[ipxe-devel] ipxe and uefi secure boot

Christian Nilsson nikize at gmail.com
Thu Sep 27 09:02:18 UTC 2018


On Thu, 27 Sep 2018 at 09:06, Tamas Baumgartner-Kis <tbk-ipxe at yals.de>
wrote:

> Hi,
>
> I'm wondering how ipxe handles image loading with uefi secure boot enabled.
>
> I have my own uefi secure boot keys (so no microsoft keys).
>
> When I sign ipxe with my own key everything is ok and I'm able to boot ipxe
> over the network and uefi secure boot isn't complaining.
>
> If I boot from ipxe a uefi_shell.efi signed with my key the shell is loading
> fine and again uefi secure boot is satisfied.
>
> But if I boot a kernel signed with my key ipxe stops to execute the kernel
> with the following error:
>
> Could not boot image: Exec format error (http://ipxe.org/2e008081)
>
> Kind regards
>    Tamas Baumgartner-Kis
>
>
>
This will be a simplified quick explanation. Source code for details ;)
iPXE loads the binary and then calls the firmware LoadImage - meaning that
it is up to the firmware LoadImage function to validate the signature, and
return an error to iPXE if the signature is not valid.
iPXE itself does not have any code to check the signature, and by using the
firmware to check it, it isn't needed.
In this case it seems that the image is not valid according to the firmware
functions?
Could you validate that the kernel loads fine from the efi_shell, or
without having iPXE in between?

/Christian
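
Added example (not part of the original message and not iPXE code): since the signature check is left to the firmware's LoadImage, a file can be inspected offline for the PE/COFF header fields the firmware reads when it loads and verifies an image, namely the PE magic, an EFI subsystem and a certificate table. `inspect_efi_image` and `build_sample` are hypothetical names, and the sample header bytes are constructed.

```python
import struct

EFI_SUBSYSTEMS = {10: "application", 11: "boot service driver", 12: "runtime driver"}
CERT_TABLE_INDEX = 4  # data-directory slot of the certificate table (a file offset, not an RVA)


def inspect_efi_image(data: bytes) -> dict:
    """Hypothetical helper: report the PE/COFF header facts of a boot image."""
    result = {"is_pe": False, "efi_subsystem": None, "has_cert_table": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return result
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt = pe_off + 24                               # start of the optional header
    if opt_size < 2 or opt + opt_size > len(data):
        return result
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs_rel = {0x10B: 96, 0x20B: 112}.get(magic)   # PE32 / PE32+ directory offset
    if dirs_rel is None or opt_size < dirs_rel:
        return result
    result["is_pe"] = True
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    result["efi_subsystem"] = EFI_SUBSYSTEMS.get(subsystem)
    (num_dirs,) = struct.unpack_from("<I", data, opt + dirs_rel - 4)
    entry = dirs_rel + 8 * CERT_TABLE_INDEX
    if num_dirs > CERT_TABLE_INDEX and entry + 8 <= opt_size:
        cert_off, cert_size = struct.unpack_from("<II", data, opt + entry)
        result["has_cert_table"] = 0 < cert_size <= len(data) - cert_off
    return result


def build_sample(signed: bool) -> bytes:
    """Constructed PE32+ header for the demo; not a bootable or signed image."""
    image = bytearray(0x40 + 24 + 112 + 8 * 16)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)                # e_lfanew
    struct.pack_into("<4sH", image, 0x40, b"PE\0\0", 0x8664)  # signature, x86-64
    struct.pack_into("<H", image, 0x40 + 20, 112 + 8 * 16)   # SizeOfOptionalHeader
    opt = 0x40 + 24
    struct.pack_into("<H", image, opt, 0x20B)                # PE32+ magic
    struct.pack_into("<H", image, opt + 68, 10)              # subsystem: EFI application
    struct.pack_into("<I", image, opt + 108, 16)             # NumberOfRvaAndSizes
    if signed:  # 16 placeholder bytes stand in for a WIN_CERTIFICATE blob
        struct.pack_into("<II", image, opt + 112 + 32, len(image), 16)
        image += b"\0" * 16
    return bytes(image)
```

A certificate table being present only shows that the file carries a signature blob; whether that signature is accepted is still decided by the firmware.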