Set Up rEFInd Secure Boot Manager from Ubuntu 16.04

You can follow these instructions to set up multi-boot after installing Ubuntu on your Secure Boot machine from a USB stick.

Overview of Components to Set Up

Using EFI Secure Boot for booting (multiple) OS images requires that a binary image be signed with a trusted key before it can be booted. It involves:
  • EFI System Partition (ESP): The Extensible Firmware Interface partition stores all the binary boot images loaded by the BIOS and the Boot Manager (rEFInd in our case). It is a FAT partition marked with a special partition type ID and flags.
  • shim (signed by developers): This is the binary that will be loaded by the BIOS. It will validate the cryptographic signature of the rEFInd binary and launch it. It will also enroll new certificates you create for signing binary images you want to boot, such as kernels you compile.
  • Machine Owner Key (MOK): The new private key and certificate pair that you will use to designate which kernel images are allowed to be booted. Keep the private key secret, and use it to sign images that you trust. Give the corresponding certificate to shim, so it can verify that an image is trusted before it is booted.
  • rEFInd (signed by your new private Machine Owner Key): This is the binary that scans your EFI partition for bootable images (such as GRUB and Windows booters) and shows them in a GUI at boot-up.
  • EFI Boot Manager NVRAM table: An area of non-volatile random access memory (NVRAM) storing variables that configure how the BIOS boots images from the EFI partition. It includes a list of paths to files on the EFI partition containing boot images, and the boot order in which they are tried.

Mount Your EFI System Partition (ESP)

Identify your EFI System Partition (ESP) and mount it, so you can read and write files on it. If you are running Windows with 'Fast startup' and also booting into other operating systems, you may want to disable 'Fast startup': it can leave file systems unflushed to disk when you boot into another OS, which leads to file system corruption.

After you do that, as a precaution, check your ESP for errors before writing to it from Linux. Run 'cmd' as Administrator on Windows, then run:

Windows> mountvol /S S:
Windows> chkdsk S:

Reboot to Ubuntu (use the installation USB stick).

Ubuntu$ sudo apt-add-repository ppa:rodsmith/refind
Ubuntu$ sudo apt-get update
Ubuntu$ sudo apt-get install refind shim-signed mokutil efibootmgr sbsigntool


During the configuration of the refind package, you'll be asked if you want to automatically install rEFInd to your ESP. That may work in many common configurations. The default script will generate a private Machine Owner Key (MOK) and certificate, but has the disadvantage of not prompting you to encrypt the private key before storing it at </etc/refind.d/keys/refind_local.key>. (I submitted a pull request adding that feature, but, at least in the meantime, you may be better off with the manual setup.)

Create a MOK Key Pair
Ubuntu$ sudo su -
Ubuntu# cd /etc/refind.d/keys
# Remove any keys that may have been generated during installation:
Ubuntu# rm -f refind_local.{key,crt,cer}
# Generate new MOK, supply a passphrase to encrypt your private key:
Ubuntu# openssl req -new -x509 -newkey rsa:2048 -keyout refind_local.key -out refind_local.crt -days 3650 -subj "/CN=Locally-generated rEFInd key/"
Ubuntu# openssl x509 -in refind_local.crt -out refind_local.cer -outform DER

Ubuntu# chmod 0600 refind_local.key
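Before enrolling the certificate or copying anything to the ESP, the following added check (not part of the original post) verifies the files created above: the private key is passphrase-protected, it is readable only by its owner, the DER .cer is the same certificate as the PEM .crt, and the certificate has not expired. It assumes the file names used above and a GNU or BSD `stat`.

```shell
#!/bin/sh
# Added example: sanity-check the MOK files before they are enrolled or copied.
# Usage: sh check_mok.sh /etc/refind.d/keys   (assumes the file names used above)

# check_mok_files DIR -> returns 0 if every check passes, 1 otherwise (failures are printed)
check_mok_files() {
    dir="$1"; fail=0
    key="$dir/refind_local.key"; crt="$dir/refind_local.crt"; cer="$dir/refind_local.cer"
    for f in "$key" "$crt" "$cer"; do
        [ -f "$f" ] || { echo "missing: $f"; fail=1; }
    done
    [ "$fail" -eq 0 ] || return 1
    # 1. The private key must be encrypted (both the legacy "Proc-Type: 4,ENCRYPTED"
    #    header and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" marker contain this word).
    if ! grep -q 'ENCRYPTED' "$key"; then
        echo "private key is not passphrase-protected: $key"; fail=1
    fi
    # 2. Only the owner (root) should be able to read the private key.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in 600|400) ;; *) echo "key mode is $mode, expected 0600"; fail=1 ;; esac
    # 3. shim enrolls the DER file, so it must be the same certificate as the PEM file.
    if ! openssl x509 -in "$crt" -outform DER | cmp -s - "$cer"; then
        echo "refind_local.cer does not match refind_local.crt"; fail=1
    fi
    # 4. The certificate must be valid right now, or signed images will be rejected.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "certificate is expired: $crt"; fail=1
    fi
    return "$fail"
}

# Run the check when a directory is given on the command line.
case "${1:-}" in "") ;; *) check_mok_files "$1" ;; esac
```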

Copy shim and rEFInd Boot Images to the ESP

Ubuntu$ sudo su -
Ubuntu# cd /boot/efi # or wherever your ESP is mounted
Ubuntu# cd EFI
# Some BIOSes don't honor the boot order, and boot image
# paths in the EFI NVRAM, and always boot
# <\EFI\Boot\bootx64.efi>, or <\EFI\Microsoft\Boot\bootmgfw.efi>.
# In that case you'll have to put shim and rEFInd into
# \EFI\Boot, or \EFI\Microsoft\Boot, and rename
# <shimx64.efi.signed> to <bootx64.efi>, or
# <bootmgfw.efi>. In our example, we use
# <\EFI\Boot\bootx64.efi>. You can use <\EFI\refind\shimx64.efi>,
# if your BIOS supports it. Also, you will need to
# replace 'x64' with 'aa64', or 'ia32' as appropriate for
# your CPU architecture.

# Keep a copy of your previous <Boot> directory:
Ubuntu# mv -i Boot Boot.bak
Ubuntu# mkdir Boot
Ubuntu# cd Boot
Ubuntu# cp -i /usr/lib/shim/shimx64.efi.signed bootx64.efi
Ubuntu# sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output grubx64.efi /usr/share/refind/refind/refind_x64.efi
Ubuntu# cp -R /usr/share/refind/refind/icons .
Ubuntu# mkdir keys
Ubuntu# cp /etc/refind.d/keys/*.{cer,der} keys/
Ubuntu# mkdir drivers_x64
# Repeat for each driver you want to copy, ext4 may be enough:
Ubuntu# sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output drivers_x64/ext4_x64.efi /usr/share/refind/refind/drivers_x64/ext4_x64.efi
Ubuntu# cp -i /usr/share/refind/refind/refind.conf-sample refind.conf

Enroll Your New MOK Certificate

Ubuntu$ sudo su -
Ubuntu# mokutil --import /etc/refind.d/keys/refind_local.cer

Enrolling a certificate for shim to trust requires a password. If you haven't set up a password with mokutil before, you'll be asked to set one up.

After running `mokutil --import`, the new certificate is queued for enrollment. On the next reboot, when shim starts, it will offer to show you the queued certificate and ask for the password you set above before enrolling it.

Set the shim Boot Image as First in the Boot Order

View registered boot images, and boot order:

# Omit -v for less verbose output:
Ubuntu$ sudo efibootmgr -v

If you see entries that list the path to where you installed shim (<\EFI\Boot\bootx64.efi> in our example), remove them. The entries are identified by the number between 'Boot' and the '*' in the output from `efibootmgr -v` (e.g. '1' for 'Boot0001*'). To remove an entry run:

# Remove entry Boot0001*:
# WARNING: This is only an example value:
Ubuntu$ sudo efibootmgr -b 1 -B

Create an entry for your newly copied shim:

# Replace with your device path, and partition number below:
Ubuntu$ sudo efibootmgr -c -d /dev/sda -p 2 -L "rEFInd Boot Manager" -l '\EFI\Boot\bootx64.efi'
Make sure the new entry is first in the boot order with `efibootmgr`, and reorder with `efibootmgr -o 1,2,3` if necessary.
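Because removing the wrong NVRAM entry is hard to undo, here is an added example (not from the original post) that parses `efibootmgr -v` output, finds the entries whose file path points at a given ESP location, and prints the `efibootmgr -b N -B` and `efibootmgr -o` commands for review instead of running them. The sample output is constructed; the tab between label and device path follows efibootmgr's format, and the comparison is case-insensitive because the ESP is FAT.

```python
import re

# Constructed sample of `efibootmgr -v` output (not captured from a real machine).
SAMPLE = (
    "BootCurrent: 0001\n"
    "Timeout: 0 seconds\n"
    "BootOrder: 0001,0000,0003\n"
    "Boot0000* Windows Boot Manager\tHD(2,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)"
    "/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)\n"
    "Boot0001* ubuntu\tHD(2,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)"
    "/File(\\EFI\\ubuntu\\shimx64.efi)\n"
    "Boot0003* UEFI OS\tHD(2,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)"
    "/File(\\EFI\\BOOT\\BOOTX64.EFI)\n"
)

# "BootNNNN* label<TAB>device path"; an inactive entry has a space instead of '*'.
ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})([* ]) (.*?)\t(.*)$")
PATH_RE = re.compile(r"/File\(([^)]*)\)")

def parse_efibootmgr(text):
    """Return (boot_order, entries); entries maps 'NNNN' -> {'active', 'label', 'path'}."""
    order, entries = [], {}
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            order = [x.strip() for x in line.split(":", 1)[1].split(",") if x.strip()]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        num, flag, label, devpath = m.groups()
        p = PATH_RE.search(devpath)
        entries[num.upper()] = {"active": flag == "*", "label": label,
                                "path": p.group(1) if p else None}
    return order, entries

def entries_for_path(entries, efi_path):
    """IDs of entries whose file path equals efi_path (FAT paths are case-insensitive)."""
    want = efi_path.lower()
    return sorted(n for n, e in entries.items() if (e["path"] or "").lower() == want)

def plan_cleanup(text, efi_path, keep=None):
    """Commands that remove every entry pointing at efi_path except `keep`, then put
    `keep` first in BootOrder. Nothing is executed; read the plan before running it."""
    order, entries = parse_efibootmgr(text)
    cmds = [f"efibootmgr -b {n} -B" for n in entries_for_path(entries, efi_path) if n != keep]
    if keep and keep in entries and (not order or order[0] != keep):
        cmds.append("efibootmgr -o " + ",".join([keep] + [n for n in order if n != keep]))
    return cmds
```

Run `plan_cleanup(open("efibootmgr.txt").read(), "\\EFI\\Boot\\bootx64.efi")` on saved `efibootmgr -v` output to list stale entries; pass `keep="NNNN"` with the number of the entry you just created to also get the reorder command.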

Reboot

Now you can reboot, and hope you won't have to restore your ESP partition, or your hard drive from the backup you made before you started trying these instructions.

Comments

  1. Replies
    1. Hopefully, not the one you wish you had when a ransomware asks you to pay 0.1 bitcoins.
