[ipxe-devel] iPXE support for UEFI Secure Boot

Ian Bobbitt ian at icb.im
Mon Dec 11 00:44:42 UTC 2017

On Fri, Dec 8, 2017 at 2:35 AM, Prasanth Yogaraj -X (pyogaraj - MINDTREE
LIMITED at Cisco) <pyogaraj at cisco.com> wrote:

> Hi Team,
>    I am trying iPXE boot in UEFI Secure boot in Cisco C240-M4 server, when
> I tried to boot into iPXE binaries the system is throwing secure boot
> violation Error as iPXE.efi is not a signed one. Please provide us the
> procedure for signing the iPXE binary and also confirm us the support of
> iPXE in UEFI secure boot Mode.

It's unlikely that iPXE can, or will ever be able to, have a valid Secure
Boot signature. iPXE is licensed GPL v2 (or later) [1]. Microsoft, who are
in charge of Secure Boot signatures, will not sign software subject to GPL
v3 [2], because doing so would obligate them to publicly disclose their
signing keys [3]. Other Open Source projects that do have Secure Boot
signed loaders use a shim [4] with another license (e.g. GPL v2 only, or a
BSD variant) that is compatible with signed code.

If you want to use iPXE with Secure Boot, you'll need to use "Custom" or
"User" mode and install your own key that you use to sign your own build of
iPXE. The ArchLinux wiki article on the subject [5] looks like it should get
you where you need if you go down this path, for both injecting your own
key into your Signature Database, and signing your boot loader. I haven't
used this, and have no idea if it will actually work with iPXE or with your

[1] http://ipxe.org/licensing
[3] https://www.gnu.org/licenses/gpl-3.0.en.html
[4] https://github.com/rhboot/shim
[5] https://wiki.archlinux.org/index.php/Secure_Boot#Using_your_own_keys
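
Added example (not part of the original post, and not iPXE project code): the Secure Boot violation in this thread comes from an EFI image with no embedded signature, so a pre-deployment check can parse the PE/COFF Certificate Table of a build and list its WIN_CERTIFICATE entries. The function names and the bytes produced by `build_sample` are constructed for this demonstration.

```python
import struct

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Certificate Table)

def embedded_signatures(image: bytes):
    """Return [(length, revision, cert_type)] for each WIN_CERTIFICATE in a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    try:
        pe_off = struct.unpack_from("<I", image, 0x3C)[0]
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("not a PE image: no PE signature")
        opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
        opt_off = pe_off + 24  # 4-byte signature + 20-byte COFF header
        magic = struct.unpack_from("<H", image, opt_off)[0]
        dirs_off = {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
        count = struct.unpack_from("<I", image, opt_off + dirs_off - 4)[0]
        entry = opt_off + dirs_off + 8 * CERT_DIR_INDEX
        if count <= CERT_DIR_INDEX or entry + 8 > opt_off + opt_size:
            return []
        table_off, table_size = struct.unpack_from("<II", image, entry)
        if table_off == 0 or table_size == 0:
            return []  # unsigned image: rejected when Secure Boot is enforced
        end = table_off + table_size
        if end > len(image):
            raise ValueError("certificate table runs past end of file")
        found, pos = [], table_off
        while pos + 8 <= end:
            length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
            if length < 8 or pos + length > end:
                raise ValueError("malformed WIN_CERTIFICATE entry")
            found.append((length, revision, cert_type))
            pos += (length + 7) & ~7  # entries are 8-byte aligned
        return found
    except (struct.error, KeyError) as exc:
        raise ValueError(f"truncated or unrecognised PE header: {exc!r}") from None

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a bootable image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16) + b"\0" * 128
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    if signed:
        blob = b"\x30\x80" + b"\0" * 14  # placeholder bytes, not a real PKCS#7 blob
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        struct.pack_into("<II", image, 0x58 + 112 + 8 * CERT_DIR_INDEX, len(image), len(cert))
        image += cert
    return bytes(image)
```

An empty list means the image carries no signature at all. A non-empty list only shows that a signature is present; the firmware still accepts it only if the signing certificate is enrolled in its signature database.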