• Recent
  • Unsolved
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login
  • Recent
  • Unsolved
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login

FOG compatibility with Secure Boot on?

Scheduled Pinned Locked Moved
General
7
15
6.8k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • F
    Florent @george1421
    last edited by Sep 13, 2021, 7:50 AM

    @george1421
    This worry me about this news for Windows 11.
    Is it the end of FOG to deploy Windows in the next year. I hope not

    Florent
    Bretagne, FRANCE

    1 Reply Last reply Reply Quote 0
    • E
      EduardoTSeoane @Yeet
      last edited by EduardoTSeoane Sep 14, 2021, 6:01 AM Sep 14, 2021, 12:00 PM

      @yeet @george1421 @Sebastian-Roth

      Need to test it again, there are a lot of time that I test it, but the uefi firmware takes de capabilty to add trusted files, so, i you add the efi files to that database you can boot the pc from that file and continue using fog

      the most of the problem is to update the .efi files

      take this as example, when i can i try it again to certify it

      https://itsfoss.com/no-bootable-device-found-ubuntu/

      Y 1 Reply Last reply Oct 1, 2021, 3:03 PM Reply Quote 0
      • Y
        Yeet @EduardoTSeoane
        last edited by Oct 1, 2021, 3:03 PM

        @eduardotseoane Would you be able to explain what you did in detail?

        I’d like to stay with FOG as well, but if I can’t get it to work with Secure Boot I’ll have to move to a different product completely

        E 1 Reply Last reply Oct 4, 2021, 8:04 AM Reply Quote 0
        • Y
          Yeet @Sebastian Roth
          last edited by Oct 1, 2021, 4:08 PM

          @sebastian-roth I haven’t been able to find a solution in the forums. When will FOG support secure boot? We need this to happen, or we will have to stop using FOG altogether.

          1 Reply Last reply Reply Quote 1
          • S
            Sebastian Roth Moderator
            last edited by Oct 1, 2021, 6:28 PM

            @yeet said in FOG compatibility with Secure Boot on?:

            When will FOG support secure boot?

            As soon as someone is dare enough to get into it. I am definitely not the one. FOG is open source and anyone can work on it.

            While I have not looked into this in detail it seems like there are several different ways of getting this to work - here are some pointers for you:
            https://forums.fogproject.org/post/121630
            https://forums.fogproject.org/post/128841

            Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

            Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

            F 1 Reply Last reply Feb 17, 2022, 9:39 AM Reply Quote 0
            • E
              EduardoTSeoane @Yeet
              last edited by Oct 4, 2021, 8:04 AM

              @yeet you must enroll the hash file from de UEFI interface; mok manager is capable to trust on 2 ways,

              1º.- MOK can trust on files by hash when you enroll the file by de firmware interface, if you want you can send me the motherboard/pc manual and i can see if i can help to explain how you can do it.
              2º.- I know, but i dont know how by the moment, that an efi application can be signed by a developer, (selfsigned or not), and the ca or ca intermediate can be added to the certificate database of efi firmware, to validate the file and that can be used…
              3º.- I’m not sure, I’m studing about, but i think that you can do all from mok manager on uefi shell, or with some efi aplication designed for that.

              I’m sure that all this is possible, but I’m searching information about how can be do it…
              some references that I’m reading are:

              https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
              https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-Secure-Boot-Customization-UOO168873-20.PDF
              https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance
              https://ubuntu.com/blog/how-to-sign-things-for-secure-boot
              https://jfearn.fedorapeople.org/fdocs/en-US/Fedora_Draft_Documentation/0.1/html-single/UEFI_Secure_Boot_Guide/index.html
              https://www.qualcomm.com/media/documents/files/secure-boot-and-image-authentication-technical-overview-v1-0.pdf

              L 1 Reply Last reply Oct 4, 2021, 8:18 AM Reply Quote 0
              • E
                EduardoTSeoane @Yeet
                last edited by Oct 4, 2021, 8:17 AM

