Re: [ipxe-devel] autoexec.ipxe and UEFI secure boot ?
On 04/04/2021 16:42, Etienne Champetier wrote: Since https://github.com/ipxe/ipxe/commit/a3f1e8fb6707811e6eb90e339d7ebe813fd89a63, iPXE load autoexec.ipxe from filesystem allowing pretty much the same use case as embedding configuration without the need to recompile iPXE binary. Now I'm wondering would it allow say RedHat to provide signed iPXE binary (ipxe.efi) and anyone to create a secure boot enabled iso with ipxe.efi and their autoexec.ipxe or is this feature considered not safe to be signed ? Yes, that would be possible. iPXE scripts are deemed to be configuration data: they cannot be used to make arbitrary changes to system memory or to execute arbitrary unsigned code and so do not themselves require Secure Boot signing. Michael ___ ipxe-devel mailing list ipxe-devel@lists.ipxe.org https://lists.ipxe.org/mailman/listinfo/ipxe-devel
Re: [ipxe-devel] autoexec.ipxe and UEFI secure boot ?
On Sun, Apr 04, 2021 at 11:42:09AM -0400, Etienne Champetier wrote: > Hi all, > > Since > https://github.com/ipxe/ipxe/commit/a3f1e8fb6707811e6eb90e339d7ebe813fd89a63, > iPXE load autoexec.ipxe from filesystem allowing pretty much the same > use case as embedding configuration without the need to recompile iPXE > binary. > > Now I'm wondering would it allow say RedHat to provide signed iPXE > binary (ipxe.efi) > and anyone to create a secure boot enabled iso with ipxe.efi and their > autoexec.ipxe or is this feature considered not safe to be signed ? https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headlines ___ ipxe-devel mailing list ipxe-devel@lists.ipxe.org https://lists.ipxe.org/mailman/listinfo/ipxe-devel