[ipxe-devel] autoexec.ipxe and UEFI secure boot ?

Michael Brown mcb30 at ipxe.org
Tue Apr 20 15:25:40 UTC 2021


On 04/04/2021 16:42, Etienne Champetier wrote:
> Since https://github.com/ipxe/ipxe/commit/a3f1e8fb6707811e6eb90e339d7ebe813fd89a63,
> iPXE load autoexec.ipxe from filesystem allowing pretty much the same
> use case as embedding configuration without the need to recompile iPXE
> binary.
> 
> Now I'm wondering would it allow say RedHat to provide signed iPXE
> binary (ipxe.efi)
> and anyone to create a secure boot enabled iso with ipxe.efi and their
> autoexec.ipxe or is this feature considered not safe to be signed ?

Yes, that would be possible.  iPXE scripts are deemed to be 
configuration data: they cannot be used to make arbitrary changes to 
system memory or to execute arbitrary unsigned code and so do not 
themselves require Secure Boot signing.

Michael



More information about the ipxe-devel mailing list