[ipxe-devel] ipxe and uefi secure boot

Tamas Baumgartner-Kis tbk-ipxe at yals.de
Fri Sep 28 17:47:46 UTC 2018


thanks for the really quick answer and sorry for my late response.

After you asked me to verify that the kernel is loaded from the efi_shell
I recognized, that the kernel was signed with the wrong key.

So I signed the kernel with the correct key and everything works as it should.

Thanks a lot!

On 27/09/18 at 11:02am, Christian Nilsson wrote:
>On Thu, 27 Sep 2018 at 09:06, Tamas Baumgartner-Kis <tbk-ipxe at yals.de>
>> Hi,
>> I'm wondering how ipxe handles image loading with uefi secure boot enabled.
>> I have my own uefi secure boot keys (so no microsoft keys).
>> When I sign ipxe with my own key everything is ok and I'm able to boot
>> ipxe
>> over the network and uefi secure boot isn't complaining.
>> If I boot from ipxe a uefi_shell.efi signed with my key the shell is
>> loading fine
>> and again uefi secure boot is satisfied.
>> But if I boot a kernel signed with my key ipxe stops to execute the kernel
>> with following error:
>> Could not boot image: Exec format error (http://ipxe.org/2e008081)
>> Kind regards
>>    Tamas Baumgartner-Kis
>This will be a simplified quick explanation. Sourcecode for details ;)
>iPXE loads the binary and then calls the firmware LoadImage - meaning that
>it is up to the firmware LoadImage function to validate the signature, and
>return error to iPXE if the signature is not valid.
>iPXE itself does not have any code to check the signature, and by using the
>firmware to check it, it isn't needed.
>In this case it seems that the image is not valid according to Firmware
>Could you validate that the kernel loads fine from the efi_shell, or
>without having iPXE in between?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.ipxe.org/pipermail/ipxe-devel/attachments/20180928/a57a635f/attachment.sig>

More information about the ipxe-devel mailing list