[ipxe-devel] iPXE support for UEFI Secure Boot

Michael Brown mcb30 at ipxe.org
Mon Dec 11 16:56:50 UTC 2017


On 11/12/17 00:44, Ian Bobbitt wrote:
> It's unlikely that iPXE can, or will ever be able to, have a valid 
> Secure Boot signature. iPXE is licensed GPL v2 (or later) [1]. 
> Microsoft, who are in charge of Secure Boot signatures, will not sign 
> software subject to GPL v3 [2], because doing so would obligate them to 
> publicly disclose their signing keys [3]. Other Open Source projects 
> that do have Secure Boot signed loaders use a shim [4] with another 
> license (e.g. GPL v2 only, or a BSD variant) that is compatible with 
> signed code.

Microsoft is prepared to sign iPXE provided that various subsystems with 
known flaws are excluded.  You can exclude the relevant subsystems using 
instructions as per

   http://git.ipxe.org/ipxe.git/commitdiff/7428ab7

I have previously obtained signed iPXE builds from Microsoft.  The 
process of obtaining a signed build from Microsoft is tedious and very 
manual; this is the only reason that we do not have regular signed releases.

Michael


