FoG with UEFI or Secure Boot?
-
From a purely technical standpoint, it’s actually fully possible to use FOG while maintaining machine’s with Secure boot, but it requires a lot of “customization” that our generic code base most likely would not easily be able to support (as it’s respective of each organization.)
@Lee-Rowlett Has done something like this, and while I’ve been kind of distant with minor chip-in’s here and there (Sorry Lee) I do still try to keep up with things so as to provide good and accurate information.
That said, if Lee’s willing to share his process, I’m sure you could have a setup where you wouldn’t require disabling Secure boot. Of course, I do think to get the setup initially done, you would need to set the machines up without secure boot, run the process, then go ahead and re-enable secure boot and frolic in the joy that is secure boot and FOG.
-
@Tom-Elliott Thanks Tom.
I was initially confused as my requirement is to be able to utilize Bitlocker more so than Secure Boot. I was under the false impression that Secure Boot was required in order to enable Bitlocker.
Now that I know all that it requires is UEFI, then I can focus on getting my fog installation to work with UEFI.
-
@jcabuco I have my fog server setup so that you can leave secure boot on and uefi pxe boot. Its been a while since I set it up. You will need to use some ubuntu boot kernels to launch ipxe in a secure boot safe environment. You do this using a secure boot shim and a singed version of grub pxe boot. just realize that having secure boot pxe boot enabled will not give you the ability to clone a bitlocker protected disk. The disk must be unprotected for cloning and then you can enable bitlocker in your setupcomplete.cmd batch file once WinSetup/OOBE is finished.
-
@george1421 thanks for the reply.
So I was reading the following article here: https://wiki.fogproject.org/wiki/index.php/BIOS_and_UEFI_Co-Existence Cuz it looks like all I need is to be able to PXE while keeping the computer in UEFI. Secure boot no longer needed since I can enable bitlocker without secureboot.
So now that I understand that the requirement is UEFI…I’ve run into a new issue…
I’m using Server 2008 in my environment. The above mentioned article says no one has got it working…
Has anyone gotten it working or am I screwed?
-
@jcabuco If you want to change your configuration a bit (since 2008 dhcp server is limited) you can install dnsmasq on your FOG server. I have a tutorial for that. https://forums.fogproject.org/topic/12796/installing-dnsmasq-on-your-fog-server
Remove dhcp options 66 and 67 (or leave them since dnsmasq will override the settings) from your 2008 dhcp server. Setup dnsmasq on your fog server and ensure the dnsmasq service is running. DNSMasq with my configuration file will only supply dhcp boot information and nothing more, the rest of the dhcp info comes from your main dhcp server. If you have vlans and you are running a dnsmasq server, you will need to enter the fog server’s IP address as the very last entry in your vlan routers dhcp-relay/dhcp-helper service and that’s it.
-
@jcabuco said in FoG with UEFI or Secure Boot?:
Secure boot no longer needed since I can enable bitlocker without secureboot.
Just so you don’t wonder later on. Bitlocker enabled disks will produce very large image files as FOG is not able to read the actual data from the (encrypted) filesystem but needs to take a so called raw copy sector by sector.
In fact we added a check for Bitlocked partitions some months ago (see here) as we had many requests about huge raw image files in the forums back in that time.
Right now FOG will fail out if it finds a bitlocked partition. Maybe we should change that to just a warning. Please let me know if you want me to change that!
-
@george1421 Thanks. So I actually got PXE to work with UEFI on by changing DHCP Option 67 to ipxe.efi
So my guess is that I should be able to image a PC and enable bitlocker now that I can keep UEFI on. I’m not too familiar with these things so I’ll give it a shot. Just gotta build a new image with a correct answer file to utilize UEFI, i think…
-
@Sebastian-Roth I’m actually looking to enable bitlocker after FoG has laid down an image so I don’t think I should run into the problem you’re referring to?
-
Follow up question…
Here’s what I’m doing, let me know if it won’t work…
I changed my DHCP to undionly.kpxe so that my Virtual Box VM can PXE boot. I use that boot to have FoG Capture an image from my VM.
I then go back to my DHCP and change it to ipxe.efi. From there, since my image is already captured, I should be able to deploy an image to a PC on UEFI correct?
-
@jcabuco Yeah, in gernal that’s right. But switching forth and back is not very convenient. You might want to look into setting up dnsmasq as ProxyDHCP as George suggested at some point.
