Secureboot issues



  • Hello.

    Has anyone found an easy fix for PXE boot with secure boot on?


  • Developer

    Hi all, i have secureboot working with ipxe (FOG) using a self-signed certificate and you do however need to enroll the keys but i have added an .efi program that you can run to automate all this from the pxe boot menu to ease this process.

    i’ve been testing it for the last 12 months or so to see if there is any gotchas but none yet and over 80% of our estate have secureboot with ipxe working (7K devices) - only lenovo x1 carbons have been problematic but this appears to be due to poor bios and/or secureboot implementation.

    this does mean you have to manage the certificates yourself going forward too as you are essentially taking ownership and provisioning the devices and applying your own PK which means you have to trust 3rd party CAs however the plus side there is no cost involved. i also don’t have assurances how to remotely distribute a renewed certificate when it expires but expiration is 10 years and there is going to be some work needed when microsoft CA expires in 2026.

    on first attempt, i hadn’t included microsoft CA so windows os failed to load with untrusted error from secureboot… i loved the irony… i dont trust microsoft either :-)

    if anyone is interested i can write up instructions however you have to remember technically this is outside of FOG remit, so support on FOG forums will be extremely limited and unfortunately with 2 jobs i have very little time to spare either.


  • Developer

    Hi all, i have secureboot working with ipxe (FOG) using a self-signed certificate and you do however need to enroll the keys but i have added an .efi program that you can run to automate all this from the pxe boot menu to ease this process.

    i’ve been testing it for the last 12 months or so to see if there is any gotchas but none yet and over 80% of our estate have secureboot with ipxe working (7K devices) - only lenovo x1 carbons have been problematic but this appears to be due to poor bios and/or secureboot implementation.

    this does mean you have to manage the certificates yourself going forward too as you are essentially taking ownership and provisioning the devices and applying your own PK which means you have to trust 3rd party CAs however the plus side there is no cost involved. i also don’t have assurances how to remotely distribute a renewed certificate when it expires but expiration is 10 years and there is going to be some work needed when microsoft CA expires in 2026.

    on first attempt, i hadn’t included microsoft CA so windows os failed to load with untrusted error from secureboot… i loved the irony… i dont trust microsoft either :-)

    if anyone is interested i can write up instructions however you have to remember technically this is outside of FOG remit, so support on FOG forums will be extremely limited and unfortunately with 2 jobs i have very little time to spare either.


  • Moderator

    @astrugatch It never made it to the repo. It was a skunkworks project I was working on. I just went and grabbed the centos version of cctk https://downloads.dell.com/FOLDER05519675M/1/command-configure-4.2.0-553.el7.x86_64.tar.gz to see if I could rebuild the test environment.



  • @george1421

    I would be very interested in that. Do you have a GIT for that, that I could look at?


  • Moderator

    @astrugatch said in Secureboot issues:

    Isn’t that what command and configure is for (if you’re a dell shop at least)?

    Yes, we use command and configure (CCTK) to set default bios settings. I started looking into building cctk into FOS Linux so those bios settings could be made via a post install script. I think that project fell off the table a while ago.



  • @Deimos

    Isn’t that what command and configure is for (if you’re a dell shop at least)?



  • @astrugatch
    Please do not forget that after deactivating also the reactivation means further steps. And that with 500 devices within a week!



  • @Sebastian-Roth

    It would be nice to have, but definitely not make or break for our environment. We already have to touch so many things in BIOS to set our machines up the way we want them that turning off secure boot is just one of many. I don’t really see the value. I know its sold to protect from rootkits, but it feels more like vendor lock-in to Windows.


  • Senior Developer

    @Deimos said in Secureboot issues:

    Ask MS and say that you need it for free. FOG Project is no longer a small by-product.

    Do you have good contact with someone working in the right position at Microsoft? If so then you may ask her/him… I am not going to spend any time or money on this unless I see people from the FOG community pushing this.



  • @george1421

    I hope Microsoft has to be friendly and kind-hearted, because they want to continue to sell their licenses. If you can not easily deploy - much like we do in schools and universities - you will switch to Linux, especially with such simple systems with data storage and LibreOffice and Internet access, for example. Microsoft certainly wants to prevent that.

    Ask MS and say that you need it for free. FOG Project is no longer a small by-product.


  • Moderator

    @Sebastian-Roth said in Secureboot issues:

    @bgbgbgbg There is money und time involved to make this work. Check out the information on the iPXE website:
    https://ipxe.org/appnote/etoken

    The best part of that article I found was the footnote “Microsoft is special

    Not only does iPXE need to be signed, but the FOG Project would have to go through the same process MS boot image signing for each FOS Linux kernel that was released. This would most assuredly impact the “free-ness” and responsiveness to changing hardware demands for FOG imaging.


  • Senior Developer

    @bgbgbgbg There is money und time involved to make this work. Check out the information on the iPXE website:
    https://ipxe.org/appnote/etoken
    and
    http://forum.ipxe.org/showthread.php?tid=7533



  • If this is solved, I give the developers a beer.


Log in to reply
 

291
Online

7.1k
Users

14.3k
Topics

135.1k
Posts