#1 2015-10-25 21:37:45

UEFI BunsenLabs Part 2: Secure Boot

This guide only applies to BunsenLabs systems booting with UEFI enabled.

See here for a guide to converting a non-UEFI BunsenLabs system:

Thanks to the Linux Foundation [1] it should be possible to enrol non-signed kernel images into the NVRAM of a UEFI motherboard as verified images and boot them with Secure Boot enabled.

First, download PreLoader.efi and HashTool.efi from here: … -released/

Unfortunately, Secure Boot doesn't work with GRUB at the moment so gummiboot must be used instead.

Install gummiboot:

sudo apt install gummiboot

Setup should be automagical, but multi-boot systems will require further workarounds.

Then copy the files to the EFI system partition (the system *must* be booted in UEFI mode with the ESP mounted to /boot/efi for this to work):

sudo cp PreLoader.efi /boot/efi/EFI/boot/bootx64.efi
sudo cp HashTool.efi /boot/efi/EFI/boot

Now copy the gummiboot .efi binary over and rename it to "loader.efi":

sudo cp /usr/lib/gummiboot/gummibootx64.efi /boot/efi/EFI/boot/loader.efi

You may also have to change the booting order: view this with `efibootmgr` and change the order with:

sudo efibootmgr -o xxxx,yyyy,zzzz

Replace xxxx with the boot number of the "Default .efi loader" to make that the first to load.

Reboot the system and enable Secure Boot.

When the system boots, the PreLoader should load up the HashTool -- follow this guide to use the HashTool: … -preloader

More information here: … #preloader

To revert the system to boot without the PreLoader, copy the gummiboot .efi loader back to the default location:

sudo cp /usr/lib/gummiboot/gummibootx64.efi /boot/efi/EFI/boot/bootx64.efi

[1] … pen-source

“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.
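
An added pre-reboot check, not part of the original post: it verifies that the ESP matches the layout described in the steps above and reports the firmware's Secure Boot state. The function names, the `--check` argument and the overridable environment variables are assumptions of this example.

```shell
#!/bin/sh
# Pre-reboot check for the PreLoader/gummiboot layout described in the post.
# Paths default to the ones used in the guide; function names are hypothetical.

ESP_BOOT="${ESP_BOOT:-/boot/efi/EFI/boot}"
GUMMIBOOT="${GUMMIBOOT:-/usr/lib/gummiboot/gummibootx64.efi}"
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
# SecureBoot variable under the EFI global-variable GUID.
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print enabled / disabled / unknown. efivarfs files start with a 4-byte
# attribute header; the fifth byte is the value (1 = enabled).
secure_boot_state() {
    f="$1/$SB_VAR"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Return 0 only if the ESP directory matches the layout in the guide.
check_layout() {
    esp="$1"; gummi="$2"; rc=0
    for f in bootx64.efi HashTool.efi loader.efi; do
        [ -s "$esp/$f" ] || { echo "missing or empty: $esp/$f" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    # loader.efi must be the gummiboot binary that PreLoader chain-loads.
    cmp -s "$esp/loader.efi" "$gummi" || { echo "loader.efi is not $gummi" >&2; rc=1; }
    # bootx64.efi must be PreLoader, i.e. no longer the gummiboot binary.
    if cmp -s "$esp/bootx64.efi" "$gummi"; then
        echo "bootx64.efi is still gummiboot, not PreLoader" >&2; rc=1
    fi
    return "$rc"
}

# Only touch the real system when asked to: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    [ -d /sys/firmware/efi ] || { echo "not booted in UEFI mode" >&2; exit 1; }
    echo "Secure Boot: $(secure_boot_state "$EFIVARS")"
    check_layout "$ESP_BOOT" "$GUMMIBOOT" && echo "layout OK"
fi
```

Run it with `--check` after copying the files and before rebooting; at that point Secure Boot is expected to report as disabled, since the guide enables it only after the reboot.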
