booting an unsigned EFI binary from a signed iPXE binary

[manasan3010]

After secure-booting a signed iPXE binary (using custom PK key); when I try to execute an unsigned binary using boot, the ipxe is calling the UEFI's LoadImage which causes an EFI_SECURITY_VIOLATION

I wanna break the chain-of-trust. Is there a custom PE loader that I can use to bypass the signature check and directly jump to the entrypoint?

[NiKiZe]

That is intentional, iPXE, by design, avoids to do trust.

You might be able to use a shim, but the whole point with secure boot is that you should not break the trust.

[manasan3010]

Is there a flag that I can use to build an iPXE, which bypasses the signature check and directly execute the unsigned binary without calling LoadImage?

[NiKiZe]

There is no signature checks in iPXE, its in your firmware. If you don't want to check secure boot, then disable secure boot!

You are asking to somehow execute EFI code without checking signatures of the binary, the best I can think of that does that is the shim, which has it's own signature checks, which you might be able to disable.

[manasan3010]

Thanks for the clarification!

small doubt, what prevents iPXE from reading an unsigned binary into memory, manually perform relocation, and jump to the entry point instead of using LoadImage?

[NiKiZe]

It would make it unelegible for secure boot signing.
I must say that I find the topic to be on the verge of obsurd. It doesn't really deserve an answer.
Doing this won't happen, even discussing this and give the information that has been given is almost advice on how to circumvent security implementations.

But regardless, if you could have a iPXE binary with the bug you are requesting, then you might as well use some other loader, either directly or as an intermediate step.