• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    FOG compatibility with Secure Boot on?

    Scheduled Pinned Locked Moved
    General
    7
    15
    7.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Y
      Yeet @EduardoTSeoane
      last edited by

      @eduardotseoane Would you be able to explain what you did in detail?

      I’d like to stay with FOG as well, but if I can’t get it to work with Secure Boot I’ll have to move to a different product completely

      EduardoTSeoaneE 1 Reply Last reply Reply Quote 0
      • Y
        Yeet @Sebastian Roth
        last edited by

        @sebastian-roth I haven’t been able to find a solution in the forums. When will FOG support secure boot? We need this to happen, or we will have to stop using FOG altogether.

        1 Reply Last reply Reply Quote 1
        • S
          Sebastian Roth Moderator
          last edited by

          @yeet said in FOG compatibility with Secure Boot on?:

          When will FOG support secure boot?

          As soon as someone is dare enough to get into it. I am definitely not the one. FOG is open source and anyone can work on it.

          While I have not looked into this in detail it seems like there are several different ways of getting this to work - here are some pointers for you:
          https://forums.fogproject.org/post/121630
          https://forums.fogproject.org/post/128841

          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

          F 1 Reply Last reply Reply Quote 0
          • EduardoTSeoaneE
            EduardoTSeoane @Yeet
            last edited by

            @yeet you must enroll the hash file from de UEFI interface; mok manager is capable to trust on 2 ways,

            1º.- MOK can trust on files by hash when you enroll the file by de firmware interface, if you want you can send me the motherboard/pc manual and i can see if i can help to explain how you can do it.
            2º.- I know, but i dont know how by the moment, that an efi application can be signed by a developer, (selfsigned or not), and the ca or ca intermediate can be added to the certificate database of efi firmware, to validate the file and that can be used…
            3º.- I’m not sure, I’m studing about, but i think that you can do all from mok manager on uefi shell, or with some efi aplication designed for that.

            I’m sure that all this is possible, but I’m searching information about how can be do it…
            some references that I’m reading are:

            https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
            https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-Secure-Boot-Customization-UOO168873-20.PDF
            https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance
            https://ubuntu.com/blog/how-to-sign-things-for-secure-boot
            https://jfearn.fedorapeople.org/fdocs/en-US/Fedora_Draft_Documentation/0.1/html-single/UEFI_Secure_Boot_Guide/index.html
            https://www.qualcomm.com/media/documents/files/secure-boot-and-image-authentication-technical-overview-v1-0.pdf

            Lee RowlettL 1 Reply Last reply Reply Quote 0
            • EduardoTSeoaneE
              EduardoTSeoane @Yeet
              last edited by

              @yeet
              Take a look at this post

              https://forums.fogproject.org/topic/13832/secureboot-issues

              1 Reply Last reply Reply Quote 0
              • Lee RowlettL
                Lee Rowlett Developer @EduardoTSeoane
                last edited by Lee Rowlett

                @eduardotseoane

                unfortunately i do not have time to write up in detail step by step instructions but this is how i’ve done it:

                follow this brilliant guide:
                https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html

                including “Securing Multiple Computers” section, once you’ve generated the “LockDown.efi”

                copy LockDown.efi to ipxe folder on fog server (i’ve renamed mine to EnrollKeys.efi) then add the option to PXE Menu.

                207a0466-0ce9-4f86-8e33-f38ef3ddf460-image.png

                then sign your init, bzimage and any other bzimage version you may use with your new cert you’ve generated above - something like this:

                cd /var/www/html/fog/service/ipxe
                mv bzImage bzImage-unsigned
                sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage bzImage-unsigned
                mv bzImage32 bzImage32-unsigned
                sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage32 bzImage32-unsigned
                mv bzImage41713m bzImage41713m-unsigned
                sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage41713m bzImage41713m-unsigned
                

                just remember to re-sign any init/bzimage when upgrading kernel/fog.

                so the process is when you get a new machine put secureboot into user/setup mode then boot to pxe and run “Enroll Keys” option on pxe menu which will set secureboot keys accordingly, the beauty of this is you will also only need to do this once on a machine and then you will have secureboot on working with fog, when you come to reimage that same machine secureboot will already be setup.

                the only caveat i would say is i don’t know what the behaviour is going to be when the Microsoft UEFI CA expires in 2026 - as you’re now effectively managing your own secureboot keys - you will need to update and manage the CAs in the db. this would normally be managed by microsoft updates/OEMs i assume.

                1 Reply Last reply Reply Quote 0
                • F
                  Florent
                  last edited by Florent

                  We have find a workaround who works at now.
                  For Dell or HP in BIOS need to active Secure Boot in “Audit Mode” or “Client Keys”.
                  This is not secure but allow to use FOG Pxe and Windows 11.
                  Hope stay like this in the future 🤞

                  Florent
                  Bretagne, FRANCE

                  EduardoTSeoaneE 1 Reply Last reply Reply Quote 0
                  • EduardoTSeoaneE
                    EduardoTSeoane @Florent
                    last edited by

                    @florent All the uefi systems need to be in custom/setup/user mode to add keys or file hashes, the hint is to implement an adequate security level…

                    1 Reply Last reply Reply Quote 0
                    • F
                      Florent @Sebastian Roth
                      last edited by

                      @sebastian-roth
                      Maybe a future solution for FOG project ?
                      iPXE secure boot : https://2pintsoftware.com/pricing/

                      Florent
                      Bretagne, FRANCE

                      1 Reply Last reply Reply Quote 0
                      • jfernandzJ
                        jfernandz
                        last edited by jfernandz

                        Well, first of all … I’m sorry for getting up this old post.

                        Secondly … I’ve been reading some posts on this forum … and I’ve found this one which I think it’s very interesting to be linked in here (not sure if you’ve linked it yet, but I’d say I can’t see the link anywhere).

                        After researching a little bit more about this topic … I’ve found this project … which not sure if it could be interesting also. What do you think? Could this make easier the process described in @george1421’s tutorial?

                        Thank you guys, and so sorry again because I’ve created a new topic instead replying in here 😞 maybe some mod can remove it 😄

                        1 Reply Last reply Reply Quote 0
                        • 1 / 1
                        • First post
                          Last post

                        156

                        Online

                        12.1k

                        Users

                        17.3k

                        Topics

                        155.3k

                        Posts
                        Copyright © 2012-2024 FOG Project