[GH-ISSUE #1745] Secure Boot Support Possibilities #590

Open
opened 2026-02-27 14:52:19 +03:00 by kerem · 0 comments

Originally created by @LiberaVeritas on GitHub (Feb 5, 2026).
Original GitHub issue: https://github.com/netbootxyz/netboot.xyz/issues/1745

Is your feature request related to a problem? Please describe.
Allow booting on systems with secure boot enabled

Describe the solution you'd like
I think there are a few possibilities for getting this to work.

  1. Generate a key pair and add signing to the CI/CD process, so that all bootloader releases get signed. Make the public key available, which users can then enrol in db or as an MOK. This would only work for users who have the capability to enrol keys, or at least an MOK. Of course, they could also just sign it themselves in this case.
  2. The official iPXE project had their shim recently get signed by Microsoft. This could maybe be integrated for use with netboot.xyz.
    https://github.com/rhboot/shim-review/issues/319#issuecomment-3521239969
  3. Broadcom has an iPXE binary signed by Microsoft: https://knowledge.broadcom.com/external/article/280113/updated-64bit-ipxeefi-ipxe-v1211-binarie.html. This could be used to load the netboot.xyz iPXE menu. I believe the binary is hardcoded to look for the menu file at http://{next-server}:4433/Altiris/iPXE/GetPxeScript.aspx