UEFI Secureboot with iPXE (selfsigned db,pk keys or shim + company cert signed by M$)
2016-10-19, 13:43
Post: #1
Hi!

If we assume the following scenario to be true:
"Someone got Micro$oft to sign an ipxe.efi file so we could use ipxe.efi with full secureboot=on support (stock M$ UEFI certificates in firmware)."

From within iPXE, we would not be able to start any Linux installations the way we're used to; in other words, this would not work:
initrd http://192.168.1.100/rhel72/images/pxeboot/initrd.img
chain http://192.168.1.100/rhel72/images/pxeboot/vmlinuz initrd=initrd.img inst.repo=http://192.168.1.100/centos7/

Because these Linux kernels are not signed by Microsoft, only by Red Hat.
I do understand that by adding our own self-signed keys to the UEFI firmware (db, kek, pk) and signing everything ourselves, it works as expected (I have tested that to be true, and it works fine).

But could it be possible for iPXE to work together with shim (first-stage bootloader), as shim+grub works for Red Hat/Fedora and Ubuntu?
If we got Microsoft to sign our own custom shim, with our company cert (VENDOR_CERT_FILE), then iPXE would have to do some "shim_lock|verify" function as grub does. Could this work?

(The idea is to just use the stock UEFI firmware keys, so we don't need to install our own UEFI keys in db, kek, pk.)

--
Torgeir
2016-10-19, 17:43
Post: #2
RE: UEFI Secureboot with iPXE (selfsigned db,pk keys or shim + company cert signed by M$)
One issue with shim + iPXE is: how would it be possible for it to PXE-chainload the shim and then iPXE when there is no driver etc. in the shim? Or can grub boot over the network via shim as well?

Currently, all loading of anything from within iPXE is done via the normal firmware load, so all the verifying is done by the EFI firmware.

An alternative might be to use a signed shim.efi that can just take extra options for what it loads and with options, so your ipxe script would end up as
Code:
#!ipxe
initrd http://192.168.1.100/rhel72/images/pxeboot/initrd.img
initrd http://192.168.1.100/rhel72/images/pxeboot/vmlinuz
chain http://192.168.1.100/rhel72/images/pxeboot/shim.efi vmlinuz initrd=initrd.img inst.repo=http://192.168.1.100/centos7/

This is similar to what wimboot currently does.

These are just ideas based on what I have read about the iPXE signing.
We will need mcb30's input here.

2016-10-19, 17:58
Post: #3
RE: UEFI Secureboot with iPXE (selfsigned db,pk keys or shim + company cert signed by M$)
shim+iPXE in UEFI mode with secureboot off works fine.
Yes, you can PXE-boot the signed shim+grub with secureboot on too; that works great. I have used that as an alternative to using the DVD (which works too when secureboot is on).

I'm not sure if you can boot shim that way. As far as I know the stock version just fires off a hardcoded file named "grubx64.efi" from the same folder.

Will test tomorrow though.

--
Torgeir