• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    Is supporting Secure Boot now possible?

    Scheduled Pinned Locked Moved
    General
    7
    29
    10.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ?
      A Former User
      last edited by

      Curious: how much money would it cost for FOG to sign in a post-1.X version?

      1 Reply Last reply Reply Quote 0
      • ?
        A Former User
        last edited by

        @Joe-Schmitt I think I understand. I was going to say that if only a few hundred bucks was in the way of making this happen, I was just going to pay it and be done.

        1 Reply Last reply Reply Quote 0
        • S
          Sebastian Roth Moderator
          last edited by

          I know this is fairly old but as I’ve just seen some rumor on this topic in the iPXE devel mailing list I thought I might post that here as a reference for people searching our forums: http://lists.ipxe.org/pipermail/ipxe-devel/2017-December/005921.html

          Michael Brown’s answer:

          Microsoft is prepared to sign iPXE provided that various subsystems with known flaws are excluded. You can exclude the relevant subsystems using instructions as per

          http://git.ipxe.org/ipxe.git/commitdiff/7428ab7

          I have previously obtained signed iPXE builds from Microsoft. The process of obtaining a signed build from Microsoft is tedious and very manual; this is the only reason that we do not have regular signed releases.

          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

          Wayne WorkmanW 1 Reply Last reply Reply Quote 0
          • Wayne WorkmanW
            Wayne Workman @Sebastian Roth
            last edited by

            @sebastian-roth said in Is supporting Secure Boot now possible?:

            The process of obtaining a signed build from Microsoft is tedious and very manual

            That part bothers me. How did Microsoft come to have a monopoly on this? Isn’t there anyone else that can sign it? What root certs are installed into the bios besides Microsoft’s? Surely they are not the only ones?!?

            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
            Daily Clean Installation Results:
            https://fogtesting.fogproject.us/
            FOG Reporting:
            https://fog-external-reporting-results.fogproject.us/

            1 Reply Last reply Reply Quote 0
            • ?
              A Former User
              last edited by

              Would each and every version of iPXE have to be signed by Microsoft? Or would it be a one-time event?

              I don’t really understand the part about excluding certain directories. How, if at all, would that affect users of iPXE? Or would that be something that would affect only iPXE developers?

              Wayne WorkmanW george1421G 2 Replies Last reply Reply Quote 0
              • Wayne WorkmanW
                Wayne Workman @A Former User
                last edited by

                @loosus456 said in Is supporting Secure Boot now possible?:

                Would each and every version of iPXE have to be signed by Microsoft?

                Yes, any version you want Secure Boot to accept must be signed. The idea we’ve kicked around before is only doing this every so often to minimize costs.

                Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                Daily Clean Installation Results:
                https://fogtesting.fogproject.us/
                FOG Reporting:
                https://fog-external-reporting-results.fogproject.us/

                1 Reply Last reply Reply Quote 1
                • george1421G
                  george1421 Moderator @A Former User
                  last edited by

                  @loosus456 said in Is supporting Secure Boot now possible?:

                  Would each and every version of iPXE have to be signed by Microsoft?

                  Yes, every boot kernel you want to run on a computer that has secure boot enabled must have a valid signed key. This includes iPXE as well as FOS (Fog’s target system Operaing System)

                  1 Reply Last reply Reply Quote 1
                  • ?
                    A Former User
                    last edited by

                    Does iPXE change every FOG release? Or do FOG releases often share the same IPXE version?

                    1 Reply Last reply Reply Quote 0
                    • S
                      Sebastian Roth Moderator
                      last edited by

                      @loosus456 said in Is supporting Secure Boot now possible?:

                      Does iPXE change every FOG release? Or do FOG releases often share the same IPXE version?

                      We follow up with the latest iPXE versions so yes, the version changes on every release and even between releases in beta/RC code branch - if you follow that.

                      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                      Wayne WorkmanW 1 Reply Last reply Reply Quote 1
                      • Wayne WorkmanW
                        Wayne Workman @Sebastian Roth
                        last edited by

                        @sebastian-roth said in Is supporting Secure Boot now possible?:

                        We follow up with the latest iPXE versions so yes, the version changes on every release and even between releases in beta/RC code branch - if you follow that.

                        In other words, the FOG Team is ON TOP OF IT! 😄

                        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                        Daily Clean Installation Results:
                        https://fogtesting.fogproject.us/
                        FOG Reporting:
                        https://fog-external-reporting-results.fogproject.us/

                        1 Reply Last reply Reply Quote 0
                        • Lee RowlettL
                          Lee Rowlett Developer
                          last edited by

                          i’ve been tasked at getting fog secure boot complaint due to it now being a requirement by internal audit rolls eyes…

                          microsoft so far have been as useful as a chocolate teapot. no one appears to know the process and their solution is use MDT or SCCM. If i have to hear “why aren’t you using SCCM one more time…” lol

                          initial cost is not a concern its already been pre-signed off but the process needs to be as minimal as possible i.e. dont need to keep going back to microsoft to get versions resigned and have the ability to sign them ourselves…

                          anyone else done this in a enterprise environment or am i going to be the guinea pig lol

                          any of the other devs got any more insight?

