PXE and UEFI Secure Boot


I am trying to PXE boot with Secure Boot enabled. My PXE setup does boot with UEFI enabled, but when Secure Boot is enabled I get the error "Boot failed. EFI Network. Secure Boot verification failed."

[image: PXE boot]

The bootx64.efi in the tftp root appears to have the proper signing certificates.

root@hostname:/var/lib/tftpboot# sbverify --list bootx64.efi
warning: data remaining[830784 vs 955656]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

I also tried signing bootx64.efi with my own keys, following the instructions here.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

I have also tried using grubnetx64.efi.dualsigned from the shim-signed package, which has these certificates.

root@hostname:/var/lib/tftpboot# sbverify --list bootx64.efi
warning: data remaining[836848 vs 962400]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2022 v1)
   issuer:  /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
signature 2
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

When attempting to PXE boot, the client only requests bootx64.efi from the TFTP server, which means it fails to begin loading the image it should load, never downloads grubx64.efi, and never reaches the grub menu.

[image: TCP dump]

If I turn Secure Boot off, it correctly downloads my grub/grub.cfg and loads the PXE image.

I would like this to work with Secure Boot so that we don't have to turn it off when trying to PXE boot. Most of the instructions I have found on making Secure Boot work are for getting it to work on a single machine, and they are hard to adapt to a network-boot environment. Any help would be greatly appreciated.
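As an added example (not code from the question, from sbverify or from the shim-signed package), a small Python parser that walks the PE/COFF Certificate Table of an EFI binary and reports the Authenticode records it carries, so a tftp root can be inventoried offline for a stage-one loader that carries no signature or only a vendor signature; it does not validate the signatures, which remains sbverify's job. The names authenticode_entries and build_sample_pe are assumed, and build_sample_pe is a constructed, non-bootable PE32+ fixture used only to exercise the parser.

```python
import struct
# PE/COFF layout per Microsoft's "PE Format" spec: e_lfanew at 0x3C points at "PE\0\0",
# the 20-byte COFF header follows, and data directory 4 is the Certificate Table.
CERT_TABLE_INDEX = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002        # Authenticode PKCS#7 SignedData
DATA_DIR_OFFSET = {0x10B: 96, 0x20B: 112}      # PE32 / PE32+ optional header magic

def authenticode_entries(image: bytes):
    """(revision, cert_type, length) per WIN_CERTIFICATE; [] means nothing for Secure Boot to check."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    dd_off = DATA_DIR_OFFSET.get(struct.unpack_from("<H", image, opt)[0])
    if dd_off is None:
        raise ValueError("unknown optional header magic")
    entry = opt + dd_off + 8 * CERT_TABLE_INDEX
    if entry + 8 > opt + opt_size:
        return []                               # header too short to hold a cert table entry
    table_off, table_size = struct.unpack_from("<II", image, entry)
    entries, pos, end = [], table_off, table_off + table_size
    while table_off and pos + 8 <= end:         # table_off == 0: unsigned image
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8:
            break                               # corrupt record: stop rather than spin
        entries.append((revision, cert_type, length))
        pos += (length + 7) & ~7                # WIN_CERTIFICATE records are 8-byte aligned
    return entries

def _win_cert(blob: bytes) -> bytes:           # dwLength, wRevision 2.0, wCertificateType
    rec = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    return rec + b"\0" * (-len(rec) % 8)

def build_sample_pe(sig_blobs) -> bytes:
    """Constructed fixture: a minimal, non-bootable PE32+ header whose Certificate
    Table holds one Authenticode record per blob (placeholder bytes, not real PKCS#7)."""
    opt_size = 112 + 8 * 16                     # PE32+ fixed part + 16 data directories
    headers_end = 0x40 + 4 + 20 + opt_size      # certificates are appended right after
    certs = b"".join(_win_cert(b) for b in sig_blobs)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0002)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110
    dirs = bytearray(8 * 16)
    if certs:
        struct.pack_into("<II", dirs, 8 * CERT_TABLE_INDEX, headers_end, len(certs))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + certs
```

Run authenticode_entries over each file in the tftp root (open(path, "rb").read()); a real bootloader that returns an empty list is not something a Secure Boot firmware will ever accept, while a two-entry result is what a dual-signed image looks like before sbverify --list names the signers.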
