• Recent
  • Unsolved
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login
  • Recent
  • Unsolved
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login

Secureboot issues

Scheduled Pinned Locked Moved Solved
FOG Problems
10
19
5.4k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • G
    george1421 Moderator @Sebastian Roth
    last edited by george1421 Oct 15, 2019, 5:41 AM Oct 15, 2019, 11:38 AM

    @Sebastian-Roth said in Secureboot issues:

    @bgbgbgbg There is money und time involved to make this work. Check out the information on the iPXE website:
    https://ipxe.org/appnote/etoken

    The best part of that article I found was the footnote “Microsoft is special”

    Not only does iPXE need to be signed, but the FOG Project would have to go through the same process MS boot image signing for each FOS Linux kernel that was released. This would most assuredly impact the “free-ness” and responsiveness to changing hardware demands for FOG imaging.

    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

    D 1 Reply Last reply Oct 15, 2019, 12:38 PM Reply Quote 0
    • D
      Deimos @george1421
      last edited by Oct 15, 2019, 12:38 PM

      @george1421

      I hope Microsoft has to be friendly and kind-hearted, because they want to continue to sell their licenses. If you can not easily deploy - much like we do in schools and universities - you will switch to Linux, especially with such simple systems with data storage and LibreOffice and Internet access, for example. Microsoft certainly wants to prevent that.

      Ask MS and say that you need it for free. FOG Project is no longer a small by-product.

      1 Reply Last reply Reply Quote 0
      • S
        Sebastian Roth Moderator
        last edited by Oct 16, 2019, 9:34 PM

        @Deimos said in Secureboot issues:

        Ask MS and say that you need it for free. FOG Project is no longer a small by-product.

        Do you have good contact with someone working in the right position at Microsoft? If so then you may ask her/him… I am not going to spend any time or money on this unless I see people from the FOG community pushing this.

        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

        1 Reply Last reply Reply Quote 0
        • A
          astrugatch
          last edited by Oct 17, 2019, 11:56 AM

          @Sebastian-Roth

          It would be nice to have, but definitely not make or break for our environment. We already have to touch so many things in BIOS to set our machines up the way we want them that turning off secure boot is just one of many. I don’t really see the value. I know its sold to protect from rootkits, but it feels more like vendor lock-in to Windows.

          D 1 Reply Last reply Oct 17, 2019, 5:43 PM Reply Quote 0
          • D
            Deimos @astrugatch
            last edited by Oct 17, 2019, 5:43 PM

            @astrugatch
            Please do not forget that after deactivating also the reactivation means further steps. And that with 500 devices within a week!

            A 1 Reply Last reply Oct 17, 2019, 5:55 PM Reply Quote 0
            • A
              astrugatch @Deimos
              last edited by Oct 17, 2019, 5:55 PM

              @Deimos

              Isn’t that what command and configure is for (if you’re a dell shop at least)?

              G 1 Reply Last reply Oct 17, 2019, 6:21 PM Reply Quote 0
              • G
                george1421 Moderator @astrugatch
                last edited by Oct 17, 2019, 6:21 PM

                @astrugatch said in Secureboot issues:

                Isn’t that what command and configure is for (if you’re a dell shop at least)?

                Yes, we use command and configure (CCTK) to set default bios settings. I started looking into building cctk into FOS Linux so those bios settings could be made via a post install script. I think that project fell off the table a while ago.

                Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                A 1 Reply Last reply Oct 17, 2019, 6:24 PM Reply Quote 0
                • A
                  astrugatch @george1421
                  last edited by Oct 17, 2019, 6:24 PM

                  @george1421

                  I would be very interested in that. Do you have a GIT for that, that I could look at?

                  G 1 Reply Last reply Oct 17, 2019, 6:26 PM Reply Quote 0
                  • G
                    george1421 Moderator @astrugatch
                    last edited by Oct 17, 2019, 6:26 PM

                    @astrugatch It never made it to the repo. It was a skunkworks project I was working on. I just went and grabbed the centos version of cctk https://downloads.dell.com/FOLDER05519675M/1/command-configure-4.2.0-553.el7.x86_64.tar.gz to see if I could rebuild the test environment.

