Is supporting Secure Boot now possible?
-
@sebastian-roth said in Is supporting Secure Boot now possible?:
We follow up with the latest iPXE versions so yes, the version changes on every release and even between releases in beta/RC code branch - if you follow that.
In other words, the FOG Team is ON TOP OF IT!
-
iâve been tasked at getting fog secure boot complaint due to it now being a requirement by internal audit rolls eyesâŠ
microsoft so far have been as useful as a chocolate teapot. no one appears to know the process and their solution is use MDT or SCCM. If i have to hear âwhy arenât you using SCCM one more timeâŠâ lol
initial cost is not a concern its already been pre-signed off but the process needs to be as minimal as possible i.e. dont need to keep going back to microsoft to get versions resigned and have the ability to sign them ourselvesâŠ
anyone else done this in a enterprise environment or am i going to be the guinea pig lol
any of the other devs got any more insight?
-
This post is deleted! -
@lee-rowlett Iâve been toying with the issue, just now my mind went blank where I was able to pxe boot linux in secure boot. It did work and it worked well with a grub based environment. The concept that I worked out was to use the ubuntu signed shim with grub to boot into FOS with secure boot on. I did this over the christmas holiday and for the life of me I canât remember the setup.
This is where I got the files from: https://launchpad.net/ubuntu/+source/shim-signed
Also I had this one book marked for pxe booting.
https://www.downtowndougbrown.com/2017/03/hosting-ubuntu-16-04-desktop-live-install-iso-on-a-pxe-netboot-server-bios-and-uefi-simultaneously/Understand this process requires both iPXE to be signed as well as the kernel FOS (or if a shim is used, the shim signed). If we could come up with a way to use these shims then FOS would not need to be signed by MS.
-
I wanted to share my experience with trying to get something signed for Secure Boot with my imaging program. It basically comes down to that itâs very difficult for open source projects to get something signed.
First of all you need to get your bootloader signed by Microsoft, no way around it. Second it requires an EV code signing certificate. These are expensive and you can only get them if you are a legitimate business. You must use a shim, otherwise every change to a kernel or bootloader would require resigning them from Microsoft which is not feasible. Also, shim does not currently support Proxy DHCP servers. The basic workflow is this:
Compile the shim with a self signed CA baked in, then you can sign your kernels and bootloaders against the CA without the needing resign the shim with MS for every change.
Submit the shim and your EV certificate to Microsoft
They will reach out to the shim maintainers who will ask you a bunch of questions about how you will use the shim. If you tell them you are going to use it with iPXE they probably wonât approve it. You need to tell them you are using Grub. If they catch you signing anything other than what you say, they will blacklist your shim.
If everything checks out then theyâll send you the precious signed shim.
I personally scrapped the idea of trying to get a signed shim because of the business requirement. Too much extra cost, not to mention the hassle of doing taxes with a business that doesnât actually make any money.
The future looks dim because of secure boot
-
@george1421 i can get it to boot to grub now but cannot get it to chainload into FOS
-
@jdd49 it sure does
microsoft monopolizing the process?..NEVER!!! -
This post is deleted! -
@george1421 nice one george! i guess at the moment it is a toss up of functionality over âsecurityâ - nice work! iâm sure @tom-elliott could give a better insight on the ipxe parametersâŠ
-
@lee-rowlett Just thinking out loud here, but if FOS handled the iPXE menu internally with its own ncurses menus, there would be no need to iPXE. We could use this concept to boot right into FOS and let FOS manage what to do next. I know something similar is planned for âFOG tooâ but that product is a ways off still.
-
I am locking this thread as the information we need to work out should first be done on the backend between the developers and few testers so we know what is feasible and have a more defined control set.
While I understand there may be many people interested in this, we have not done it and donât want to put systems in a bad state where you can potentially lose your data due to failure to be able to boot to any OS anymore.
We will open a new thread once we have solidified a plan of action and tested feasibility.
