[ipxe-devel] iPXE support for UEFI Secure Boot
Michael Brown
mcb30 at ipxe.org
Mon Dec 11 16:56:50 UTC 2017
On 11/12/17 00:44, Ian Bobbitt wrote:
> It's unlikely that iPXE can, or will ever be able to, have a valid
> Secure Boot signature. iPXE is licensed GPL v2 (or later) [1].
> Microsoft, who are in charge of Secure Boot signatures, will not sign
> software subject to GPL v3 [2], because doing so would obligate them to
> publicly disclose their signing keys [3]. Other Open Source projects
> that do have Secure Boot signed loaders use a shim [4] with another
> license (e.g. GPL v2 only, or a BSD variant) that is compatible with
> signed code.
Microsoft is prepared to sign iPXE provided that various subsystems with
known flaws are excluded. You can exclude the relevant subsystems using
instructions as per
http://git.ipxe.org/ipxe.git/commitdiff/7428ab7
I have previously obtained signed iPXE builds from Microsoft. The
process of obtaining a signed build from Microsoft is tedious and very
manual; this is the only reason that we do not have regular signed releases.
Michael
More information about the ipxe-devel
mailing list