[ipxe-devel] iPXE on uefi and secure boot enabled boxes
Charak, Vikas
vicharak at verisign.com
Thu Jun 22 21:20:23 UTC 2017
Hello,
I have been recently experimenting with iPXE on “UEFI and SECURE” boot enabled boxes.
Here is what I did and my findings:
1. I generated CA certs.
2. Generated a signing cert and signed it with my CA; this cert will be used to sign the binaries which iPXE will trust.
3. Created ipxe.efi and embedded the required certs as follows:
make bin-x86_64-efi/ipxe.efi EMBED=chain.ipxe TRUST=ca.crt CERT=signing.crt DEBUG=script,scsi,iscsi,image
(Also IMAGE_TRUST_CMD was enabled)
4. I also signed ipxe.efi and enrolled that cert in the UEFI firmware.
5. Restarted the machine. From the UEFI firmware shell, executed ipxe.efi.
The machine’s UEFI firmware verified the signatures of iPXE and ran it successfully. All good so far.
Now iPXE presents me an iPXE command prompt (because of my embedded chain.ipxe: #!ipxe dhcp shell).
To test the iPXE signature verification process, I downloaded a Debian EFI test file “bootnetx64.efi” and placed it on my local HTTP server.
Now, I tried booting from it:
Ipxe> chain http://<server>/bootnetx64.efi
Failed with the message “Invalid magic number”. As expected, which is good.
Then I signed “bootnetx64.efi” with “signing.crt” and created bootnetx64.efi.signed (with embedded signatures):
Ipxe> chain http://<server>/bootnetx64.efi.signed
Worked fine!!
Now, here are my questions:
Does iPXE allow you to run ONLY signed EFI binaries when UEFI and Secure Boot are enabled? At least that’s what my findings show.
When I created a file boot.ipxe with the following script:
#!ipxe
imgtrust --permanent
initrd initrd.img
kernel vmlinuz initrd=initrd.img
imgverify vmlinuz http://<server>/vmlinuz.sig
boot vmlinuz
and tried the following:
ipxe> chain http://<server>/boot.ipxe
I get this error:
EFIIMAGE 0x7745d7c8 could not load: Error 0x7f048183
IMAGE boot.secure is not EFI: Error 0x7f048183
IMAGE boot.secure is script
IMAGE boot.secure unregistered
All these are probably valid errors, since boot.ipxe is not a UEFI file and is also not signed.
In this case, you will not be able to run iPXE script files. Is that the case?
Regards,
Vik
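As an added example (not code from this post and not from the iPXE project), the following POSIX shell script reproduces the certificate steps described above with openssl alone: a CA (what TRUST=ca.crt embeds), a code-signing cert issued by it (what CERT=signing.crt embeds), and the detached signature that "imgverify vmlinuz vmlinuz.sig" consumes, followed by a verifier-side check that chains the signature to the CA and rejects a tampered image. The file names follow the post; the subject names are made up, the "kernel" is a constructed placeholder rather than a real vmlinuz, the "-purpose any" flag is an openssl detail explained in the comments, and the sbsign step for the EFI binary itself only runs if sbsigntools is installed.

```shell
#!/bin/sh
# Added example, not part of the original post: CA -> signing cert -> detached
# CMS signature -> verification, using only openssl. The "-binary -noattr
# -outform DER" form is the one iPXE's imgverify expects. The "kernel" signed
# here is a constructed placeholder file, not a real vmlinuz.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: self-signed CA; this is what goes into the build as TRUST=ca.crt.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example iPXE CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: a code-signing certificate issued by that CA; this is CERT=signing.crt.
make_signing_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example iPXE code signer" \
    -keyout "$WORK/signing.key" -out "$WORK/signing.csr" 2>/dev/null
  printf 'extendedKeyUsage=codeSigning\n' > "$WORK/signing.ext"
  openssl x509 -req -sha256 -days 365 \
    -in "$WORK/signing.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/signing.ext" -out "$WORK/signing.crt" 2>/dev/null
}

# Detached CMS signature for an image (what "imgverify vmlinuz vmlinuz.sig" checks).
sign_image() {  # $1 = image path; writes $1.sig
  openssl cms -sign -binary -noattr -outform DER \
    -in "$1" -signer "$WORK/signing.crt" -inkey "$WORK/signing.key" \
    -certfile "$WORK/ca.crt" -out "$1.sig"
}

# Verifier side: the signature must chain to the CA and match the image bytes.
# "-purpose any" is needed because openssl cms defaults to the S/MIME purpose,
# which rejects a codeSigning-only certificate as "unsupported certificate purpose".
verify_image() {  # $1 = image path; exit status 0 = valid, 1 = rejected
  if openssl cms -verify -binary -inform DER -purpose any \
       -in "$1.sig" -content "$1" -CAfile "$WORK/ca.crt" -out /dev/null 2>/dev/null; then
    return 0
  else
    return 1
  fi
}

# Step 4 of the post: the EFI binary itself gets an Authenticode signature for
# the firmware (sbsigntools); only run when sbsign is installed.
sign_efi() {  # $1 = input.efi; writes $1.signed
  command -v sbsign >/dev/null 2>&1 || { echo "sbsign not installed, skipping" >&2; return 0; }
  sbsign --key "$WORK/signing.key" --cert "$WORK/signing.crt" --output "$1.signed" "$1"
}

# Demo run: constructed placeholder kernel, signed, verified, then tampered with.
make_ca
make_signing_cert
printf 'constructed stand-in for vmlinuz\n' > "$WORK/vmlinuz"
sign_image "$WORK/vmlinuz"
verify_image "$WORK/vmlinuz" && echo "vmlinuz: signature valid"
cp "$WORK/vmlinuz" "$WORK/vmlinuz.tampered"
cp "$WORK/vmlinuz.sig" "$WORK/vmlinuz.tampered.sig"
printf 'x' >> "$WORK/vmlinuz.tampered"
verify_image "$WORK/vmlinuz.tampered" || echo "vmlinuz.tampered: signature rejected"
```

The signing cert carries only the codeSigning extended key usage, which is why the check needs "-purpose any": openssl's cms verifier would otherwise refuse it even though the chain is valid. The same vmlinuz.sig produced here is what the "imgverify vmlinuz http://<server>/vmlinuz.sig" line in the script above fetches, and the tampered run shows the failure mode that line is there to catch.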