Secure Boot and ShimDemo - Printable Version
+- iPXE discussion forum (https://forum.ipxe.org)
+-- Forum: iPXE user forums (/forumdisplay.php?fid=1)
+--- Forum: General (/forumdisplay.php?fid=2)
+--- Thread: Secure Boot and ShimDemo (/showthread.php?tid=30867)
Secure Boot and ShimDemo - dscoular@gmail.com - 2020-09-22 10:49

Hi All,

I'm struggling to understand whether I can get EFI Secure Boot and iPXE working. I've searched the forums and mailing lists and am none the wiser.

I've tried to follow the proof of concept work done here: https://github.com/ipxe/shimdemo

But, while I managed to compile the various parts, I'm pretty confused as to how those parts are supposed to work together:

    $ ls -1
    ipxe.efi
    ProxyLoader.efi
    Shell.efi
    Shell.secboot.efi
    Shell.vendor.efi
    shim.efi

My simplistic understanding is that existing Linux OSes commonly have a Microsoft-signed shim.efi which allows them to launch other bootloaders and kernels registered via the Machine Owner Key (MOK) database used by the shim, e.g. when I look at an Ubuntu system running under Secure Boot, I see this:

    # sbverify --list /boot/efi/EFI/ubuntu/shimx64.efi
    warning: data remaining[1171248 vs 1334816]: gaps between PE/COFF sections?
    signature 1
    image signature issuers:
     - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
    image signature certificates:
     - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
       issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
     - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
       issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

However, when I look at the shim.efi produced from the shimdemo project, it seems to only have an embedded self-signed key:

    # sbverify --list shim.efi
    warning: data remaining[1150432 vs 1312888]: gaps between PE/COFF sections?
    signature 1
    image signature issuers:
     - /CN=Secure Boot CA
    image signature certificates:
     - subject: /CN=Secure Boot CA
       issuer: /CN=Secure Boot CA

The instructions seem to hint at adding this to the EFI "db" vars and the boot order being something like:

Is the expectation that we sign the shimdemo shim.efi with a valid Microsoft certificate (a potentially long and costly process), OR can we use the self-signed "secboot" certificate but somehow enroll it into the appropriate EFI variables, perhaps using Linux efitools (my firmware seems to have no mechanism for adding or removing the various EFI Key Exchange Keys (KEKs) and Signature Databases)?

Apologies for being thoroughly confused. Any advice hugely appreciated!

Cheers,
Doug
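The enrollment route the post asks about (efitools' cert-to-efi-sig-list, then signing the result into db) works on EFI_SIGNATURE_LIST blobs. The following is an added example, not code from the thread or from shimdemo/efitools: it builds and parses that structure so you can check what a db update would actually enroll. The owner GUID and the certificate bytes are constructed placeholders; the two signature-type GUIDs are the ones the UEFI spec defines.

```python
"""Build and parse EFI_SIGNATURE_LIST (ESL) blobs, the on-disk format that
efitools' cert-to-efi-sig-list writes and that firmware stores in db/dbx/KEK."""
import struct
import uuid

# Signature types from the UEFI specification (mixed-endian GUIDs on the wire).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
# Constructed owner GUID for a locally generated CA (any GUID is acceptable).
LOCAL_OWNER_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
# Constructed stand-in for a DER certificate; a real DER blob goes here.
CONSTRUCTED_CERT_DER = b"\x30\x82\x01\x00" + b"\xaa" * 256

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
HDR = struct.Struct("<16sIII")


def build_esl(sig_type, owner, entries):
    """Return one EFI_SIGNATURE_LIST holding `entries` (DER certs or 32-byte hashes)."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + sizes.pop()  # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + e for e in entries)  # bytes_le == EFI_GUID layout
    return HDR.pack(sig_type.bytes_le, HDR.size + len(body), 0, sig_size) + body


def parse_esl(blob):
    """Walk concatenated lists (e.g. a dumped db) and return (type, owner, data) tuples."""
    out, off = [], 0
    while off < len(blob):
        stype, lsize, hsize, ssize = HDR.unpack_from(blob, off)
        if lsize < HDR.size + hsize or ssize <= 16 or off + lsize > len(blob):
            raise ValueError("corrupt signature list at offset %d" % off)
        name = SIG_TYPE_NAMES.get(uuid.UUID(bytes_le=stype), "unknown")
        pos = off + HDR.size + hsize
        while pos + ssize <= off + lsize:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            out.append((name, owner, blob[pos + 16:pos + ssize]))
            pos += ssize
        off += lsize
    return out


if __name__ == "__main__":
    esl = build_esl(EFI_CERT_X509_GUID, LOCAL_OWNER_GUID, [CONSTRUCTED_CERT_DER])
    for kind, owner, data in parse_esl(esl):
        print(kind, owner, len(data), "bytes")
```

Feeding the output of `efi-readvar -v db -o db.bin` to `parse_esl` lists every certificate and hash the firmware currently trusts, which is the check to run before and after an enrollment attempt.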