Thursday, September 17, 2015

linux - PreLoader.efi: What's wrong with my Secure Boot settings?


I installed Arch Linux with Secure Boot enabled using PreLoader. I enrolled the hash for loader.efi, containing rEFInd, and vmlinuz-linux using HashTools. The problem is that I get a message saying:



The system found unauthorized changes on the firmware, operating system or UEFI drivers. Press [N] to run the next boot device, or enter directly to BIOS Setup if there are no other boot devices installed. Go to BIOS Setup > Advanced >Boot and change the current boot device into other secured boot devices.



I always get this message twice. When I press N after the first message shows up, the rEFInd menu shows up. After I select Arch Linux and hit enter, the message shows up for the second time and I have to press N again to boot into Arch. It seems to me that the hashes are correctly enrolled, since both rEFInd and Arch are booting. I also checked the EFI boot entry, and it only contained the entries for rEFInd and Windows, so it can't be another unsigned boot loader getting in the way. Is there any way I can get rid of this message besides disabling Secure Boot? BTW, I'm using an ASUS motherboard with the latest firmware.


EDIT: I have the following files under /boot:



  • initramfs-linux.img
  • initramfs-linux-fallback.img
  • intel-ucode.img
  • refind_linux.conf
  • vmlinuz-linux
  • EFI/refind/HashTool.efi
  • EFI/refind/loader.efi
  • EFI/refind/PreLoader.efi
  • EFI/refind/refind.conf
  • EFI/refind/icons/*.png
  • EFI/refind/keys/*.cer


EDIT: output of efibootmgr -v:


BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0001,0004
Boot0000* rEFInd Boot Manager HD(1,GPT,276084db-5749-4226-8cd8-7e7d9e065af6,0x800,0x17a000)/File(\EFI\refind\PreLoader.efi)
Boot0001* Windows Boot Manager HD(1,GPT,25a79d18-794f-4b9a-851b-cc4a02315628,0x800,0x32000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}....................
Boot0004 Hard Drive BBS(HD,,0x0)AMGOAMNO........o.I.N.T.E.L. .S.S.D.S.C.2.C.T.2.4.0.A.4....................A...........................>..Gd-.;.A..MQ..L.V.C.I.K.4.2.4.8.1.0.C.A.4.2.D.0.N.G. . ......AMBOAMNO........o.P.L.E.X.T.O.R. .P.X.-.2.5.6.M.5.S....................A...........................>..Gd-.;.A..MQ..L.0.P.2.2.5.2.0.1.5.3.6.3. . . . . . . . ......AMBOAMNO........u.H.i.t.a.c.h.i. .H.D.P.7.2.5.0.5.0.G.L.A.3.6.0....................A.................................>..Gd-.;.A..MQ..L. . . . . . .E.G.5.A.1.3.E.R.G.0.9.S.A.Z......AMBOAMNO........u.I.N.T.E.L. .S.S.D.S.A.2.M.1.6.0.G.2.G.C....................A.................................>..Gd-.;.A..MQ..L.V.C.O.P.3.9.2.9.0.0.V.U.6.1.A.0.N.G. . ......AMBO

Answer



Switching to Shim did the trick.

