[ipxe-devel] iPXE on uefi and secure boot enabled boxes
Michael Brown
mcb30 at ipxe.org
Fri Jun 23 00:36:36 UTC 2017
On 22/06/17 22:20, Charak, Vikas wrote:
> 1. Does iPXE allow you to run ONLY signed EFI binaries, when UEFI and
> secure boot is enabled? At least that’s what my findings show.
iPXE defers to the UEFI platform's LoadImage() and StartImage()
mechanisms for UEFI binaries. When secure boot is enabled, these will
typically accept only UEFI binaries that have a valid secure boot signature.

There are two entirely independent security mechanisms at work in your
setup:

- The UEFI secure boot policy, implemented by the UEFI platform
  independently of iPXE. This policy affects iPXE's ability to execute
  UEFI binaries (but not iPXE scripts).

- The iPXE code signing policy (set via the "imgtrust" command). This
  policy affects iPXE's ability to execute any image (including scripts).

Since you have enabled _both_ UEFI secure boot and iPXE's own code
signing checks, you will find that:

- iPXE scripts must be validated via the "imgverify" command.

- UEFI binaries must be validated via the "imgverify" command and must
  also have a valid secure boot embedded signature.

Michael
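
The two policies described in the message above, shown as an iPXE script. This is an added example, not part of the original post and not code from the iPXE project. The host boot.example.com, the image names and the .sig files are constructed placeholders, and it assumes an iPXE build that includes the image trust commands and a trusted root for the code signing certificate.

```ipxe
#!ipxe
# Constructed placeholder; replace with your own boot server.
set base http://boot.example.com

# Enable iPXE's own code signing policy: untrusted images can no longer
# be executed. --permanent keeps the policy fixed until the next reboot,
# so a later script cannot relax it with "imgtrust --allow".
imgtrust --permanent

# Case 1: an iPXE script. Only the iPXE policy applies to it, so a
# detached signature checked by imgverify is all that is needed.
imgfetch --name menu.ipxe ${base}/menu.ipxe || goto failed
imgverify menu.ipxe ${base}/menu.ipxe.sig || goto failed
imgexec menu.ipxe || goto failed

# Case 2: a UEFI binary. imgverify satisfies the iPXE policy ...
imgfetch --name grubx64.efi ${base}/grubx64.efi || goto failed
imgverify grubx64.efi ${base}/grubx64.efi.sig || goto failed

# ... but execution is handed to the platform's LoadImage() and
# StartImage(). With secure boot enabled, the binary must also carry
# an embedded secure boot signature the firmware accepts, or this
# step fails even though imgverify succeeded.
imgexec grubx64.efi || goto failed

:failed
echo Image verification or execution failed
shell
```

A failure at an imgverify line points at the iPXE code signing policy (missing or invalid detached signature), while a failure only at the final imgexec of the UEFI binary points at the platform's secure boot policy.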