Current state of SecureBoot support - Printable Version +- iPXE discussion forum (https://forum.ipxe.org) +-- Forum: iPXE user forums (/forumdisplay.php?fid=1) +--- Forum: General (/forumdisplay.php?fid=2) +--- Thread: Current state of SecureBoot support (/showthread.php?tid=15139) |
Current state of SecureBoot support - myxal - 2018-11-19 15:19 Can someone enlighten me regarding the current state of secure-boot support in iPXE? I need to boot clonezilla from the network with SB enabled on the machine (to be more specific, I don't care for security, I only need SB to test software on Windows on that machine). With SB enabled in firmware ("BIOS") setup, clonezilla (alternative-stable-amd64, version 20180812) boots from a flash drive, and iPXE loads and shows menu from the network. But trying to boot the same clonezilla version from iPXE results in error 0x7f04818f. What am I missing? EDIT: After googling around a bit, I've come with the following understanding:
From here, I would try to check what signature is on the clonezilla-alt kernel (Maybe canonical's? Maybe not..), and add keys for those into the firmware DB. Or is there another, simpler way? (I'd like to avoid rolling my own CA and having to sign everything.) RE: Current state of SecureBoot support - NiKiZe - 2018-11-28 23:15 You need to build ipxe, sign it with an EV certificate, and then have iPXE cross signed by Microsoft. After iPXE starts you will in turn have to call shim to have the shim approve kernel or something else. The only easy way is to disable SB on firmware level. There is work going on that should make this easier in the future. RE: Current state of SecureBoot support - myxal - 2018-11-29 09:15 (2018-11-28 23:15)NiKiZe Wrote: You need to build ipxe, sign it with an EV certificate, and then have iPXE cross signed by Microsoft. My findings with Gigabyte Z87N are indeed strange - with SB on, ipxe efi image boots (into the menu) without issue, so I thought this was already signed, and the documentation just wasn't updated..? The ipxe image comes from Kali's repo. (2018-11-28 23:15)NiKiZe Wrote: After iPXE starts you will in turn have to call shim to have the shim approve kernel or something else. I got lucky this time and the board's firmware allows me to set SB "execution policy" that basically says "boot whatever" - windows gets its "secureboot on" state and clonezilla boots through ipxe without issue. Barring this loophole, SB should allow unsigned/arbitrary kernel as long as its hash is in the SB's DB, which I was able to manipulate with Keytool. Oh, and yes - Clonezilla-alt's kernel is signed with Canonical's key, the certificate for which is available (along with many others) here. |