2018-06-20, 14:10
Hi,
I want to use iPXE in a secure boot environment, therefor I tried what was written on https://github.com/ipxe/shimdemo and played a little bit with it and after I sorted out everything (especially to append a key to UEFI DB variable) everything works out fine.
Because shim also use the UEFI MokList variable and not only the UEFI DB variable. I tried to put my vendor key in the MokList, signed the iPXE image with the vendor key and use the Microsoft signed version of shim for Fedora.
This is all working fin. I'm able to load shim because it is signed by Microsoft and so I don't have to modify the UEFI secure boot variable. shim loads the vendor signed iPXE binary because the vendor.esl file is in the MokList. But the iPXE is refusing to execute a further efi binary even if it is signed by the vendor key. I always get the following error:
Could not boot image: Exec format error (http://ipxe.org/2e008081)
Because everything is working if the vendor key is in the UEFI DB variable rather then in den UEFI MokList variable, I'm wondering if this is some how connected with iPXE and no MokList support?
Thanks
Tamas
I want to use iPXE in a secure boot environment, therefor I tried what was written on https://github.com/ipxe/shimdemo and played a little bit with it and after I sorted out everything (especially to append a key to UEFI DB variable) everything works out fine.
Because shim also use the UEFI MokList variable and not only the UEFI DB variable. I tried to put my vendor key in the MokList, signed the iPXE image with the vendor key and use the Microsoft signed version of shim for Fedora.
This is all working fin. I'm able to load shim because it is signed by Microsoft and so I don't have to modify the UEFI secure boot variable. shim loads the vendor signed iPXE binary because the vendor.esl file is in the MokList. But the iPXE is refusing to execute a further efi binary even if it is signed by the vendor key. I always get the following error:
Could not boot image: Exec format error (http://ipxe.org/2e008081)
Because everything is working if the vendor key is in the UEFI DB variable rather then in den UEFI MokList variable, I'm wondering if this is some how connected with iPXE and no MokList support?
Thanks
Tamas