[ipxe-devel] iPXE on uefi and secure boot enabled boxes

Charak, Vikas vicharak at verisign.com
Fri Jun 23 13:31:24 UTC 2017


Hi Michael,

I agree with your explanation and my experiments sort of lead to this conclusion also. I just wanted to make sure that I am not missing anything in iPXE.
This is my first experiment with iPXE.

Have a great day.
--Vik


On 6/22/17, 8:36 PM, "Michael Brown" <mcb30 at ipxe.org> wrote:

    On 22/06/17 22:20, Charak, Vikas wrote:
    >  1. Does iPXE allow you to run ONLY signed EFI binaries, when UEFI and
    >     secure boot are enabled? At least that’s what my findings show.
    
    iPXE defers to the UEFI platform's LoadImage() and StartImage() 
    mechanisms for UEFI binaries.  When secure boot is enabled, these will 
    typically accept only UEFI binaries that have a valid secure boot signature.
    
    There are two entirely independent security mechanisms at work in your 
    setup:
    
    - The UEFI secure boot policy, implemented by the UEFI platform 
    independently of iPXE.  This policy affects iPXE's ability to execute 
    UEFI binaries (but not iPXE scripts).
    
    - The iPXE code signing policy (set via the "imgtrust" command).  This 
    policy affects iPXE's ability to execute any image (including scripts).
    
    Since you have enabled _both_ UEFI secure boot and iPXE's own code 
    signing checks, you will find that:
    
    - iPXE scripts must be validated via the "imgverify" command.
    
    - UEFI binaries must be validated via the "imgverify" command and must 
    also have a valid secure boot embedded signature.
    
    Michael
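
The two policies described in the reply above, shown as an iPXE script. This is an added example, not part of the original thread or the iPXE project's code. The host boot.example.test and all file names are placeholders, and it assumes an iPXE build that includes the image trust commands and trusts the certificate chain used to produce the .sig files.

```ipxe
#!ipxe
# Added example. boot.example.test and all file names are placeholders.
# Assumes an iPXE build that includes the image trust commands and trusts
# the certificate chain used to produce the .sig files.

# iPXE code signing policy: refuse to execute any image that has not
# passed imgverify; --permanent stops later commands relaxing it.
imgtrust --permanent

# UEFI binary: needs BOTH a detached signature that imgverify accepts
# (iPXE policy) and an embedded secure boot signature that the platform's
# LoadImage()/StartImage() accept (UEFI policy, outside iPXE's control).
kernel --name loader.efi http://boot.example.test/loader.efi || goto rescue
imgverify loader.efi http://boot.example.test/loader.efi.sig || goto rescue
boot || goto rescue

:rescue
# iPXE script: UEFI secure boot does not apply, only imgverify does.
imgfree
imgfetch --name rescue.ipxe http://boot.example.test/rescue.ipxe || goto failed
imgverify rescue.ipxe http://boot.example.test/rescue.ipxe.sig || goto failed
imgexec rescue.ipxe || goto failed

:failed
echo Image rejected by the iPXE trust policy or by UEFI secure boot
exit 1
```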
    