• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    Windows 11/Future for Us

    Scheduled Pinned Locked Moved
    General
    8
    18
    6.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • fry_pF
      fry_p Moderator
      last edited by

      Hi All,
      This is more of a general question about the future of FOG and possible FOG alternatives if the project is unable to support Secure Boot/Windows 11. I hate to post this here, but I don’t know anyone else on the internet who are bigger experts in imaging. I know in general this being an open source volunteer driven project, it is a big ask to support the big challenges Microsoft is throwing in the way of the project.

      I wanted to ask if anyone has any experience with any other solutions, please let me know. My organization would like to look at alternatives though we would be quite devastated if we had to move away from FOG since it has been our saving grace for 10+ years. If this is inappropriate to post here, I will gladly take this down.

      Thanks!

      Like open source community computing? Why not do it for a good cause?
      Use your computer/server for humanitarian projects when it is idle!
      https://join.worldcommunitygrid.org?recruiterId=1026912

      george1421G Lee RowlettL fry_pF 3 Replies Last reply Reply Quote 0
      • george1421G
        george1421 Moderator @fry_p
        last edited by

        @fry_p Really when it comes to secure boot FOG has 2 options.

        1. Pay to get a signing certificate from microsoft and then the fog developers will have to sign the FOG kernel and all of the iPXE boot loaders. This will take someone to run this project and money to pay M$ for the signing certificate. That would force the FOG project into some type of subscription model to continue to support that service.

        2. Add your own certificates to the cert store in the uefi firmware. That will require the creating a FOG PKI infrastructure and then updating the certificate store on each computer (once) to match the signing certificate for FOG as well as keep the other certificates so that the microsoft stuff still continues to work.

        Myself personally I started looking into option 2 but then found something else shinny to chase and the project got tabled.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

        fry_pF R 2 Replies Last reply Reply Quote 2
        • fry_pF
          fry_p Moderator @george1421
          last edited by

          @george1421 Really wacky question for you…Can you boot into something like Smart Deploy (they have a SmartPE environment they use) from FOG? I don’t know if you have the answer, but I would definitely prefer using FOG to boot into this rather than WDS.

          Like open source community computing? Why not do it for a good cause?
          Use your computer/server for humanitarian projects when it is idle!
          https://join.worldcommunitygrid.org?recruiterId=1026912

          george1421G 1 Reply Last reply Reply Quote 0
          • george1421G
            george1421 Moderator @fry_p
            last edited by

            @fry_p Without secure boot probably yes if Smartdeploy is winpe based. The problem will still be ipxe is not signed so will not boot in secure boot mode.

            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

            1 Reply Last reply Reply Quote 0
            • Lee RowlettL
              Lee Rowlett Developer @fry_p
              last edited by

              @fry_p for assurance, FOG still works with windows 11 and it also works on hardware devices that are NOT supported by Microsoft, your image will still deploy, complete and be functional on these devices albeit out of support from a Microsoft perspective but if secure boot becomes compulsory for all your devices then yes, you have to consider the challenges in managing your own secureboot PKI for FOG but Windows 11 should not be a reason to consider an alternative.

              1 Reply Last reply Reply Quote 2
              • R
                richiestuff @george1421
                last edited by

                @george1421

                You have a 3rd option here,
                does not involving paying MS money - the same way most Linux distris solve that.

                Get an EV certificate from the certificate vendor of your choice and build you own flavor of the SHIM,
                this gets to the OSS SHIM approval board, once they greenlight the build process you did - MS will go and sign your SHIM,
                you sign GRUB & Kernel with your EV certificate - job done.

                SHIM review board and lots of infos on the process can be found here:

                https://github.com/rhboot/shim-review

                or the variant 4 - which is not super sexy but cheap & cheerful:
                Just use a signed SHIM/GRUB/Kernel from a current signed distri of your choice - e.g. taking the Debian LTS Kernel as well as the signed SHIM/Grub from Debian - and you can also happily boot with Secureboot on.

                Richie

                george1421G 1 Reply Last reply Reply Quote 2
                • george1421G
                  george1421 Moderator @richiestuff
                  last edited by

                  @richiestuff I also looked into this issue. I was able to work up a workflow were you can use a custom self signed certificate. https://forums.fogproject.org/topic/15888/imaging-with-fog-and-secure-boot-poc

                  I looked quickly at the shim approach, but the issue is we need to sign ipxe binaries too.

