Hello,
I'm trying to build a iPXE efi file to boot a specific network image. I build my own efi file and included a sript pointing to the kernel and initrd on the network.
If I try to load the kernel I get a Exec format error, this only happens if secureboot is enabled. I tried this using http and nfs with the same results.
The Kernel is signed correctly, I build a bootable USB stick using the exact same kernel and initrd and it works with secure boot.
Do I need to load the kernel in a special way if secureboot is enabled?
How did you sign the efi build of iPXE?
is kernel and iPXE signed by different keys, or the same?
iPXE just sends the binary to the EFI firmware which does the verification, so it must be that the firmware somehow denies this.
I also think that this can be seen in the error code returned - could you please post the _full_ error message you get from iPXE (this includes the ipxe.org url) please make sure you post the message - and not the resulted redirected url.
(2019-03-06 01:43)NiKiZe Wrote: [ -> ]How did you sign the efi build of iPXE?
is kernel and iPXE signed by different keys, or the same?
iPXE just sends the binary to the EFI firmware which does the verification, so it must be that the firmware somehow denies this.
I also think that this can be seen in the error code returned - could you please post the _full_ error message you get from iPXE (this includes the ipxe.org url) please make sure you post the message - and not the resulted redirected url.
Hello,
Thank for your reply.
I signed the efi build of Ipxe with sbsign --key "path to key" --cert "path to cert" "path to ipxe efi".
The kernel and the ipxe efi are both signed with the same key. If I try to boot the same kernel (downloaded from the server) from a USB stick it works.
The error message I get: "Could not select: Exec format error (
https://ipxe.org/2e008081)".
I hope this helps.
build ipxe.efi with DEBUG=image
and let's see where it goes out when loading.
But still this should only be the firmware that says no for some reason.
have you tried starting the kernel from within efi shell to compare?
Thanks for the hint.
The Problem is the kernel is not recognized as efi file due to security police (
http://ipxe.org/err/7f04819a), so this explains why this is only happening with secure boot.
I copied the kernel on my EFI partition and used the efi shell to start it. It worked without a problem.
The script I'm running is:
Code:
#!ipxe
dhcp
initrd nfs://"server_ip":/data/tftp/zdv-live-secure/tftpboot/live/initrd.img
chain nfs://"server_ip":/data/tftp/zdv-live-secure/tftpboot/live/vmlinuz initrd=initrd.img boot=live components nosplash netboot=nfs nfsroot="server_ip":/data/tftp/zdv-live/zdv-live locales=de_DE.UTF-8,en_US.UTF8 keyboard-layouts=de,us noautologin timezone=Europe/Berlin
boot
The hole process uses shim and a MOK keys to verify the files.