Score:0

PXE and UEFI SecureBoot


I am trying to PXE boot with SecureBoot enabled. My PXE does boot with UEFI enabled, however when enabling SecureBoot I get the error “Boot failed. EFI Network. Failed Secure Boot Verification.”

[screenshot: PXEBoot]

My bootx64.efi in the tftp root looks like it has the appropriate signing certificates.

root@hostname:/var/lib/tftpboot# sbverify --list bootx64.efi
warning: data remaining[830784 vs 955656]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

I’ve also tried to sign the bootx64.efi with my own key following the instructions here.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

I’ve tried using the grubnetx64.efi.dualsigned from the shim-signed package as well which has these certificates.

root@hostname:/var/lib/tftpboot# sbverify --list bootx64.efi
warning: data remaining[836848 vs 962400]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2022 v1)
   issuer:  /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
signature 2
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

When trying to boot to PXE, the client only requests the bootx64.efi from the TFTP server, meaning it doesn’t get to start loading the image that it should, doesn’t download grubx64.efi, nor do I get to a grub menu.

[screenshot: TCPDump]

If I turn off SecureBoot it correctly downloads my grub/grub.cfg file and will load the PXE images.

I’d like this to work with SecureBoot so that we don’t have to turn it off when trying to load the PXE. Most of the instructions that I found for how to get SecureBoot to work are intended for getting it to work on a single machine and the instructions are difficult to adapt to using in a netboot environment. Any help you could give would be appreciated.

David:
A couple of things. 1. The link you give here is not for Ubuntu. 2. Secure boot should be off. Why do you want it on?
user305588:
Documentation for this on specifically Ubuntu is sparse. This is for imaging computers, I would like SecureBoot to be on so we don't have to turn it off and then back on when imaging new computers.
David:
If you search this site you will see many many questions and answers re secure boot.
user305588:
As I mentioned, it is difficult to adapt the instructions to PXE as most of the posts I've found relate to setting up SecureBoot on a single system, and not in a PXE environment.
Andrew Lowther:
Where did `bootx64.efi` come from? For Jammy, you might want to try the `grubnetx64.efi.signed` file from http://archive.ubuntu.com/ubuntu/dists/jammy/main/uefi/grub2-amd64/current/ .
user305588:
I got the bootx64.efi from the shim-signed package. I tried the shimx64.efi and shimx64.efi.dualsigned, the latter of which has these signatures:
/C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
I got the grubnetx64.efi.signed for the grubx64.efi from the ubuntu archive and it has this signature:
/C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
In addition to the one I added, I have the one you linked.