@sudo-panda
Created July 23, 2022 09:24
Instructions for enabling Secure Boot in Pop!_OS

  1. Disable Secure Boot.

  2. Assuming that you have a bootable USB stick with PopOS, boot from it and install PopOS. I've installed PopOS on the external drive.

  3. Install rEFInd.

```bash
sudo add-apt-repository ppa:rodsmith/refind
sudo apt-get update
```

  4. Install shim and shim-signed and prevent them from updating. Do not install the latest version, as you might not be able to enroll your keys. Bug: rhboot/shim#143

```bash
wget http://archive.ubuntu.com/ubuntu/pool/main/s/shim/shim_13-0ubuntu2_amd64.deb
sudo apt-get install -f ./shim_13-0ubuntu2_amd64.deb
sudo apt-mark hold shim=13-0ubuntu2

wget http://archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_1.34.9+13-0ubuntu2_amd64.deb
sudo apt-get install -f ./shim-signed_1.34.9+13-0ubuntu2_amd64.deb
sudo apt-mark hold shim-signed=1.34.9+13-0ubuntu2
```

  5. Run the rEFInd install script and point it at the Ubuntu-signed shim.

```bash
sudo refind-install --shim /usr/lib/shim/shimx64.efi.signed --localkeys
```

refind-install generates a local signing key pair and re-signs the rEFInd binaries with it. The private key is stored in /etc/refind.d/keys (you will need it later).

  6. Copy the PopOS certificate to the EFI system partition.

```bash
sudo cp /var/lib/shim-signed/mok/MOK.der /boot/efi/EFI/refind/keys/popos.der
```

  7. Sign the bootloader and kernel. If the commands below fail under sudo, switch to a root shell with `sudo su -` and run them there.

```bash
cd /boot/efi/EFI/systemd/
sbsign --key /etc/refind.d/keys/refind_local.key --cert ../refind/keys/refind_local.crt --output systemd-bootx64-signed.efi systemd-bootx64.efi

cd ../<Your PopOS directory>/
sbsign --key /etc/refind.d/keys/refind_local.key --cert ../refind/keys/refind_local.crt --output vmlinuz-signed.efi vmlinuz.efi
mv vmlinuz.efi vmlinuz.efi.old
mv vmlinuz-signed.efi vmlinuz.efi
```

  8. Reboot and enable Secure Boot.

  9. Enroll your keys.

Once you boot again, you'll see the MokManager program. Each of the long strings represents a disk partition. Select the partition where you have stored your keys.

Enroll refind_local.cer, which is in /boot/efi/EFI/refind/keys, and then enroll popos.der, which is in the same directory.

Finally, select "Continue boot".

  10. You should now see rEFInd's interface. You can verify that you have booted into rEFInd in Secure Boot mode by going to About. Select the kernel you signed earlier and press Enter.
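Rebooting with Secure Boot enabled while a binary is still unsigned leaves the machine unbootable until Secure Boot is disabled again, so it pays to confirm before step 8 that every file signed in step 7 actually carries an Authenticode signature. The script below is an added example, not part of the gist or of rEFInd/sbsigntools: it parses the PE header of each EFI binary and reports whether its Certificate Table (data directory 4) points at a PKCS#7 signed-data entry, which is what sbsign writes. It is a structural pre-check only; `sbverify --cert /etc/refind.d/keys/refind_local.crt <file>` remains the authoritative signature verification. The `build_test_pe` helper constructs a minimal fake PE32+ image so the parser can be exercised offline; the Pop!_OS kernel path in `main` is a placeholder you must replace with your own directory.

```python
"""Pre-reboot check: do the EFI binaries signed with sbsign carry a signature?

Added example (not the gist's code). Reads the Certificate Table entry of a
PE32/PE32+ image; run sbverify for the real cryptographic check.
"""
import struct
from pathlib import Path
from typing import Dict, Iterable, Tuple

# Data directory index 4 of the PE optional header is the Certificate Table.
# Unlike other directories its first field is a raw file offset, not an RVA.
CERT_TABLE_INDEX = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # type sbsign emits (PKCS#7 blob)


def certificate_table(data: bytes) -> Tuple[int, int]:
    """Return (file_offset, size) of the Certificate Table; (0, 0) if absent.

    Raises ValueError if the bytes are not a PE32/PE32+ image.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header: not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                  # skip the 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                       # PE32+ (x86-64 EFI binaries)
        dirs = opt + 112
    elif magic == 0x10B:                     # PE32
        dirs = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs <= CERT_TABLE_INDEX:
        return (0, 0)
    return struct.unpack_from("<II", data, dirs + 8 * CERT_TABLE_INDEX)


def is_signed(data: bytes) -> bool:
    """True if the Certificate Table is present, lies inside the file, and its
    first WIN_CERTIFICATE header announces PKCS#7 signed data."""
    off, size = certificate_table(data)
    if off == 0 or size < 8 or off + size > len(data):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length <= size


def check_files(paths: Iterable[str]) -> Dict[str, bool]:
    """Map each path to signed/unsigned; a missing file counts as unsigned."""
    result = {}
    for p in paths:
        path = Path(p)
        result[str(path)] = path.is_file() and is_signed(path.read_bytes())
    return result


def build_test_pe(signed: bool) -> bytes:
    """Construct a minimal PE32+ image for offline testing (not a real EFI
    binary). With signed=True a dummy WIN_CERTIFICATE header stands in for a
    real PKCS#7 blob, enough to exercise the header parsing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                       # 112 fixed bytes + 16 dirs
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    header_len = 64 + 4 + 20 + 240                             # certificate goes right after
    cert = b""
    if signed:
        cert = struct.pack("<IHH", 12, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 4
        struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    # Paths from the gist's signing step; the Pop!_OS directory is a placeholder.
    status = check_files([
        "/boot/efi/EFI/systemd/systemd-bootx64.efi",
        "/boot/efi/EFI/<Your PopOS directory>/vmlinuz.efi",
    ])
    for path, ok in status.items():
        print(f"{'signed  ' if ok else 'UNSIGNED'} {path}")
```

Run it as root (the ESP is normally only readable by root) after step 7 and before step 8; any line marked UNSIGNED means the corresponding sbsign or mv did not take effect. The same check also catches the case where the `mv` swapped the files but `vmlinuz.efi` is still the unsigned kernel, since it inspects the file that will actually be loaded rather than the file you signed.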
@v-127

v-127 commented Apr 1, 2024

Error reading file vmlinuz.efi: No such file or directory

@eggbean

eggbean commented Jun 4, 2024

Error reading file vmlinuz.efi: No such file or directory

Did you manage to do it, or just disabled Secure Boot in the end?
