On 04/04/2021 16:42, Etienne Champetier wrote:
Since
https://github.com/ipxe/ipxe/commit/a3f1e8fb6707811e6eb90e339d7ebe813fd89a63,
iPXE load autoexec.ipxe from filesystem allowing pretty much the same
use case as embedding configuration without the need to recompile iPXE
binary.
Now I'm wondering would it allow say RedHat to provide signed iPXE
binary (ipxe.efi)
and anyone to create a secure boot enabled iso with ipxe.efi and their
autoexec.ipxe or is this feature considered not safe to be signed ?
Yes, that would be possible. iPXE scripts are deemed to be
configuration data: they cannot be used to make arbitrary changes to
system memory or to execute arbitrary unsigned code and so do not
themselves require Secure Boot signing.
Michael
_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel
