UEFI Secure Boot is an option that is enabled by default on most UEFI systems. It is a security policy that is designed to allow only signed code to run at boot time.
It is important to note that UEFI Secure Boot is primarily a form of pay-to-play security theatre. Unless you are prepared to manage your own keys (which is a laborious and often largely manual task), there are no meaningful restrictions on the code that can be signed, or on who can perform the signing. The only real requirement is to be prepared to spend upwards of US$50,000 on gaining access to the code signing ecosystem. Enabling UEFI Secure Boot does not prevent malicious code from running on your system, but it does prevent you from building and running your own code on your system.
Enabling UEFI Secure Boot will also add significant complexity to your system, and is likely to make it substantially less robust and less reliable.
The only real advantage to leaving UEFI Secure Boot enabled is that it saves you the time that it would take to manually go into the UEFI BIOS setup to disable the Secure Boot option.
You can, if you want to, use iPXE with UEFI Secure Boot enabled.
You can use the built-in UEFI network stack to load iPXE over the network via TFTP or HTTP. Download the latest signed release of iPXE from https://github.com/ipxe/ipxe/releases/latest/download/ipxeboot.tar.gz and unpack this archive to a directory on your TFTP or HTTP server.
You will get a directory structure such as:
ipxeboot
|-- arm64-sb
| |-- ipxe.efi
| |-- ipxe-shim.efi
| |-- shimaa64.efi
| |-- snponly.efi
| |-- snponly-shim.efi
|-- x86_64-sb
| |-- ipxe.efi
| |-- ipxe-shim.efi
| |-- shimx64.efi
| |-- snponly.efi
| |-- snponly-shim.efi
|-- ....
You will need to configure your DHCP server to hand out the path to the shim for the iPXE binary that you want to run. For example, if you are using ISC dhcpd and you want to run ipxe.efi, then you will need to configure your DHCP server to hand out the path to ipxe-shim.efi:
next-server 192.168.0.1; filename "/ipxeboot/x86_64-sb/ipxe-shim.efi";
The Secure Boot shim (e.g. ipxe-shim.efi or snponly-shim.efi) will automatically load the iPXE binary with the corresponding name (e.g. ipxe.efi or snponly.efi).
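Since the signed archive ships one directory per architecture, a single DHCP server can hand out the matching shim to both x86_64 and arm64 clients by testing the client-architecture option (DHCP option 93). The following ISC dhcpd fragment is an added example, not part of the iPXE documentation; the subnet, range and next-server address are assumed values, and the architecture codes are the IANA "Processor Architecture Types" values (0x07 and 0x09 for x86-64 UEFI, 0x0b for ARM64 UEFI).

```conf
# Declare DHCP option 93 (client system architecture) so it can be
# tested in conditional statements below.
option arch code 93 = unsigned integer 16;

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;      # assumed address pool
    next-server 192.168.0.1;                # TFTP server holding ipxeboot/

    # x86-64 UEFI clients (0x07 "EFI BC" and 0x09 "EFI x86-64"):
    # hand out the signed shim, which then loads ipxe.efi from the
    # same directory.
    if option arch = 00:07 or option arch = 00:09 {
        filename "/ipxeboot/x86_64-sb/ipxe-shim.efi";
    }
    # ARM64 UEFI clients (0x0b "EFI ARM64") get the arm64 shim.
    elsif option arch = 00:0b {
        filename "/ipxeboot/arm64-sb/ipxe-shim.efi";
    }
    # Any other architecture (e.g. legacy BIOS) is not a Secure Boot
    # client; leave filename unset so it receives no boot file.
}
```

Clients that only need the SNP-based build can be given snponly-shim.efi in the same way; the shim always loads the iPXE binary of the corresponding name from its own directory.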
You can control the rest of the boot process by placing an iPXE script with the filename autoexec.ipxe in the same directory. For example:
#!ipxe
echo Hello Secure Boot world from ${cwuri}
show efi/SecureBoot
shell
Note that you can only choose between the precompiled ipxe.efi and snponly.efi binaries. The ipxe.efi binary is missing support for several features that are forbidden in a UEFI Secure Boot build. You cannot build your own version of iPXE with the precise features that you need, because UEFI Secure Boot is specifically designed to stop you from doing that.
You can use the prebuilt ISO and USB images to load iPXE from a local CD-ROM or USB key. Download the relevant image from https://github.com/ipxe/ipxe/releases/latest and write it to your CD-ROM or USB key in the usual way.
With the USB image, you can control the rest of the boot process by editing the iPXE script named autoexec.ipxe in the root directory.
Note that you can only use the precompiled ISO and USB images. They are missing support for several features that are forbidden in a UEFI Secure Boot build. You cannot build your own version of iPXE with the precise features that you need, because UEFI Secure Boot is specifically designed to stop you from doing that.
With UEFI Secure Boot enabled, you can use iPXE to boot into Microsoft Windows using wimboot in the usual way. Windows and wimboot are both already signed for UEFI Secure Boot, and you do not need to make any changes to your existing iPXE scripts.
With UEFI Secure Boot enabled, you can use iPXE to boot into a Linux distribution as long as that Linux distribution has a signed UEFI shim. You will need to modify your iPXE script to add the shim command. For example, to boot into Fedora:
#!ipxe
set mirror https://fedora.mirrorservice.org/fedora/linux/releases/43
set repo ${mirror}/Everything/x86_64/os
kernel ${repo}/images/pxeboot/vmlinuz inst.repo=${repo}
initrd ${repo}/images/pxeboot/initrd.img
shim ${repo}/EFI/BOOT/BOOTX64.EFI
boot
The shim command will silently do nothing if UEFI Secure Boot is disabled, or if you are running on a non-UEFI platform. You can therefore safely leave it in your script at all times, and iPXE will use the shim only if it needs to do so.