especially how to boot third party OS using refind with secure boot enabled.
I've the choice to either use Shim or Preloader which is described to be easier to install.
But i'm a bit annoyed by the problem described below (Refind & Preloader)

Preloader issue wrote:

Although PreLoader is easier to set up than Shim, particularly if you need to launch programs or kernels that aren't already signed, it suffers from the problem that you must register every new program you install, including Linux kernels if you launch them directly from rEFInd. This need can be a hassle if you update your kernels frequently, and every new registration chews up a little space in your NVRAM. Nonetheless, PreLoader can be a good Secure Boot solution for many users or if you want to build a portable Linux installation that you can use on any computer with minimal fuss

I don't know how often is the linux kernel on ArchLinux updated but I would not like to have to check arch's efi executable each time I update it.

Thanks in advance for your help.

Last edited by makosmos (2020-01-26 11:11:54)

Offline

#2 2020-01-21 19:38:22

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 28,339
Website

Re: [SOLVED] Preloader concerns

What is your problem/issue? Do you want to know how often the kernel is updated? There is a log.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#3 2020-01-21 20:16:56

makosmos
Member
Registered: 2019-12-25
Posts: 11

Re: [SOLVED] Preloader concerns

jasonwryan wrote:

What is your problem/issue? Do you want to know how often the kernel is updated? There is a log.

I would like to know of often would I have to do the process about checking efi executables in order to keep secure boot enable.
From the doc I read, the process has to be done each time the program is updated but I'm not sure to what extent can an Archlinux update envolve doing the process one more time.

Offline

#4 2020-01-21 20:19:34

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 28,339
Website

Re: [SOLVED] Preloader concerns

The log is a very clear record of the frequency of kernel updates. Arch is a rolling release: as soon as Linus marks a kernel as stable it is pushed to our repos*.

* Major version bumps generally sit in [testing] for a week first.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#5 2020-01-21 20:35:59

makosmos
Member
Registered: 2019-12-25
Posts: 11

Re: [SOLVED] Preloader concerns

Thus if I use Preloader I will have to check efi binaries roughly once a week ?
It doesn't sound reliable and convienent at all.
This makes Shim more appropriate than Preloader then right ?

Offline

#6 2020-01-22 01:15:50

loqs
Member
Registered: 2014-03-06
Posts: 9,773

Re: [SOLVED] Preloader concerns

You could use a hook to automate kernel signing.  Secure_Boot#Signing_the_kernel_with_a_pacman_hook

Offline

#7 2020-01-22 13:42:10

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 5,171
Website

Re: [SOLVED] Preloader concerns

makosmos wrote:

This makes Shim more appropriate than Preloader then right ?

Yes. A hook wouldn't work with the PreLoader.

Offline

#8 2020-01-23 09:18:29

makosmos
Member
Registered: 2019-12-25
Posts: 11

Re: [SOLVED] Preloader concerns

Ok, I'm going to try with shim and I'll keep you informed.
Thanks for your help

Why a pacman hook wouldn't work for Preloader ?

Offline

#9 2020-01-23 10:18:16

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 5,171
Website

Re: [SOLVED] Preloader concerns

makosmos wrote:

Why a pacman hook wouldn't work for Preloader ?

Because a pacman hook can't enroll the hash.

Offline

#10 2020-01-25 11:41:04

makosmos
Member
Registered: 2019-12-25
Posts: 11

Re: [SOLVED] Preloader concerns

Hello,

I'm now close to boot in "Secure boot" mode.
I successfully reinstalled refind using the command  :

refind-install --shim /path/to/shim.efi

and as planned (https://www.rodsbooks.com/refind/secureboot.html), I'm asked to select an X509 certificate to enroll when I boot my computer with "secure boot" on.
The issue is I don't find the

refind.cer

file needed

Does anyknow where to find this file ?

Offline

#11 2020-01-25 11:47:34

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 5,171
Website

Re: [SOLVED] Preloader concerns

makosmos wrote:

Does anyknow where to find this file ?

From Rod Smith's page (already linked in your post):

Copy the refind.cer file from the rEFInd package to your ESP

From the rEFInd package file list:

usr/share/refind/keys/refind.cer

Offline

#12 2020-01-25 11:51:04

progandy
Member
Registered: 2012-05-17
Posts: 3,682

Re: [SOLVED] Preloader concerns

makosmos wrote:

Does anyknow where to find this file ?

pacman -Fy
pacman -Fl refind-efi

You might also be interested in the --localkeys option that is mentioned in the refind documentation.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#13 2020-01-25 11:56:01

nl6720
Wiki Admin
Registered: 2016-07-02
Posts: 188

Re: [SOLVED] Preloader concerns

Head_on_a_Stick wrote:

usr/share/refind/keys/refind.cer

That is Rod Smith's certificate with which he signs his published EFI binaries.
If makosmos is using the refind-efi package then that certificate will not be needed.

All the needed instructions for rEFInd with shim with keys are in https://wiki.archlinux.org/index.php/RE … _Owner_Key . It's all fairly simple.

Last edited by nl6720 (2020-01-25 11:57:13)

Offline

#14 2020-01-25 17:54:30

makosmos
Member
Registered: 2019-12-25
Posts: 11

Re: [SOLVED] Preloader concerns

Indeed nl6720, it wasn't that hard.
To get it working, I just had to follow the steps described on https://wiki.archlinux.org/index.php/RE … _Owner_Key:
-install refind-efi, sbsigntools and shim-signed (aur)
-run  refind-install --shim /usr/share/shim-signed/shimx64.efi --localkeys
-run sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux
-create a pacman hook
-And then boot up my computer, execute the MokManager utility avaible on rEFInd menu in order to certificate vmllinuz-linux using the certificate available at /EFI/refind/keys/refind_local.cer

The issue is now fixed since I can now boot on Arch with "Secure Boot" enable (the secure boot is set on "Windows & 3rd party").
There is still a problem but it's because of Bitlocker who encrypts Windows's partition because the "Secure Boot" isn't set to "Windows only"...
The only way to boot Windows is to set "Secure Boot" on "Windows only" wich makes Arch Linux unbootable.
It's very annoying and the only way I see to get around this problem is to definitively disable BitLocker.

Thanks a Lot to all of you for your answers !

Offline

Board footer

Powered by FluxBB