• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    FOG compatibility with Secure Boot on?

    Scheduled Pinned Locked Moved
    General
    7
    15
    6.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      Florent @george1421
      last edited by

      @george1421
      This worry me about this news for Windows 11.
      Is it the end of FOG to deploy Windows in the next year. I hope not

      Florent
      Bretagne, FRANCE

      1 Reply Last reply Reply Quote 0
      • EduardoTSeoaneE
        EduardoTSeoane @Yeet
        last edited by EduardoTSeoane

        @yeet @george1421 @Sebastian-Roth

        Need to test it again, there are a lot of time that I test it, but the uefi firmware takes de capabilty to add trusted files, so, i you add the efi files to that database you can boot the pc from that file and continue using fog

        the most of the problem is to update the .efi files

        take this as example, when i can i try it again to certify it

        https://itsfoss.com/no-bootable-device-found-ubuntu/

        Y 1 Reply Last reply Reply Quote 0
        • Y
          Yeet @EduardoTSeoane
          last edited by

          @eduardotseoane Would you be able to explain what you did in detail?

          I’d like to stay with FOG as well, but if I can’t get it to work with Secure Boot I’ll have to move to a different product completely

          EduardoTSeoaneE 1 Reply Last reply Reply Quote 0
          • Y
            Yeet @Sebastian Roth
            last edited by

            @sebastian-roth I haven’t been able to find a solution in the forums. When will FOG support secure boot? We need this to happen, or we will have to stop using FOG altogether.

            1 Reply Last reply Reply Quote 1
            • S
              Sebastian Roth Moderator
              last edited by

              @yeet said in FOG compatibility with Secure Boot on?:

              When will FOG support secure boot?

              As soon as someone is dare enough to get into it. I am definitely not the one. FOG is open source and anyone can work on it.

              While I have not looked into this in detail it seems like there are several different ways of getting this to work - here are some pointers for you:
              https://forums.fogproject.org/post/121630
              https://forums.fogproject.org/post/128841

              Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

              Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

              F 1 Reply Last reply Reply Quote 0
              • EduardoTSeoaneE
                EduardoTSeoane @Yeet
                last edited by

                @yeet you must enroll the hash file from de UEFI interface; mok manager is capable to trust on 2 ways,

                1º.- MOK can trust on files by hash when you enroll the file by de firmware interface, if you want you can send me the motherboard/pc manual and i can see if i can help to explain how you can do it.
                2º.- I know, but i dont know how by the moment, that an efi application can be signed by a developer, (selfsigned or not), and the ca or ca intermediate can be added to the certificate database of efi firmware, to validate the file and that can be used…
                3º.- I’m not sure, I’m studing about, but i think that you can do all from mok manager on uefi shell, or with some efi aplication designed for that.

                I’m sure that all this is possible, but I’m searching information about how can be do it…
                some references that I’m reading are:

                https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
                https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-Secure-Boot-Customization-UOO168873-20.PDF
                https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance
                https://ubuntu.com/blog/how-to-sign-things-for-secure-boot
                https://jfearn.fedorapeople.org/fdocs/en-US/Fedora_Draft_Documentation/0.1/html-single/UEFI_Secure_Boot_Guide/index.html
                https://www.qualcomm.com/media/documents/files/secure-boot-and-image-authentication-technical-overview-v1-0.pdf

                Lee RowlettL 1 Reply Last reply Reply Quote 0
                • EduardoTSeoaneE
                  EduardoTSeoane @Yeet
                  last edited by

                  @yeet
                  Take a look at this post

                  https://forums.fogproject.org/topic/13832/secureboot-issues

                  1 Reply Last reply Reply Quote 0
                  • Lee RowlettL
                    Lee Rowlett Developer @EduardoTSeoane
                    last edited by Lee Rowlett

                    @eduardotseoane

                    unfortunately i do not have time to write up in detail step by step instructions but this is how i’ve done it:

                    follow this brilliant guide:
                    https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html

                    including “Securing Multiple Computers” section, once you’ve generated the “LockDown.efi”

                    copy LockDown.efi to ipxe folder on fog server (i’ve renamed mine to EnrollKeys.efi) then add the option to PXE Menu.

                    207a0466-0ce9-4f86-8e33-f38ef3ddf460-image.png

                    then sign your init, bzimage and any other bzimage version you may use with your new cert you’ve generated above - something like this:

                    cd /var/www/html/fog/service/ipxe
                    mv bzImage bzImage-unsigned
                    sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage bzImage-unsigned
                    mv bzImage32 bzImage32-unsigned
                    sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage32 bzImage32-unsigned
                    mv bzImage41713m bzImage41713m-unsigned
                    sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage41713m bzImage41713m-unsigned
                    

                    just remember to re-sign any init/bzimage when upgrading kernel/fog.

                    so the process is when you get a new machine put secureboot into user/setup mode then boot to pxe and run “Enroll Keys” option on pxe menu which will set secureboot keys accordingly, the beauty of this is you will also only need to do this once on a machine and then you will have secureboot on working with fog, when you come to reimage that same machine secureboot will already be setup.

                    the only caveat i would say is i don’t know what the behaviour is going to be when the Microsoft UEFI CA expires in 2026 - as you’re now effectively managing your own secureboot keys - you will need to update and manage the CAs in the db. this would normally be managed by microsoft updates/OEMs i assume.

                    1 Reply Last reply Reply Quote 0
                    • F
                      Florent
                      last edited by Florent

                      We have find a workaround who works at now.
                      For Dell or HP in BIOS need to active Secure Boot in “Audit Mode” or “Client Keys”.
                      This is not secure but allow to use FOG Pxe and Windows 11.
                      Hope stay like this in the future 🤞

                      Florent
                      Bretagne, FRANCE

                      EduardoTSeoaneE 1 Reply Last reply Reply Quote 0
                      • EduardoTSeoaneE
                        EduardoTSeoane @Florent
                        last edited by

                        @florent All the uefi systems need to be in custom/setup/user mode to add keys or file hashes, the hint is to implement an adequate security level…

                        1 Reply Last reply Reply Quote 0
                        • F
                          Florent @Sebastian Roth
                          last edited by

                          @sebastian-roth
                          Maybe a future solution for FOG project ?
                          iPXE secure boot : https://2pintsoftware.com/pricing/

                          Florent
                          Bretagne, FRANCE

                          1 Reply Last reply Reply Quote 0
                          • jfernandzJ
                            jfernandz
                            last edited by jfernandz

                            Well, first of all … I’m sorry for getting up this old post.

                            Secondly … I’ve been reading some posts on this forum … and I’ve found this one which I think it’s very interesting to be linked in here (not sure if you’ve linked it yet, but I’d say I can’t see the link anywhere).

                            After researching a little bit more about this topic … I’ve found this project … which not sure if it could be interesting also. What do you think? Could this make easier the process described in @george1421’s tutorial?

                            Thank you guys, and so sorry again because I’ve created a new topic instead replying in here 😞 maybe some mod can remove it 😄

                            1 Reply Last reply Reply Quote 0
                            • 1 / 1
                            • First post
                              Last post

                            232

                            Online

                            12.0k

                            Users

                            17.3k

                            Topics

                            155.2k

                            Posts
                            Copyright © 2012-2024 FOG Project