
FOG compatibility with Secure Boot on?

  • Yeet
    last edited by Sep 10, 2021, 7:26 PM

    I haven’t seen anything regarding this, so I figured I’d ask. Will FOG ever work with Secure Boot on? I’ve been reading that Windows 11 will require secure boot, and that causes some issues. If FOG won’t support Secure Boot enabled, I may have to look at a different deployment solution. I would love to stay with FOG as it works for what I need.

    If there is a way to make it work with secure boot enabled that I’m not aware of, please feel free to share what I need to do.

    • george1421 Moderator @Yeet
      last edited by Sep 11, 2021, 2:04 AM

      @yeet While I can’t speak for the developers, there are no plans that I know of to support secure booting.

      With that said, while it’s not complicated to support secure booting, there is some expense involved. Both iPXE and FOS Linux kernels would need to be signed with a Microsoft certificate, or a matching signed certificate would need to be loaded into the target computer’s UEFI firmware. Many Linux distros have a shim boot loader that is signed by Microsoft; their shim will then only boot their kernel that matches their internal signed certificate. It’s kind of complicated to explain, but the point is, it’s a bit more complicated to support secure booting than just saying we support secure booting. There is also a cost involved with getting your OS certified as “safe for booting”. For a FOSS application that may be a high bar to get over.

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

      • Sebastian Roth Moderator
        last edited by Sep 12, 2021, 5:39 AM

        @Yeet Currently FOG does not support secure boot, as George said already. Though this has been discussed here a few times, and I think one user has even worked out his own solution. Search the forums.

        Web GUI issue? Please check the Apache error log (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and the php-fpm log (/var/log/php*-fpm.log)

        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

        • Florent @george1421
          last edited by Sep 13, 2021, 7:50 AM

          @george1421
          This news about Windows 11 worries me.
          Is this the end of FOG for deploying Windows next year? I hope not.

          Florent
          Bretagne, FRANCE

          • EduardoTSeoane @Yeet
            last edited by EduardoTSeoane Sep 14, 2021, 6:01 AM Sep 14, 2021, 12:00 PM

            @yeet @george1421 @Sebastian-Roth

            I need to test it again; it has been a long time since I tested it, but the UEFI firmware has the capability to add trusted files, so if you add the EFI files to that database you can boot the PC from that file and continue using FOG.

            Most of the problem is updating the .efi files.

            Take this as an example; when I can, I will try it again to confirm it.

            https://itsfoss.com/no-bootable-device-found-ubuntu/

            • Yeet @EduardoTSeoane
              last edited by Oct 1, 2021, 3:03 PM

              @eduardotseoane Would you be able to explain what you did in detail?

              I’d like to stay with FOG as well, but if I can’t get it to work with Secure Boot I’ll have to move to a different product completely.

              • Yeet @Sebastian Roth
                last edited by Oct 1, 2021, 4:08 PM

                @sebastian-roth I haven’t been able to find a solution in the forums. When will FOG support secure boot? We need this to happen, or we will have to stop using FOG altogether.

                • Sebastian Roth Moderator
                  last edited by Oct 1, 2021, 6:28 PM

                  @yeet said in FOG compatibility with Secure Boot on?:

                  > When will FOG support secure boot?

                  As soon as someone is daring enough to get into it. I am definitely not the one. FOG is open source and anyone can work on it.

                  While I have not looked into this in detail, it seems like there are several different ways of getting this to work; here are some pointers for you:
                  https://forums.fogproject.org/post/121630
                  https://forums.fogproject.org/post/128841

                  • EduardoTSeoane @Yeet
                    last edited by Oct 4, 2021, 8:04 AM

                    @yeet You must enroll the file’s hash from the UEFI interface; MOK manager is capable of trusting in two ways:

                    1. MOK can trust files by hash when you enroll the file via the firmware interface; if you want, you can send me the motherboard/PC manual and I can see if I can help explain how you can do it.
                    2. I know (but don’t know how at the moment) that an EFI application can be signed by a developer (self-signed or not), and the CA or intermediate CA can be added to the certificate database of the EFI firmware to validate the file, and that can be used…
                    3. I’m not sure, I’m still studying it, but I think that you can do all of this from MOK manager in the UEFI shell, or with some EFI application designed for that.

                    I’m sure that all this is possible, but I’m searching for information about how it can be done…
                    Some references that I’m reading are:

                    https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
                    https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-Secure-Boot-Customization-UOO168873-20.PDF
                    https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance
                    https://ubuntu.com/blog/how-to-sign-things-for-secure-boot
                    https://jfearn.fedorapeople.org/fdocs/en-US/Fedora_Draft_Documentation/0.1/html-single/UEFI_Secure_Boot_Guide/index.html
                    https://www.qualcomm.com/media/documents/files/secure-boot-and-image-authentication-technical-overview-v1-0.pdf

                    • EduardoTSeoane @Yeet
                      last edited by Oct 4, 2021, 8:17 AM

                      @yeet
                      Take a look at this post

                      https://forums.fogproject.org/topic/13832/secureboot-issues

                      • Lee Rowlett Developer @EduardoTSeoane
                        last edited by Lee Rowlett Oct 4, 2021, 2:26 AM Oct 4, 2021, 8:18 AM

                        @eduardotseoane

                        Unfortunately I do not have time to write up detailed step-by-step instructions, but this is how I’ve done it:

                        Follow this brilliant guide:
                        https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html

                        including the “Securing Multiple Computers” section. Once you’ve generated the “LockDown.efi”,

                        copy LockDown.efi to the ipxe folder on the FOG server (I’ve renamed mine to EnrollKeys.efi), then add the option to the PXE Menu.

                        [screenshot attached in the original post]

                        Then sign your init, bzImage and any other bzImage version you may use with the new cert you generated above - something like this:

```shell
cd /var/www/html/fog/service/ipxe
mv bzImage bzImage-unsigned
sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage bzImage-unsigned
mv bzImage32 bzImage32-unsigned
sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage32 bzImage32-unsigned
mv bzImage41713m bzImage41713m-unsigned
sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output bzImage41713m bzImage41713m-unsigned
```

                        Just remember to re-sign any init/bzImage when upgrading the kernel/FOG.

                        So the process is: when you get a new machine, put Secure Boot into user/setup mode, then boot to PXE and run the “Enroll Keys” option on the PXE menu, which will set the Secure Boot keys accordingly. The beauty of this is you will also only need to do this once on a machine, and then you will have Secure Boot on and working with FOG; when you come to reimage that same machine, Secure Boot will already be set up.

                        The only caveat I would say is I don’t know what the behaviour is going to be when the Microsoft UEFI CA expires in 2026. As you’re now effectively managing your own Secure Boot keys, you will need to update and manage the CAs in the db. This would normally be managed by Microsoft updates/OEMs, I assume.

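A practical check for the "re-sign after every kernel/FOG upgrade" caveat in the post above: the script below (an added example, not FOG project code or Lee's) reads the PE Certificate Table directory entry that sbsign fills in and reports which kernels in the ipxe directory are unsigned. The /var/www/html/fog/service/ipxe path and the bzImage/bzImage32 names come from the post; make_pe builds constructed minimal PE images so the checker can be exercised without a real kernel.

```python
import struct
from pathlib import Path

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode cert table

def cert_table(data: bytes) -> tuple:
    """Return (file offset, size) of the certificate table; (0, 0) means unsigned."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (bad PE signature)")
    opt_off = pe_off + 4 + 20  # skip the PE signature and the COFF file header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dirs_off = opt_off + (112 if magic == PE32PLUS_MAGIC else 96)  # PE32+ vs PE32 layout
    return struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR)

def is_signed(data: bytes) -> bool:
    """True when the security directory points at a non-empty blob inside the file."""
    off, size = cert_table(data)
    return off != 0 and size != 0 and off + size <= len(data)

def audit(directory: str, names=("bzImage", "bzImage32")) -> dict:
    """Classify each expected kernel in the FOG ipxe directory (path is an assumption)."""
    result = {}
    for name in names:
        try:
            result[name] = "signed" if is_signed((Path(directory) / name).read_bytes()) else "UNSIGNED"
        except FileNotFoundError:
            result[name] = "missing"
        except (ValueError, struct.error):
            result[name] = "not-pe"  # e.g. an initramfs, which sbsign cannot sign
    return result

def make_pe(signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header for testing; not a real kernel image."""
    dirs, opt_len = (112, 240) if pe32plus else (96, 224)
    img = bytearray(0x40 + 24 + opt_len)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew: PE signature at 0x40
    struct.pack_into("<H", img, 0x40 + 24, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if signed:  # point the security directory at a 64-byte placeholder blob appended below
        struct.pack_into("<II", img, 0x40 + 24 + dirs + 8 * SECURITY_DIR, len(img), 64)
        img += b"\0" * 64
    return bytes(img)
```

Run `audit("/var/www/html/fog/service/ipxe")` after each FOG or kernel update; any "UNSIGNED" entry is a kernel that Secure Boot clients will refuse to load until it is re-signed.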
                        • Florent
                          last edited by Florent Oct 5, 2021, 6:24 AM Oct 5, 2021, 12:24 PM

                          We have found a workaround which works for now.
                          For Dell or HP, in the BIOS you need to enable Secure Boot in “Audit Mode” or “Client Keys”.
                          This is not secure, but it allows using FOG PXE and Windows 11.
                          Hope it stays like this in the future 🤞

                          • EduardoTSeoane @Florent
                            last edited by Oct 6, 2021, 11:04 AM

                            @florent All UEFI systems need to be in custom/setup/user mode to add keys or file hashes; the hint is to implement an adequate security level…

                            • Florent @Sebastian Roth
                              last edited by Feb 17, 2022, 9:39 AM

                              @sebastian-roth
                              Maybe a future solution for the FOG project?
                              iPXE Secure Boot: https://2pintsoftware.com/pricing/

                              • jfernandz
                                last edited by jfernandz Dec 12, 2023, 5:56 PM Dec 12, 2023, 11:54 PM

                                Well, first of all… I’m sorry for bringing up this old post.

                                Secondly… I’ve been reading some posts on this forum… and I’ve found this one, which I think is very interesting to link here (not sure if you’ve linked it yet, but I can’t see the link anywhere).

                                After researching a little more about this topic… I’ve found this project… which I’m not sure whether it could also be interesting. What do you think? Could this make the process described in @george1421’s tutorial easier?

                                Thank you guys, and sorry again because I’ve created a new topic instead of replying here 😞 maybe some mod can remove it 😄
