DEV Community

Hollow Man

A solution to rEFInd unable to load using shim when Secure Boot is enabled

Background

Ubuntu 21.10 can load on my computer through Secure Boot, and the shim version is 15.4. Then, following the official tutorial, I installed rEFInd v0.13.2 (the latest version when I posted this blog) via PPA in Ubuntu 21.10. However, when I restart the system and load rEFInd, it always fails with the message "Verification failed: (0x1A) Security Violation". I'm sure that both refind_local.cer and refind.cer under EFI/refind/keys/ have been enrolled through MokManager (although only refind_local.cer is needed for a PPA installation).

Cause

From this post, I learned that rEFInd currently (v0.13.2) lacks the .sbat section. For shim 15.3 and later versions, SBAT is mandatory, so rEFInd fails to start.

The post also indicates that the author of rEFInd is currently studying how to solve the related problems. I hope the later versions can fix this issue.

Solution

To conclude, you need to use shim 15 to solve this problem. To do so, perform the following steps (applicable to amd64; the steps are similar on other architectures):

  1. Obtain MokManager and the shim EFI file signed by Microsoft from Ubuntu Launchpad. To do this, download shim_15+1552672080.a4a1fbe-0ubuntu2_amd64.deb and shim-signed_1.45+15+1552672080.a4a1fbe-0ubuntu2_amd64.deb.
  2. Unpack the downloaded shim_15+1552672080.a4a1fbe-0ubuntu2_amd64.deb and take out the mmx64.efi file. (data.tar.xz -> . -> usr/lib/shim/mmx64.efi)
  3. Unpack the downloaded shim-signed_1.45+15+1552672080.a4a1fbe-0ubuntu2_amd64.deb and take out the shimx64.efi.dualsigned file. (data.tar.xz -> . -> usr/lib/shim/shimx64.efi.dualsigned) Rename it to shimx64.efi.
  4. Download refind-bin-0.13.2.zip. Then create a new folder, and put the two extracted files together with the downloaded zip file into the new folder.
  5. Open a terminal in the aforementioned folder, then execute the following commands:
unzip refind-bin-0.13.2.zip
cd refind-bin-0.13.2
sudo ./refind-install --shim ../shimx64.efi

If you encounter any confirmation during the installation process, just enter y to confirm.

  6. After restarting, if it prompts Verification failed, refer to step 9 of the official tutorial. Select Enroll key from disk, and then select the ESP disk where you installed rEFInd. Finally, choose the file at path EFI/refind/keys/refind.cer to import.
  7. If you use a non-Ubuntu Linux system on your computer, continue by importing the .cer files corresponding to your distribution from EFI/refind/keys in the same way. Failure to do so may leave your Linux distribution unable to boot via rEFInd.

Oldest comments (1)

Tsao ST

I am so glad I found your blog because I just could not get rEFInd to work with secure boot despite the fact that I followed R. W. Smith's guide to the letter. With your suggestion I made progress in that the initial 0x1A error is gone, but rEFInd still does not load.

I finally found the last piece of the puzzle from this posting:
forum.manjaro.org/t/howto-enable-s...
So I replaced the shimx64.efi you suggested with a 15.2 shimx64.efi downloaded from: koji.fedoraproject.org/koji/buildi...

I was able to repeat the procedure by basically following Smith's guide using the shimx64 and mmx64 from Ubuntu 20, booting and setting up MOK, and finally replacing the shimx64.efi with the 15.2 version from Fedora.