iPXE discussion forum

Full Version: UEFI Secureboot with iPXE (selfsigned db,pk keys or shim + company cert signed by M$)

If we assume the following scenario to be true:
"Someone got Micro$oft to sign an ipxe.efi file so we could use ipxe.efi with full secureboot=on support (stock M$ UEFI certificates in firmware)."

From within iPXE, we would not be able to start any Linux installations the way we're used to; in other words, this would not work:
chain initrd=initrd.img inst.repo=

Because these Linux kernels are not signed by Microsoft, only by Red Hat.
I do understand that by adding our own self-signed keys to the UEFI firmware (db, KEK, PK) and signing everything ourselves, it works as expected (I have tested that to be true, and it works fine).

But could it be possible for iPXE to work together with shim (first-stage bootloader), as shim+grub works for Red Hat/Fedora and Ubuntu?
If we got Microsoft to sign our own custom shim with our company cert (VENDOR_CERT_FILE), then iPXE would have to do some "shim_lock|verify" function as grub does. Could this work?

(The idea is to just use the stock UEFI firmware keys, so we don't need to install our own UEFI keys in db, KEK, PK.)

One issue with shim + iPXE is how it would be possible to PXE chainload the shim and then iPXE when there is no driver etc. in the shim. Or can grub boot over the network via shim as well?

Currently, all loading of anything from within iPXE is done via the normal firmware load, so all the verifying is done by the EFI firmware.

An alternative might be to use a signed shim.efi that can just take extra options for what it loads, so your iPXE script would end up as
chain vmlinuz initrd=initrd.img inst.repo=

This is similar to what wimboot currently does.

These are just ideas based on what I have read about the iPXE signing.
We will need mcb30's input here.
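Since, as noted above, the firmware does all the verifying when iPXE chainloads something under Secure Boot, the first thing a practitioner wants to know about an image they are about to serve over PXE is whether it carries an Authenticode signature table at all. The following is an added example, not code from this thread or from the iPXE project: it parses the PE security data directory of an EFI binary and lists each embedded WIN_CERTIFICATE entry; the sample image it builds is constructed inline purely to exercise the parser.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData


def authenticode_entries(pe: bytes):
    """Return [(file_offset, length, cert_type), ...] for each WIN_CERTIFICATE
    in the PE security directory; an empty list means the image is unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE/EFI image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # COFF header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x20B:                           # PE32+ (x86_64, aarch64)
        nrva_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                         # PE32 (ia32)
        nrva_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", pe, nrva_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return []
    # For the security directory the "VirtualAddress" field is a raw file offset.
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_off == 0 or sec_size == 0:
        return []
    entries, pos, end = [], sec_off, sec_off + sec_size
    while pos + 8 <= end:
        length, _revision, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > len(pe):
            raise ValueError("truncated certificate table")
        entries.append((pos, length, ctype))
        pos += (length + 7) & ~7                 # entries are 8-byte aligned
    return entries


def build_sample_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (no sections, not bootable) for testing."""
    e_lfanew, opt_size = 0x80, 112 + 16 * 8
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    dirs, cert = [(0, 0)] * 16, b""
    if signed:
        blob = b"\x30\x82" + b"\0" * 30          # placeholder DER, constructed
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (e_lfanew + 4 + 20 + opt_size, len(cert))
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", a, s) for a, s in dirs)
    return dos + b"PE\0\0" + coff + opt + cert
```

Presence of an entry only shows that a signature is attached; whether the signer chains to a certificate in the firmware's db (or to the vendor cert compiled into a shim) still has to be checked with a tool such as sbverify.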
shim+iPXE in UEFI mode with Secure Boot off works fine.
Yes, you can PXE boot the signed shim+grub with Secure Boot on too; that works great. I have used that as an alternative to using the DVD (which works too when Secure Boot is on).

I'm not sure if you can boot shim that way. As far as I know the stock version just fires off a hardcoded file named "grubx64.efi" from the same folder.

Will test tomorrow though.
