[ipxe-devel] iPXE on uefi and secure boot enabled boxes

Charak, Vikas vicharak at verisign.com
Wed Jun 28 14:50:49 UTC 2017


Hello,
Here is what my little experiment shows:
1. With Linux (CentOS)
Linux (CentOS) has a feature for building an EFI binary. So I built one and signed it with the private part of the key whose public part is enrolled in the UEFI firmware.
Built ipxe.efi and also signed it with the same private key as above. Now with UEFI and Secure Boot enabled, I ran ipxe.efi from the UEFI shell and ended up at the iPXE shell. All good.
Now I ran
iPXE> chain http://<server>/vmlinuz.efi.signed
iPXE transferred control over to the underlying EFI firmware, the signatures of vmlinuz.efi.signed were verified, and vmlinuz was executed. Nice!

2. With FreeBSD (10.x)
FreeBSD does not have a feature to build an EFI binary. So, I followed a different path. Why not use iPXE's signature verification process?
Before doing anything with signing, I made sure that iPXE can boot my freebsd.iso file. So, I disabled Secure Boot and also disabled iPXE's signature verification feature and ran the following:
iPXE> sanboot http://<server>/freebsd.iso
iPXE executed the .ISO file and the FreeBSD menu was shown. All OK here.
Now I enabled Secure Boot and iPXE's signature verification feature. Created a freebsd.iso.sig file containing the signature of freebsd.iso.
Ran the following:
iPXE> imgverify http://<server>/freebsd.iso http://<server>/freebsd.iso.sig
iPXE> imgstat
freebsd.iso [TRUSTED]
Now I see that freebsd has been trusted, but all efforts to run it fail. Some examples below:
iPXE> chain freebsd.iso iso raw
Could not boot: Exec format error

iPXE> imgload freebsd.iso
Could not boot: Exec format error

So instead of trying an ISO, I created a simple iPXE script menu.ipxe and created its signature menu.ipxe.sig.
iPXE> imgverify http://<server>/menu.ipxe http://<server>/menu.ipxe.sig
iPXE> imgstat
menu.ipxe [script] [TRUSTED]

iPXE> chain menu.ipxe
This runs fine. The menu shows up.

Now I understand that ISOs and .IPXE scripts are two different things, but the process of signature verification is the same. This could also be how ISOs are treated in iPXE.
Any help is appreciated. This is a really good experiment which can show the capabilities of iPXE. Also please let me know if I should post it somewhere else.

Regards,
Vik
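As an added example (not code from this thread or from the iPXE project), the POSIX shell script below reproduces with OpenSSL the signing side of the imgverify workflow described above: it builds a throwaway CA and a code-signing certificate, produces a detached CMS signature of the kind imgverify consumes, and checks it against the CA, including a tampered copy of the image, which is the case imgverify must refuse to mark TRUSTED. The CA name, the file names and the sample menu script are constructed assumptions. It covers only iPXE's own code-signing check; the UEFI secure boot policy that Michael's quoted reply below describes is enforced by the firmware and is not touched here.

```shell
#!/bin/sh
# Added example: iPXE-style detached CMS signatures with OpenSSL.
# Assumptions (not from the thread): OpenSSL 1.1 or later is installed and
# the iPXE image was built with this CA as its trust root (TRUST=ca.crt,
# as documented at ipxe.org/crypto). All file names are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Private CA. Its certificate is what gets embedded in iPXE at build time.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example iPXE signing CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
}

# 2. Code-signing certificate issued by that CA. iPXE's CMS verification
#    rejects a signer certificate that lacks the codeSigning extended key usage,
#    so the extension is set explicitly here.
make_signer() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example image signer" \
        -keyout signer.key -out signer.csr 2>/dev/null
    printf 'extendedKeyUsage = codeSigning\n' > signer.ext
    openssl x509 -req -sha256 -days 365 -in signer.csr \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile signer.ext -out signer.crt 2>/dev/null
}

# 3. Produce <image>.sig: a DER-encoded, detached CMS signature over the raw
#    bytes with no signed attributes (-binary -noattr), which is the format
#    "imgverify <image> <image>.sig" expects. The CA cert is bundled so the
#    chain can be built from the signature alone.
sign_image() {
    image="$1"
    openssl cms -sign -binary -noattr -in "$image" \
        -signer signer.crt -inkey signer.key -certfile ca.crt \
        -outform DER -out "$image.sig"
}

# 4. Check a signature the way imgverify does: the signature must match the
#    image content byte for byte and the signer must chain to the trusted CA.
#    -purpose any is needed because OpenSSL's default purpose for cms -verify
#    is S/MIME signing, which a codeSigning-only certificate does not satisfy.
verify_image() {
    image="$1"
    sig="$2"
    if openssl cms -verify -binary -inform DER -in "$sig" -content "$image" \
        -CAfile ca.crt -purpose any -out /dev/null 2>/dev/null; then
        echo TRUSTED
    else
        echo UNTRUSTED
    fi
}

make_ca
make_signer

# Constructed sample image: a trivial iPXE script.
printf '#!ipxe\necho constructed sample menu\n' > menu.ipxe
sign_image menu.ipxe
echo "menu.ipxe $(verify_image menu.ipxe menu.ipxe.sig)"

# A single appended byte invalidates the signature: the image is no longer
# the one that was signed, so it must not be reported as trusted.
cp menu.ipxe tampered.ipxe
printf '\n' >> tampered.ipxe
echo "tampered.ipxe $(verify_image tampered.ipxe menu.ipxe.sig)"
```

The signed file and its `.sig` would then be served over HTTP exactly as in the imgverify commands above; the `.sig` carries the signer certificate and the CA certificate, so the only thing iPXE needs to hold locally is the CA it was built to trust.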





On 6/23/17, 9:31 AM, "ipxe-devel-bounces at ipxe.org on behalf of Charak, Vikas" <ipxe-devel-bounces at ipxe.org on behalf of vicharak at verisign.com> wrote:

    Hi Michael,
    
    I agree with your explanation and my experiments sort of lead to this conclusion also. I just wanted to make sure that I am not missing anything in iPXE.
    This is my first experiment with iPXE.
    
    Have a great day.
    --Vik
    
    
    On 6/22/17, 8:36 PM, "Michael Brown" <mcb30 at ipxe.org> wrote:
    
        On 22/06/17 22:20, Charak, Vikas wrote:
        >  1. Does iPXE allow you to run ONLY signed EFI binaries, when UEFI and
        >     secure boot is enabled ? At least that's what my findings show.
        
        iPXE defers to the UEFI platform's LoadImage() and StartImage() 
        mechanisms for UEFI binaries.  When secure boot is enabled, these will 
        typically accept only UEFI binaries that have a valid secure boot signature.
        
        There are two entirely independent security mechanisms at work in your 
        setup:
        
        - The UEFI secure boot policy, implemented by the UEFI platform 
        independently of iPXE.  This policy affects iPXE's ability to execute 
        UEFI binaries (but not iPXE scripts).
        
        - The iPXE code signing policy (set via the "imgtrust" command).  This 
        policy affects iPXE's ability to execute any image (including scripts).
        
        Since you have enabled _both_ UEFI secure boot and iPXE's own code 
        signing checks, you will find that:
        
        - iPXE scripts must be validated via the "imgverify" command.
        
        - UEFI binaries must be validated via the "imgverify" command and must 
        also have a valid secure boot embedded signature.
        
        Michael
        
    