[ipxe-devel] FYI: iPXE 16.1 shim signed
Geert Stappers
stappers at stappers.it
Wed Nov 12 20:47:19 UTC 2025
On Wed, Nov 12, 2025 at 02:35:15AM -0800, Michael Brown
in https://github.com/rhboot/shim-review/issues/319#issuecomment-3521239969 :
>
I'm very happy to report that this submission has been
signed by Microsoft. The signed binaries are available from
https://github.com/ipxe/shim/releases/tag/ipxe-16.1. Here's a
celebratory screenshot showing the signed shim being used to load
`snponly.efi` on a VM with Secure Boot enabled and only the standard
Microsoft certs installed:
>
<img width="1331" height="953" alt="Image"
src="https://github.com/user-attachments/assets/06abf3b2-f425-4630-a852-11ebe7843c6b"
/>
>
My huge thanks to everyone involved in making this happen, especially to
@steve-mcintyre and @aronowski for all the assistance with the review
process, and to @SochiOgbuanya for pushing through the signing policy
updates within Microsoft.
>
As per
https://github.com/rhboot/shim-review/issues/319#issuecomment-1460667603
("Other vendors should not be signing iPXE for use with their shim") and
https://techcommunity.microsoft.com/blog/hardware-dev-center/updated-uefi-signing-requirements/1062916,
my expectation is that no third-party vendors will be submitting an
iPXE shim for signing.
>
There will be some further internal iPXE work to design an audit
and release process for our signed iPXE binaries, and to establish
precisely which features will be included in the signed build. I hope
to get the first public signed iPXE binaries made generally available
in January. In the meantime, if anyone has an urgent commercial need
for using iPXE with Secure Boot enabled, please contact me directly
or via vendor-support at ipxe.org.
More information about the ipxe-devel
mailing list