UEFI
iPXE Security Assurance Review
The iPXE Anywhere software suite, manufactured by 2Pint, uses the open source network boot loader iPXE. To offer Secure Boot as a feature of this product suite, 2Pint asked Microsoft to sign an image of iPXE. This review covers a code audit of the iPXE source that is to be included in the signed image, as well as a partial review of the iPXE Anywhere product suite.

[UPDATED]: Microsoft UEFI Signing Requirements
To strengthen the Secure Boot ecosystem and streamline signing turnaround, Microsoft is introducing enhanced UEFI signing requirements for all third-party submissions requesting signatures with the Microsoft UEFI CAs (2011 and 2023) or the new Option ROM CA. These updates emphasize security assurance and interoperability across UEFI-enabled devices. Key changes include:

- Mandatory security audits: Annual independent reviews via the OCP SAFE program, with immediate audits for vulnerabilities or major code changes.
- Subsystem-based packaging: EFI Applications and Option ROMs must be submitted separately for proper certificate alignment; mixed packaging will be rejected.
- Stricter code eligibility: Only production-quality binaries, free of GPLv3 licensing, free of known vulnerabilities, and free of malware-prone components will be signed.
- Enhanced security posture: Requirements for NX compatibility, memory safety, and SBOM inclusion in PE sections are now enforced.
- Special handling for SHIM and iPXE: SHIM submissions require review board approval or SAFE audits; iPXE submissions must meet additional security criteria.

NX Exception for SHIM Community
Due to the complexity of the Linux boot process, the number of active releases from different distributions with compatibility challenges, and the support and serviceability timelines of in-market products, a limited exception to the NX signing requirements has been granted. This limited exception is granted for shims serving in-market products. This exception will be reviewed regularly, and once component versions are identified that meet the compatibility requirements, new shim signing requests for products targeting the identified components will no longer be exempt. Additionally, when shim functionality is developed to provide compatibility for older, non-compliant boot components, new shim signings will no longer be exempt. Please reach out to uefisign@microsoft.com with any questions on this policy.