Secure Boot Hurdles

  1. 4 weeks ago


    Dec 20 Administrator

    Hello everyone,

    I wanted to get some feedback on some different secure boot possibilities. As it stands now, CloneDeploy supports secure boot with the Windows Imaging Environment with PXE, USB, and ISO. The Linux Imaging Environment only supports secure boot with USB and ISO. My question is, does anyone care to have secure boot with PXE for the Linux Imaging Environment, or does everyone just turn it off anyway?

    Currently, major Linux distros have a signed shim and grub2 bootloader that does work with normal PXE operations. Unfortunately, they do not implement proxy offers and cannot work with CloneDeploy Proxy DHCP.

    I have compiled these with fixes needed to work with CloneDeploy Proxy DHCP, but obviously they are not signed and will not work with secure boot. Getting these signed requires a business and a financial commitment. I have attempted to order a signing certificate, but since I am not a business, I cannot. Here are the current options:

    1.) I need a volunteer with a business that can order this certificate for me.

    2.) I need to create my own business. Doing so would go against my mission, but I don't see many other choices. I would be forced to create a free and paid option for CloneDeploy. The paid option would include signed binaries for Secure Boot and possibly supportive services.

    3.) Leave everything alone, and just disable secure boot on the PCs. I feel that eventually this option won't exist. Eventually all computers will require secure boot and you won't be able to disable it. Thus, ending CloneDeploy.

    Any thoughts?

  2. I agree with you on option 3; secure boot is definitely not going away. Even though it goes against your original idea for CD, I think #2 is the most viable option, though I could see support becoming a burden.

  3. 3 weeks ago

    I'm still fine with option 3. We've been disabling Secure Boot on our machines for some time now, not that big of a deal. If the issue arises where signed binaries are mandatory then so be it. By then you will have enough people (if not already) invested in your product to make the leap to a paid version.

  4. I always disable secure boot on new computers, option 3 works just fine for me.

