[ipxe-devel] iPXE on uefi and secure boot enabled boxes
Charak, Vikas
vicharak at verisign.com
Wed Jun 28 14:50:49 UTC 2017
Hello,
Here is what my little experiment shows:
1. With Linux (CentOS)
Linux (CentOS) has feature of building a EFI binary. So I built one. Signed it with the private part of the key whose Public part is enrolled in UEFI Firmware.
Built ipxe.efi and also signed it with same private key as above. Now with UEFI and Secure boot enabled, I ran ipxe.efi from UEFI shell and ended at ipxe shell. All good.
Now I ran
ipxe> chain http://<server>/vmlinuz.efi.signed
ipxe transferred control over to the underline EFI firmware, signatures of vmlinuz.efi.signed are verified and vmlinuz is executed. Nice!
2. With FreeBSD (10.x)
FreeBSD does not have feature to build a EFI binary. So, I followed a different path. Why not use iPXE’s signature verification process.
Before doing anything with signing, I made sure that ipxe can boot my freebsd.iso file . So, I disabled secure boot and also disabled ipxe’s signature verification feature and ran following
Ipxe> sanboot http://<server>/freebsd.iso.
Ipxe executed .ISO file and FreeBSD menu is shown. All ok here.
Now I enabled Secure boot and iPXE’s signature verification feature. Created freebsd.iso.sig file containing signature of freebsd.iso
Ran following
Ipxe> imgverify http://<server>/freebsd.iso http://<server>/freebsd.iso.sig
Ipxe>imgstat
freebsd.iso [TRUSTED]
Now I see that freebsd has been trusted but all efforts to run it fails. Some examples below:
Ipxe> chain freebsd.iso iso raw
Could not boot: Exec format error
Ipxe> imgload freebsd.iso
Could not boot: Exec format error
So instead of trying a iso, I created a simple ipxe script menu.ipxe and created its signatures menu.ipxe.sig
Ipxe> imgverify http://<server>/menu.ipxe http://<server>/menu.ipxe.sig
ipxe> imgstat
menu.ipxe [script] [TRUSTED]
ipxe> chain menu.ipxe
This runs fine. Menu shows up.
Now I understand that ISO and .IPXE scripts are two different things but the process of Signature verification is same. This could be also be how ISO are treated in ipxe .
Any help is appreciated. This is really good experiment which can show capabilities of IPXE. Also please let me know if I should post it somewhere else.
Regards,
Vik
On 6/23/17, 9:31 AM, "ipxe-devel-bounces at ipxe.org on behalf of Charak, Vikas" <ipxe-devel-bounces at ipxe.org on behalf of vicharak at verisign.com> wrote:
Hi Michael,
I agree with your explanation and my experiments sort of lead to this conclusion also. I just wanted to make sure that I am not missing anything in iPXE.
This is my first experiment with iPXE
Have a great day.
--Vik
On 6/22/17, 8:36 PM, "Michael Brown" <mcb30 at ipxe.org> wrote:
On 22/06/17 22:20, Charak, Vikas wrote:
> 1. Does iPXE allows you to run ONLY signed EFI binaries, when UEFI and
> secure boot is enabled ? At least that’s what my findings show.
iPXE defers to the UEFI platform's LoadImage() and StartImage()
mechanisms for UEFI binaries. When secure boot is enabled, these will
typically accept only UEFI binaries that have a valid secure boot signature.
There are two entirely independent security mechanisms at work in your
setup:
- The UEFI secure boot policy, implemented by the UEFI platform
independently of iPXE. This policy affects iPXE's ability to execute
UEFI binaries (but not iPXE scripts).
- The iPXE code signing policy (set via the "imgtrust" command). This
policy affects iPXE's ability to execute any image (including scripts).
Since you have enabled _both_ UEFI secure boot and iPXE's own code
signing checks, you will find that:
- iPXE scripts must be validated via the "imgverify" command.
- UEFI binaries must be validated via the "imgverify" command and must
also have a valid secure boot embedded signature.
Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7177 bytes
Desc: not available
URL: <http://lists.ipxe.org/pipermail/ipxe-devel/attachments/20170628/56df3b24/attachment.p7s>
More information about the ipxe-devel
mailing list