Refind download

Key, or a MOK; however, because Microsoft won't sign binaries distributed under the GPLv3, I can't distribute a version of rEFInd signed with Microsoft's Secure Boot key; and as I don't have access to the private Shim keys used by any distribution, I can't distribute a rEFInd binary signed by them. (Distributions can provide rEFInd binaries signed with the their own Shim keys. This appears to be the case with the rEFInd binaries distributed with ALT Linux, according to its package description. On the other hand, Ubuntu, for one, signs their GRUB binaries but not their rEFInd binaries.) Thus, rEFInd will normally be signed by a MOK. Beginning with version 0.5.0, rEFInd binaries that I provide are signed by me. Beginning with version 0.5.1, the installation script provides an option to sign the rEFInd binary with your own key, provided the necessary support software is installed.Your boot loaders and kernels—Your OS boot loaders, and usually your Linux kernels, must be signed. They can be signed with any of the three key types. Indeed, your system may have a mix of all three types—a Windows 8 or later boot loader will most likely be signed with Microsoft's Secure Boot key, GRUB and kernels provided by most distributions will be signed with their own Shim keys, and if you use your own locally-compiled kernel or a boot loader from an unusual source you may need to sign it with a MOK. Aside from signing, these files can be installed in exactly the same way as if your computer were not using Secure Boot.If you've installed a distribution that provides Shim and can boot it with Secure Boot active, and if you then install rEFInd using the RPM file or Debian package that I provide or by running refind-install, chances are you'll end up with a working rEFInd that will start up the first time, with one caveat: You'll have to use MokManager to add rEFInd's MOK to your MOK list, as described shortly. If you don't already have a working copy of Shim on your ESP, your task is more complex. Broadly speaking, the procedure should be something like this:Boot the computer. This can be a challenge in and of itself. You may need to use a Secure Boot–enabled Linux emergency disc, temporarily disable Secure Boot, or do the work from Windows.Download rEFInd in binary form (the binary zip or CD-R image file). If you download the binary zip file, unzip it; if you get the CD-R image file, burn it to a CD-R and mount it.Download Shim from your distribution. (Don't use an early 0.1 version, though; as noted earlier, it's inadequate for use with rEFInd.)Copy the shimx64.efi and MokManager.efi (or

Location on the ESP for rEFInd to locate it. Be sure to include any support files that it needs, too.Check your refind.conf file to ensure that the showtools option is either commented out or includes mok_tool among its options.Reboot. You can try launching the boot loader you just installed, but chances are it will generate an Access Denied message. For it to work, you must launch MokManager using the tool that rEFInd presents on its second row. You can then enroll your refind_local.cer key just as you enrolled the refind.cer key.At this point you should be able to launch the binaries you've signed. Unfortunately, there can still be problems; see the upcoming section, Secure Boot Caveats, for information on them. Alternatively, you can try using PreLoader rather than Shim.Using rEFInd with PreLoaderIf you want to use Secure Boot with a distribution that doesn't come with Shim but the preceding description exhausts you, take heart: PreLoader is easier to set up and use for your situation! (Alternatively, you can use recent versions of Shim with hashes instead of with keys, in which case the PreLoader instructions apply to Shim, albeit with some user interface differences.) Unfortunately, PreLoader is still not as easy to use as not using Secure Boot at all, and it's got some drawbacks, but it may represent an acceptable middle ground. To get started, proceed as follows:Boot the computer. As with Shim, this can be a challenge; you may need to boot with Secure Boot disabled, use a Secure Boot–enabled live CD, or do the installation from Windows.Download rEFInd in binary form (the binary zip or CD-R image file). If you download the binary zip file, unzip it; if you get the CD-R image file, burn it to a CD-R and mount it.Download PreLoader from its release page or by clicking the following links. Be sure to get both the PreLoader.efi and HashTool.efi files.Copy the PreLoader.efi and HashTool.efi binaries to the directory you intend to use for rEFInd—for instance, EFI/refind on the ESP.Follow the installation instructions for rEFInd on the Installing rEFInd page; however, give rEFInd the filename loader.efi and register PreLoader.efi with the EFI by using efibootmgr in Linux or bcdedit in Windows. Be sure that rEFInd (as loader.efi), PreLoader.efi, and HashTool.efi all reside in the same directory. (If you want to use Shim with hashes, name rEFInd grubx64.efi.)Reboot. With any luck, you'll see HashTool appear with a warning message stating that it was unable to launch loader.efi and declaring that it will launch HashTool.efi. Press the Enter key to continue.HashTool should now appear. It should give you three or four options, including Enroll Hash, as shown here. Select this option You can now select the binary

More commonly today, mmx64.efi) binaries to the directory you intend to use for rEFInd—for instance, EFI/refind on the ESP.Follow the installation instructions for rEFInd on the Installing rEFInd page; however, you should normally give rEFInd the filename grubx64.efi and register shimx64.efi with the EFI by using efibootmgr in Linux or bcdedit in Windows. Be sure that rEFInd (as grubx64.efi), shimx64.efi, and MokManager.efi/mmx64.efi all reside in the same directory. If you're using Shim 0.7 or later and are installing it under Linux, you may optionally keep rEFInd's refind_x64.efi name; but you must then tell Shim to use rEFInd by passing an additional -u "shimx64.efi refind_x64.efi" option to efibootmgr. (In early 2020, I discovered that some recent Shim binaries include a bug that prevents Shim from launching anything but grubx64.efi and its other internally-coded files. I haven't yet investigated to determine exactly which Shim versions are affected by this bug, though.) Change the filenames to the actual filenames used by Shim and rEFInd, respectively.Copy the refind.cer file from the rEFInd package to your ESP, ideally to a location with few other files. (The rEFInd installation directory should work fine.)Optionally, type mokutil -i refind.cer, adding whatever directory components are needed to access refind.cer; or you can substitute your own key file if you re-sign the rEFInd binaries, as described later, in Managing Your MOKs. You will be asked to enter a password, which is for temporary use only and need not match your user or root password. This action will store the rEFInd public key to the NVRAM, enabling MokManager to access it more easily. In theory, this step obviates the previous one; but it's generally a good idea to have rEFInd's Secure Boot public key on the boot disk so that it can be re-enrolled manually, if necessary.Reboot. With any luck, you'll see a simple text-mode user interface with a label of Shim UEFI key management. This is the MokManager program, which Shim launched when rEFInd failed verification because its key is not yet enrolled. You may be prompted to press a key to begin MOK management. You have only ten seconds to do so, or the boot will continue without enrolling the MOK, and rEFInd will probably not launch. What happens when you begin MOK management depends of whether you used mokutil to install the MOK....If you did not use mokutil, then you must locate and enroll the rEFInd key file as follows: Press your down arrow key and press Enter to select Enroll key from disk; or if you used mokutil earlier, instead select Enroll MOK. The screen will clear and, if you did not use mokutil to install the key, prompt you to select a key, as shown here: