Threaded Mode | Linear Mode

mijanek · 2014-11-12, 18:39

(2014-11-12 14:37)mcb30 Wrote:
(2014-11-11 22:10)mijanek Wrote: I'd like to ask regarding this ipxe-devel mailing post from Michael Brown, if there is any chance to get the undionly.efi signed.

I was trying to find something new about that but no luck..

I have unfortunately constrain, not allowing me te disable the stupid secure boot (I really didn't found until now good reason for it unless MS makes some $$ with it.)

UEFI code signing now requires an EV code-signing certificate, which I don't currently have. The certificate costs US$500 (for three years). The submission process is tedious and slow, but workable.

It's likely to happen as soon as someone thinks it's worth more than US$500 to get a SecureBoot-signed version of iPXE. By default, UEFI does not apply SecureBoot checks to binaries present in NIC ROMs, which reduces the utility of having a signed version of iPXE; it's only chainloading that would really benefit.

Michael

OK, thanks a lot. I know the constrains with the EV certificate (and know, that Verisign wan'ts 700$ per year for it).
Do you know however it would even pass the certification process at all?

And how is about the wimboot, does this need to be signed then too, or is it something like binary plugin to ipxe? (Microsoft says they sign only .efi files)

(Unfortunatelly I can't access NIC ROM, as I need this for the Tablets e.g. Surface 3 Pro with USB network card, so no chance here. )