loading kernel with secure boot
|
2019-03-05, 11:23
Post: #1
|
|||
|
|||
loading kernel with secure boot
Hello,
I'm trying to build a iPXE efi file to boot a specific network image. I build my own efi file and included a sript pointing to the kernel and initrd on the network. If I try to load the kernel I get a Exec format error, this only happens if secureboot is enabled. I tried this using http and nfs with the same results. The Kernel is signed correctly, I build a bootable USB stick using the exact same kernel and initrd and it works with secure boot. Do I need to load the kernel in a special way if secureboot is enabled? |
|||
2019-03-06, 01:43
Post: #2
|
|||
|
|||
RE: loading kernel with secure boot
How did you sign the efi build of iPXE?
is kernel and iPXE signed by different keys, or the same? iPXE just sends the binary to the EFI firmware which does the verification, so it must be that the firmware somehow denies this. I also think that this can be seen in the error code returned - could you please post the _full_ error message you get from iPXE (this includes the ipxe.org url) please make sure you post the message - and not the resulted redirected url. Use GitHub Discussions VRAM bin |
|||
2019-03-11, 15:12
Post: #3
|
|||
|
|||
RE: loading kernel with secure boot
(2019-03-06 01:43)NiKiZe Wrote: How did you sign the efi build of iPXE? Hello, Thank for your reply. I signed the efi build of Ipxe with sbsign --key "path to key" --cert "path to cert" "path to ipxe efi". The kernel and the ipxe efi are both signed with the same key. If I try to boot the same kernel (downloaded from the server) from a USB stick it works. The error message I get: "Could not select: Exec format error (https://ipxe.org/2e008081)". I hope this helps. |
|||
2019-03-11, 15:43
Post: #4
|
|||
|
|||
RE: loading kernel with secure boot
build ipxe.efi with DEBUG=image
and let's see where it goes out when loading. But still this should only be the firmware that says no for some reason. have you tried starting the kernel from within efi shell to compare? Use GitHub Discussions VRAM bin |
|||
2019-03-14, 15:11
Post: #5
|
|||
|
|||
RE: loading kernel with secure boot
Thanks for the hint.
The Problem is the kernel is not recognized as efi file due to security police (http://ipxe.org/err/7f04819a), so this explains why this is only happening with secure boot. I copied the kernel on my EFI partition and used the efi shell to start it. It worked without a problem. The script I'm running is: Code: #!ipxe The hole process uses shim and a MOK keys to verify the files. |
|||
« Next Oldest | Next Newest »
|
User(s) browsing this thread: 2 Guest(s)