Re: [ipxe-devel] autoexec.ipxe and UEFI secure boot ?

2021-04-20 Thread Michael Brown

On 04/04/2021 16:42, Etienne Champetier wrote:

Since 
https://github.com/ipxe/ipxe/commit/a3f1e8fb6707811e6eb90e339d7ebe813fd89a63,
iPXE load autoexec.ipxe from filesystem allowing pretty much the same
use case as embedding configuration without the need to recompile iPXE
binary.

Now I'm wondering would it allow say RedHat to provide signed iPXE
binary (ipxe.efi)
and anyone to create a secure boot enabled iso with ipxe.efi and their
autoexec.ipxe or is this feature considered not safe to be signed ?


Yes, that would be possible.  iPXE scripts are deemed to be 
configuration data: they cannot be used to make arbitrary changes to 
system memory or to execute arbitrary unsigned code and so do not 
themselves require Secure Boot signing.


Michael
___
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel


Re: [ipxe-devel] autoexec.ipxe and UEFI secure boot ?

2021-04-13 Thread Test Message Can Be Ignored
On Sun, Apr 04, 2021 at 11:42:09AM -0400, Etienne Champetier wrote:
> Hi all,
> 
> Since 
> https://github.com/ipxe/ipxe/commit/a3f1e8fb6707811e6eb90e339d7ebe813fd89a63,
> iPXE load autoexec.ipxe from filesystem allowing pretty much the same
> use case as embedding configuration without the need to recompile iPXE
> binary.
> 
> Now I'm wondering would it allow say RedHat to provide signed iPXE
> binary (ipxe.efi)
> and anyone to create a secure boot enabled iso with ipxe.efi and their
> autoexec.ipxe or is this feature considered not safe to be signed ?


https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headlines
___
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel