[ipxe-devel] autoexec.ipxe and UEFI secure boot ?
Michael Brown
mcb30 at ipxe.org
Tue Apr 20 15:25:40 UTC 2021
On 04/04/2021 16:42, Etienne Champetier wrote:
> Since https://github.com/ipxe/ipxe/commit/a3f1e8fb6707811e6eb90e339d7ebe813fd89a63,
> iPXE load autoexec.ipxe from filesystem allowing pretty much the same
> use case as embedding configuration without the need to recompile iPXE
> binary.
>
> Now I'm wondering would it allow say RedHat to provide signed iPXE
> binary (ipxe.efi)
> and anyone to create a secure boot enabled iso with ipxe.efi and their
> autoexec.ipxe or is this feature considered not safe to be signed ?
Yes, that would be possible. iPXE scripts are deemed to be
configuration data: they cannot be used to make arbitrary changes to
system memory or to execute arbitrary unsigned code and so do not
themselves require Secure Boot signing.
Michael
More information about the ipxe-devel
mailing list