
    FoG with UEFI or Secure Boot?

    • Tom Elliott

      From a purely technical standpoint, it’s actually fully possible to use FOG while maintaining machines with Secure boot, but it requires a lot of “customization” that our generic code base most likely would not easily be able to support (as it’s respective of each organization.)

      @Lee-Rowlett has done something like this, and while I’ve been kind of distant with minor chip-ins here and there (Sorry Lee) I do still try to keep up with things so as to provide good and accurate information.

      That said, if Lee’s willing to share his process, I’m sure you could have a setup where you wouldn’t require disabling Secure boot. Of course, I do think to get the setup initially done, you would need to set the machines up without secure boot, run the process, then go ahead and re-enable secure boot and frolic in the joy that is secure boot and FOG.

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

      • jcabuco @Tom Elliott

        @Tom-Elliott Thanks Tom.

        I was initially confused as my requirement is to be able to utilize Bitlocker more so than Secure Boot. I was under the false impression that Secure Boot was required in order to enable Bitlocker.

        Now that I know all that it requires is UEFI, then I can focus on getting my fog installation to work with UEFI.

        • george1421 Moderator @jcabuco

          @jcabuco I have my fog server setup so that you can leave secure boot on and uefi pxe boot. It's been a while since I set it up. You will need to use some ubuntu boot kernels to launch ipxe in a secure boot safe environment. You do this using a secure boot shim and a signed version of grub pxe boot. Just realize that having secure boot pxe boot enabled will not give you the ability to clone a bitlocker protected disk. The disk must be unprotected for cloning and then you can enable bitlocker in your setupcomplete.cmd batch file once WinSetup/OOBE is finished.

          • jcabuco @george1421

            @george1421 thanks for the reply.

            So I was reading the following article here: https://wiki.fogproject.org/wiki/index.php/BIOS_and_UEFI_Co-Existence Cuz it looks like all I need is to be able to PXE while keeping the computer in UEFI. Secure boot no longer needed since I can enable bitlocker without secureboot.

            So now that I understand that the requirement is UEFI…I’ve run into a new issue…

            I’m using Server 2008 in my environment. The above mentioned article says no one has got it working…

            Has anyone gotten it working or am I screwed?

            • george1421 Moderator @jcabuco

              @jcabuco If you want to change your configuration a bit (since 2008 dhcp server is limited) you can install dnsmasq on your FOG server. I have a tutorial for that. https://forums.fogproject.org/topic/12796/installing-dnsmasq-on-your-fog-server

              Remove dhcp options 66 and 67 (or leave them since dnsmasq will override the settings) from your 2008 dhcp server. Set up dnsmasq on your fog server and ensure the dnsmasq service is running. DNSMasq with my configuration file will only supply dhcp boot information and nothing more, the rest of the dhcp info comes from your main dhcp server. If you have vlans and you are running a dnsmasq server, you will need to enter the fog server’s IP address as the very last entry in your vlan router's dhcp-relay/dhcp-helper service and that’s it.

              • Sebastian Roth Moderator

                @jcabuco said in FoG with UEFI or Secure Boot?:

                Secure boot no longer needed since I can enable bitlocker without secureboot.

                Just so you don’t wonder later on: Bitlocker enabled disks will produce very large image files as FOG is not able to read the actual data from the (encrypted) filesystem but needs to take a so-called raw copy sector by sector.

                In fact we added a check for Bitlocked partitions some months ago (see here) as we had many requests about huge raw image files in the forums back in that time.

                Right now FOG will fail out if it finds a bitlocked partition. Maybe we should change that to just a warning. Please let me know if you want me to change that!

                • jcabuco @george1421

                  @george1421 Thanks. So I actually got PXE to work with UEFI on by changing DHCP Option 67 to ipxe.efi

                  So my guess is that I should be able to image a PC and enable bitlocker now that I can keep UEFI on. I’m not too familiar with these things so I’ll give it a shot. Just gotta build a new image with a correct answer file to utilize UEFI, I think…

                  • jcabuco @Sebastian Roth

                    @Sebastian-Roth I’m actually looking to enable bitlocker after FoG has laid down an image so I don’t think I should run into the problem you’re referring to?

                    • jcabuco

                      Follow up question…

                      Here’s what I’m doing, let me know if it won’t work…

                      I changed my DHCP to undionly.kpxe so that my Virtual Box VM can PXE boot. I use that boot to have FoG Capture an image from my VM.

                      I then go back to my DHCP and change it to ipxe.efi. From there, since my image is already captured, I should be able to deploy an image to a PC on UEFI correct?

                      • Sebastian Roth Moderator

                        @jcabuco Yeah, in general that’s right. But switching forth and back is not very convenient. You might want to look into setting up dnsmasq as ProxyDHCP as George suggested at some point.

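The ProxyDHCP arrangement suggested by george1421 and Sebastian Roth, as an added sketch that is not from the thread or from the FOG project's own tutorial: a dnsmasq configuration that picks undionly.kpxe or ipxe.efi per client from the architecture in the PXE vendor class, so option 67 on the main DHCP server no longer has to be switched by hand. The address 192.0.2.10 is a placeholder for the FOG server, the tag names are made up for this example, and it assumes UEFI clients have Secure Boot disabled as in the thread.

```conf
# Added example: dnsmasq as ProxyDHCP beside an existing DHCP server.
# 192.0.2.10 is a placeholder for the FOG server's own address.

# Turn off the DNS side of dnsmasq; only PXE boot requests are answered.
port=0

# Log every DHCP/PXE exchange so the boot file handed out can be audited.
log-dhcp

# Keep boot file and server name in their normal DHCP fields.
dhcp-no-override

# Tag clients by the architecture in their vendor class (DHCP option 60).
# 00000 = legacy BIOS, 00007 and 00009 = 64-bit UEFI.
dhcp-vendorclass=set:bios,PXEClient:Arch:00000
dhcp-vendorclass=set:efi64,PXEClient:Arch:00007
dhcp-vendorclass=set:efi64,PXEClient:Arch:00009

# Boot file per tag: the two files named in the thread.
# Clients with any other architecture get no boot file from this config.
dhcp-boot=tag:bios,undionly.kpxe,,192.0.2.10
dhcp-boot=tag:efi64,ipxe.efi,,192.0.2.10

# PXE boot-server entries, needed by firmware that expects a PXE menu.
# Older dnsmasq releases append ".0" to the basename given here; if the
# log shows requests for e.g. undionly.kpxe.0, add a matching symlink
# in the TFTP directory or upgrade dnsmasq.
pxe-prompt="Booting FOG",1
pxe-service=tag:bios,X86PC,"FOG (BIOS)",undionly.kpxe
pxe-service=tag:efi64,X86-64_EFI,"FOG (UEFI)",ipxe.efi
pxe-service=tag:efi64,BC_EFI,"FOG (UEFI)",ipxe.efi

# Proxy mode: no leases are handed out, addresses still come from the
# main DHCP server (the Server 2008 box in the thread).
dhcp-range=192.0.2.10,proxy
```

With log-dhcp set, each boot request and the file served appear in the system log, which gives a record of which machines network-booted and what they were handed.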
                        Copyright © 2012-2024 FOG Project