# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

# The default here is 0; changing it to saved is all that is needed
GRUB_DEFAULT=saved
GRUB_TIMEOUT_STYLE=hidden
# This is the wait time; the default of 10s is not really necessary, so I changed it to 3
GRUB_TIMEOUT=3
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""

# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"

# refind.conf
# Configuration file for the rEFInd boot menu
#
# Timeout in seconds for the main menu screen. Setting the timeout to 0
# disables automatic booting (i.e., no timeout). Setting it to -1 causes
# an immediate boot to the default OS *UNLESS* a keypress is in the buffer
# when rEFInd launches, in which case that keypress is interpreted as a
# shortcut key. If no matching shortcut is found, rEFInd displays its
# menu with no timeout.
#
# Set the default wait time to 5s
# timeout 0 means wait indefinitely; timeout -1 means boot the corresponding OS immediately
timeout 5

# Set the screen's video resolution. Pass this option either:
#  * two values, corresponding to the X and Y resolutions
#  * one value, corresponding to a GOP (UEFI) video mode
# Note that not all resolutions are supported. On UEFI systems, passing
# an incorrect value results in a message being shown on the screen to
# that effect, along with a list of supported modes. On EFI 1.x systems
# (e.g., Macintoshes), setting an incorrect mode silently fails. On both
# types of systems, setting an incorrect resolution results in the default
# resolution being used. A resolution of 1024x768 usually works, but higher
# values often don't.
# Default is "0 0" (use the system default resolution, usually 800x600).
#
# Resolution setting. I recommend leaving this alone, as the comment above
# also says. Resolutions above 1024*768 are not supported; I use the default
# and did not touch it, so don't set something like 1920 1080 yourself for
# no reason (update: it works)
#resolution 1024 768
#resolution 1440 900
#resolution 3

# Directories that should NOT be scanned for boot loaders. By default,
# rEFInd doesn't scan its own directory, the EFI/tools directory, the
# EFI/memtest directory, the EFI/memtest86 directory, or the
# com.apple.recovery.boot directory. Using the dont_scan_dirs option
# enables you to "blacklist" other directories; but be sure to use "+"
# as the first element if you want to continue blacklisting existing
# directories. You might use this token to keep EFI/boot/bootx64.efi out
# of the menu if that's a duplicate of another boot loader or to exclude
# a directory that holds drivers or non-bootloader utilities provided by
# a hardware manufacturer. If a directory is listed both here and in
# also_scan_dirs, dont_scan_dirs takes precedence. Note that this
# blacklist applies to ALL the filesystems that rEFInd scans, not just
# the ESP, unless you precede the directory name by a filesystem name or
# partition unique GUID, as in "myvol:EFI/somedir" to exclude EFI/somedir
# from the scan on the myvol volume but not on other volumes.
#
# Judging by the comment, this section is meant to skip scanning certain
# folders on the ESP partition. To remove some redundant boot entries I set
# dont_scan_dirs ESP:/EFI/ubuntu, but for some reason it had no effect and
# the Ubuntu boot entry still appeared, so I do not recommend hiding boot
# entries in this section.
#dont_scan_dirs ESP:/EFI/boot,EFI/Dell,EFI/memtest86

# Files that should NOT be included as EFI boot loaders (on the
# first line of the display). If you're using a boot loader that
# relies on support programs or drivers that are installed alongside
# the main binary or if you want to "blacklist" certain loaders by
# name rather than location, use this option. Note that this will
# NOT prevent certain binaries from showing up in the second-row
# set of tools. Most notably, various Secure Boot and recovery
# tools are present in this list, but may appear as second-row
# items.
# The file may be specified as a bare name (e.g., "notme.efi"), as
# a complete pathname (e.g., "/EFI/somedir/notme.efi"), or as a
# complete pathname with volume (e.g., "SOMEDISK:/EFI/somedir/notme.efi"
# or "2C17D5ED-850D-4F76-BA31-47A561740082:/EFI/somedir/notme.efi").
# OS tags hidden via the Delete or '-' key in the rEFInd menu are
# added to this list, but stored in NVRAM.
# The default is shim.efi,shim-fedora.efi,shimx64.efi,PreLoader.efi,
# TextMode.efi,ebounce.efi,GraphicsConsole.efi,MokManager.efi,HashTool.efi,
# HashTool-signed.efi,bootmgr.efi,fb{arch}.efi
# (where "{arch}" is the architecture code, like "x64").
#
# This section is similar to the one above; both are for hiding entries.
# The difference is that the one above targets folders while this one
# targets specific files. This section plays a crucial role in removing
# certain boot entries, and I will describe it in detail.
#dont_scan_files shim.efi,MokManager.efi

# Hide user interface elements for personal preference or to increase
# security:
#  banner      - the rEFInd title banner (built-in or loaded via "banner")
#  label       - boot option text label in the menu
#  singleuser  - remove the submenu options to boot Mac OS X in single-user
#                or verbose modes; affects ONLY MacOS X
#  safemode    - remove the submenu option to boot Mac OS X in "safe mode"
#  hwtest      - the submenu option to run Apple's hardware test
#  arrows      - scroll arrows on the OS selection tag line
#  hints       - brief command summary in the menu
#  editor      - the options editor (+, F2, or Insert on boot options menu)
#  all         - all of the above
# Default is none of these (all elements active)
#
hideui singleuser,hints,arrows,label,badges

# Set the name of a subdirectory in which icons are stored. Icons must
# have the same names they have in the standard directory. The directory
# name is specified relative to the main rEFInd binary's directory. If
# an icon can't be found in the specified directory, an attempt is made
# to load it from the default directory; thus, you can replace just some
# icons in your own directory and rely on the default for others.
# Default is "icons".
# Boot icons for the various operating systems
icons_dir themes/rEFInd-minimal/icons

# Use a custom title banner instead of the rEFInd icon and name. The file
# path is relative to the directory where refind.efi is located. The color
# in the top left corner of the image is used as the background color
# for the menu screens. Currently uncompressed BMP images with color
# depths of 24, 8, 4 or 1 bits are supported, as well as PNG images.
# This is the path of the boot screen background image; it is also a
# relative path, and for now only PNG images seem to be supported
banner themes/rEFInd-minimal/background.png

# Tells rEFInd whether to display banner images pixel-for-pixel (noscale)
# or to scale banner images to fill the screen (fillscreen). The former is
# the default.
# Fill the full screen by default
banner_scale fillscreen

# Custom images for the selection background. There is a big one (144 x 144)
# for the OS icons, and a small one (64 x 64) for the function icons in the
# second row. If only a small image is given, that one is also used for
# the big icons by stretching it in the middle. If only a big one is given,
# the built-in default will be used for the small icons.
#
# Like the banner option above, these options take a filename of an
# uncompressed BMP image file with a color depth of 24, 8, 4, or 1 bits,
# or a PNG image. The PNG format is required if you need transparency
# support (to let you "see through" to a full-screen banner).
#
selection_big themes/rEFInd-minimal/selection_big.png
selection_small themes/rEFInd-minimal/selection_small.png

# Which non-bootloader tools to show on the tools line, and in what
# order to display them:
#  shell          - the EFI shell (requires external program; see rEFInd
#                   documentation for details)
#  gptsync        - the (dangerous) gptsync.efi utility (requires external
#                   program; see rEFInd documentation for details)
#  apple_recovery - boots the Apple Recovery HD partition, if present
#  mok_tool       - makes available the Machine Owner Key (MOK) maintenance
#                   tool, MokManager.efi, used on Secure Boot systems
#  about          - an "about this program" option
#  exit           - a tag to exit from rEFInd
#  shutdown       - shuts down the computer (a bug causes this to reboot
#                   EFI systems)
#  reboot         - a tag to reboot the computer
#  firmware       - a tag to reboot the computer into the firmware's
#                   user interface (ignored on older computers)
# Default is shell,apple_recovery,mok_tool,about,shutdown,reboot,firmware
#
showtools shutdown
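
The hideui, showtools and dont_scan_dirs comments above describe which boot-menu features stay reachable. The following added example (not part of the original post or of rEFInd) parses a refind.conf and reports those three settings; the function names, the `SENSITIVE_TOOLS` selection and the simplified comment handling are assumptions of the example.

```python
# Added example: audits the security-relevant refind.conf options quoted above.
# Tokens implied by "hideui all", per the hideui comment block on this page.
HIDEUI_ALL = {"banner", "label", "singleuser", "safemode", "hwtest",
              "arrows", "hints", "editor"}
# showtools default, per the showtools comment block on this page.
DEFAULT_TOOLS = ["shell", "apple_recovery", "mok_tool", "about",
                 "shutdown", "reboot", "firmware"]
# Tools this audit reports when exposed (a choice made for this example).
SENSITIVE_TOOLS = {"shell", "gptsync", "mok_tool"}

# Constructed sample: the active (uncommented) option lines of the config above.
PAGE_CONFIG = """\
timeout 5
#dont_scan_dirs ESP:/EFI/boot,EFI/Dell,EFI/memtest86
hideui singleuser,hints,arrows,label,badges
showtools shutdown
"""


def parse_refind_conf(text):
    """Map each active top-level option to its list of values.

    Simplifications: text after '#' is dropped, menuentry stanzas are not
    handled, and each option is assumed to appear once (later lines overwrite).
    """
    options = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            values = parts[1].replace(",", " ").split() if len(parts) > 1 else []
            options[parts[0].lower()] = values
    return options


def audit(text):
    """Report the settings that decide what is reachable from the boot menu."""
    opts = parse_refind_conf(text)
    hidden = set(opts.get("hideui", []))
    if "all" in hidden:
        hidden |= HIDEUI_ALL
    tools = opts.get("showtools", DEFAULT_TOOLS)
    scan_dirs = opts.get("dont_scan_dirs")
    return {
        # False means the options editor (+, F2, Insert) is still available.
        "editor_hidden": "editor" in hidden,
        "exposed_tools": sorted(SENSITIVE_TOOLS.intersection(tools)),
        # Without a leading "+", dont_scan_dirs replaces the default exclusions.
        "default_dir_exclusions_kept": scan_dirs is None or scan_dirs[:1] == ["+"],
    }


if __name__ == "__main__":
    print(audit(PAGE_CONFIG))
```

For the configuration on this page the audit reports that no sensitive tools are shown but the options editor is not hidden; adding `editor` to the hideui list changes that.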

triority@triority-Surface-Pro-7-PLUS:~$ sudo apt install linux-surface-secureboot-mok
[sudo] password for triority:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  linux-surface-secureboot-mok
0 upgraded, 1 newly installed, 0 to remove and 94 not upgraded.
Need to get 5,616 B of archives.
After this operation, 18.4 kB of additional disk space will be used.
Get:1 https://pkg.surfacelinux.com/debian release/main amd64 linux-surface-secureboot-mok amd64 20231003-1 [5,616 B]
Fetched 5,616 B in 8s (678 B/s)
Selecting previously unselected package linux-surface-secureboot-mok.
(Reading database ... 195210 files and directories currently installed.)
Preparing to unpack .../linux-surface-secureboot-mok_20231003-1_amd64.deb ...
Unpacking linux-surface-secureboot-mok (20231003-1) ...
Setting up linux-surface-secureboot-mok (20231003-1) ...
The secure-boot certificate has been installed to
/usr/share/linux-surface-secureboot/surface.cer
It will now be automatically enrolled for you and guarded with the password
surface
To finish the enrollment process you need to reboot, where you will then be asked to enroll the certificate. During the import, you will be prompted for the password mentioned above. Please make sure that you are indeed adding the right key and confirm by entering 'surface'.
Note that you can always manage your secure-boot keys, including the one just enrolled, from inside Linux via the 'mokutil' tool.