[ipxe-devel] iPXE on uefi and secure boot enabled boxes

Michael Brown mcb30 at ipxe.org
Fri Jun 23 00:36:36 UTC 2017


On 22/06/17 22:20, Charak, Vikas wrote:
>  1. Does iPXE allows you to run ONLY signed EFI binaries, when UEFI and
>     secure boot is enabled ? At least that’s what my findings show.

iPXE defers to the UEFI platform's LoadImage() and StartImage() 
mechanisms for UEFI binaries.  When secure boot is enabled, these will 
typically accept only UEFI binaries that have a valid secure boot signature.

There are two entirely independent security mechanisms at work in your 
setup:

- The UEFI secure boot policy, implemented by the UEFI platform 
independently of iPXE.  This policy affects iPXE's ability to execute 
UEFI binaries (but not iPXE scripts).

- The iPXE code signing policy (set via the "imgtrust" command).  This 
policy affects iPXE's ability to execute any image (including scripts).

Since you have enabled _both_ UEFI secure boot and iPXE's own code 
signing checks, you will find that:

- iPXE scripts must be validated via the "imgverify" command.

- UEFI binaries must be validated via the "imgverify" command and must 
also have a valid secure boot embedded signature.

Michael



More information about the ipxe-devel mailing list