<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Title content=""><meta name=Keywords content=""><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:182864849;
mso-list-type:hybrid;
mso-list-template-ids:1837957014 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1
{mso-list-id:630483275;
mso-list-type:hybrid;
mso-list-template-ids:-1759729946 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2
{mso-list-id:847989919;
mso-list-type:hybrid;
mso-list-template-ids:-1197453922 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l2:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l3
{mso-list-id:1652907397;
mso-list-type:hybrid;
mso-list-template-ids:-1688962890 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l3:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l3:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l3:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style></head><body bgcolor=white lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>Hello,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>I have been recently experimenting iPXE on “UEFI and SECURE” boot enabled boxes.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Here is what I did and my findings:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>1.I generated CA certs.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>2. Generated a signing cert and signed with my CA , which will be used to sign binaries which iPXE will trust.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>3.Created ipxe.efi and embedded required certs as follows:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>make bin-x86_64-efi/ipxe.efi EMBED=chain.ipxe TRUST=ca.crt CERT=signing.crt DEBUG=script,scsi,iscsi,image<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>(Also IMAGE_TRUST_CMD was enabled)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>4.I also signed ipxe.efi and enrolled that Cert in UEFI firmware.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>5. Re started machine . From UEFI firmware shell, executed ipxe.efi . <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Machine’s UEFI firmware verified signatures of iPXE and ran it successfully. All good so far.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Now iPXE presents me a iPXE command prompt (because of my embedded chain.ipxe (#!ipxe dhcp shell). )<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>To test iPXE signature verification process , I down loaded a debian efi test file “bootnetx64.efi” and placed it on my local http server.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Now, I tried booting from it <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Ipxe> chain <a href="http://%3c%3e/bootnetx64.efi">http://<server>/bootnetx64.efi</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Failed with message “Invalid magic number”. As expected , which is good.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Then I signed “bootnetx64.efi” with “signing.crt”, and created bootnetx64.efi.signed ( with embedded signatures), <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Ipxe> chain <a href="http://%3c%3e/bootnetx64.efi.signed">http://<server>/bootnetx64.efi.signed</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Worked fine!!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Now, here are my questions:<o:p></o:p></span></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l3 level1 lfo4'><span style='font-size:11.0pt'>Does iPXE allows you to run ONLY signed EFI binaries, when UEFI and secure boot is enabled ? At least that’s what my findings show.<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l3 level1 lfo4'><span style='font-size:11.0pt'>When I created a file boot.ipxe with following script:<o:p></o:p></span></li></ol><p class=MsoNormal style='margin-left:.25in'><span style='font-size:11.0pt'>#!ipxe<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.25in'><span style='font-size:11.0pt'>imgtrust --permanent<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.25in'><span style='font-size:11.0pt'>initrd initrd.img<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.25in'><span style='font-size:11.0pt'>kernel vmlinuz initrd=initrd.img<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.25in'><span style='font-size:11.0pt'>imgverify vmlinuz http://<server>/vmlinuz.sig<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.25in'><span style='font-size:11.0pt'>boot vmlinuz<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoListParagraph style='margin-left:.25in'><span style='font-size:11.0pt'>and tried following <o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:11.0pt'>ipxe>chain <a href="http://%3cserver%3e/boot.ipxe">http://<server>/boot.ipxe</a>,<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoListParagraph><span style='font-size:11.0pt'>I get error :<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:11.0pt'>EFIIMAGE 0x7745d7c8 could not load: Error 0x7f048183<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:11.0pt'>IMAGE boot.secure is not EFI: Error 0x7f048183<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:11.0pt'>IMAGE boot.secure is script<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:11.0pt'>IMAGE boot.secure unregistered<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoListParagraph><span style='font-size:11.0pt'>All these are probably valid errors, since boot.ipxe is not UEFI file and also not signed. <o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:11.0pt'>In this case, you will not be able to run iPXE script files . Is that the case?<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Regards,</p><p class=MsoNormal>Vik<o:p></o:p></p></div></body></html>