From 613348d11262f23eec2a2527beaea167d711a271 Mon Sep 17 00:00:00 2001 From: Julia Kreger Date: Wed, 5 Jun 2024 11:24:15 -0700 Subject: [PATCH] docs: add some additional context around iPXE and secure boot Change-Id: Ifecd92b80472b3e28307ddbdbaeeb08ec0950c54 --- doc/source/install/configure-pxe.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/doc/source/install/configure-pxe.rst b/doc/source/install/configure-pxe.rst index 294c316fb4..9ea3f84f2a 100644 --- a/doc/source/install/configure-pxe.rst +++ b/doc/source/install/configure-pxe.rst @@ -140,6 +140,9 @@ In order to deploy instances with PXE on bare metal nodes which support UEFI, perform these additional steps on the ironic conductor node to configure the PXE UEFI environment. +.. NOTE:: Most commercial Linux distributions have signed shim and grub + binaries, which are required for Secure Boot. + #. Install Grub2 and shim packages: Ubuntu (18.04LTS and later):: @@ -260,6 +263,12 @@ on the Bare Metal service node(s) where ``ironic-conductor`` is running. work, you can download a prebuilt one from http://boot.ipxe.org or build one image from source, see http://ipxe.org/download for more information. +.. note:: + The Ironic project is unaware of any vendor signed iPXE binaries to enable + use of iPXE with Secure Boot, unless you have implemented your own Secure + Boot key signing and support for the Machine Owner Key settings on + individual baremetal nodes. + #. Copy the iPXE boot image (``undionly.kpxe`` for **BIOS** and ``ipxe.efi`` for **UEFI**) to ``/tftpboot``. The binary might be found at:
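Review bot: In the first hunk (@@ -140,6 +140,9, configure-pxe.rst) the directive is written `.. NOTE::` while the note added in the second hunk of the same file uses `.. note::`; pick one spelling, preferably the lowercase form, so the file stays consistent. The sentence also says signed shim and grub binaries "are required for Secure Boot" without tying that to the "Install Grub2 and shim packages" step that follows. Consider stating that the binaries installed and copied in the following steps need to be the distribution's signed ones when Secure Boot is in use, so a reader does not take the note as background only.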
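Review bot: In the second hunk (@@ -260,6 +263,12) the "unless" clause is attached to "The Ironic project is unaware of ...", so the sentence reads as if the project's awareness depends on what the operator has implemented. Suggest splitting it: one sentence stating that the project is unaware of any vendor-signed iPXE binaries (hyphenate "vendor-signed"), and a second stating that using iPXE with Secure Boot therefore requires your own Secure Boot key signing and Machine Owner Key support on the individual baremetal nodes. Also check the rendered output: the added `.. note::` starts at column 0 immediately before the `#. Copy the iPXE boot image` step, and if that step belongs to an enumerated list that started earlier, an unindented directive will end the list and restart the auto-numbering; indenting the note under the preceding item would avoid that.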