Can RefindPlus Work with Secure Boot?

[chevcheli0s]

Hi!
Is there any way to boot with Secure Boot enabled?
I tried to install RefindPlus with refind-install from original refind.

refind-install --shim /boot/efi/EFI/debian/shimx64.efi --localkeys

Also tried to add hash /boot/efi/EFI/refind/grub64.efi from MOK.
Always receive error "Verification failed: (0x1A) Security Violation"
With original refind all work fine.

[dakanji]

I don't use this myself but seems you basically treat it like an upstream file that needs to be self-signed.

You should be able to get it going by following the guidance here: https://www.rodsbooks.com/refind/secureboot.html#mok.

EDIT
It seems newer versions of shim wouldn't load a binary that doesn't have an sbat section even if signed.

The RefindPlus binary does not have an sbat section as hasn't been a priority: See Item #71

The preloader option on the upstream doc page might work without sbat. Don't really know as haven't really looked into this subject.

[chevcheli0s]

Thanks!
I added sbat section like described there
then signed

sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output /boot/efi/EFI/refind/grubx64.efi grubx64.efi

After rebooting and enrolling my key through MOK, ReFindPlus boot with secure boot option enabled.

[dakanji]

Great. What was the content of the CSV file?

[chevcheli0s]

Step by step guide for debian 12

objcopy way

sudo apt install wget unzip sbsigntool -y
mkdir refindplus && cd ./refindplus
wget https://sourceforge.net/projects/refind/files/0.14.2/refind_0.14.2-1_amd64.deb/download -O refind_0.14.2-1_amd64.deb
sudo dpkg -i refind_0.14.2-1_amd64.deb
wget https://github.com/dakanji/RefindPlus/releases/download/v0.14.1.AA/x64-RefindPlus_001401-AA.zip
unzip x64-RefindPlus_001401-AA.zip
sudo mv ./x64-RefindPlus_001401-AA/x64_RefindPlus_REL.efi /usr/share/refind-0.14.2/refind/refind_x64.efi
sudo mv ./x64-RefindPlus_001401-AA/OtherBinaries/Drivers/* /usr/share/refind-0.14.2/refind/drivers_x64
sudo echo "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md">refind_x64.csv
sudo echo "refind,1,Roderick W. Smith,refind,0.14.1,https://www.rodsbooks.com/refind">>refind_x64.csv
sudo echo "refind.plus,1,Dayo Akanji,RefindPlus,1.0,https://github.com/dakanji/RefindPlus">>refind_x64.csv
sudo objcopy --set-section-alignment '.sbat=512' --add-section .sbat=refind_x64.csv --adjust-section-vma .sbat+10000000 /usr/share/refind-0.14.2/refind/refind_x64.efi
sudo /usr/share/refind-0.14.2/refind-install --shim /boot/efi/EFI/debian/shimx64.efi --localkeys
sudo chown root: ./x64-RefindPlus_001401-AA/config.conf && sudo mv ./x64-RefindPlus_001401-AA/config.conf /boot/efi/EFI/refind/
sudo rm /boot/efi/EFI/refind/shimx64.efi~ && sudo rm /boot/efi/EFI/refind/mmx64.efi~ && sudo rm -rf /boot/efi/EFI/refind/icons-backup

