PopOS 20.04 - w/ Secure Boot and rEFInd
My goal was to have PopOS installed on an external hard drive so I can experiment with the OS.
I've got a company laptop that runs Windows 10 and has Secure Boot enabled. Bitlocker is also enabled. It's company policy to have Bitlocker and Secure Boot enabled, so it's not an option to turn them off.
So I thought, I'd buy an NVMe drive, a USB-C caddy, install PopOS and off to the races. Apparently it's not that straightforward.
Here's what I've done to get it working.
1. Disable Secure Boot. On a Dell Laptop, turn the laptop on and press F2. Then go to Settings > Secure Boot. Select Disabled and click on Apply and then Exit.
2. Assuming that you have a bootable USB stick with PopOS, boot from it and install PopOS. I've installed PopOS on the external drive.
3. Install rEFInd.
sudo add-apt-repository ppa:rodsmith/refind
sudo apt-get update
4. Install shim and shim-signed and prevent them from updating. Do not install the latest version, as you might not be able to enroll your keys. Bug: https://github.com/rhboot/shim/issues/143
wget http://archive.ubuntu.com/ubuntu/pool/main/s/shim/shim_13-0ubuntu2_amd64.deb
sudo apt-get install -f ./shim_13-0ubuntu2_amd64.deb
sudo apt-mark hold shim=13-0ubuntu2
wget http://archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_1.34.9+13-0ubuntu2_amd64.deb
sudo apt-get install -f ./shim-signed_1.34.9+13-0ubuntu2_amd64.deb
sudo apt-mark hold shim-signed=1.34.9+13-0ubuntu2
5. Run the rEFInd script and use the ubuntu signed shim file.
sudo refind-install --shim /usr/lib/shim/shimx64.efi.signed --localkeys
rEFInd will generate local signed keys and re-sign the rEFInd binaries with your own key too. rEFInd will store the .key file in /etc/refind.d/keys (you will need that later).
6. Copy the PopOS certificate to the EFI
sudo cp /var/lib/shim-signed/mok/MOK.der /boot/efi/EFI/refind/keys/popos.der
7. Sign the bootloader and kernel. If the commands below don't work with sudo, sudo su - and run them as root.
cd /boot/efi/EFI/systemd/
sbsign --key /etc/refind.d/keys/refind_local.key --cert ../refind/keys/refind_local.crt --output systemd-bootx64-signed.efi systemd-bootx64.efi
sbsign --key /etc/refind.d/keys/refind_local.key --cert ../refind/keys/refind_local.crt --output <Your PopOS directory>/vmlinuz-signed.efi vmlinuz.efi
mv vmlinuz.efi vmlinuz.efi.old
mv vmlinuz-signed.efi vmlinuz.efi
8. Reboot and enable Secure Boot.
9. Enroll your keys.
Once you boot again, you'll see the MokManager program. Each of the long strings represents a disk partition. Select the partition where you have stored your keys.
Enroll refind_local.cer which is in /boot/efi/EFI/refind/keys and then enroll popos.der which is in the same directory.
Finally, select continue boot.
10. You should now see rEFInd's interface. You can verify that you have booted into rEFInd Secure Boot mode by going to About. Select the kernel you have signed before and click enter.
BOOM! There you have it :) PopOS 20.04 with Secure Boot enabled. Reboot again, disconnect the external hard drive and you can now boot into Windows again. Bitlocker hasn't prompted me to enter a recovery key :)
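A pre-reboot check for steps 7 and 8, as an added example that is not part of the original post: it counts the Authenticode signature entries that sbsign embeds in an EFI binary's PE certificate table, so a file that was never signed (or was overwritten with an unsigned copy) is caught before Secure Boot is switched back on. It only reports that a signature is present, not that it chains to an enrolled key; the function names and the header-only sample image are constructed for illustration.

```python
import struct
import sys

PKCS_SIGNED_DATA = 0x0002  # WIN_CERTIFICATE type used for Authenticode signatures

def signature_count(image: bytes) -> int:
    """Count Authenticode entries in a PE/COFF (EFI) image; 0 means unsigned."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24  # optional header follows the 4-byte tag and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ layout
    (n_dirs,) = struct.unpack_from("<I", image, dirs - 4)
    if n_dirs < 5:
        return 0  # image has no certificate table slot
    # Directory 4 is the certificate table; its "address" is a file offset.
    pos, size = struct.unpack_from("<II", image, dirs + 4 * 8)
    end = pos + size
    if end > len(image):
        raise ValueError("certificate table runs past end of file")
    count = 0
    while pos + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8:
            raise ValueError("corrupt certificate entry")
        count += cert_type == PKCS_SIGNED_DATA
        pos += (length + 7) & ~7  # entries are padded to 8 bytes
    return count

def constructed_image(n_sigs: int) -> bytes:
    """Constructed sample: header-only PE32+ stub with n_sigs dummy entries."""
    certs = (struct.pack("<IHH", 16, 0x0200, PKCS_SIGNED_DATA) + b"\0" * 8) * n_sigs
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 32, 0x40 + 24 + 240 if n_sigs else 0, len(certs))
    return dos + coff + bytes(opt) + certs

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the .efi files signed in step 7
        with open(path, "rb") as f:
            print(path, signature_count(f.read()))
```

Run it with the paths of the signed bootloader and kernel as arguments; a count of 0 for either file means that file would be rejected once Secure Boot is enabled again.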
I believe he means the button `Enroll Keys` which is the secure boot authentication keys.
Do you have to do this before rebooting from the live USB to Pop OS?
Or can I do that at any point without reinstalling?