Secure booting linux / additional certificates
|
2017-04-06, 20:45
Post: #2
|
|||
|
|||
RE: Secure booting linux / additional certificates
iPXE itself does not have any certificates at all that is used to check signing, actually there is nothing at all in iPXE in regards to signing - this is all up to the firmware EFI implementation to handle when exec of efi files is called.
Solutions to this: * Have MS sign iPXE then always load MS signed shim.efi from iPXE which in turn loads kernel - this shim should support loading and propagating efi fs and options, for example like this: Code: #!ipxe meaning that shim is only a wrapper. * Make sure shim.efi implements and replaces the firmware exec interface and use load shim.efi -> ipxe.efi Or it might even be possible to have MS signed ipxe.efi first which starts MS signed shim.efi which installs those interfaces and then returns to iPXE which can then boot efis signed by new certificates since the exec and signing check is now done by shim.efi instead. as you can see this all requires some help from shim, maybe it already exists in the shim? Anyone have link to official sources of recent shim.efis ? Use GitHub Discussions VRAM bin |
|||
« Next Oldest | Next Newest »
|
Messages In This Thread |
Secure booting linux / additional certificates - freaky - 2017-04-06, 09:33
RE: Secure booting linux / additional certificates - NiKiZe - 2017-04-06 20:45
RE: Secure booting linux / additional certificates - freaky - 2017-04-07, 10:54
RE: Secure booting linux / additional certificates - freaky - 2017-04-11, 11:00
RE: Secure booting linux / additional certificates - NiKiZe - 2017-04-11, 19:49
|
User(s) browsing this thread: 1 Guest(s)