[ipxe-devel] ipxe and uefi secure boot
Tamas Baumgartner-Kis
tbk-ipxe at yals.de
Fri Sep 28 17:47:46 UTC 2018
Hi,
thanks for the really quick answer and sorry for my late response.
After you asked me to verify that the kernel is loaded from the efi_shell
I recognized, that the kernel was signed with the wrong key.
So I signed the kernel with the correct key and everything works as it should.
Thanks a lot!
Tamas
On 27/09/18 at 11:02am, Christian Nilsson wrote:
>On Thu, 27 Sep 2018 at 09:06, Tamas Baumgartner-Kis <tbk-ipxe at yals.de>
>wrote:
>
>> Hi,
>>
>> I'm wondering how ipxe handles image loading with uefi secure boot enabled.
>>
>> I have my own uefi secure boot keys (so no microsoft keys).
>>
>> When I sign ipxe with my own key everything is ok and I'm able to boot
>> ipxe
>> over the network and uefi secure boot isn't complaining.
>>
>> If I boot from ipxe a uefi_shell.efi signed with my key the shell is
>> loading fine
>> and again uefi secure boot is satisfied.
>>
>> But if I boot a kernel signed with my key ipxe stops to execute the kernel
>> with following error:
>>
>> Could not boot image: Exec format error (http://ipxe.org/2e008081)
>>
>> Kind regards
>> Tamas Baumgartner-Kis
>>
>>
>>
>This will be a simplified quick explanation. Sourcecode for details ;)
>iPXE loads the binary and then calls the firmware LoadImage - meaning that
>it is up to the firmware LoadImage function to validate the signature, and
>return error to iPXE if the signature is not valid.
>iPXE itself does not have any code to check the signature, and by using the
>firmware to check it, it isn't needed.
>In this case it seems that the image is not valid according to Firmware
>functions?
>Could you validate that the kernel loads fine from the efi_shell, or
>without having iPXE in between?
>
>/Christian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.ipxe.org/pipermail/ipxe-devel/attachments/20180928/a57a635f/attachment.sig>
More information about the ipxe-devel
mailing list