Background
Ubuntu 21.10 can load on my computer through secure boot, and the shim version is 15.4. Then refer to the official tutorial, I installed rEFInd v0.13.2 (the latest version when I posted this blog) via PPA in Ubuntu 21.10. However, when I restart the system and load rEFInd, it always fails with the message Verification failed:(0x1A)Security Violation
. I'm sure that both refind_local.cer
and refind.cer
under the EFI/refind/keys/
have been enrolled through MokManager
(Although only refind_local.cer
is needed through PPA installation).
Cause
From this post, I got that rEFInd currently (v0.13.2) lacks the .sbat
section. For shim 15.3 and later versions, SBAT is mandatory, resulting in failure to start rEFInd.
The post also indicates that the author of rEFInd is currently studying how to solve the related problems. I hope the later versions can fix this issue.
Solution
To conclude, you need to use shim 15 to solve this problem. For this purpose, you can perform the following steps (applicable to amd64. Steps are also similar if you are on other architectures):
- Obtain MokManager and the shim efi file signed by Microsoft from Ubuntu launchpad. To achieve this, download shim_15+1552672080.a4a1fbe-0ubuntu2_amd64.deb and shim-signed_1.45+15+1552672080-064ubuntub_bed64.deb.
- Unpack the downloaded shim_15+1552672080.a4a1fbe-0ubuntu2_amd64.deb and take out the
mmx64.efi
file. (data.tar.xz
->.
->usr/lib/shim/mmx64.efi
) - Unpack the download shim-signed_1.45+15+1552672080.a4a1fbe-0ubuntu2_amd64.deb, take out the
shimx64.efi.dualsigned
file. (data.tar.xz
->.
->usr/lib/shim/shimx64.efi.dualsigned
) Rename it toshimx64.efi
. - Go to download refind-bin-0.13.2.zip. Then create a new folder, and put the two files taken out together with the downloaded zip file into the new folder.
- Open terminal in the fore-mentioned folder, then execute the following commands:
unzip refind-bin-0.13.2.zip
cd refind-bin-0.13.2
sudo ./refind-install --shim ../shimx64.efi
If you encounter any confirmation during the installation process, just enter y
to confirm.
- After restarting, if it prompts
Verification failed
, refer to step 9 of the official tutorial. SelectEnroll key from disk
, and then select the ESP disk where you installed rEFInd. Finally, choose the file of pathEFI/refind/keys/refind.cer
to import. - If you use a non-Ubuntu Linux system on your computer, you can continue to import the cer files corresponding to your distributions in
EFI/refind/keys
as above. Failure to do so may cause your Linux distribution to be unable to boot via rEFInd.
Top comments (1)
I am so glad I found your blog because I just could not get rEFInd to work with secure boot despite the fact that I followed R. W. Smith's guide to the letter. With your suggestion I made progress in that the initial 0x1A error is gone, but rEFInd still does not load.
I finally found the last piece of the puzzle from this posting:
forum.manjaro.org/t/howto-enable-s...
So I replaced the shimx64.efi you suggested with a 15.2 shimx64.efi downloaded from: koji.fedoraproject.org/koji/buildi...
I was able to repeat the procedure by basically following Smith's guide using the shimx64 and mmx64 from Ubuntu 20, boot and setup MOK, and finally replace the shimx64.efi with the 15.2 version from fedora.