[ipxe-devel] iPXE support for UEFI Secure Boot

Ian Bobbitt ian at icb.im
Mon Dec 18 14:53:04 UTC 2017


On Mon, Dec 11, 2017 at 11:56 AM, Michael Brown <mcb30 at ipxe.org> wrote:

> On 11/12/17 00:44, Ian Bobbitt wrote:
>
>> It's unlikely that iPXE can, or will ever be able to, have a valid Secure
>> Boot signature. iPXE is licensed GPL v2 (or later) [1]. Microsoft, who are
>> in charge of Secure Boot signatures, will not sign software subject to GPL
>> v3 [2], because doing so would obligate them to publicly disclose their
>> signing keys [3]. Other Open Source projects that do have Secure Boot
>> signed loaders use a shim [4] with another license (e.g. GPL v2 only, or a
>> BSD variant) that is compatible with signed code.
>>
>
> Microsoft is prepared to sign iPXE provided that various subsystems with
> known flaws are excluded.  You can exclude the relevant subsystems using
> instructions as per
>
>   http://git.ipxe.org/ipxe.git/commitdiff/7428ab7
>
> I have previously obtained signed iPXE builds from Microsoft.  The process
> of obtaining a signed build from Microsoft is tedious and very manual; this
> is the only reason that we do not have regular signed releases.
>
> Michael
>

That's great to hear. How were you able to get around the GPL v3 key
disclosure requirements?

Are you able to make these signed builds public? If so, will you be able to
release updates occasionally? Maybe yearly, or "major" iPXE release?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ipxe.org/pipermail/ipxe-devel/attachments/20171218/49387294/attachment.htm>


More information about the ipxe-devel mailing list