Current state of SecureBoot support
2018-11-19, 15:19
(This post was last modified: 2018-11-19 16:25 by myxal.)
Post: #1
Current state of SecureBoot support
Can someone enlighten me regarding the current state of secure-boot support in iPXE?
I need to boot Clonezilla from the network with SB enabled on the machine (to be more specific, I don't care about security, I only need SB enabled to test software on Windows on that machine). With SB enabled in firmware ("BIOS") setup, Clonezilla (alternative-stable-amd64, version 20180812) boots from a flash drive, and iPXE loads and shows its menu from the network. But trying to boot the same Clonezilla version from iPXE results in error 0x7f04818f. What am I missing?

EDIT: After googling around a bit, I've come up with the following understanding:
From here, I would try to check what signature is on the Clonezilla-alt kernel (maybe Canonical's? maybe not...), and add the keys for those into the firmware DB. Or is there another, simpler way? (I'd like to avoid rolling my own CA and having to sign everything.)
2018-11-28, 23:15
Post: #2
RE: Current state of SecureBoot support
You need to build iPXE, sign it with an EV certificate, and then have iPXE cross-signed by Microsoft.
After iPXE starts, you will in turn have to call shim to have shim approve the kernel or something else. The only easy way is to disable SB at the firmware level. There is work going on that should make this easier in the future.
2018-11-29, 09:15
Post: #3
RE: Current state of SecureBoot support
(2018-11-28 23:15)NiKiZe Wrote: You need to build ipxe, sign it with an EV certificate, and then have iPXE cross signed by Microsoft.

My findings with a Gigabyte Z87N are indeed strange: with SB on, the iPXE EFI image boots (into the menu) without issue, so I thought this was already signed and the documentation just wasn't updated..? The iPXE image comes from Kali's repo.

(2018-11-28 23:15)NiKiZe Wrote: After iPXE starts you will in turn have to call shim to have the shim approve kernel or something else.

I got lucky this time: the board's firmware allows me to set an SB "execution policy" that basically says "boot whatever", so Windows gets its "Secure Boot on" state and Clonezilla boots through iPXE without issue. Barring this loophole, SB should allow an unsigned/arbitrary kernel as long as its hash is in SB's DB, which I was able to manipulate with KeyTool. Oh, and yes, Clonezilla-alt's kernel is signed with Canonical's key, the certificate for which is available (along with many others) here.
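The observation above, that Secure Boot accepts an arbitrary binary once its hash is enrolled in db, hinges on which hash that is: the EFI_CERT_SHA256 entries firmware compares against hold the Authenticode PE image hash, not a plain SHA-256 of the file. The script below is an added example, not code from this thread or from the iPXE project. It computes that digest in pure Python and, since the thread names no particular binary, builds a constructed minimal PE32+ EFI image to run it on; `authenticode_hash`, `build_sample_efi` and the sample bytes are names and inputs chosen for this example. It also shows why signing an image or changing its header CheckSum leaves the hash unchanged, which is what lets one db hash entry match a binary before and after it is signed.

```python
import hashlib
import struct

# Offsets inside the PE optional header (same for PE32 and PE32+).
OPT_MAGIC_PE32PLUS = 0x20B
CHECKSUM_OFF = 64          # CheckSum field, skipped by the hash
SIZEOF_HEADERS_OFF = 60    # SizeOfHeaders field
CERT_DIR_INDEX = 4         # IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Return the Authenticode (PE image) hash of an EFI/PE binary as hex.

    This is the value a db/dbx hash entry holds. CheckSum, the certificate
    table directory entry and the certificate table itself are excluded, so
    (re)signing a binary does not change the digest.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == OPT_MAGIC_PE32PLUS else 96)
    cert_dir = dirs + CERT_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir)
    size_of_headers = struct.unpack_from("<I", pe, opt + SIZEOF_HEADERS_OFF)[0]
    checksum = opt + CHECKSUM_OFF

    h = hashlib.new(algo)
    # 1. Headers, minus CheckSum and the certificate directory entry.
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:cert_dir])
    h.update(pe[cert_dir + 8:size_of_headers])
    hashed = size_of_headers

    # 2. Raw section data, in ascending file-offset order.
    sect_tbl = opt + opt_size
    sections = []
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect_tbl + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # 3. Trailing data, minus the certificate table (normally at the end).
    if len(pe) > hashed:
        if cert_size and cert_off >= hashed:
            h.update(pe[hashed:cert_off])
            h.update(pe[cert_off + cert_size:])
        else:
            h.update(pe[hashed:])
    return h.hexdigest()


def build_sample_efi(code: bytes, checksum: int = 0, cert_blob: bytes = b"") -> bytes:
    """Construct a minimal one-section PE32+ EFI application (sample input).

    Constructed for this example only: it is not a real loader, and
    cert_blob is an opaque stand-in for a certificate table, not PKCS#7.
    """
    file_align, opt_size, pe_off = 0x200, 240, 0x40
    size_of_headers = raw_ptr = raw_size = file_align
    cert_off = raw_ptr + raw_size if cert_blob else 0

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<HBBIIIII", OPT_MAGIC_PE32PLUS, 14, 0, raw_size, 0, 0, 0x1000, 0x1000)
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII",
                       0x400000, 0x1000, file_align, 0, 0, 0, 0, 0, 0, 0,
                       0x2000, size_of_headers, checksum, 10, 0,   # subsystem 10 = EFI app
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[CERT_DIR_INDEX] = (cert_off, len(cert_blob))
    opt += b"".join(struct.pack("<II", a, s) for a, s in dirs)
    assert len(opt) == opt_size
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(code), 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + opt + sect).ljust(size_of_headers, b"\0")
    return headers + code.ljust(raw_size, b"\0") + cert_blob


if __name__ == "__main__":
    sample = build_sample_efi(b"\x48\x31\xc0\xc3")   # xor eax,eax; ret
    print(authenticode_hash(sample))
```

On a real kernel or `.efi` file, pass its bytes to `authenticode_hash` and cross-check the result against what `pesign`'s `--hash` option or efitools' `hash-to-efi-sig-list` prints before enrolling it with KeyTool; if the three disagree, the file is not what you think it is.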