FOG Exiting to Shim UEFI Key Management

novaholic

I am having an issue with my CentOS7 image. After deploying to a host I see the following:
The host boots into FOG
The menu timer counts down to 0
Then this screen is displayed:

After this timer reaches zero the computer reboots and starts the sequence over.

The CentOS image was created on a Hyper-V Gen2 VM with secure boot disabled. I used the following partition layout:

Standard Partition

• /boot - xfs 1024MiB
• /boot/efi - EFI 200MiB
• / - xfs 16.8GiB*
• swap - swap 2GiB

I see the same behavior on both a VM and a physical machine.

If I escape out of PXE before it gets a DHCP address or disable PXE booting, the OS will boot up without a problem.

I have ‘Exit to Hard Drive Type(EFI)’ set to REFIND_EFI in the global settings. I also tried setting it for the registered hosts but this did not change anything.

The obvious workaround is to put the drive to the top of the boot order but for my implementation I need PXE to remain at the top.

I have also created a Fedora29 image using all the same settings as this CentOS image and it is able to exit the FOG menu and boot the OS fine.

Thanks

george1421

I’m just thinking out loud at the moment… So it sounds like refind can’t see the uefi boot partition, where the uefi boot rom can see the uefi boot file.

Is that a standard uefi boot layout or something you created. Two thoughts come to mind

1. Refind doesn’t understand the xfs file system
2. It doesn’t find the uefi bootstrap image in /boot/efi partition.

I know the boot loaders will look for the file bootx64.efi in /boot/efi directory (assuming a 64 bit OS is used). If it doesn’t find it refind will search the first disk and then give up unless you tell it to search in more areas. Do you know if this file exists on in your test machine /boot/efi/bootx64.efi ?

novaholic

@george1421
I believe it is a standard boot layout. When installing the OS I selected ‘Standard Partion’ instead of using LVM. I then just left the defaults for /boot, /boot/efi, /, and swap

bootx64.efi is not at that location, I found it here: /boot/efi/EFI/BOOT/BOOTX64.EFI

I checked the Fedora system that is working correctly. BOOTX64.EFI is in the same location as on the CentOS machine.

george1421

@novaholic said in FOG Exiting to Shim UEFI Key Management:

/boot/efi/EFI/BOOT/BOOTX64.EFI

Well that’s a bit unexpected. You may have to update the refind.conf file in /var/www/html/fog/service/ipxe directory to search more places, specifically the path you cited above.

novaholic

@george1421
I added this block to refind.conf and rebooted the FOG server but it did not change the behavior.

menuentry CentOS {
    loader /boot/efi/EFI/BOOT/BOOTX64.EFI
    enabled
}

I copied the BOOTX64.EFI file to /boot/efi/ but that didn’t change anything either.

george1421

@novaholic That is not the right answer since the menu will not be displayed unless you turn it on. There should be an additional search path parameter where you can tell refind to search additional paths.

novaholic

@george1421
Gotcha, I removed the menu entry and added this line instead:

also_scan_dirs /boot/efi/EFI/BOOT

I verified that the change I made to the file was saved by navigating to: http://<FOG_IP>/fog/service/ipxe/refind.conf

The behavior is still the same, CentOS is still failing to exit the FOG menu properly.

george1421

@novaholic I guess I need to find time to build a centos vm to see the exact layout of the disks. I’ll create one with physical partitions and not LVM because that how you are doing it. There has to be something missing here…

novaholic

@george1421 Thank you, I appreciate it. Let me know if you need any other configuration information

novaholic

@george1421 I think I may have found a workaround, I’m not sure what ill-effects it may have yet.

While testing the CentOS image on a physical host I noticed it was able to boot fine using grubx64.efi
This file is located at /boot/efi/EFI/centos on my machine

In the refind.conf file I added two lines:

also_scan_dirs /boot/efi/EFI/centos
dont_scan_files mmx64.efi,MokManager.efi,shim.efi,shimx64-centos.efi,shimx64.efi

Basically these two lines say, also search the centos folder for boot files and ignore every .efi file listed above.

I’ll run with this configuration and update if I come across any issues.

george1421

@novaholic Sorry the afternoon is a bit hectic here. I have the VM built and see the configuration / files as you mentioned. You are on the right track with the search path setting in refind.conf. Hopefully I get some time free in a bit.

george1421

@george1421 ok I had about 5 minutes between stuff. When I register the centos image and exit to hard drive I get these from refind (note I may have menus on in my refind config because I like to mess with things).

As you noted selecting grubx64.efi boots into centos. I can also tell you the shimx64 is a secure boot shim to allow centos to boot on computers with secure boot enabled. In my case my VM doesn’t know anything about secure boot so grub is the right answer.

george1421

OK I have a working solution at least for centos uefi. I don’t know if it will break others… YMMV

scanfor internal,external,optical,manual
dont_scan_files shim.efi,MokManager.efi,shimx64-centos.efi,shimx64.efi,mmx64.efi

I didn’t need to change anything else from default. I didn’t see any other settings I fiddled with over time either.