Hello,
I'm currently reading the documentation about the rEFInd bootloader, and especially how to boot a third-party OS using rEFInd with Secure Boot enabled.
I have the choice to either use Shim or PreLoader, which is described as easier to install.
But I'm a bit annoyed by the problem described below (rEFInd & PreLoader):
Although PreLoader is easier to set up than Shim, particularly if you need to launch programs or kernels that aren't already signed, it suffers from the problem that you must register every new program you install, including Linux kernels if you launch them directly from rEFInd. This need can be a hassle if you update your kernels frequently, and every new registration chews up a little space in your NVRAM. Nonetheless, PreLoader can be a good Secure Boot solution for many users or if you want to build a portable Linux installation that you can use on any computer with minimal fuss.
I don't know how often the Linux kernel on Arch Linux is updated, but I would not like to have to check Arch's EFI executable each time I update it.
Thanks in advance for your help.
Last edited by makosmos (2020-01-26 11:11:54)
What is your problem/issue? Do you want to know how often the kernel is updated? There is a log.
I would like to know how often I would have to do the process of checking EFI executables in order to keep Secure Boot enabled.
From the doc I read, the process has to be done each time the program is updated, but I'm not sure to what extent an Arch Linux update can involve doing the process one more time.
The log is a very clear record of the frequency of kernel updates. Arch is a rolling release: as soon as Linus marks a kernel as stable it is pushed to our repos*.
* Major version bumps generally sit in [testing] for a week first.
Thus if I use PreLoader I will have to check EFI binaries roughly once a week?
It doesn't sound reliable and convenient at all.
This makes Shim more appropriate than PreLoader then, right?
You could use a hook to automate kernel signing. Secure_Boot#Signing_the_kernel_with_a_pacman_hook
This makes Shim more appropriate than PreLoader then, right?
Yes. A hook wouldn't work with the PreLoader.
Jin, Jîyan, Azadî
Ok, I'm going to try with Shim and I'll keep you informed.
Thanks for your help.
Why wouldn't a pacman hook work for PreLoader?
Why wouldn't a pacman hook work for PreLoader?
Because a pacman hook can't enroll the hash.
Jin, Jîyan, Azadî
Hello,
I'm now close to booting in "Secure Boot" mode.
I successfully reinstalled rEFInd using the command:
refind-install --shim /path/to/shim.efi
and as planned (https://www.rodsbooks.com/refind/secureboot.html), I'm asked to select an X509 certificate to enroll when I boot my computer with "Secure Boot" on.
The issue is that I don't find the refind.cer file needed.
Does anyone know where to find this file?
Does anyone know where to find this file?
From Rod Smith's page (already linked in your post):
Copy the refind.cer file from the rEFInd package to your ESP
From the rEFInd package file list:
usr/share/refind/keys/refind.cer
Jin, Jîyan, Azadî
Does anyone know where to find this file?
pacman -Fy
pacman -Fl refind-efi
You might also be interested in the --localkeys option that is mentioned in the refind documentation.
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
usr/share/refind/keys/refind.cer
That is Rod Smith's certificate with which he signs his published EFI binaries.
If makosmos is using the refind-efi package then that certificate will not be needed.
All the needed instructions for rEFInd with shim with keys are in https://wiki.archlinux.org/index.php/RE … _Owner_Key . It's all fairly simple.
Last edited by nl6720 (2020-01-25 11:57:13)
Indeed nl6720, it wasn't that hard.
To get it working, I just had to follow the steps described on https://wiki.archlinux.org/index.php/RE … _Owner_Key:
- install refind-efi, sbsigntools and shim-signed (AUR)
- run refind-install --shim /usr/share/shim-signed/shimx64.efi --localkeys
- run sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux
- create a pacman hook
- and then boot up my computer and execute the MokManager utility available in the rEFInd menu in order to certify vmlinuz-linux using the certificate available at /EFI/refind/keys/refind_local.cer
The issue is now fixed since I can now boot Arch with "Secure Boot" enabled (Secure Boot is set to "Windows & 3rd party").
There is still a problem, but it's because of BitLocker, which encrypts the Windows partition, because "Secure Boot" isn't set to "Windows only"...
The only way to boot Windows is to set "Secure Boot" to "Windows only", which makes Arch Linux unbootable.
It's very annoying and the only way I see to get around this problem is to definitively disable BitLocker.
Thanks a lot to all of you for your answers!
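The pacman hook suggested earlier in the thread (Secure_Boot#Signing_the_kernel_with_a_pacman_hook) is the step that turns the one-off sbsign command above into something that repeats on every kernel upgrade, which was the original worry about weekly kernel updates. Below is an added example, not code from this thread or the Arch wiki, that generates such a hook and a small helper to check whether an image already carries a signature. It assumes the key and certificate paths from the sbsign command in the post above (/etc/refind.d/keys/refind_local.key and .crt), pacman's default hook directory /etc/pacman.d/hooks, and that sbsigntools is installed on the target machine; the hook file name and the linux-lts target are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread or the Arch wiki): generate a pacman hook
# that re-signs every kernel image under /boot with the rEFInd local MOK after
# each kernel install/upgrade, so the manual sbsign step is not repeated by hand.
# Assumed paths: key/cert locations follow the thread's sbsign command; the
# hook directory is pacman's default /etc/pacman.d/hooks unless overridden.

# write_refind_sign_hook HOOK_DIR KEY CRT
# Writes HOOK_DIR/99-refind-sign-kernel.hook and prints its path.
write_refind_sign_hook() {
    hook_dir=$1
    key=$2
    crt=$3
    mkdir -p "$hook_dir"
    hook="$hook_dir/99-refind-sign-kernel.hook"
    # Fires after the linux / linux-lts package is installed or upgraded, then
    # signs any vmlinuz-* under /boot that sbverify reports as unsigned.  The
    # sbverify check keeps the hook idempotent (no double-signing).
    cat > "$hook" <<EOF
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = linux
Target = linux-lts

[Action]
Description = Signing kernel with Machine Owner Key for Secure Boot (rEFInd)
When = PostTransaction
Exec = /usr/bin/find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --list {} 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key $key --cert $crt --output {} {}; fi' ;
Depends = sbsigntools
Depends = findutils
Depends = grep
EOF
    printf '%s\n' "$hook"
}

# hook_check HOOK
# Sanity-checks that a generated hook has every section pacman requires;
# prints "ok" on success, or the first missing pattern and returns 1.
hook_check() {
    hook=$1
    for needed in '^\[Trigger\]$' '^Type = Package$' '^\[Action\]$' \
                  '^When = PostTransaction$' '^Exec = ' '^Depends = sbsigntools$'; do
        grep -q "$needed" "$hook" || { printf 'missing: %s\n' "$needed"; return 1; }
    done
    printf 'ok\n'
}

# kernel_signed IMAGE
# Returns 0 if sbverify sees an Authenticode signature on IMAGE, 1 if not, and
# 2 if sbsigntools is not installed, so a caller can tell "unsigned" apart
# from "cannot check" (the hook above treats "cannot check" as unsigned,
# which is the safe direction: it only ever adds a signature).
kernel_signed() {
    command -v sbverify >/dev/null 2>&1 || return 2
    sbverify --list "$1" 2>/dev/null | grep -q "signature certificates"
}

# Usage on a real system (run as root):
#   write_refind_sign_hook /etc/pacman.d/hooks \
#       /etc/refind.d/keys/refind_local.key /etc/refind.d/keys/refind_local.crt
#   hook_check /etc/pacman.d/hooks/99-refind-sign-kernel.hook
#   kernel_signed /boot/vmlinuz-linux && echo "already signed"
```

The hook only signs images that sbverify cannot find a signature on, so re-running pacman does not stack signatures; after enrolling refind_local.cer once through MokManager, as described in the post above, every later kernel upgrade is signed with the same MOK without any further NVRAM enrollment, which is exactly why a hook works with Shim but not with PreLoader's per-binary hash registration.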