
I read that there is a way other than using shim and signed GRUB binaries for Secure Boot, namely the Linux Foundation's PreLoader or the Linux Foundation's Secure Boot System, but how do I use it?

moved from https://askubuntu.com/a/520351/40581

LiveWireBT

1 Answer


Comment from the author in 2024: See "Tips for TUI screenshots during early boot stages" section below if you are wondering about the ASCII art.


Setting up PreLoader

  • Find and mount your EFI system partition and back up its contents. Some files may be manufacturer specific and cannot be restored by reinstalling Windows.
    • In a working UEFI Ubuntu installation it is mounted as /boot/efi/ and at least contains a folder named EFI. From the platform perspective (your computer) this folder is \EFI\ during the boot stage. ( /media/my_efi_system_partition/EFI = \EFI\ )
  • Copy or rename whichever EFI loader you want to use to \EFI\BOOT\loader.efi. Some loaders like gummiboot need to be configured properly.
  • Copy PreLoader.efi to \EFI\BOOT\bootx64.efi and HashTool.efi to the same directory.

You can find more detailed explanations over at Rod Smith's site.

Using HashTool

If you followed the instructions carefully and have Secure Boot enabled, you should be greeted by the following screens upon next boot, which guide you through enrolling the hash of the unsigned loader that would otherwise break the chain of trust.

┌──────────────────────────────────────────────────────────────────────────────┐
│                            Failed to start loader                            │
│                                                                              │
│          It should be called loader.efi (in the current directory)           │
│                     Please enrol its hash and try again                      │
│                                                                              │
│                I will now execute HashTool for you to do this                │
│                                                                              │
│                                                                              │
│                                     ┌────┐                                   │
│                                     │ OK │                                   │
│                                     └────┘                                   │  
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Select Binary                                 │
│                                                                              │
│               The Selected Binary will have its hash Enrolled                │
│            This means it will Subsequently Boot with no prompting            │
│    Remember to make sure it is a genuine binary before Enroling its hash     │
│                                                                              │
│                                                                              │
│                           ┌─────────────────────┐                            │
│                           │ Enroll Hash         │                            │
│                           │ Reboot to UEFI Menu │                            │
│                           │ Reboot System       │                            │
│                           │ Exit                │                            │
│                           └─────────────────────┘                            │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Select Binary                                 │
│                                                                              │
│               The Selected Binary will have its hash Enrolled                │
│            This means it will Subsequently Boot with no prompting            │
│    Remember to make sure it is a genuine binary before Enroling its hash     │
│                                                                              │
│                                                                              │
│                               ┌──────────────┐                               │
│                               │ ../          │                               │
│                               │ loader.efi   │                               │
│                               │ HashTool.efi │                               │
│                               │ bootx64.efi  │                               │
│                               └──────────────┘                               │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────────────┐
│                     Enroll this hash into MOK database?                      │
│                                                                              │
│    File: \loader.efi                                                         │
│    Hash: 8D1B74227CB2EE6B23B829595B761BAA34D171337F70D44ABF542D5318BDBA08    │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                   ┌─────┐                                    │
│                                   │ No  │                                    │
│                                   │ Yes │                                    │
│                                   └─────┘                                    │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

Tips for TUI screenshots during early boot stages

I wrote this answer almost a decade ago and handcrafted ASCII art to explain and document parts for myself. These days I use inexpensive HDMI-to-USB capture cards on Linux to make screenshots from TUIs during early boot stages, and optimize these to just a few KB or eventually convert them automatically (some boring converter I have not found yet or some fancy AI tool).

This was supposed to be a short comment, but for anyone wondering about capturing:

# Install packages.
sudo apt install v4l-utils

# List available devices.
v4l2-ctl --list-devices

# Play the stream.
mpv av://v4l2:/dev/video0

# Press "s" to create screenshots.
# Configure the location and filename as needed.
# These days I set up conventions and sub-folders in my pictures folder to keep everything organized.

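Before answering "Yes" in the last HashTool dialog above, a practitioner wants to confirm that the hash on screen belongs to the binary they actually copied to \EFI\BOOT\loader.efi. HashTool (from efitools) enrols the PE/COFF Authenticode digest of the image, not the SHA-256 of the raw file, so `sha256sum loader.efi` will not match what it displays. The Python script below is an added example, not code from the answer or from the efitools project: it computes the Authenticode SHA-256 on a trusted machine so it can be compared with HashTool's display, and it also includes a constructed minimal PE32+ image plus a hypothetical `attach_fake_certificate_table()` helper to show that neither the CheckSum field nor an appended signature blob changes the digest. Run it as `python3 authenticode_sha256.py /boot/efi/EFI/BOOT/loader.efi` (the file name is this example's own).

```python
#!/usr/bin/env python3
"""Compute the PE/COFF Authenticode SHA-256 digest of an EFI binary (added example)."""
import hashlib
import struct
import sys


def authenticode_sha256(data: bytes) -> str:
    """Upper-case hex Authenticode SHA-256 of the PE image in `data`.

    Authenticode excludes the CheckSum field, the Certificate Table
    data-directory entry and the attribute certificate table (the signature
    blob at the end of the file); sections are hashed in on-disk order and
    other trailing data is included.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:        # PE32
        num_dirs = struct.unpack_from("<I", data, opt_off + 92)[0]
        dirs_off = opt_off + 96
    elif magic == 0x20B:      # PE32+ (x86_64 UEFI binaries)
        num_dirs = struct.unpack_from("<I", data, opt_off + 108)[0]
        dirs_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt_off + 60)[0]
    checksum_off = opt_off + 64

    # Data directory 4 is the Certificate Table; tiny images may lack it.
    cert_entry_off, cert_size = None, 0
    if num_dirs > 4:
        cert_entry_off = dirs_off + 4 * 8
        cert_size = struct.unpack_from("<II", data, cert_entry_off)[1]

    h = hashlib.sha256()
    h.update(data[:checksum_off])            # headers up to CheckSum
    pos = checksum_off + 4                   # skip CheckSum
    if cert_entry_off is not None:
        h.update(data[pos:cert_entry_off])   # up to the Certificate Table entry
        pos = cert_entry_off + 8             # skip that entry
    h.update(data[pos:size_of_headers])      # rest of the headers
    hashed = size_of_headers

    # Section bodies, sorted by file offset.
    sections = []
    for i in range(num_sections):
        hdr = opt_off + opt_size + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # Trailing data (overlays) is hashed, minus the signature blob at the end.
    if len(data) > hashed:
        h.update(data[hashed:len(data) - cert_size])
    return h.hexdigest().upper()


def build_test_image(section_body: bytes, checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ image with one section (test data, not bootable)."""
    size_of_headers = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack(
        "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
        0x20B, 0, 0,                        # Magic (PE32+), linker version
        len(section_body), 0, 0,            # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0x1000, 0x1000, 0,                  # AddressOfEntryPoint, BaseOfCode, ImageBase
        0x1000, 0x200,                      # SectionAlignment, FileAlignment
        0, 0, 0, 0, 0, 0, 0,                # OS/image/subsystem versions, Win32VersionValue
        0x2000, size_of_headers, checksum,  # SizeOfImage, SizeOfHeaders, CheckSum
        10, 0,                              # Subsystem (EFI application), DllCharacteristics
        0, 0, 0, 0, 0, 16)                  # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    dirs = b"\0" * (16 * 8)                 # all data directories empty (unsigned image)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_body), 0x1000,
                       len(section_body), size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + dirs + sect
    return headers.ljust(size_of_headers, b"\0") + section_body


def attach_fake_certificate_table(image: bytes, blob: bytes) -> bytes:
    """Hypothetical helper: append `blob` as a stand-in attribute certificate table
    and point the Certificate Table entry at it (PE32+ layout assumed), mimicking
    the file-layout change a real signature makes."""
    opt_off = struct.unpack_from("<I", image, 0x3C)[0] + 24
    if struct.unpack_from("<H", image, opt_off)[0] != 0x20B:
        raise ValueError("helper supports PE32+ images only")
    out = bytearray(image + blob)
    struct.pack_into("<II", out, opt_off + 112 + 4 * 8, len(image), len(blob))
    return bytes(out)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
        print("Authenticode SHA-256:", authenticode_sha256(image))
        print("Raw file SHA-256:    ", hashlib.sha256(image).hexdigest().upper())
    else:
        print(authenticode_sha256(build_test_image(b"\x90" * 64)))
```

The value printed as "Authenticode SHA-256" is the one to compare, character by character, with the Hash line in the "Enroll this hash into MOK database?" dialog; a mismatch means the file on the ESP is not the one that was hashed here, and the enrolment should be declined until the difference is understood.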