• Recent
  • Unsolved
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login
  • Recent
  • Unsolved
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login

Is supporting Secure Boot now possible?

Scheduled Pinned Locked Moved
General
7
29
10.8k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • ?
    A Former User
    last edited by A Former User Feb 19, 2017, 10:17 PM Feb 20, 2017, 4:14 AM

    My understanding is that the 64-bit version of CentOS 7 does support UEFI with Secure Boot enabled, so is this now a possibility?

    I know Secure Boot shouldn’t be a big deal, but it’s a bit of a pain in the ass if you’re imaging an entire lab and need to touch the firmware settings on each machine.

    1 Reply Last reply Reply Quote 0
    • T
      Tom Elliott
      last edited by Feb 20, 2017, 4:16 AM

      I haven’t tested if leaving secure boot enabled works. I suspect it doesn’t as the signature assigned to the boot files would be changed for each host. Of course, if all hosts are using the same signature defined, then it should enable this portion to work untouched.

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

      1 Reply Last reply Reply Quote 0
      • ?
        A Former User
        last edited by Feb 20, 2017, 4:19 AM

        Just curious: why does the signature assigned to the boot files change for each host? I may not even be fully understanding what that means, though.

        T 1 Reply Last reply Feb 20, 2017, 4:30 AM Reply Quote 0
        • T
          Tom Elliott @A Former User
          last edited by Feb 20, 2017, 4:30 AM

          @loosus456 https://docs.fedoraproject.org/en-US/Fedora/18/html/UEFI_Secure_Boot_Guide/chap-UEFI_Secure_Boot_Guide-What_is_Secure_Boot.html

          I know you probably are aware of what Secure boot is, but rather have me try to describe/define it I think this will help other’s understanding. Theoretically, hosts of the same make/model/motherboard, should not have different signatures.

          The reason secure boot can be problematic, however, is it doesn’t allow removal of the bootloader (which is stored on hdd) as directed by the NVRAM. Seeing as how fog operates, we delete the bootloader information from the disk and reapply via the imaging process. In the case of upload, however, secure boot “might” be possible. Just Deploy’s would run into issues I would think. I’m not an expert though so I could just be whistling dixie.

          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

          ? 1 Reply Last reply Feb 20, 2017, 4:33 AM Reply Quote 0
          • ?
            A Former User @Tom Elliott
            last edited by Feb 20, 2017, 4:33 AM

            @Tom-Elliott I guess the thing I don’t understand is why does WinPE always work, regardless of the model/manufacturer/etc.? Could FOG work similarly?

            T 1 Reply Last reply Feb 20, 2017, 4:36 AM Reply Quote 0
            • T
              Tom Elliott @A Former User
              last edited by Feb 20, 2017, 4:36 AM

              To be honest? I don’t know that it doesn’t work that way. I just know what others on the forums have seen/heard/done.

              Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

              Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

              Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

              ? L 2 Replies Last reply Feb 20, 2017, 4:41 AM Reply Quote 0
              • T
                Tom Elliott
                last edited by Tom Elliott Feb 19, 2017, 10:40 PM Feb 20, 2017, 4:38 AM

                Thinking a little more, I think this is because of how the boot file of WinPE is working? Like it’s presenting the machine with the boot code the Secure boot is looking for. As for how FOG works: we boot to ipxe and boot using a more direct approach. (I could probably say the same for any PXEBoot process though?). The files just aren’t signed to enable booting, and so the machine does not allow it to boot.

                Essentially, the imaging process itself should have no issues capturing/deploying the image with secure boot enabled, it’s the process to get to the point of capturing/deploying the image that has the problem with it.

                Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                1 Reply Last reply Reply Quote 0
                • ?
                  A Former User @Tom Elliott
                  last edited by Feb 20, 2017, 4:41 AM

                  @Tom-Elliott Gotcha. All I can really say is that I’ve never, ever seen a post-Windows 8+ WinPE image not boot on any computer. I mean, if you think about it, WinPE has to run on every possible Secure Boot device because WinPE is what sets up Windows to begin with; if a device doesn’t support WinPE Secure Boot, it doesn’t support Windows 8/10 Secure Boot.

                  So for FOG, when it most immediately boots, is it not a straight (nimble) Linux distribution (like CentOS) that’s booting? Does iPXE happen first?

                  W 1 Reply Last reply Feb 20, 2017, 3:30 PM Reply Quote 0
                  • W
                    Wayne Workman @A Former User
                    last edited by Wayne Workman Feb 20, 2017, 9:32 AM Feb 20, 2017, 3:30 PM

                    @loosus456 Another option that I’ve done - which is a lot more work but free, in some firmwares you can upload a copy of the boot file you want SecureBoot to accept ( like ipxe.efi ) and the firmware does something with this file, maybe hashes it and stores the hash, not sure.

                    But, if you do that for all the computers you want to image, then that very specific version of ipxe will work through SecureBoot. You just have to use that exact one - or update all your computers again with the new version.

                    I’ve done this before, it does work. If you have maybe 10 computers you image with FOG in total (like small office) this could work. In larger environments 20+ it’s not worth the effort, just pay the money.

                    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                    Daily Clean Installation Results:
                    https://fogtesting.fogproject.us/
                    FOG Reporting:
                    https://fog-external-reporting-results.fogproject.us/

                    1 Reply Last reply Reply Quote 0
                    • ?
                      A Former User
                      last edited by Feb 21, 2017, 1:40 AM

                      Curious: how much money would it cost for FOG to sign in a post-1.X version?

                      1 Reply Last reply Reply Quote 0
                      • ?
                        A Former User
                        last edited by Feb 22, 2017, 12:58 AM

                        @Joe-Schmitt I think I understand. I was going to say that if only a few hundred bucks was in the way of making this happen, I was just going to pay it and be done.

