Is supporting Secure Boot now possible?
My understanding is that the 64-bit version of CentOS 7 does support UEFI with Secure Boot enabled, so is this now a possibility?
I know Secure Boot shouldn’t be a big deal, but it’s a bit of a pain in the ass if you’re imaging an entire lab and need to touch the firmware settings on each machine.
I know this is fairly old but as I’ve just seen some rumor on this topic in the iPXE devel mailing list I thought I might post that here as a reference for people searching our forums: http://lists.ipxe.org/pipermail/ipxe-devel/2017-December/005921.html
Michael Brown’s answer:
Microsoft is prepared to sign iPXE provided that various subsystems with known flaws are excluded. You can exclude the relevant subsystems using instructions as per
I have previously obtained signed iPXE builds from Microsoft. The process of obtaining a signed build from Microsoft is tedious and very manual; this is the only reason that we do not have regular signed releases.
@Joe-Schmitt I think I understand. I was going to say that if only a few hundred bucks was in the way of making this happen, I was just going to pay it and be done.
@loosus456 secure boot compliance would probably be a paid feature of 2.X. That is, your company requests a secure boot license key and we invoice you for it (since it requires use of our infrastructure and overhead costs to maintain it). Then you simply give the FOG 2.X server a license key and it will take care of the rest for you.
The thing to note here, is that we aren’t like CentOS or a standard linux distribution. The FOG 2.X binaries your machines boot are custom built to your environment (injected keys, so on), so FOG binaries are unique to your environment, and thus we cannot simply sign them all for free due to security concerns and infrastructure costs.
Curious: how much money would it cost for FOG to sign in a post-1.X version?
@loosus456 Another option that I’ve done - which is a lot more work but free, in some firmwares you can upload a copy of the boot file you want SecureBoot to accept ( like
ipxe.efi) and the firmware does something with this file, maybe hashes it and stores the hash, not sure.
But, if you do that for all the computers you want to image, then that very specific version of ipxe will work through SecureBoot. You just have to use that exact one - or update all your computers again with the new version.
I’ve done this before, it does work. If you have maybe 10 computers you image with FOG in total (like small office) this could work. In larger environments 20+ it’s not worth the effort, just pay the money.
@loosus456 just to clarify some things here. FOG can be secure boot compatible (it has nothing to do with with our imaging process). Infact, I’ve done some work on this matter a year or so ago that would make FOG secure boot compliant. However, it would cost us a bit of money for Microsoft to sign off on our shim (basically with secure boot you have two options: have something signed by your PC manufacturer, or signed by MS). The shim is a simple re-direct file, that is, your machine boots it (since its signed by MS), and then it boots anything signed by our
FOG Projectcertificate. Even then though, there are some logistics issues with this setup that we are not going to deal with in 1.X.
With that said, if you desire secure boot, we may be able to help get your environment secure boot compliant, and possibly make it a guide for others. However, you would be responsible for paying the microsoft signing fee (a couple/few hundred dollars), and then you could secure boot anything signed by your company. This would remove the logistics issues we face, as you are only signing for your own company.
WinPE always works because, well, it’s made by Microsoft, and has a shim-style setup signed by Microsoft.
@Tom-Elliott Gotcha. All I can really say is that I’ve never, ever seen a post-Windows 8+ WinPE image not boot on any computer. I mean, if you think about it, WinPE has to run on every possible Secure Boot device because WinPE is what sets up Windows to begin with; if a device doesn’t support WinPE Secure Boot, it doesn’t support Windows 8/10 Secure Boot.
So for FOG, when it most immediately boots, is it not a straight (nimble) Linux distribution (like CentOS) that’s booting? Does iPXE happen first?
Thinking a little more, I think this is because of how the boot file of WinPE is working? Like it’s presenting the machine with the boot code the Secure boot is looking for. As for how FOG works: we boot to ipxe and boot using a more direct approach. (I could probably say the same for any PXEBoot process though?). The files just aren’t signed to enable booting, and so the machine does not allow it to boot.
Essentially, the imaging process itself should have no issues capturing/deploying the image with secure boot enabled, it’s the process to get to the point of capturing/deploying the image that has the problem with it.
To be honest? I don’t know that it doesn’t work that way. I just know what others on the forums have seen/heard/done.
@Tom-Elliott I guess the thing I don’t understand is why does WinPE always work, regardless of the model/manufacturer/etc.? Could FOG work similarly?
I know you probably are aware of what Secure boot is, but rather have me try to describe/define it I think this will help other’s understanding. Theoretically, hosts of the same make/model/motherboard, should not have different signatures.
The reason secure boot can be problematic, however, is it doesn’t allow removal of the bootloader (which is stored on hdd) as directed by the NVRAM. Seeing as how fog operates, we delete the bootloader information from the disk and reapply via the imaging process. In the case of upload, however, secure boot “might” be possible. Just Deploy’s would run into issues I would think. I’m not an expert though so I could just be whistling dixie.
Just curious: why does the signature assigned to the boot files change for each host? I may not even be fully understanding what that means, though.
I haven’t tested if leaving secure boot enabled works. I suspect it doesn’t as the signature assigned to the boot files would be changed for each host. Of course, if all hosts are using the same signature defined, then it should enable this portion to work untouched.