[ipxe-devel] iPXE on uefi and secure boot enabled boxes

Christian Nilsson nikize at gmail.com
Thu Jun 22 21:28:46 UTC 2017


On Thu, Jun 22, 2017 at 11:20 PM, Charak, Vikas <vicharak at verisign.com> wrote:
> Hello,
>
> I have been recently experimenting with iPXE on "UEFI and SECURE" boot enabled
> boxes.
>
> Here is what I did and my findings:
>
> 1. I generated CA certs.
>
> 2. Generated a signing cert and signed it with my CA, which will be used to
> sign binaries which iPXE will trust.
>
> 3. Created ipxe.efi and embedded required certs as follows:
>
> make bin-x86_64-efi/ipxe.efi EMBED=chain.ipxe TRUST=ca.crt
> CERT=signing.crt DEBUG=script,scsi,iscsi,image
>
Here TRUST=ca.crt CERT=signing.crt is mainly used for HTTPS transfers
and certificate validation and is not related to secure boot.


> (Also IMAGE_TRUST_CMD was enabled)
>
> 4. I also signed ipxe.efi and enrolled that cert in UEFI firmware.
>
> 5. Restarted machine. From UEFI firmware shell, executed ipxe.efi.
>
> Machine’s UEFI firmware verified signatures of iPXE and ran it successfully.
> All good so far.
>
> Now iPXE presents me an iPXE command prompt (because of my embedded
> chain.ipxe (#!ipxe dhcp shell).)
>
> To test the iPXE signature verification process, I downloaded a debian efi
> test file "bootnetx64.efi" and placed it on my local http server.
>
> Now, I tried booting from it
>
> Ipxe> chain http://<server>/bootnetx64.efi
>
> Failed with message "Invalid magic number". As expected, which is good.
>
>
>
> Then I signed "bootnetx64.efi" with "signing.crt", and created
> bootnetx64.efi.signed (with embedded signatures),
>
> Ipxe> chain http://<server>/bootnetx64.efi.signed
>
> Worked fine!!
>
>
>
> Now, here are my questions:
>
> Does iPXE allow you to run ONLY signed EFI binaries, when UEFI and secure
> boot is enabled? At least that's what my findings show.
> When I created a file boot.ipxe with the following script:
>
> #!ipxe
>
> imgtrust --permanent
>
> initrd initrd.img
>
> kernel vmlinuz initrd=initrd.img
>
> imgverify vmlinuz http://<server>/vmlinuz.sig
>
> boot  vmlinuz
>
>
>
> and tried the following
>
> ipxe>chain http://<server>/boot.ipxe,
>
>
>
> I get the error:
>
> EFIIMAGE 0x7745d7c8 could not load: Error 0x7f048183
>
> IMAGE boot.secure is not EFI: Error 0x7f048183
>
> IMAGE boot.secure is script
>
> IMAGE boot.secure unregistered
>
>
>
> All these are probably valid errors, since boot.ipxe is not a UEFI file and
> also not signed.
>
> In this case, you will not be able to run iPXE script files. Is that the
> case?
>
>

I think you also get links to ipxe.org for those errors that could
explain what each of them means?
I don't think ipxe scripts are ever validated (unless you explicitly
verify the download), and the secure boot part is (for now) done simply by
calling the firmware's EFI loading routines. iPXE itself doesn't do any
validation before booting - that is all up to the firmware. (There
have been requests to modify this behavior, don't know if any changes
are planned though.)

/Christian

>
> Regards,
>
> Vik
>
> _______________________________________________
> ipxe-devel mailing list
> ipxe-devel at lists.ipxe.org
> https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel
>
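As an added example (not from this thread or the iPXE project): the detached CMS signature that the "imgverify vmlinuz http://<server>/vmlinuz.sig" line in the quoted script consumes, produced and checked locally with openssl. The CA and signing cert are throwaway ones generated by the script (standing in for the TRUST=ca.crt / CERT=signing.crt pair above), the "vmlinuz" is a constructed dummy file rather than a kernel, and the signing recipe follows the one documented at ipxe.org/crypto.

```shell
#!/bin/sh
# Added example: build and check an imgverify-style detached CMS signature.
# Throwaway CA + signer, dummy "vmlinuz" payload; nothing here is a real key.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA (the role of TRUST=ca.crt) and a signing cert issued by it
# (the role of CERT=signing.crt). One-day lifetime, no extensions needed.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Signer" \
        -keyout signing.key -out signing.csr 2>/dev/null
    openssl x509 -req -days 1 -in signing.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out signing.crt 2>/dev/null
}

# Detached, DER-encoded CMS signature over the raw image bytes, with the
# signer chain included so the verifier can build a path to the trusted CA.
sign_image() {  # $1 = image, $2 = output .sig
    openssl cms -sign -binary -noattr -in "$1" -signer signing.crt \
        -inkey signing.key -certfile ca.crt -outform DER -out "$2"
}

# The check imgverify performs: 0 if the signature matches the image bytes
# and the signer chains to ca.crt, non-zero otherwise.
verify_image() {  # $1 = image, $2 = .sig
    openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
        -CAfile ca.crt -out /dev/null 2>/dev/null
}

make_certs
printf 'constructed dummy kernel payload\n' > vmlinuz   # constructed input
sign_image vmlinuz vmlinuz.sig
verify_image vmlinuz vmlinuz.sig && echo "vmlinuz: signature OK"

# One flipped byte must be rejected; that is the property imgverify gives you.
cp vmlinuz vmlinuz.tampered
printf 'X' | dd of=vmlinuz.tampered bs=1 seek=0 conv=notrunc 2>/dev/null
if verify_image vmlinuz.tampered vmlinuz.sig; then
    echo "unexpected: tampered image accepted"
else
    echo "vmlinuz.tampered: signature REJECTED"
fi
```

Serve vmlinuz and vmlinuz.sig from the same HTTP server the script fetches from; the iPXE side needs only the TRUST= root that issued signing.crt embedded in the binary.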