• Moderator

    Hi All,
    This is more of a general question about the future of FOG and possible FOG alternatives if the project is unable to support Secure Boot/Windows 11. I hate to post this here, but I don’t know anyone else on the internet who are bigger experts in imaging. I know in general this being an open source volunteer driven project, it is a big ask to support the big challenges Microsoft is throwing in the way of the project.

    I wanted to ask if anyone has any experience with any other solutions, please let me know. My organization would like to look at alternatives though we would be quite devastated if we had to move away from FOG since it has been our saving grace for 10+ years. If this is inappropriate to post here, I will gladly take this down.

    Thanks!


  • Reading through this thread, I’d say we need a champion to help the FOG Project with the money and process. Here is where any for-profit company reading this should consider helping with two things.

    • Donate some man-hours for a person to work with the FOG devs on this
    • Donate the money to cover the cost.

    Personally, I think it should be Microsoft who helps. If FOG is unable to easily deploy Windows 11 due to secureboot related difficulties, School Districts will have further reason to just buy Chromebooks instead of Windows PCs.

  • Moderator

    @richiestuff said in Windows 11/Future for Us:

    SHIM review board and lots of infos on the process can be found here:
    https://github.com/rhboot/shim-review

    Nice! Didn’t know about this yet.

    Though looking through the question template I fear we might not be considered to get our shim signed:

    • Who is the primary contact for security updates, etc.? Name, Position, Email address, PGP key fingerprint (Key should be signed by the other security contacts, pushed to a keyserver like keyserver.ubuntu.com, and preferably have signatures that are reasonably well known in the Linux community.)
    • Who is the secondary contact for security updates…
    • … MANY questions about technical details which do not apply to iPXE I guess …

    And there is another hurdle:

    Note that we really only have experience with using GRUB2 on Linux, so asking us to endorse anything else for signing is going to require some convincing on your part.

    Looking at others going through this process is kind of fun but I am not sure we (as a community) can handle this.

  • Moderator

    @richiestuff I also looked into this issue. I was able to work up a workflow were you can use a custom self signed certificate. https://forums.fogproject.org/topic/15888/imaging-with-fog-and-secure-boot-poc

    I looked quickly at the shim approach, but the issue is we need to sign ipxe binaries too.

    Clonezilla took the approach to use stock ubuntu or debian kernels so they could use their signed stuff. Nothing wrong with that and could be an approach for FOG, except of course for iPXE.

    Thank you for providing an additional path for secure booting. I wasn’t aware of that approach, well done.


  • @george1421

    You have a 3rd option here,
    does not involving paying MS money - the same way most Linux distris solve that.

    Get an EV certificate from the certificate vendor of your choice and build you own flavor of the SHIM,
    this gets to the OSS SHIM approval board, once they greenlight the build process you did - MS will go and sign your SHIM,
    you sign GRUB & Kernel with your EV certificate - job done.

    SHIM review board and lots of infos on the process can be found here:

    https://github.com/rhboot/shim-review

    or the variant 4 - which is not super sexy but cheap & cheerful:
    Just use a signed SHIM/GRUB/Kernel from a current signed distri of your choice - e.g. taking the Debian LTS Kernel as well as the signed SHIM/Grub from Debian - and you can also happily boot with Secureboot on.

    Richie

  • Developer

    @fry_p for assurance, FOG still works with windows 11 and it also works on hardware devices that are NOT supported by Microsoft, your image will still deploy, complete and be functional on these devices albeit out of support from a Microsoft perspective but if secure boot becomes compulsory for all your devices then yes, you have to consider the challenges in managing your own secureboot PKI for FOG but Windows 11 should not be a reason to consider an alternative.

  • Moderator

    @fry_p Without secure boot probably yes if Smartdeploy is winpe based. The problem will still be ipxe is not signed so will not boot in secure boot mode.

  • Moderator

    @george1421 Really wacky question for you…Can you boot into something like Smart Deploy (they have a SmartPE environment they use) from FOG? I don’t know if you have the answer, but I would definitely prefer using FOG to boot into this rather than WDS.

  • Moderator

    @fry_p Really when it comes to secure boot FOG has 2 options.

    1. Pay to get a signing certificate from microsoft and then the fog developers will have to sign the FOG kernel and all of the iPXE boot loaders. This will take someone to run this project and money to pay M$ for the signing certificate. That would force the FOG project into some type of subscription model to continue to support that service.

    2. Add your own certificates to the cert store in the uefi firmware. That will require the creating a FOG PKI infrastructure and then updating the certificate store on each computer (once) to match the signing certificate for FOG as well as keep the other certificates so that the microsoft stuff still continues to work.

    Myself personally I started looking into option 2 but then found something else shinny to chase and the project got tabled.

321
Online

9.1k
Users

15.7k
Topics

145.9k
Posts