                @yeet
                Take a look at this post

                https://forums.fogproject.org/topic/13832/secureboot-issues

                1 Reply Last reply Reply Quote 0
                • L
                  Lee Rowlett Developer @EduardoTSeoane
                  last edited by Lee Rowlett Oct 4, 2021, 2:26 AM Oct 4, 2021, 8:18 AM

                  @eduardotseoane

                  unfortunately i do not have time to write up in detail step by step instructions but this is how i’ve done it:

                  follow this brilliant guide:
                  https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html

                  including “Securing Multiple Computers” section, once you’ve generated the “LockDown.efi”

                  copy LockDown.efi to ipxe folder on fog server (i’ve renamed mine to EnrollKeys.efi) then add the option to PXE Menu.

                  207a0466-0ce9-4f86-8e33-f38ef3ddf460-image.png

                  then sign your init, bzimage and any other bzimage version you may use with your new cert you’ve generated above - something like this:

                  cd /var/www/html/fog/service/ipxe
                  mv bzImage bzImage-unsigned
                  sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage bzImage-unsigned
                  mv bzImage32 bzImage32-unsigned
                  sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage32 bzImage32-unsigned
                  mv bzImage41713m bzImage41713m-unsigned
                  sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage41713m bzImage41713m-unsigned
                  

                  just remember to re-sign any init/bzimage when upgrading kernel/fog.

                  so the process is when you get a new machine put secureboot into user/setup mode then boot to pxe and run “Enroll Keys” option on pxe menu which will set secureboot keys accordingly, the beauty of this is you will also only need to do this once on a machine and then you will have secureboot on working with fog, when you come to reimage that same machine secureboot will already be setup.

                  the only caveat i would say is i don’t know what the behaviour is going to be when the Microsoft UEFI CA expires in 2026 - as you’re now effectively managing your own secureboot keys - you will need to update and manage the CAs in the db. this would normally be managed by microsoft updates/OEMs i assume.

                  1 Reply Last reply Reply Quote 0
                  • F
                    Florent
                    last edited by Florent Oct 5, 2021, 6:24 AM Oct 5, 2021, 12:24 PM

                    We have find a workaround who works at now.
                    For Dell or HP in BIOS need to active Secure Boot in “Audit Mode” or “Client Keys”.
                    This is not secure but allow to use FOG Pxe and Windows 11.
                    Hope stay like this in the future 🤞

                    Florent
                    Bretagne, FRANCE

                    E 1 Reply Last reply Oct 6, 2021, 11:04 AM Reply Quote 0
                    • E
                      EduardoTSeoane @Florent
                      last edited by Oct 6, 2021, 11:04 AM

                      @florent All the uefi systems need to be in custom/setup/user mode to add keys or file hashes, the hint is to implement an adequate security level…

                      1 Reply Last reply Reply Quote 0
                      • F
                        Florent @Sebastian Roth
                        last edited by Feb 17, 2022, 9:39 AM

                        @sebastian-roth
                        Maybe a future solution for FOG project ?
                        iPXE secure boot : https://2pintsoftware.com/pricing/

                        Florent
                        Bretagne, FRANCE

                        1 Reply Last reply Reply Quote 0
                        • jfernandzJ
                          jfernandz
                          last edited by jfernandz Dec 12, 2023, 5:56 PM Dec 12, 2023, 11:54 PM

                          Well, first of all … I’m sorry for getting up this old post.

                          Secondly … I’ve been reading some posts on this forum … and I’ve found this one which I think it’s very interesting to be linked in here (not sure if you’ve linked it yet, but I’d say I can’t see the link anywhere).

                          After researching a little bit more about this topic … I’ve found this project … which not sure if it could be interesting also. What do you think? Could this make easier the process described in @george1421’s tutorial?

                          Thank you guys, and so sorry again because I’ve created a new topic instead replying in here 😞 maybe some mod can remove it 😄

                          1 Reply Last reply Reply Quote 0
                          • 1 / 1
                          • First post
                            Last post

                          157

                          Online

                          12.0k

                          Users

                          17.3k

                          Topics

                          155.2k

                          Posts
                          Copyright © 2012-2024 FOG Project