iPXE discussion forum
iPXE and MokList?




iPXE and MokList? - tbk - 2018-06-20 14:10

Hi,

I want to use iPXE in a secure boot environment, therefore I tried what was written on https://github.com/ipxe/shimdemo and played a little bit with it, and after I sorted out everything (especially how to append a key to the UEFI DB variable) everything worked out fine.

Because shim also uses the UEFI MokList variable and not only the UEFI DB variable, I tried to put my vendor key in the MokList, signed the iPXE image with the vendor key and used the Microsoft-signed version of shim for Fedora.

This is all working fine. I'm able to load shim because it is signed by Microsoft, and so I don't have to modify the UEFI secure boot variables. shim loads the vendor-signed iPXE binary because the vendor.esl file is in the MokList. But iPXE is refusing to execute a further EFI binary even if it is signed by the vendor key. I always get the following error:

Could not boot image: Exec format error (http://ipxe.org/2e008081)

Because everything is working if the vendor key is in the UEFI DB variable rather than in the UEFI MokList variable, I'm wondering if this is somehow connected with iPXE having no MokList support?

Thanks
Tamas
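
The post above compares what is enrolled in the UEFI DB variable with what is in the MokList (the vendor.esl file). The following script is an added example, not part of the original post or of the iPXE/shimdemo projects: it parses the EFI_SIGNATURE_LIST format that both DB and MokList use, so a practitioner can dump what a given variable actually contains and check whether a particular certificate or hash is enrolled. The signature-type GUIDs are the ones from the UEFI specification; the owner GUID, the "certificate" bytes and the hashed payload are constructed placeholders, not a real vendor certificate. Reading a variable from Linux efivarfs (which prefixes the data with a 4-byte attributes word) is an assumption about the environment, not something the post describes.

```python
import struct
import uuid
import hashlib

# Signature-type GUIDs from the UEFI specification (section on EFI_SIGNATURE_LIST).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# EFI_SIGNATURE_LIST header: GUID (16) + SignatureListSize, SignatureHeaderSize,
# SignatureSize (3 x UINT32, little-endian) = 28 bytes. Each EFI_SIGNATURE_DATA
# entry is a 16-byte SignatureOwner GUID followed by the signature payload.
ESL_HEADER_LEN = 28


def strip_efivars_attributes(raw: bytes) -> bytes:
    """Drop the 4-byte attributes word that Linux efivarfs prepends to variable data."""
    return raw[4:]


def parse_esl(data: bytes):
    """Parse a concatenation of EFI_SIGNATURE_LIST structures (DB, dbx, MokList...).

    Returns a list of (type_name, owner_guid, payload_bytes) tuples.
    Raises ValueError on a malformed or truncated list rather than guessing.
    """
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < ESL_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])   # EFI_GUID is mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < ESL_HEADER_LEN + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        if sig_size <= 16:
            raise ValueError("SignatureSize must exceed the 16-byte owner GUID")
        body, end = off + ESL_HEADER_LEN + hdr_size, off + list_size
        if (end - body) % sig_size != 0:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            payload = data[pos + 16:pos + sig_size]
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)), owner, payload))
        off = end
    return entries


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, payloads) -> bytes:
    """Build one EFI_SIGNATURE_LIST; all payloads in a list must have equal length."""
    sig_size = 16 + len(payloads[0])
    if any(16 + len(p) != sig_size for p in payloads):
        raise ValueError("all entries in one list must be the same size")
    out = sig_type.bytes_le + struct.pack("<III", ESL_HEADER_LEN + sig_size * len(payloads), 0, sig_size)
    for p in payloads:
        out += owner.bytes_le + p
    return out


def is_enrolled(esl_data: bytes, cert_der: bytes) -> bool:
    """True if the DER certificate itself, or its SHA-256, appears in the list."""
    digest = hashlib.sha256(cert_der).digest()
    for type_name, _owner, payload in parse_esl(esl_data):
        if type_name == "X509" and payload == cert_der:
            return True
        if type_name == "SHA256" and payload == digest:
            return True
    return False


def summarize(esl_data: bytes):
    """Human-readable one-liners, e.g. for comparing DB against MokList."""
    lines = []
    for type_name, owner, payload in parse_esl(esl_data):
        detail = payload.hex() if type_name == "SHA256" else "%d bytes" % len(payload)
        lines.append("%-7s owner=%s %s" % (type_name, owner, detail))
    return lines


# --- Constructed sample data (placeholders, not a real certificate or hash) ---
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_VENDOR_CERT = b"\x30\x82\x01\x00" + b"V" * 60       # DER-looking filler, 64 bytes
FAKE_BINARY_HASH = hashlib.sha256(b"constructed-ipxe.efi").digest()
SAMPLE_MOKLIST = (build_esl(EFI_CERT_X509_GUID, OWNER_GUID, [FAKE_VENDOR_CERT])
                  + build_esl(EFI_CERT_SHA256_GUID, OWNER_GUID, [FAKE_BINARY_HASH]))

if __name__ == "__main__":
    for line in summarize(SAMPLE_MOKLIST):
        print(line)
    print("vendor cert enrolled:", is_enrolled(SAMPLE_MOKLIST, FAKE_VENDOR_CERT))
```

To inspect a live system, read the variable file (for example the MokListRT or db entry under /sys/firmware/efi/efivars/), pass it through strip_efivars_attributes, and call summarize on the result; running the same over DB and MokList shows directly which list a given vendor certificate sits in.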


RE: iPXE and MokList? - NiKiZe - 2018-06-21 18:22

AFAIK the shim.efi in shimdemo is not yet released/signed by Microsoft.
The modified shim.efi is needed for iPXE to be able to start anything that is signed by anyone other than Microsoft.
It does so by providing its own versions of the EFI start functions with internal certificate validation, which iPXE happily uses.