[ipxe-devel] iPXE on uefi and secure boot enabled boxes

Michael Brown mcb30 at ipxe.org
Wed Jun 28 15:08:03 UTC 2017

On 28/06/17 15:50, Charak, Vikas wrote:
> Now I understand that ISO and .IPXE scripts are two different things, but the process of signature verification is the same. This could also be how ISOs are treated in iPXE.
> Any help is appreciated. This is a really good experiment which can show the capabilities of iPXE. Also please let me know if I should post it somewhere else.

You can't use "chain" to boot an ISO image, because the ISO image itself 
is not an executable program.

SAN booting and chaining are different processes.  SAN booting will 
create an EFI block device mapped to the specified SAN URI.  This block 
device will (probably) contain a filesystem, which will contain a UEFI 
executable such as \EFI\Boot\BootX64.efi, and this executable is what 
actually gets executed.

Using "imgverify" has no effect on SAN booting, since you never attempt 
to directly execute the SAN device (since it is not an executable file).

The UEFI platform's Secure Boot policy will still apply to the 
BootX64.efi file located within the filesystem within the SAN booted ISO 
image.  If the FreeBSD ISO contains a BootX64.efi that is not accepted 
by your platform's security policy, then it will not be able to boot. 
This is independent of iPXE; you would see the same effect if you were 
to burn the ISO to a DVD-ROM and attempt to boot locally.
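
An added example, not part of the original message or of iPXE: since the platform's Secure Boot policy is applied to the BootX64.efi inside the ISO, a quick pre-check is to copy that file out of the image and see whether it carries an embedded Authenticode signature at all, by reading the PE/COFF certificate table entry. A present signature is only accepted if the platform trusts its signer, and the helper names and the sample header below are constructed for illustration.

```python
import struct, sys

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def pe_signature_info(data: bytes):
    """Return (machine, cert_offset, cert_size); cert_size == 0 means unsigned."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        (machine,) = struct.unpack_from("<H", data, pe_off + 4)
        opt = pe_off + 24                                     # after the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
        (ndirs,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
        if ndirs <= SECURITY_DIR:
            return machine, 0, 0
        # For this directory the first field is a file offset, not an RVA.
        off, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    if size and off + size > len(data):
        raise ValueError("certificate table lies outside the file")
    return machine, off, size

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a bootable image."""
    header_len = 0x40 + 4 + 20 + 240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                      # 16 data directories
    cert = b"\0" * 16 if signed else b""                      # stand-in for WIN_CERTIFICATE
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, header_len, len(cert))
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as fh:                       # e.g. an extracted BootX64.efi
        machine, off, size = pe_signature_info(fh.read())
    print(f"machine=0x{machine:04x} signed={'yes' if size else 'no'} cert_table={off}+{size}")
```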