                    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                    1 Reply Last reply Reply Quote 0
                    • L
                      Lee Rowlett Developer
                      last edited by Lee Rowlett Oct 17, 2019, 2:27 PM Oct 17, 2019, 8:24 PM

                      Hi all, i have secureboot working with ipxe (FOG) using a self-signed certificate and you do however need to enroll the keys but i have added an .efi program that you can run to automate all this from the pxe boot menu to ease this process.

                      i’ve been testing it for the last 12 months or so to see if there is any gotchas but none yet and over 80% of our estate have secureboot with ipxe working (7K devices) - only lenovo x1 carbons have been problematic but this appears to be due to poor bios and/or secureboot implementation.

                      this does mean you have to manage the certificates yourself going forward too as you are essentially taking ownership and provisioning the devices and applying your own PK which means you have to trust 3rd party CAs however the plus side there is no cost involved. i also don’t have assurances how to remotely distribute a renewed certificate when it expires but expiration is 10 years and there is going to be some work needed when microsoft CA expires in 2026.

                      on first attempt, i hadn’t included microsoft CA so windows os failed to load with untrusted error from secureboot… i loved the irony… i dont trust microsoft either 🙂

                      if anyone is interested i can write up instructions however you have to remember technically this is outside of FOG remit, so support on FOG forums will be extremely limited and unfortunately with 2 jobs i have very little time to spare either.

                      K A F E 4 Replies Last reply Jan 28, 2021, 7:32 PM Reply Quote 7
                      • K
                        kansukee @Lee Rowlett
                        last edited by Jan 28, 2021, 7:32 PM

                        @lee-rowlett I am very interested; anyone else wants to see a writeup?

                        1 Reply Last reply Reply Quote 0
                        • A
                          AlBrough @Lee Rowlett
                          last edited by May 4, 2021, 4:25 AM

                          @lee-rowlett I would be very interested to see how this could be achieved. I have 1000 Lenovo devices and I would prefer to not have secure boot reconfigured on all machines…

                          1 Reply Last reply Reply Quote 0
                          • F
                            Florent @Lee Rowlett
                            last edited by Oct 4, 2021, 7:32 AM

                            @lee-rowlett Hi, Where is your “howto” ?

                            Florent
                            Bretagne, FRANCE

                            1 Reply Last reply Reply Quote 0
                            • E
                              EduardoTSeoane @Lee Rowlett
                              last edited by Oct 4, 2021, 8:15 AM

                              @lee-rowlett very interested, maybe i can do something if you can send me the information…

                              1 Reply Last reply Reply Quote 0
                              • L
                                Lee Rowlett Developer
                                last edited by Lee Rowlett Oct 4, 2021, 2:24 AM Oct 4, 2021, 8:21 AM

                                unfortunately i do not have time to write up in detail step by step instructions but this is how i’ve done it:

                                follow this brilliant guide:
                                https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html

                                including “Securing Multiple Computers” section, once you’ve generated the “LockDown.efi”

                                copy LockDown.efi to ipxe folder on fog server (i’ve renamed mine to EnrollKeys.efi) then add the option to PXE Menu.

                                09edbb2e-b0bd-43c5-b433-ff9533914337-image.png

                                then sign your init, bzimage and any other bzimage version you may use with your new cert you’ve generated above - something like this:

                                cd /var/www/html/fog/service/ipxe
                                mv bzImage bzImage-unsigned
                                sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage bzImage-unsigned
                                mv bzImage32 bzImage32-unsigned
                                sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage32 bzImage32-unsigned
                                mv bzImage41713m bzImage41713m-unsigned
                                sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage41713m bzImage41713m-unsigned
                                

                                just remember to re-sign any init/bzimage when upgrading kernel/fog.

                                so the process is when you get a new machine put secureboot into user/setup mode then boot to pxe and run “Enroll Keys” option on pxe menu which will set secureboot keys accordingly, the beauty of this is you will also only need to do this once on a machine and then you will have secureboot on working with fog, when you come to reimage that same machine secureboot will already be setup.

                                the only caveat i would say is i don’t know what the behaviour is going to be when the Microsoft UEFI CA expires in 2026 - as you’re now effectively managing your own secureboot keys - you will need to update and manage the CAs in the db. this would normally be managed by microsoft updates/OEMs i assume.

                                E 1 Reply Last reply Oct 4, 2021, 8:25 AM Reply Quote 2
                                • E
                                  EduardoTSeoane @Lee Rowlett
                                  last edited by Oct 4, 2021, 8:25 AM

                                  @lee-rowlett said in Secureboot issues:

                                  LockDown.efi

                                  a lot of thanks, that help me a lot…

                                  1 Reply Last reply Reply Quote 0
                                  • 1 / 1
                                  • First post
                                    Last post

                                  156

                                  Online

                                  12.0k

                                  Users

                                  17.3k

                                  Topics

                                  155.2k

                                  Posts
                                  Copyright © 2012-2024 FOG Project