On 11/12/17 00:44, Ian Bobbitt wrote:
It's unlikely that iPXE can, or will ever be able to, have a valid
Secure Boot signature. iPXE is licensed GPL v2 (or later) [1].
Microsoft, who are in charge of Secure Boot signatures, will not sign
software subject to GPL v3 [2], because doing so would obligate them to
publicly disclose their signing keys [3]. Other Open Source projects
that do have Secure Boot signed loaders use a shim [4] with another
license (e.g. GPL v2 only, or a BSD variant) that is compatible with
signed code.
Microsoft is prepared to sign iPXE provided that various subsystems with
known flaws are excluded. You can exclude the relevant subsystems using
instructions as per
http://git.ipxe.org/ipxe.git/commitdiff/7428ab7
I have previously obtained signed iPXE builds from Microsoft. The
process of obtaining a signed build from Microsoft is tedious and very
manual; this is the only reason that we do not have regular signed releases.
Michael
_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel