[ipxe-devel] iPXE on uefi and secure boot enabled boxes
Michael Brown
mcb30 at ipxe.org
Wed Jun 28 15:08:03 UTC 2017
On 28/06/17 15:50, Charak, Vikas wrote:
> Now I understand that ISO and .IPXE scripts are two different things, but the process of signature verification is the same. This could also be how ISOs are treated in iPXE.
> Any help is appreciated. This is a really good experiment which can show the capabilities of iPXE. Also, please let me know if I should post it somewhere else.

You can't use "chain" to boot an ISO image, because the ISO image itself
is not an executable program.

SAN booting and chaining are different processes. SAN booting will
create an EFI block device mapped to the specified SAN URI. This block
device will (probably) contain a filesystem, which will contain a UEFI
executable such as \EFI\Boot\BootX64.efi, and this executable is what
actually gets executed.

Using "imgverify" has no effect on SAN booting, since you never attempt
to directly execute the SAN device (since it is not an executable file).

The UEFI platform's Secure Boot policy will still apply to the
BootX64.efi file located within the filesystem within the SAN booted ISO
image. If the FreeBSD ISO contains a BootX64.efi that is not accepted
by your platform's security policy, then it will not be able to boot.
This is independent of iPXE; you would see the same effect if you were
to burn the ISO to a DVD-ROM and attempt to boot locally.

Michael
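
The two boot paths described in the reply above, side by side, as an added example that is not part of the original message and is not the iPXE project's own script. The host boot.example.test, the file names and the labels are constructed placeholders.

```ipxe
#!ipxe
# Added example. boot.example.test and every file name below are
# constructed placeholders, not values from the mailing-list thread.

# Pick one path; change the label to san_path to try the other.
goto chain_path

# --- Path 1: chaining an executable image ---------------------------
:chain_path
# After imgtrust, iPXE refuses to execute any image that has not been
# marked trusted. --permanent stops later commands from undoing this.
imgtrust --permanent

# Fetch the executable under a fixed name, then check its detached
# signature. imgverify marks the image trusted only if the signature
# validates, so the chain below fails for an unverified image.
imgfetch --name loader http://boot.example.test/loader.efi || goto failed
imgverify loader http://boot.example.test/loader.efi.sig || goto failed
chain loader || goto failed

# --- Path 2: SAN booting an ISO -------------------------------------
:san_path
# The ISO is never executed as an iPXE image, so imgtrust and imgverify
# do not gate this path. iPXE maps the URI as an EFI block device; the
# \EFI\Boot\BootX64.efi found on it is what gets executed, and the
# platform's Secure Boot policy decides whether that file may run.
sanboot http://boot.example.test/installer.iso || goto failed

:failed
echo Boot failed, dropping to the iPXE shell
shell
```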