[RESPONDED] rEFInd bootloader + secure boot - anyone got it to work?

I’ve got a Framework 13, recently updated to AMD, and I’m trying to get rEFInd working with secure boot. I tried before with an 11th gen Intel board, but I’m getting exactly the same results.

I’m running Fedora, and using its refind package, installing with the refind-install command. I’m using the guide at The rEFInd Boot Manager: Managing Secure Boot :

  • refind-install --shim /boot/efi/EFI/fedora/shimx64.efi --localkeys
  • mokutil -i /boot/efi/EFI/refind/keys/refind_local.cer

This goes through the mok registration on reboot, and it all looks good. But when it actually tries to start the bootloader it gets a security exception and falls back to grub.

Is there something I’m missing? How can I debug this?

I’ve gone through the same process on my desktop machine and it all works as expected, so I’m not sure what’s different.

Hi @Jeremy_Fitzhardinge, the link seems to 404

and is this with Fedora 39?

What’s the reason for running rEFInd? Are the stock bootloaders not working for you? I’ve only used rEFInd on Macs in the past, as it was constantly broken on other devices, but YMMV.

@Loell_Framework: Oops, fixed. Trailing : got attached. Yes, Fedora 39.

@Alex_S: I use it on all my other machines. It’s not essential, but it’s worked well for me and it’s a bit easier to set up for things like extra memtest86 boot targets. And it’s a bit prettier. Not essential, but I just thought I’d try to make it work again, and perhaps learn something in the process.


I solved this, here’s what I did that seemed to fix it:

  1. Install refind with

refind-install

  2. Boot with Secure Boot
  3. Install refind again with

refind-install --shim /boot/efi/EFI/refind/shim.whatever (point to the shim inside of the refind installation) --localkeys

  4. Register refind.cer and refind_local.cer in /boot/efi/EFI/refind/keys/ when you reboot and it blows up in your face

I have no idea if this is the right solution
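
For the "How can I debug this?" question, one check worth running after the MOK registration step is whether the certificates in rEFInd's keys directory are actually in the enrolled MOK list. The script below is an added example, not something posted in this thread; the function names are hypothetical, and it assumes the `.cer` files are DER-encoded and that `mokutil --list-enrolled` prints a `SHA1 Fingerprint:` line for each key.

```shell
#!/bin/sh
# Added example (not from the thread): are rEFInd's certificates enrolled as MOKs?
# Assumption: `mokutil --list-enrolled` prints "SHA1 Fingerprint: aa:bb:..." per key.

# Reduce a fingerprint line to bare lowercase hex (drops label, colons, spaces).
norm_fp() {
    sed -e 's/^.*[Ff]ingerprint[:=] *//' | tr -d ': \r' | tr 'A-F' 'a-f'
}

# stdin: text of `mokutil --list-enrolled`; stdout: one normalised fingerprint per line.
enrolled_fps() {
    grep -i 'SHA1 Fingerprint' | norm_fp
}

# $1: certificate file, assumed DER (the .cer files in rEFInd's keys directory).
cert_fp() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | norm_fp
}

# $1: fingerprint (any case, with or without colons); $2: file holding a saved listing.
is_enrolled() {
    want=$(printf '%s\n' "$1" | norm_fp)
    enrolled_fps < "$2" | grep -qx "$want"
}

# $1: keys directory, e.g. /boot/efi/EFI/refind/keys
check_refind_keys() {
    listing=$(mktemp) || return 1
    mokutil --sb-state                      # reports whether Secure Boot is enabled
    mokutil --list-enrolled > "$listing"
    rc=0
    for cer in "$1"/*.cer; do
        [ -e "$cer" ] || continue
        if is_enrolled "$(cert_fp "$cer")" "$listing"; then
            echo "enrolled:     $cer"
        else
            echo "NOT enrolled: $cer"; rc=1
        fi
    done
    rm -f "$listing"
    return "$rc"
}

# Only touches the system when a keys directory is passed on the command line.
if [ "$#" -gt 0 ]; then check_refind_keys "$1"; fi
```

A certificate reported as not enrolled means the binary signed with it will be rejected by shim, which matches the security exception and fallback to grub described in the first post.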