iPXE discussion forum / iPXE user forums / General v / Secure booting linux / additional certificates

Post Reply 
 
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Secure booting linux / additional certificates
2017-04-06, 20:45
Post: #2
NiKiZe Offline
iPXE nerd, and nerdy helper
*******
 		Posts: 975
Joined: 2015-Feb
Reputation: 23
RE: Secure booting linux / additional certificates
iPXE itself does not have any certificates at all that is used to check signing, actually there is nothing at all in iPXE in regards to signing - this is all up to the firmware EFI implementation to handle when exec of efi files is called.

Solutions to this:
* Have MS sign iPXE then always load MS signed shim.efi from iPXE which in turn loads kernel - this shim should support loading and propagating efi fs and options, for example like this:
Code:
#!ipxe
initrd initramfs.img
initrd kernelx64efi
kernel shim.efi kernelx64efi initrd=initramfs.img init=/bin/bash
This should result in a kernel cmdline which is: kernelx64efi initrd=initramfs.img init=/bin/bash
meaning that shim is only a wrapper.

* Make sure shim.efi implements and replaces the firmware exec interface and use load shim.efi -> ipxe.efi
Or it might even be possible to have MS signed ipxe.efi first which starts MS signed shim.efi which installs those interfaces and then returns to iPXE which can then boot efis signed by new certificates since the exec and signing check is now done by shim.efi instead.


as you can see this all requires some help from shim, maybe it already exists in the shim? Anyone have link to official sources of recent shim.efis ?
Use GitHub Discussions
VRAM bin
Visit this user's website Find all posts by this user
Quote this message in a reply
Post Reply 


Messages In This Thread
RE: Secure booting linux / additional certificates - NiKiZe - 2017-04-06 20:45



User(s) browsing this thread: 1 Guest(s)

Contact Us | iPXE home page | Return to Top | Return to Content | Lite (Archive) Mode | RSS Syndication