[ipxe-devel] iPXE on uefi and secure boot enabled boxes

Charak, Vikas vicharak at verisign.com
Fri Jun 23 13:29:05 UTC 2017


Hi Christian,
See my comments below:

On 6/22/17, 5:28 PM, "Christian Nilsson" <nikize at gmail.com> wrote:

    On Thu, Jun 22, 2017 at 11:20 PM, Charak, Vikas <vicharak at verisign.com> wrote:
    > Hello,
    >
    > I have recently been experimenting with iPXE on “UEFI and SECURE” boot enabled
    > boxes.
    >
    > Here is what I did and my findings:
    >
    > 1. I generated CA certs.
    >
    > 2. Generated a signing cert and signed it with my CA, which will be used to
    > sign binaries which iPXE will trust.
    >
    > 3. Created ipxe.efi and embedded the required certs as follows:
    >
    >
    >
    > make bin-x86_64-efi/ipxe.efi  EMBED=chain.ipxe TRUST=ca.crt
    > CERT=signing.crt DEBUG=script,scsi,iscsi,image
    >
    Here TRUST=ca.crt CERT=signing.crt is mainly used for HTTPS transfers
    and certificate validation and is not related to secure boot.

===========>This is not entirely true. As per the docs, these certs are also used to verify images by using the “imgverify” command.
You are correct in saying that this is not related to secure boot and I 100% agree. Secure boot has already done its job by letting ipxe.efi execute.
I was just trying to explain my setup.

    > (Also IMAGE_TRUST_CMD   was enabled)
    >
    >
    >
    > 4. I also signed ipxe.efi and enrolled that cert in the UEFI firmware.
    >
    > 5. Restarted the machine. From the UEFI firmware shell, executed ipxe.efi.
    >
    > Machine’s UEFI firmware verified the signatures of iPXE and ran it successfully.
    > All good so far.
    >
    > Now iPXE presents me an iPXE command prompt (because of my embedded
    > chain.ipxe (#!ipxe dhcp shell)).
    >
    > To test the iPXE signature verification process, I downloaded a Debian EFI
    > test file “bootnetx64.efi” and placed it on my local HTTP server.
    >
    > Now, I tried booting from it:
    >
    > Ipxe> chain http://<server>/bootnetx64.efi
    >
    > Failed with the message “Invalid magic number”. As expected, which is good.
    >
    >
    >
    > Then I signed “bootnetx64.efi” with “signing.crt”, and created
    > bootnetx64.efi.signed (with embedded signatures),
    >
    > Ipxe> chain http://<server>/bootnetx64.efi.signed
    >
    > Worked fine!!
    >
    >
    >
    > Now, here are my questions:
    >
    > Does iPXE allow you to run ONLY signed EFI binaries when UEFI and secure
    > boot is enabled? At least that’s what my findings show.
    > When I created a file boot.ipxe with the following script:
    >
    > #!ipxe
    >
    > imgtrust --permanent
    >
    > initrd initrd.img
    >
    > kernel vmlinuz initrd=initrd.img
    >
    > imgverify vmlinuz http://<server>/vmlinuz.sig
    >
    > boot  vmlinuz
    >
    >
    >
    > and tried the following:
    >
    > ipxe>chain http://<server>/boot.ipxe,
    >
    >
    >
    > I get error :
    >
    > EFIIMAGE 0x7745d7c8 could not load: Error 0x7f048183
    >
    > IMAGE boot.secure is not EFI: Error 0x7f048183
    >
    > IMAGE boot.secure is script
    >
    > IMAGE boot.secure unregistered
    >
    >
    >
    > All these are probably valid errors, since boot.ipxe is not a UEFI file and
    > is also not signed.
    >
    > In this case, you will not be able to run iPXE script files. Is that the
    > case?
    >
    >
    
    I think you also get links to ipxe.org for those errors that could
    explain what each of them means?
    I don't think iPXE scripts are ever validated (unless you explicitly
    verify the dl), and the secure boot part is (for now) done simply by
    calling the firmware's EFI loading routines. iPXE itself doesn't do any
    validation before booting - that is all up to the firmware. (There
    have been requests to modify this behavior, don't know if any changes
    are planned though.)
    
    /Christian
    
    >
    >
    >
    >
    >
    > Regards,
    >
    > Vik
    >
    >
    > _______________________________________________
    > ipxe-devel mailing list
    > ipxe-devel at lists.ipxe.org
    > https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel
    >
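
The explicit verification of a downloaded script that the reply above mentions, written out as an added example; it is not part of the original thread and not the iPXE project's own code. It assumes a build with IMAGE_TRUST_CMD and the TRUST=/CERT= certificates from the make line, and a hypothetical detached signature file named boot.ipxe.sig served next to boot.ipxe.

```ipxe
#!ipxe
# Added example, constructed for illustration (not from the thread).
# Assumptions: built with IMAGE_TRUST_CMD and TRUST=/CERT= as in the make
# line above; boot.ipxe.sig is a hypothetical detached signature of
# boot.ipxe made with the signing certificate.

dhcp || goto fail

# Refuse to execute any image that has not been marked trusted.
# --permanent stops a later script from relaxing this setting.
imgtrust --permanent

# Download the script WITHOUT running it. "chain <url>" would fetch and
# execute in one step, leaving no point at which to check a signature.
imgfetch --name boot.ipxe http://<server>/boot.ipxe || goto fail

# Check the detached signature against the embedded trust chain.
# On success the image is marked trusted; on failure it is never executed.
imgverify boot.ipxe http://<server>/boot.ipxe.sig || goto fail

# Run the already downloaded, now trusted, image by its registered name.
imgexec boot.ipxe || goto fail
exit

:fail
echo Verification or boot failed, dropping to shell
# Discard the unverified image so it cannot be run by accident.
imgfree boot.ipxe ||
shell
```

Because the trust requirement stays in force, the verified boot.ipxe still needs its own imgverify line for the kernel it loads, as in the script quoted above.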
    