[ipxe-devel] secure boot of ipxe.usb possible?

Gene Cumm gene.cumm at gmail.com
Fri Dec 20 01:44:07 UTC 2013


On Thu, Dec 19, 2013 at 12:28 AM, Andrew Bobulsky <rulerof at gmail.com> wrote:
> On Wed, Dec 18, 2013 at 5:17 PM, Oliver Rath <rath at mglug.de> wrote:

>> As far as I know, it is possible to boot some Linux in secure boot with a
>> signed bootloader.
>>
>> Is this possible with ipxe from usb, too?

> Isn't ipxe.usb just a disk image that loads ipxe.lkrn from syslinux?
> That would make sense to me, as I believe that ipxe.iso does the same
> with isolinux.
>
> So I'd venture the guess... any UEFI bootloader that will load an lkrn
> image and is cross-signed by Microsoft should do the trick.  I recall
> reading that syslinux was to be one such bootloader... but light
> googling didn't yield much info for me :P

No, there is no copy (to my knowledge) of Syslinux that's signed.  To
my knowledge, GRUB, however, has an early stage loader that's signed
and enough to allow a full GRUB EFI environment.

To satisfy this you'll need:

1a) An EFI firmware that will look at your USB storage and autoload the
appropriate file (i.e. /EFI/BOOT/BOOTx64.EFI for EFI-x64) OR
1b) An EFI firmware/environment that allows you to execute arbitrary
filenames from USB.
2) Such file is signed
3a) Such file is iPXE in the appropriate EFI format/architecture (i.e.
bin-x86_64-efi/ipxe.efi ) OR
3b) Such file is a boot loader that can load an iPXE that's in the
appropriate format/architecture for EFI booting.

Note that any BIOS handlers (i.e. INT 15h e820h for the memory map) will
NOT be available unless you can somehow hook the CSM (Compatibility
Support Module), which may mean ipxe.lkrn won't work (if it attempts to
access any of the BIOS handlers, which I'm pretty sure it does).


Why do you want to boot from secure mode?  Why do you want to boot in
EFI mode from USB rather than drop ipxe.efi into your EFI boot volume
or perform an EFI network boot?

-- 
-Gene
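
Added example, not part of the original post and not iPXE project code: a check of requirements 2 and 3a from the list above for a candidate /EFI/BOOT/BOOTx64.EFI, reading the PE/COFF header for architecture, EFI subsystem and a non-empty Certificate Table. The function names and the constructed sample header are assumptions for illustration; a present table only means the file carries a signature blob, not that the firmware trusts the signer.

```python
import struct

MACHINES = {0x8664: "x64", 0x014C: "ia32", 0xAA64: "aa64"}
EFI_APPLICATION = 10  # IMAGE_SUBSYSTEM_EFI_APPLICATION

def inspect_efi_image(data: bytes) -> dict:
    """Report architecture, EFI subsystem and signature-table presence of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    dirs = opt + (96 if magic == 0x10B else 112)  # start of data directories
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)
    cert_off = cert_size = 0
    if ndirs > 4:  # data directory 4 is the Certificate Table (file offset, size)
        cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    in_file = cert_size > 0 and cert_off + cert_size <= len(data)
    return {
        "arch": MACHINES.get(machine, hex(machine)),
        "efi_application": subsystem == EFI_APPLICATION,
        "has_signature_table": in_file,
    }

def make_sample(machine=0x8664, subsystem=EFI_APPLICATION, signed=False) -> bytes:
    """Constructed minimal PE32+ header (not a bootable image) for demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    blob = b"\0" * 8 if signed else b""  # placeholder bytes, not a real signature
    if signed:
        struct.pack_into("<II", opt, 144, 0x40 + 24 + 240, len(blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + blob

if __name__ == "__main__":
    print("unsigned:", inspect_efi_image(make_sample()))
    print("signed:  ", inspect_efi_image(make_sample(signed=True)))
```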


