Provided by: refind_0.14.2-2.1_amd64

NAME

       refind-sb-healthcheck - Interactively check and update Shim and Secure Boot keys

SYNOPSIS

       refind-sb-healthcheck

DESCRIPTION

       Booting  via  Secure  Boot relies upon a number of keys and, in most cases under Linux, an EFI binary
       known as Shim (typically shimx64.efi for x86-64 computers). This Shim binary, and the keys upon which the
       whole process relies, can age out of usefulness.  Because  most  distributions  are  not  rEFInd-centric,
       keeping  the keys and Shim binary up-to-date falls on the individual system administrator. The refind-sb-
       healthcheck script helps with that; it performs a number of checks, and can  optionally  update  binaries
       and key files (but not public keys stored in NVRAM):

       *      The  script first attempts to identify the Shim binary that launched the current boot session. The
              script then searches the EFI  System  Partition  (ESP)  and  /usr  for  newer  Shim  binaries  (as
              identified  by  the files' timestamps). If any newer Shim binaries are found, the script offers to
              update the currently-in-use Shim with the newer  binary.  The  MokManager  program  (mmx64.efi  on
              x86-64 systems) is updated along with Shim.

       *      The  refind-install  script  generates  local rEFInd keys, to be used when signing rEFInd binaries
              that are not signed or to override existing signatures. These keys  have  a  10-year  lifespan  by
              default.  The  refind-sb-healthcheck script checks the age of the current local rEFInd signing key
              and, if it's expired or within one year of expiration, offers to replace the  existing  key.  Note
              that, even if the user opts to update the key, existing rEFInd binaries are not re-signed. The new
              key  may be added to the MOK list, but if the rEFInd key was added to the Secure Boot db, updating
              the db is left to the user.

       *      The Machine Owner Key (MOK) list is stored in  NVRAM.  It  can  contain  keys  for  rEFInd,  Linux
              distributions,  and  other  keys,  all  of which will eventually expire. The refind-sb-healthcheck
              script scans the MOK and reports if there are any expired keys or keys that will expire  within  a
              year.  If  the  user  wants  to update such keys, the user must track down appropriate updates and
              install them manually with mokutil or MokManager. Note that keeping expired keys in the MOK is not
              necessarily a problem, although deleting expired keys is advisable from a security point of  view.
              Also,  expired  keys  have  probably  been  updated  by their maintainers, so their updates should
              probably be installed.

       *      refind-sb-healthcheck scans the Secure Boot db, KEK, and PK for expired keys much as it scans  the
              MOK list. The issues here are similar, except that these keys cannot be easily updated by the user
              without  first  taking full control of the Secure Boot subsystem. Updates provided by Microsoft, a
              Linux distribution, or a computer manufacturer may, however, include updates to  one  or  more  of
              these key sets.
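       The  three  key  checks  above  (local rEFInd signing key, MOK list, and Secure Boot db/KEK/PK) all
       reduce to the same question: for each certificate, has its "Not After" date already passed,  or  will
       it  pass  within a year? The following Python is an added illustration of that classification and is
       not code from the refind-sb-healthcheck script. It assumes  certificates  are  presented  as  an  openssl-style
       text  dump  (the  shape  mokutil --list-enrolled prints); the sample dump, key names and dates are
       constructed for the example, and REFERENCE_NOW is pinned so the result is reproducible.

```python
"""Classify Secure Boot certificates as EXPIRED, EXPIRING (within a year) or OK.

Added example in the spirit of refind-sb-healthcheck's key checks; it is not
the rEFInd script's own code. Input is an openssl-style text dump such as the
one `mokutil --list-enrolled` prints; only the Subject and "Not After" lines
are used.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (made-up subjects and dates), shaped like a mokutil dump.
SAMPLE_DUMP = """\
[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Subject: CN=rEFInd local MOK (constructed)
        Validity
            Not Before: Jan  5 12:00:00 2014 GMT
            Not After : Jan  3 12:00:00 2024 GMT
[key 2]
Certificate:
    Data:
        Subject: CN=Example Distro Secure Boot CA (constructed)
        Validity
            Not Before: Mar  1 00:00:00 2015 GMT
            Not After : Mar  1 00:00:00 2025 GMT
[key 3]
Certificate:
    Data:
        Subject: CN=Example Kernel Module Signing Key (constructed)
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan  1 00:00:00 2034 GMT
"""

# Pinned "current time" so the example is deterministic (assumption for the demo).
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
WARN_WINDOW = timedelta(days=365)  # matches the page's "within one year" rule

_NOT_AFTER_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_dump(text):
    """Return a list of (subject, not_after) tuples from an openssl-style dump."""
    entries = []
    # Each enrolled key is introduced by a "[key N]" line; split on those.
    for block in re.split(r"^\[key \d+\]\s*$", text, flags=re.M):
        subj = re.search(r"Subject:\s*(.+)", block)
        end = re.search(r"Not After\s*:\s*(.+)", block)
        if not (subj and end):
            continue  # header chunk or a block without a parsable validity
        # openssl pads single-digit days with two spaces; normalise whitespace.
        raw = " ".join(end.group(1).split())
        not_after = datetime.strptime(raw, _NOT_AFTER_FMT).replace(tzinfo=timezone.utc)
        entries.append((subj.group(1).strip(), not_after))
    return entries


def classify(not_after, now=REFERENCE_NOW, warn=WARN_WINDOW):
    """EXPIRED if already past, EXPIRING if within the warning window, else OK."""
    if not_after < now:
        return "EXPIRED"
    if not_after - now <= warn:
        return "EXPIRING"
    return "OK"


def healthcheck(text, now=REFERENCE_NOW):
    """Run the expiry classification over every key in the dump."""
    report = []
    for subject, not_after in parse_dump(text):
        report.append({
            "subject": subject,
            "not_after": not_after.date().isoformat(),
            "days_left": (not_after - now).days,
            "status": classify(not_after, now),
        })
    return report


if __name__ == "__main__":
    for row in healthcheck(SAMPLE_DUMP):
        print(f"{row['status']:<8} {row['not_after']}  {row['days_left']:>6}d  {row['subject']}")
```

       Against  a  real  system  the  same  function  can  be  fed the output of mokutil --list-enrolled; an
       EXPIRED or EXPIRING entry is the cue to obtain an updated key from its  maintainer,  as  the  DESCRIPTION
       above  notes,  rather  than something the script can fix on its own.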

OPTIONS

       refind-sb-healthcheck  is  an  interactive  program  that  provides no command-line options. Instead, the
       program scans for the information it needs, or occasionally asks the user  for  input  depending  on  the
       environment it discovers.

LIMITATIONS

       refind-sb-healthcheck  is a tool to assist in maintaining a rEFInd installation that uses Secure Boot. It
       is not meant to completely and automatically handle all  Secure  Boot  maintenance  tasks.  Some  notable
       limitations include:

       *      refind-sb-healthcheck  cannot update Secure Boot variables (except for the MOK). Even updating the
              MOK requires a reboot and manual interaction with MokManager at reboot.

       *      refind-sb-healthcheck relies on files' timestamps to locate Shim binaries that are newer than  the
              one currently in use. This is not completely reliable; a binary that was recently copied using the
              default cp flags will appear to be recent, even if it's very old by version number standards.

       *      The  script does not attempt to maintain non-rEFInd key files, such as those a user might maintain
              to sign kernel binaries or kernel modules.

       *      refind-sb-healthcheck incorporates a number of assumptions  about  the  locations  of  rEFInd  key
              files,  the  existence  of common support programs, and the nature of the current installation. It
              may fail in unusual ways if these assumptions are violated.
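       The  second  limitation  above  (timestamps  as  a  proxy  for  "newer  Shim") is easy to reproduce.
       The Python below is an added demonstration, not code from refind-sb-healthcheck: it  creates  a  stand-in
       "current"  Shim  and  an  older  stand-in  under a temporary directory (all files and their ages are
       constructed), copies the old file once the way plain cp does (new mtime) and once the way  cp  -p  does
       (mtime  preserved), and shows that only the plain copy is mistaken for a newer binary. A content digest
       comparison is included as the kind of sanity check that catches the false positive.

```python
"""Why mtime alone misidentifies a freshly copied old Shim as "newer".

Added example, not part of the rEFInd package. All paths are temporary
stand-ins; no real ESP or /usr files are touched.
"""
import hashlib
import os
import shutil
import tempfile
import time

DAY = 86400


def _write(path, data, age_days):
    """Create a file with the given bytes and back-date its mtime by age_days."""
    with open(path, "wb") as f:
        f.write(data)
    when = time.time() - age_days * DAY
    os.utime(path, (when, when))


def newer_by_mtime(current, candidates):
    """The heuristic the page describes: candidates whose mtime is later than the current file's."""
    cur = os.stat(current).st_mtime
    return [p for p in candidates if os.stat(p).st_mtime > cur]


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def demo():
    """Return which copies the mtime heuristic flags, plus a content-based cross-check."""
    with tempfile.TemporaryDirectory() as d:
        # Stand-in for the Shim currently in use on the ESP: one year old.
        in_use = os.path.join(d, "esp_shimx64.efi")
        _write(in_use, b"constructed: shim currently in use", age_days=365)

        # Stand-in for an old Shim lying under /usr: five years old.
        old_src = os.path.join(d, "usr_shimx64.efi")
        _write(old_src, b"constructed: ancient shim", age_days=5 * 365)

        # Plain copy (like `cp`): the copy's mtime is "now".
        plain = os.path.join(d, "copied_plain_shimx64.efi")
        shutil.copy(old_src, plain)

        # Preserving copy (like `cp -p`): shutil.copy2 keeps the source mtime.
        preserved = os.path.join(d, "copied_preserved_shimx64.efi")
        shutil.copy2(old_src, preserved)

        flagged = newer_by_mtime(in_use, [old_src, plain, preserved])
        return {
            "old_source_flagged": old_src in flagged,      # expected False
            "plain_copy_flagged": plain in flagged,        # expected True (false positive)
            "preserved_copy_flagged": preserved in flagged,  # expected False
            # Same bytes as the five-year-old file: a digest check exposes the false positive.
            "plain_copy_is_old_content": sha256_of(plain) == sha256_of(old_src),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

       The  practical  takeaway  is  the  one  the page gives: when staging a Shim update by hand, copy with
       cp -p (or install from a package) so the timestamp heuristic sees the real age  of  the  file,  and
       confirm  by  version or checksum before accepting the script's offer to replace the in-use binary.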


AUTHORS

       Primary author: Roderick W. Smith (rodsmith@rodsbooks.com)

SEE ALSO

       mvrefind(8), mkrlconf(8), refind-install(8), refind-mkdefault(8), efibootmgr(8).

       https://www.rodsbooks.com/refind/

AVAILABILITY

       The refind-sb-healthcheck command is part of the rEFInd package and is available from Roderick W. Smith.

Roderick W. Smith                                    0.14.2                             REFIND-SB-HEALTHCHECK(8)