or alternative way with python script

sudo apt install python3 python3-pip python3-venv wget unzip sbsigntool -y
mkdir refindplus && cd ./refindplus
wget https://sourceforge.net/projects/refind/files/0.14.2/refind_0.14.2-1_amd64.deb/download -O refind_0.14.2-1_amd64.deb
sudo dpkg -i refind_0.14.2-1_amd64.deb
wget https://github.com/dakanji/RefindPlus/releases/download/v0.14.1.AA/x64-RefindPlus_001401-AA.zip
unzip x64-RefindPlus_001401-AA.zip
sudo mv ./x64-RefindPlus_001401-AA/OtherBinaries/Drivers/* /usr/share/refind-0.14.2/refind/drivers_x64
sudo echo "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md">refind_x64.csv
sudo echo "refind,1,Roderick W. Smith,refind,0.14.1,https://www.rodsbooks.com/refind">>refind_x64.csv
sudo echo "refind.plus,1,Dayo Akanji,RefindPlus,1.0,https://github.com/dakanji/RefindPlus">>refind_x64.csv
python3 -m venv ~/refind-py
wget https://raw.githubusercontent.com/chenxiaolong/random-scripts/master/pe-add-sections.py
~/refind-py/bin/pip install pefile
sudo ../../refind-py/bin/python pe-add-sections.py -s .sbat refind_x64.csv -z .sbat -i ./x64-RefindPlus_001401-AA/x64_RefindPlus_REL.efi -o /usr/share/refind-0.14.2/refind/refind_x64.efi
sudo /usr/share/refind-0.14.2/refind-install --shim /boot/efi/EFI/debian/shimx64.efi --localkeys
sudo chown root: ./x64-RefindPlus_001401-AA/config.conf && sudo mv ./x64-RefindPlus_001401-AA/config.conf /boot/efi/EFI/refind/
sudo rm /boot/efi/EFI/refind/shimx64.efi~ && sudo rm /boot/efi/EFI/refind/mmx64.efi~ && sudo rm -rf /boot/efi/EFI/refind/icons-backup

Then reboot and enroll key from EFI/refind/keys/refind_local.cer if asked

Proof

[dakanji]

Nice. Thanks.

You might want to consider changing this ...

sudo echo "grubx64,1,dakanji,RefindPlus,0.14.1AA,https://github.com/dakanji/RefindPlus">>refind_x64.csv

to this ...

sudo echo "refind,1,Roderick W. Smith,refind,0.14.1,https://www.rodsbooks.com/refind">>refind_x64.csv
sudo echo "refind.plus,1,Dayo Akanji,RefindPlus,1.0,https://github.com/dakanji/RefindPlus">>refind_x64.csv

SBAT Metadata for RefindPlus:

• refind.plus: SBAT Name
  • Differentiates RefindPlus from rEFInd while maintaining the connection.
• 1: SBAT Generation
• Dayo Akanji: SBAT Vendor
• RefindPlus: SBAT Component
  • This component is RefindPlus
• 1.0: SBAT Vendor Version
  • Simplified for abstraction.
    • Does nothing and just human readable data
  • It will probably stay this way and only change if something significant happens
  • You will note that Upstream did not change the version number from 0.14.1 with the 0.14.2 release as not required
    • Could have been an oversight though
• Link to Github: Project URL

[chevcheli0s]

Are you mean to add one more line? Total 3 lines in csv like this

sudo echo "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md">refind_x64.csv
sudo echo "refind,1,Roderick W. Smith,refind,0.14.1,https://www.rodsbooks.com/refind">>refind_x64.csv
sudo echo "refind.plus,1,Dayo Akanji,RefindPlus,1.0,https://github.com/dakanji/RefindPlus">>refind_x64.csv

[dakanji]

Yes. Based on this from Upstream: https://raw.githubusercontent.com/dakanji/rEFInd/master/refind-sbat-local.csv.
Planning to distribute a similar file as from the next release and would be nice to verify

[chevcheli0s]

Done. I have edited my comment with the code.

[dakanji]

Excellent.

As you are on a roll, objcopy ABC ... XYZ --adjust-section-vma ETC is apparently prone to specification errors.

Can you try leveraging this python script, confirmed to work on OpenCore Project without issue, instead:
https://raw.githubusercontent.com/chenxiaolong/random-scripts/master/pe-add-sections.py

The calling command is apparently:
/path/to/pe-add-sections.py -s .sbat /path/to/sbat.csv -z .sbat -i /path/to/input.efi -o /path/to/output.efi
Can leave the -o bit out to amend the file in place

[chevcheli0s]

Confirm, it is work. Again edited my comment with the code.

[dakanji]

Nice. Thanks.