When attempting to set up Secure Boot on my desktop machine, I ran into a "Verification failed: (0x1A) Security Violation" screen when trying to load rEFInd, even though I was sure the proper keys were already enrolled in MOK Manager. The cause seems to be a missing .sbat section in rEFInd, which shim >= 15.3 requires.
This article works around the problem by installing an earlier shim that predates the SBAT requirement. Keep in mind what that trades away: SBAT is the mechanism shim 15.3 and later use to revoke boot components by generation number, so a pre-SBAT shim will load binaries a current shim would refuse, and it also lacks every fix made to shim since. If the firmware's forbidden-signature database (dbx) has been updated to revoke that older shim build, it will not load at all. The cleaner long-term fix is a rEFInd binary that carries a .sbat section together with a current shim.
Extract the MOK Manager binary (mmx64.efi) from the shim package on Ubuntu Launchpad:
mkdir shim && cd shim && curl http://launchpadlibrarian.net/469850621/shim_15+1552672080.a4a1fbe-0ubuntu2_amd64.deb --output shim_15.deb && \
ar -x shim_15.deb data.tar.xz && tar -xf data.tar.xz && mv usr/lib/shim/mmx64.efi ./
Extract the shimx64.efi binary from the shim-signed package on Ubuntu Launchpad:
curl http://launchpadlibrarian.net/502909051/shim-signed_1.45+15+1552672080.a4a1fbe-0ubuntu2_amd64.deb --output shim-signed_1.45.deb && \
ar -x shim-signed_1.45.deb data.tar.xz && tar -xf data.tar.xz && mv usr/lib/shim/shimx64.efi.dualsigned shimx64.efi
Use the refind-install script to install rEFInd together with the older shim binary; --localkeys generates a local key pair (if one does not exist yet) and signs the rEFInd binary and its drivers with it:
refind-install --usedefault /dev/sdXY --shim shimx64.efi --localkeys
where X is the device and Y is the partition number of the ESP (for example /dev/sda1).
Sign the kernel with the same keys:
sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/vmlinuz-linux-zen /boot/vmlinuz-linux-zen
Replace vmlinuz-linux-zen with the name of your kernel image.
Then, enroll the local certificate in MOK Manager the next time you boot. It can be found at ESP/EFI/BOOT/refind/keys/refind_local.cer.
NOTE: If MOK Manager fails to load on the next boot because shim cannot find it, copy mmx64.efi directly into the ESP next to the shim binary:
cp /path/to/shim/mmx64.efi ESP/EFI/BOOT/
After Secure Boot is working, clean up the files we created:
rm -rf /path/to/shim/
A kernel update will overwrite the signed image in /boot with an unsigned one, so the signing step has to be repeated on every update. pacman runs a hook from /etc/pacman.d/hooks in place of the one with the same name in /usr/share/libalpm/hooks, which is what the rest of this article relies on: the stock mkinitcpio hook and its install script are copied and edited so that the kernel is signed instead of plainly copied into /boot. You may have to create these folders if they don't exist:
mkdir /etc/pacman.d/hooks
mkdir -p /usr/local/share/libalpm/scripts
Copy these files:
cp /usr/share/libalpm/hooks/90-mkinitcpio-install.hook /etc/pacman.d/hooks/90-mkinitcpio-install.hook
cp /usr/share/libalpm/scripts/mkinitcpio-install /usr/local/share/libalpm/scripts/mkinitcpio-install
In /etc/pacman.d/hooks/90-mkinitcpio-install.hook, replace:
Exec = /usr/share/libalpm/scripts/mkinitcpio-install
with
Exec = /usr/local/share/libalpm/scripts/mkinitcpio-install
In /usr/local/share/libalpm/scripts/mkinitcpio-install, replace:
install -Dm644 "${line}" "/boot/vmlinuz-${pkgbase}"
with
sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output "/boot/vmlinuz-${pkgbase}" "${line}"
Note that the copied script no longer receives updates with the mkinitcpio package; after a mkinitcpio update, compare it against /usr/share/libalpm/scripts/mkinitcpio-install and redo the edit if the stock script changed.
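As an added example (this is not code from the original article or from the rEFInd or mkinitcpio projects), the following script automates the hook override described above and checks its own result, and it wraps the sbverify check a practitioner would run on the kernel signed in the earlier step. Paths default to the ones used in this article; the environment variables SRC_HOOK, SRC_SCRIPT, DST_HOOK, DST_SCRIPT, KEY and CERT are names chosen for this example and override them. It stops with an error if the stock mkinitcpio-install script does not contain the exact line being replaced, which is what a mkinitcpio update that changes the script looks like from here.

```bash
#!/bin/sh
# Added example, not part of the original article: automates the pacman hook
# override described above and re-checks the result, then optionally verifies
# the signature sbsign put on the kernel. Paths default to the ones the article
# uses; SRC_HOOK, SRC_SCRIPT, DST_HOOK, DST_SCRIPT, KEY and CERT (variable names
# chosen for this example) override them.
set -eu

# Copy the stock hook and install script to their override locations, pointing
# the hook at the copied script and swapping the plain kernel copy for a signed
# one. Fails loudly if the stock script no longer contains the line we patch.
install_signing_hook() {
    local src_hook src_script dst_hook dst_script key cert
    src_hook=${SRC_HOOK:-/usr/share/libalpm/hooks/90-mkinitcpio-install.hook}
    src_script=${SRC_SCRIPT:-/usr/share/libalpm/scripts/mkinitcpio-install}
    dst_hook=${DST_HOOK:-/etc/pacman.d/hooks/90-mkinitcpio-install.hook}
    dst_script=${DST_SCRIPT:-/usr/local/share/libalpm/scripts/mkinitcpio-install}
    key=${KEY:-/etc/refind.d/keys/refind_local.key}
    cert=${CERT:-/etc/refind.d/keys/refind_local.crt}

    mkdir -p "$(dirname "$dst_hook")" "$(dirname "$dst_script")"

    # The hook keeps the stock file name so pacman runs this copy instead of
    # the one in /usr/share/libalpm/hooks; only its Exec line changes.
    sed "s|^Exec = .*|Exec = $dst_script|" "$src_hook" > "$dst_hook"
    if ! grep -Fq "Exec = $dst_script" "$dst_hook"; then
        echo "no 'Exec =' line found in $src_hook" >&2
        return 1
    fi

    # ${line} and ${pkgbase} belong to mkinitcpio-install itself and must stay
    # literal, hence the single quotes. Key/cert paths must not contain | or &.
    sed 's|^\([[:space:]]*\)install -Dm644 "\${line}" "/boot/vmlinuz-\${pkgbase}"$|\1sbsign --key '"$key"' --cert '"$cert"' --output "/boot/vmlinuz-${pkgbase}" "${line}"|' \
        "$src_script" > "$dst_script"
    chmod 755 "$dst_script"
    if ! grep -Fq 'sbsign --key' "$dst_script"; then
        echo "expected install line not found in $src_script; patch it by hand" >&2
        return 1
    fi
    # The stock script is bash; make sure the patched copy still parses.
    if command -v bash >/dev/null 2>&1; then
        bash -n "$dst_script"
    fi
    return 0
}

# Check a signed kernel image against the local certificate. Returns 0 on a
# good signature, 2 if sbverify (from sbsigntools) is not installed.
verify_signed_kernel() {
    local image cert
    image=$1
    cert=${CERT:-/etc/refind.d/keys/refind_local.crt}
    if ! command -v sbverify >/dev/null 2>&1; then
        echo "sbverify not installed; skipping signature check of $image" >&2
        return 2
    fi
    sbverify --cert "$cert" "$image"
}

# Stand-alone use (needs root for the default paths):
#   sh sign-hook.sh --install /boot/vmlinuz-linux-zen
if [ "${1:-}" = "--install" ]; then
    install_signing_hook
    verify_signed_kernel "${2:-/boot/vmlinuz-linux-zen}"
fi
```

Run it again after each mkinitcpio update: if the stock script changed so that the install line no longer matches, the script refuses to produce a copy that would silently leave the kernel unsigned, and verify_signed_kernel confirms that the image currently in /boot really carries a signature from the enrolled local certificate.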