Secure Boot Support Possibilities

[LiberaVeritas]

Is your feature request related to a problem? Please describe.
Allow booting on systems with secure boot enabled

Describe the solution you'd like
I think there are a few possibilities for getting this to work.

1. Generate a key pair and add signing to the CI/CD process, so that all bootloader releases get signed. Make the public key available, which users can then enrol in db or as an MOK. This would only work for users who have the capability to enrol keys, or at least an MOK. Of course, they could also just sign it themselves in this case.
2. The official iPXE project had their shim recently get signed by Microsoft. This could maybe be integrated for use with netboot.xyz
   iPXE 16.1 shim (new submission) rhboot/shim-review#319 (comment)
3. Broadcom has an iPXE binary signed by Microsoft https://knowledge.broadcom.com/external/article/280113/updated-64bit-ipxeefi-ipxe-v1211-binarie.html. This could be used to load the netboot.xyz ipxe menu. I believe the binary is hardcoded to look for the menu file at http://{next-server}:4433/Altiris/iPXE/GetPxeScript.aspx

[NiKiZe]

Official signed iPXE binaries are coming, strongly suggest to use those builds, the question would be if there is anything used by netboot.xyz that is not enabled in the default builds?

This might have lead to ipxe/ipxe#1638

[mcb30]

Official signed binaries are now available in the iPXE v2.0.0 release.

[ewanlbc]

Ok sorry to ask this but what's the point of ipxe signed binaries precisely ? If I'm asking that that's because I'm trying to boot linux from Lan (shimx64.efi and ipxe.efi from here) to laptops with Secure Boot. I've actually succeeded to launch Ipxe 2.0.0 with SB enabled but if I'm chaining linux images after that (which are obviously not signed), it won't work. For now I'm able to launch trough DHCP a Debian netboot install but even with the IPXE official shimx64.efi, I have to point to another shimx64.efi (the debian one) in the autoexec.ipxe file to make it work. Or maybe I'm doing it wrong... I think I will have to wait a while before booting Linux images from network with SB enabled... Thanks anyway

[NiKiZe]

Ok sorry to ask this but what's the point of ipxe signed binaries precisely ? If I'm asking that that's because I'm trying to boot linux from Lan (shimx64.efi and ipxe.efi from here) to laptops with Secure Boot. I've actually succeeded to launch Ipxe 2.0.0 with SB enabled but if I'm chaining linux images after that (which are obviously not signed), it won't work. For now I'm able to launch trough DHCP a Debian netboot install but even with the IPXE official shimx64.efi, I have to point to another shimx64.efi (the debian one) in the autoexec.ipxe file to make it work. Or maybe I'm doing it wrong... I think I will have to wait a while before booting Linux images from network with SB enabled... Thanks anyway

You also posted this in ipxe/ipxe#1638 (comment)
And as stated there, as you know, you need to use the shim command.
Depending on the setup, even if you need the shim and kernel, (and also modules for that specific kernel) the contents of initrd etc can much more freely be modified.
So if there is a setup that is working with secure boot disabled, you just have to swap out some parts of that chain to secure boot signed alternatives to keep the same functionality.

The main reason to do this, is to support a solution on a global level, as stated on https://ipxe.org/secboot:

The only real advantage to leaving UEFI Secure Boot enabled is that it saves you the time that it would take to manually go in to the UEFI BIOS setup to disable the Secure Boot option.

[ewanlbc]

Ok sorry to ask this but what's the point of ipxe signed binaries precisely ? If I'm asking that that's because I'm trying to boot linux from Lan (shimx64.efi and ipxe.efi from here) to laptops with Secure Boot. I've actually succeeded to launch Ipxe 2.0.0 with SB enabled but if I'm chaining linux images after that (which are obviously not signed), it won't work. For now I'm able to launch trough DHCP a Debian netboot install but even with the IPXE official shimx64.efi, I have to point to another shimx64.efi (the debian one) in the autoexec.ipxe file to make it work. Or maybe I'm doing it wrong... I think I will have to wait a while before booting Linux images from network with SB enabled... Thanks anyway

You also posted this in ipxe/ipxe#1638 (comment) And as stated there, as you know, you need to use the shim command. Depending on the setup, even if you need the shim and kernel, (and also modules for that specific kernel) the contents of initrd etc can much more freely be modified. So if there is a setup that is working with secure boot disabled, you just have to swap out some parts of that chain to secure boot signed alternatives to keep the same functionality.

The main reason to do this, is to support a solution on a global level, as stated on https://ipxe.org/secboot:

The only real advantage to leaving UEFI Secure Boot enabled is that it saves you the time that it would take to manually go in to the UEFI BIOS setup to disable the Secure Boot option.

Ok thank you very much for your explanations, that is pretty clear indeed !