Secure Boot with rEFInd

rEFInd is an awesome boot manager. It can find and launch pretty much anything: Windows, Linux kernels, and other EFI applications.

With Windows 11 requiring Secure Boot and a TPM, keeping Secure Boot enabled is the convenient option, and that means any other boot loader you use must comply with it as well: the firmware will only run an EFI binary that is signed with a key it trusts.

The good news is that on motherboards that let you manage your own Secure Boot keys there is no need to faff around with Shim and MOK. Shim is a Microsoft-signed first-stage loader, and the MOK (Machine Owner Key) list is the extra key database it consults before launching the next stage; together they chain trust from Microsoft's certificate to a loader Microsoft never signed. Enrolling rEFInd's certificate directly in the firmware's db makes that chain unnecessary. These manual instructions ONLY work for boards that expose key management, commonly DIY or system integrator (SI) builds. For other motherboards (OEM computers) you will need to read the current documentation for that model; given the nature of OEM firmware (keys often cannot be managed manually), this may prove difficult and/or require a Linux install.

In this example I am using my ASUS ROG Crosshair VII Hero, an AMD X470 board. On ASUS Intel motherboards, like a Z490, the steps are the same.

  • Download rEFInd (the binary zip) and Explorer++.
  • Start PowerShell/Terminal as admin.
  • Use the diskpart utility to locate and mount your EFI System Partition (ESP).
  • Start Explorer++ in admin mode to modify the contents of the ESP.
    • File Explorer will not work by default. This is a Windows security feature; I suggest you do not attempt to modify permissions to get around this limitation.
  • Copy refind_x64.efi, refind.conf-sample and the icons folder (from the refind folder of the zip) plus refind.cer (from the keys folder of the zip) to EFI\Boot.
  • Delete BOOTX64.efi and rename refind_x64.efi to BOOTX64.efi.
    • Yes, you want to replace the existing BOOTX64.efi file. It is only the fallback loader the firmware runs when no specific boot entry is selected; the Windows boot manager itself lives at EFI\Microsoft\Boot\bootmgfw.efi and is left alone, so rEFInd will find and list it.
  • Rename refind.conf-sample to refind.conf.
    • Read over this file to customise what you want rEFInd to do.
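The file staging above, as an added example that is not part of the gist: one elevated PowerShell script that mounts the ESP, backs up the original fallback loader, copies the rEFInd files into place, and then checks that the binary it just installed is actually signed with the key in refind.cer before you go and enrol that key in the firmware. It assumes the rEFInd binary zip was extracted to the hypothetical folder C:\Temp\refind-bin (with refind_x64.efi in its refind\ subfolder and refind.cer in its keys\ subfolder) and that S: is a free drive letter; `mountvol /S` stands in for the interactive diskpart step and Explorer++ is not needed.

```powershell
# Added example (not part of the gist): stage rEFInd on the EFI System Partition from an
# elevated PowerShell session. Assumes the rEFInd binary zip was extracted to the
# hypothetical folder C:\Temp\refind-bin (refind_x64.efi under refind\, refind.cer under
# keys\) and that S: is a free drive letter.
$ErrorActionPreference = 'Stop'
$RefindDir = 'C:\Temp\refind-bin'   # hypothetical extraction folder
$Esp       = 'S:'                   # hypothetical free drive letter

# mountvol /S mounts the EFI System Partition; this stands in for the interactive diskpart step.
mountvol $Esp /S
if ($LASTEXITCODE -ne 0) { throw "Could not mount the ESP on $Esp" }
try {
    $Boot     = Join-Path $Esp 'EFI\Boot'
    $Fallback = Join-Path $Boot 'BOOTX64.efi'

    # Keep a copy of the original fallback loader so the change can be reversed.
    if (Test-Path $Fallback) { Copy-Item $Fallback "$Fallback.bak" -Force }

    # The same files the list above names; refind_x64.efi is copied straight to BOOTX64.efi.
    Copy-Item (Join-Path $RefindDir 'refind\refind_x64.efi')     $Fallback -Force
    Copy-Item (Join-Path $RefindDir 'refind\refind.conf-sample') (Join-Path $Boot 'refind.conf') -Force
    Copy-Item (Join-Path $RefindDir 'refind\icons')              $Boot -Recurse -Force
    Copy-Item (Join-Path $RefindDir 'keys\refind.cer')           (Join-Path $Boot 'refind.cer') -Force

    # Sanity check before enrolling anything in the firmware: the binary just installed must
    # carry an Authenticode signature made with the key in refind.cer. Windows does not trust
    # that key, so $sig.Status will not be 'Valid'; compare the signer thumbprint instead.
    $sig = Get-AuthenticodeSignature $Fallback
    $cer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Join-Path $Boot 'refind.cer'))
    if (-not $sig.SignerCertificate) { throw 'BOOTX64.efi is not signed at all' }
    if ($sig.SignerCertificate.Thumbprint -ne $cer.Thumbprint) {
        throw 'BOOTX64.efi is not signed by the certificate in refind.cer; do not enrol this key'
    }
    "rEFInd staged in $Boot, signed by $($cer.Subject)"
}
finally {
    mountvol $Esp /D   # unmount the ESP again
}
```

The thumbprint comparison is the part worth keeping even if you do the copying by hand: the firmware will trust whatever certificate you append to db, so confirm that the certificate you are about to append is the one that actually signed the binary you just made the fallback loader.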

Once you are satisfied with the customisations, you need to reboot into your firmware setup. You can hold the SHIFT key while clicking Restart and then choose Troubleshoot > Advanced options > UEFI Firmware Settings to get there without having to spam a key at power-on.

Select the Boot tab.

(Screenshot: Boot tab)

The two sub-options you need here are CSM and Secure Boot.

Disable CSM

(Screenshot: CSM set to Disabled)

This will prevent legacy BIOS based tools and boot loaders from working. This is intended: Secure Boot only verifies UEFI images, so a legacy boot path would bypass it entirely.

Enable Secure Boot.

(Screenshot: Secure Boot menu)

If you have not already enabled Secure Boot, the state shown above "OS Type" will read "Setup": the firmware is in setup mode because no Platform Key has been enrolled yet. Set "OS Type" to the Windows UEFI option. The other choice, "Other OS", is what a disabled Secure Boot actually is on this firmware: it allows any boot loader or shell executable to run, signed or unsigned.

Select Key Management

(Screenshot: Key Management entry)

Key Management

(Screenshot: Key Management with no keys installed)

If you have never enabled Secure Boot, you will have no keys installed. All modern UEFI firmware ships with Microsoft's certificates as defaults, and some ship with extras for Linux distributions like Ubuntu. You need to install the default keys: this enrolls the board's default PK, KEK, db and dbx and takes the firmware out of setup mode.

(Screenshot: prompt to install the default keys)

Adding rEFInd

(Screenshot: DB Management)

"DB Management" is where you add additional keys manually.

(Screenshot: Append Key)

You want to "Append key" to add it.

(Screenshot: prompt to load the default db)

You will be prompted to load the default key db. Say no: the defaults were already enrolled when you installed the complete Secure Boot configuration in the previous step, and here you want to append to that db, not reset it.

(Screenshot: locating the key on the ESP)

This is where it looks nuts. Your OS makes it very easy to navigate drives and their partitions; in your firmware that luxury is removed, and you are navigating storage as the computer (and, underneath, your OS) sees it, by UEFI device path (starting from the ACPI/PCI root, then the controller and port, then the partition) rather than by drive letter. If you have a lot of partitions and drives and have no idea where the EFI partition is, just try each one until you find the one that contains EFI\Boot. In my case I know where mine is and have it highlighted in the screenshot.

(Screenshot: refind.cer selected)

Once the refind.cer file is located, select it and choose "Public Key Certificate."

(Screenshot: confirmation prompt)

Confirm installing the key.

(Screenshot: key installed successfully)

You're done!

(Screenshot: db shown as Mixed)

Your Secure Boot key db will now say "Mixed" because it holds the board's default entries plus the one you added.

Your motherboard will now boot rEFInd securely: the firmware verifies the rEFInd binary against the certificate you enrolled, and when rEFInd chains to the Windows boot manager that image is still checked against the Microsoft certificates already in db. This adds a few extra seconds to boot time. Don't forget to set the default boot device to "UEFI OS" in your Boot tab; this is what the fallback loader (now rEFInd) is labelled as.
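Checking the result from Windows after the reboot, as an added example that is not part of the gist: an elevated PowerShell script that confirms Secure Boot is enforcing, walks the raw db variable (a sequence of EFI_SIGNATURE_LIST structures) to list every X.509 certificate the firmware trusts, and checks that the rEFInd certificate is one of them. It assumes refind.cer is still available at the hypothetical path C:\Temp\refind-bin\keys\refind.cer; the EFI_CERT_X509_GUID value and the signature-list layout are those from the UEFI specification.

```powershell
# Added example (not part of the gist): verify the enrolment from an elevated PowerShell
# session after the reboot. Assumes refind.cer is at the hypothetical path below.
$ErrorActionPreference = 'Stop'
$RefindCerPath = 'C:\Temp\refind-bin\keys\refind.cer'   # hypothetical path

if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled' }

# db is a UEFI variable made of one or more EFI_SIGNATURE_LIST structures:
#   SignatureType GUID (16) | SignatureListSize (u32) | SignatureHeaderSize (u32)
#   | SignatureSize (u32) | optional header | entries
# Each entry is a SignatureOwner GUID (16) followed by (SignatureSize - 16) bytes of data;
# for EFI_CERT_X509_GUID lists that data is one DER-encoded certificate.
function Get-DbCertificates {
    $EfiCertX509 = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    [byte[]]$db = (Get-SecureBootUEFI -Name db).Bytes
    $certs = @()
    $pos = 0
    while ($pos -lt $db.Length) {
        $type     = [guid]::new([byte[]]$db[$pos..($pos + 15)])
        $listSize = [int][BitConverter]::ToUInt32($db, $pos + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($db, $pos + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($db, $pos + 24)
        $entry    = $pos + 28 + $hdrSize
        $listEnd  = $pos + $listSize
        while ($entry -lt $listEnd) {
            if ($type -eq $EfiCertX509) {
                # Skip the 16-byte owner GUID; the remainder is the certificate itself.
                [byte[]]$der = $db[($entry + 16)..($entry + $sigSize - 1)]
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
            # Lists of other types (for example SHA-256 hash entries) are stepped over.
            $entry += $sigSize
        }
        $pos = $listEnd
    }
    return $certs
}

$dbCerts = Get-DbCertificates
$dbCerts | Format-Table Subject, Thumbprint -AutoSize

# The firmware stored the exact DER bytes from refind.cer, so the thumbprints must match.
$refind = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RefindCerPath)
if ($dbCerts.Thumbprint -contains $refind.Thumbprint) {
    "rEFInd certificate is enrolled in db: $($refind.Subject)"
} else {
    throw 'rEFInd certificate was not found in db'
}
```

The same parser can be pointed at KEK or dbx by changing the `-Name` argument, which is a quick way to see exactly which certificates a "Mixed" db contains beyond the Microsoft defaults.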