                        1 Reply Last reply Reply Quote 0
                        • S
                          Sebastian Roth Moderator
                          last edited by Dec 11, 2017, 8:59 PM

                          I know this is fairly old but as I’ve just seen some rumor on this topic in the iPXE devel mailing list I thought I might post that here as a reference for people searching our forums: http://lists.ipxe.org/pipermail/ipxe-devel/2017-December/005921.html

                          Michael Brown’s answer:

                          Microsoft is prepared to sign iPXE provided that various subsystems with known flaws are excluded. You can exclude the relevant subsystems using instructions as per

                          http://git.ipxe.org/ipxe.git/commitdiff/7428ab7

                          I have previously obtained signed iPXE builds from Microsoft. The process of obtaining a signed build from Microsoft is tedious and very manual; this is the only reason that we do not have regular signed releases.

                          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                          W 1 Reply Last reply Dec 12, 2017, 6:17 PM Reply Quote 0
                          • W
                            Wayne Workman @Sebastian Roth
                            last edited by Dec 12, 2017, 6:17 PM

                            @sebastian-roth said in Is supporting Secure Boot now possible?:

                            The process of obtaining a signed build from Microsoft is tedious and very manual

                            That part bothers me. How did Microsoft come to have a monopoly on this? Isn’t there anyone else that can sign it? What root certs are installed into the bios besides Microsoft’s? Surely they are not the only ones?!?

                            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                            Daily Clean Installation Results:
                            https://fogtesting.fogproject.us/
                            FOG Reporting:
                            https://fog-external-reporting-results.fogproject.us/

                            1 Reply Last reply Reply Quote 0
                            • ?
                              A Former User
                              last edited by Dec 12, 2017, 7:52 PM

                              Would each and every version of iPXE have to be signed by Microsoft? Or would it be a one-time event?

                              I don’t really understand the part about excluding certain directories. How, if at all, would that affect users of iPXE? Or would that be something that would affect only iPXE developers?

                              W george1421G 2 Replies Last reply Dec 12, 2017, 7:56 PM Reply Quote 0
                              • W
                                Wayne Workman @A Former User
                                last edited by Dec 12, 2017, 7:56 PM

                                @loosus456 said in Is supporting Secure Boot now possible?:

                                Would each and every version of iPXE have to be signed by Microsoft?

                                Yes, any version you want Secure Boot to accept must be signed. The idea we’ve kicked around before is only doing this every so often to minimize costs.

                                Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                                Daily Clean Installation Results:
                                https://fogtesting.fogproject.us/
                                FOG Reporting:
                                https://fog-external-reporting-results.fogproject.us/

                                1 Reply Last reply Reply Quote 1
                                • george1421G
                                  george1421 Moderator @A Former User
                                  last edited by Dec 12, 2017, 7:56 PM

                                  @loosus456 said in Is supporting Secure Boot now possible?:

                                  Would each and every version of iPXE have to be signed by Microsoft?

                                  Yes, every boot kernel you want to run on a computer that has secure boot enabled must have a valid signed key. This includes iPXE as well as FOS (Fog’s target system Operaing System)

                                  Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                                  1 Reply Last reply Reply Quote 1
                                  • ?
                                    A Former User
                                    last edited by Dec 12, 2017, 10:01 PM

                                    Does iPXE change every FOG release? Or do FOG releases often share the same IPXE version?

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      Sebastian Roth Moderator
                                      last edited by Dec 13, 2017, 6:10 AM

                                      @loosus456 said in Is supporting Secure Boot now possible?:

                                      Does iPXE change every FOG release? Or do FOG releases often share the same IPXE version?

                                      We follow up with the latest iPXE versions so yes, the version changes on every release and even between releases in beta/RC code branch - if you follow that.

                                      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                                      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                                      W 1 Reply Last reply Dec 13, 2017, 1:58 PM Reply Quote 1
                                      • W
                                        Wayne Workman @Sebastian Roth
                                        last edited by Dec 13, 2017, 1:58 PM

                                        @sebastian-roth said in Is supporting Secure Boot now possible?:

                                        We follow up with the latest iPXE versions so yes, the version changes on every release and even between releases in beta/RC code branch - if you follow that.

                                        In other words, the FOG Team is ON TOP OF IT! 😄

                                        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                                        Daily Clean Installation Results:
                                        https://fogtesting.fogproject.us/
                                        FOG Reporting:
                                        https://fog-external-reporting-results.fogproject.us/

                                        1 Reply Last reply Reply Quote 0
                                        • L
                                          Lee Rowlett Developer
                                          last edited by Jan 24, 2018, 11:54 AM

                                          i’ve been tasked at getting fog secure boot complaint due to it now being a requirement by internal audit rolls eyes…

                                          microsoft so far have been as useful as a chocolate teapot. no one appears to know the process and their solution is use MDT or SCCM. If i have to hear “why aren’t you using SCCM one more time…” lol

                                          initial cost is not a concern its already been pre-signed off but the process needs to be as minimal as possible i.e. dont need to keep going back to microsoft to get versions resigned and have the ability to sign them ourselves…

                                          anyone else done this in a enterprise environment or am i going to be the guinea pig lol

                                          any of the other devs got any more insight?

                                          george1421G 1 Reply Last reply Jan 24, 2018, 1:00 PM Reply Quote 0
                                          • 1
                                          • 2
                                          • 1 / 2
                                          • First post
                                            Last post

                                          151

                                          Online

                                          12.0k

                                          Users

                                          17.3k

                                          Topics

                                          155.2k

                                          Posts
                                          Copyright © 2012-2024 FOG Project