Hold on to your hats my techie world, brace yourself for a tech-tastic love affair that is making waves in the dating scene. You know us as Microsoft Windows aficionados, but guess what? We’re about to rock the world of Linux like a chilli pepper taco in a salsa showdown!
Here’s the scoop
Imagine cats and dogs cohabitating peacefully – that is Secure Boot not only for Windows but also for Linux. It’s a hybrid world and we are all about spreading love and inclusivity!
- Boot faster, party harder: We’ve worked closely with the iPXE community and use the awesome iPXE network boot loader for all our boot requests, adding a sprinkle of automation wizardry that makes OS builds speedier than a caffeinated cheetah. It’s like a network speed demon on roller skates!
- WAN traffic, be gone: Our tech is all about cutting WAN traffic, thanks to the latest caching and peer-to-peer wizardry. Your network should be wrapped in a warm fluffy blanket because in our eyes, it’s “My PRECIOUS!!!”
- Shim*-tastic magic: We’ve got some shim-tastic tricks up our sleeves! Our process supports using the special iPXE shim command as a helpful sidekick for executing an EFI image. When a shim has been specified via the shim command, the shim image is executed instead of the selected EFI image, with its command line prepended with the name of that EFI image. The selected EFI image is made accessible to the shim via iPXE’s virtual filesystem as a hidden file.
*A shim is a simple software package that is designed to work as a first-stage bootloader on UEFI systems. It was developed by a group of Linux developers to make Secure Boot work with Free Software. Read more about Linux shims over at Debian: SecureBoot - Debian Wiki
- Grub be gone: Working as closely with the iPXE community as 2Pint Software does, we have managed to trim the fat and reduce the Secure Boot attack surface. Say good-bye to the need for third-party second-stage loader binaries like GRUB, all to make calling the “shim lock protocol” entry point smoother than a salsa dip!
So what does all of this mean really? Well let me tell you, when a traditional PXE boot is set to load Linux on a Secure Boot enabled machine, it goes through the regular distro shim process. This process has a downside: the Linux kernel and initrd, a fair chunk of data (80-150 MB), are downloaded over TFTP. Although that might play well in well-connected scenarios, it sure doesn’t work well when booting over WANs or in metropolitan-style networks such as corporate or university campuses.
The same issue applied to booting Linux via iPXE, until now. The way the iPXE shim command works is that it does some magic to remove the need for any TFTP part of the download. The reason the duplicate downloads happen is that if a Linux shim finds the EFI_PXE_BASE_CODE_PROTOCOL on the loaded image’s device handle, it will attempt to download the files afresh over TFTP instead of using the files already downloaded by iPXE. iPXE deals with this automagically, so all the extra downloads now go away, it’s shim-tastic magic!
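As an added illustration, not taken from the original post or from 2Pint’s own tooling, here is an iPXE script using the shim command described above. The host name, paths and file names are placeholders, and shimx64.efi and vmlinuz are assumed to be the distribution’s signed shim and kernel.

```ipxe
#!ipxe
# Added example: every URL and file name below is a placeholder (assumed).
# Fetch the signed kernel and its initrd over HTTPS; iPXE holds them in memory.
kernel https://boot.example.com/linux/vmlinuz initrd=initrd.img console=tty0
initrd https://boot.example.com/linux/initrd.img
# Select the distribution's signed shim. iPXE executes the shim first, with the
# kernel name prepended to the shim's command line, and exposes the kernel and
# initrd to it as hidden files in its virtual filesystem, so the shim does not
# fall back to re-downloading them over TFTP and no GRUB stage is needed.
shim https://boot.example.com/linux/shimx64.efi
boot
```

The shim still verifies the kernel’s signature against the firmware db and MOK before jumping to it, so the vmlinuz served here must be the distribution’s signed build for Secure Boot enforcement to hold end to end.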
The following picture shows the duplicate download: the files iPXE fetched via http(s) are re-downloaded via TFTP as the shim is loaded.
In our process (shown below), the http(s) downloaded files are used, and there is no extra download.
So there you have it, Secure Boot from 2Pint Software is now your go to dance partner for Linux over https with peer-to-peer. Stay tuned because the next leap will be Fast Ransomware recovery from the Cloud! There are indeed exciting adventures ahead!
With Tech Love & Laughter, dancing off:
Michelle Hammarskjöld