                          george1421G 1 Reply Last reply Reply Quote 0
                          • Lee RowlettL
                            Lee Rowlett Developer
                            last edited by

                            This post is deleted!
                            1 Reply Last reply Reply Quote 0
                            • george1421G
                              george1421 Moderator @Lee Rowlett
                              last edited by george1421

                              @lee-rowlett I’ve been toying with the issue, just now my mind went blank where I was able to pxe boot linux in secure boot. It did work and it worked well with a grub based environment. The concept that I worked out was to use the ubuntu signed shim with grub to boot into FOS with secure boot on. I did this over the christmas holiday and for the life of me I can’t remember the setup.

                              This is where I got the files from: https://launchpad.net/ubuntu/+source/shim-signed

                              Also I had this one book marked for pxe booting.
                              https://www.downtowndougbrown.com/2017/03/hosting-ubuntu-16-04-desktop-live-install-iso-on-a-pxe-netboot-server-bios-and-uefi-simultaneously/

                              Understand this process requires both iPXE to be signed as well as the kernel FOS (or if a shim is used, the shim signed). If we could come up with a way to use these shims then FOS would not need to be signed by MS.

                              Lee RowlettL 1 Reply Last reply Reply Quote 0
                              • J
                                jdd49
                                last edited by

                                I wanted to share my experience with trying to get something signed for Secure Boot with my imaging program. It basically comes down to that it’s very difficult for open source projects to get something signed.

                                First of all you need to get your bootloader signed by Microsoft, no way around it. Second it requires an EV code signing certificate. These are expensive and you can only get them if you are a legitimate business. You must use a shim, otherwise every change to a kernel or bootloader would require resigning them from Microsoft which is not feasible. Also, shim does not currently support Proxy DHCP servers. The basic workflow is this:

                                Compile the shim with a self signed CA baked in, then you can sign your kernels and bootloaders against the CA without the needing resign the shim with MS for every change.

                                Submit the shim and your EV certificate to Microsoft

                                They will reach out to the shim maintainers who will ask you a bunch of questions about how you will use the shim. If you tell them you are going to use it with iPXE they probably won’t approve it. You need to tell them you are using Grub. If they catch you signing anything other than what you say, they will blacklist your shim.

                                If everything checks out then they’ll send you the precious signed shim.

                                I personally scrapped the idea of trying to get a signed shim because of the business requirement. Too much extra cost, not to mention the hassle of doing taxes with a business that doesn’t actually make any money.

                                The future looks dim because of secure boot

                                Lee RowlettL 1 Reply Last reply Reply Quote 2
                                • Lee RowlettL
                                  Lee Rowlett Developer @george1421
                                  last edited by

                                  @george1421 i can get it to boot to grub now but cannot get it to chainload into FOS

                                  george1421G 1 Reply Last reply Reply Quote 0
                                  • Lee RowlettL
                                    Lee Rowlett Developer @jdd49
                                    last edited by

                                    @jdd49 it sure does 😞 microsoft monopolizing the process?..NEVER!!!

                                    1 Reply Last reply Reply Quote 0
                                    • george1421G
                                      george1421 Moderator @Lee Rowlett
                                      last edited by george1421

                                      This post is deleted!
                                      1 Reply Last reply Reply Quote 0
                                      • Lee RowlettL
                                        Lee Rowlett Developer @Tom Elliott
                                        last edited by

                                        @george1421 nice one george! i guess at the moment it is a toss up of functionality over “security” - nice work! i’m sure @tom-elliott could give a better insight on the ipxe parameters…

                                        george1421G 1 Reply Last reply Reply Quote 0
                                        • george1421G
                                          george1421 Moderator @Lee Rowlett
                                          last edited by

                                          @lee-rowlett Just thinking out loud here, but if FOS handled the iPXE menu internally with its own ncurses menus, there would be no need to iPXE. We could use this concept to boot right into FOS and let FOS manage what to do next. I know something similar is planned for “FOG too” but that product is a ways off still.

                                          1 Reply Last reply Reply Quote 1
                                          • Tom ElliottT
                                            Tom Elliott
                                            last edited by

                                            I am locking this thread as the information we need to work out should first be done on the backend between the developers and few testers so we know what is feasible and have a more defined control set.

                                            While I understand there may be many people interested in this, we have not done it and don’t want to put systems in a bad state where you can potentially lose your data due to failure to be able to boot to any OS anymore.

                                            We will open a new thread once we have solidified a plan of action and tested feasibility.

                                            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                                            Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                                            Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                                            1 Reply Last reply Reply Quote 3
                                            • 1
                                            • 2
                                            • 1 / 2
                                            • First post
                                              Last post

                                            194

                                            Online

                                            12.0k

                                            Users

                                            17.3k

                                            Topics

                                            155.2k

                                            Posts
                                            Copyright © 2012-2024 FOG Project