This guide only applies to systems installed and booting in UEFI mode.
This guide applies to amd64 machines; for i386 systems, replace "bootx64.efi" with "bootia32.efi".
Follow the advice in this link to install a UEFI system:
https://blog.jasper.la/openbsd-uefi-bootloader-howto/
It is possible to boot OpenBSD with Secure Boot enabled by using the Linux Foundation's PreLoader & HashTool utilities.
http://www.linuxfoundation.org/news-...em-open-source
To implement this method, download the PreLoader.efi and HashTool.efi from here:
http://blog.hansenpartnership.com/li...stem-released/
Then rename the OpenBSD UEFI bootloader to "loader.efi":
Code:
# mount /dev/sd0i /mnt
# mv /mnt/efi/boot/BOOTX64.EFI /mnt/efi/boot/loader.efi
(this presumes that the EFI system partition is located at /dev/sd0i -- adjust if necessary)
Then copy over HashTool.efi & PreLoader.efi and rename the latter as the default UEFI loader:
Code:
# cp HashTool.efi /mnt/efi/boot
# cp PreLoader.efi /mnt/efi/boot/bootx64.efi
Now reboot the machine and enable Secure Boot.
When the system starts, the PreLoader will detect an unauthorised image (the OpenBSD bootloader) and will offer to start the HashTool so that the loader.efi can be authorised.
Use the menu options in the HashTool to enrol the loader.efi and reboot again.
See
https://askubuntu.com/questions/5947...ions-preloader
More information here:
http://www.rodsbooks.com/efi-bootloa...html#preloader
To revert the system, simply copy loader.efi back to bootx64.efi.
Note that whenever the base system is upgraded, the bootloader should be copied back:
Code:
# mount /dev/sd0i /mnt
# cp /usr/mdec/BOOTX64.EFI /mnt/efi/boot/loader.efi
When the system is rebooted, the HashTool should load up again to enrol the new loader.efi.
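The following check is an added example, not part of the original guide: it reports whether the ESP still has the layout described above and whether loader.efi has fallen behind /usr/mdec/BOOTX64.EFI after an upgrade, in which case it must be copied again and re-enrolled. The function name check_esp and its state words are made up for this example; the default paths assume the ESP is mounted at /mnt as in the steps above.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the guide).
# Call as root with the ESP mounted, for instance:
#   check_esp /mnt/efi/boot /usr/mdec/BOOTX64.EFI
# Prints one state word and returns: 0 current, 1 stale, 2 layout problem.
# The ESP is FAT, so file names on it are matched case-insensitively.

check_esp() {
    bootdir=${1:-/mnt/efi/boot}
    mdec=${2:-/usr/mdec/BOOTX64.EFI}

    # The freshly installed bootloader from the base system must exist.
    if [ ! -f "$mdec" ]; then
        echo "missing:$mdec"
        return 2
    fi

    # All three files from the guide must be present on the ESP.
    for f in bootx64.efi HashTool.efi loader.efi; do
        if [ ! -f "$bootdir/$f" ]; then
            echo "missing:$f"
            return 2
        fi
    done

    # bootx64.efi must be PreLoader, not a copy of the OpenBSD loader.
    # Identical files mean the system is in the reverted state.
    if cmp -s "$bootdir/bootx64.efi" "$bootdir/loader.efi"; then
        echo "reverted"
        return 2
    fi

    # A byte-level difference means the upgrade shipped a new bootloader.
    # The enrolled hash no longer matches, so copy it over and re-enrol.
    if ! cmp -s "$bootdir/loader.efi" "$mdec"; then
        echo "stale"
        return 1
    fi

    echo "current"
    return 0
}
```

A result of "stale" after an upgrade means the cp step above is due, followed by a reboot into the HashTool.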