REFIND-SB-HEALTHCHECK(8) rEFInd Manual REFIND-SB-HEALTHCHECK(8)
any later version

refind-sb-healthcheck - Interactively check and update Shim and Secure Boot keys

refind-sb-healthcheck

Booting via Secure Boot relies upon a number of keys and, in most cases under Linux, the an EFI binary known as Shim (typically shimx64.efi for x86-64 computers). This Shim binary, and the keys upon which the whole process relies, can age out of usefulness. Because most distributions are not rEFInd-centric, keeping the keys and Shim binary up-to-date falls on the individual system administrator. The refind-sb-healthcheck script helps with that; it performs a number of checks, and can optionally update binaries and key files (but not public keys stored in NVRAM):

*
The script first attempts to identify the Shim binary that launched the current boot session. The script then searches the EFI System Partition (ESP) and /usr for newer Shim binaries (as identified by the files' timestamps). If any newer Shim binaries are found, the script offers to update the currently-in-use Shim with the newer binary. The MokManager program (mmx64.efi on x86-64 systems) is updated along with Shim.

*
The refind-install script generates local rEFInd keys, to be used when signing rEFInd binaries that are not signed or to override existing signatures. These keys have a 10-year lifespan by default. The refind-sb-healthcheck script checks the age of the current local rEFInd signing key and, if it's expired or within one year of expiration, offers to replace the existing key. Note that, even if the user opts to update the key, existing rEFInd binaries are not re-signed. The new key may be added to the MOK list, but if the rEFInd key was added to the Secure Boot db, updating the db is left to the user.

*
The Machine Owner Key (MOK) list is stored in NVRAM. It can contain keys for rEFInd, Linux distributions, and other keys, all of which will eventually expire. The refind-sb-healthcheck script scans the MOK and reports if there are any expired keys or keys that will expire within a year. If the user wants to update such keys, the user must track down appropriate updates and install them manually with mokutil or MokManager. Note that keeping expired keys in the MOK is not necessarily a problem, although deleting expired keys is advisable from a security point of view. Also, expired keys have probably been updated by their maintainers, so their updates should probably be installed.

*
refind-sb-healthcheck scans the Secure Boot db, KEK, and PK for expired keys much as it scans the MOK list. The issues here are similar, except that these keys cannot be easily updated by the user without first taking full control of the Secure Boot subsystem. Updates provided by Microsoft, a Linux distribution, or a computer manufacturer may, however, include updates to one or more of these key sets.

refind-sb-healthcheck is an interactive program that provides no command-line options. Instead, the program scans for the information it needs, or occasionally asks the user for input depending on the environment it discovers.

refind-sb-healthcheck is a tool to assist in maintaining a rEFInd installation that uses Secure Boot. It is not meant to completely and automatically handle all Secure Boot maintenance tasks. Some notable limitations include:

*
refind-sb-healthcheck cannot update Secure Boot variables (except for the MOK). Even updating the MOK requires a reboot and manual interaction with MokManager at reboot.

*
refind-sb-healthcheck relies on files' timestamps to locate Shim binaries that are newer than the one currently in use. This is not completely reliable; a binary that was recently copied using the default cp flags will appear to be recent, even if it's very old by version number standards.

*
The script does not attempt to maintain non-rEFInd key files, such as those a user might maintain to sign kernel binaries or kernel modules.

*
refind-sb-healthcheck incorporates a number of assumptions about the locations of rEFInd key files, the existence of common support programs, and the nature of the current installation. It may fail in unusual ways if these assumptions are violated.

*

*

q

Primary author: Roderick W. Smith (rodsmith@rodsbooks.com)

mvrefind(8), mkrlconf(8), refind-install(8), refind-mkdefault(8), efibootmgr(8).

https://www.rodsbooks.com/refind/

The refind-mkdefault command is part of the rEFInd package and is available from Roderick W. Smith.

0.14.2 Roderick W. Smith