                  Clonezilla took the approach to use stock ubuntu or debian kernels so they could use their signed stuff. Nothing wrong with that and could be an approach for FOG, except of course for iPXE.

                  Thank you for providing an additional path for secure booting. I wasn’t aware of that approach, well done.

                  Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                  1 Reply Last reply Reply Quote 0
                  • S
                    Sebastian Roth Moderator
                    last edited by

                    @richiestuff said in Windows 11/Future for Us:

                    SHIM review board and lots of infos on the process can be found here:
                    https://github.com/rhboot/shim-review

                    Nice! Didn’t know about this yet.

                    Though looking through the question template I fear we might not be considered to get our shim signed:

                    • Who is the primary contact for security updates, etc.? Name, Position, Email address, PGP key fingerprint (Key should be signed by the other security contacts, pushed to a keyserver like keyserver.ubuntu.com, and preferably have signatures that are reasonably well known in the Linux community.)
                    • Who is the secondary contact for security updates…
                    • … MANY questions about technical details which do not apply to iPXE I guess …

                    And there is another hurdle:

                    Note that we really only have experience with using GRUB2 on Linux, so asking us to endorse anything else for signing is going to require some convincing on your part.

                    Looking at others going through this process is kind of fun but I am not sure we (as a community) can handle this.

                    Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                    Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                    1 Reply Last reply Reply Quote 0
                    • Wayne WorkmanW
                      Wayne Workman
                      last edited by

                      Reading through this thread, I’d say we need a champion to help the FOG Project with the money and process. Here is where any for-profit company reading this should consider helping with two things.

                      • Donate some man-hours for a person to work with the FOG devs on this
                      • Donate the money to cover the cost.

                      Personally, I think it should be Microsoft who helps. If FOG is unable to easily deploy Windows 11 due to secureboot related difficulties, School Districts will have further reason to just buy Chromebooks instead of Windows PCs.

                      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                      Daily Clean Installation Results:
                      https://fogtesting.fogproject.us/
                      FOG Reporting:
                      https://fog-external-reporting-results.fogproject.us/

                      1 Reply Last reply Reply Quote 1
                      • fry_pF
                        fry_p Moderator @fry_p
                        last edited by

                        Just as an update to this post…We proceeded with moving away from FOG for the time being. We now use a paid solution. It was not a decision we made lightly and ultimately was due to ease of secure booting and bitlocker as well as a more streamlined way to push apps and scripts. It’s really not fair to compare these products because of the volunteer driven, open source free nature of FOG vs. a company who can pay the money easily for certs.

                        However, I want FOG to find a champion like @Wayne-Workman said. I have been with two school districts who relied on FOG for many years. I know other districts who could not function without FOG right now as well. I still want to help where I can in the Forums though I have been inactive recently, I plan to change that. Just out of curiosity, how much would it cost to have Microsoft to sign the certs?

                        Like open source community computing? Why not do it for a good cause?
                        Use your computer/server for humanitarian projects when it is idle!
                        https://join.worldcommunitygrid.org?recruiterId=1026912

                        Wayne WorkmanW 1 Reply Last reply Reply Quote 0
                        • Wayne WorkmanW
                          Wayne Workman @fry_p
                          last edited by

                          @fry_p said in Windows 11/Future for Us:

                          Just out of curiosity, how much would it cost to have Microsoft to sign the certs?

                          Microsoft should consider doing this for FOG as a donation.

                          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                          Daily Clean Installation Results:
                          https://fogtesting.fogproject.us/
                          FOG Reporting:
                          https://fog-external-reporting-results.fogproject.us/

                          1 Reply Last reply Reply Quote 1
                          • S
                            Sebastian Roth Moderator
                            last edited by

                            @fry_p said in Windows 11/Future for Us:

                            I still want to help where I can in the Forums though I have been inactive recently, I plan to change that.

                            Sounds great! You are more than welcome to engage.

                            Just out of curiosity, how much would it cost to have Microsoft to sign the certs?

                            I have no idea.

                            Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                            Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                            fry_pF 1 Reply Last reply Reply Quote 0
                            • fry_pF
                              fry_p Moderator @Sebastian Roth
                              last edited by

                              @sebastian-roth Is this what we would have to do for the signing? This does seem over the top, but then again, I could be looking at the wrong thing.

                              Like open source community computing? Why not do it for a good cause?
                              Use your computer/server for humanitarian projects when it is idle!
                              https://join.worldcommunitygrid.org?recruiterId=1026912

                              1 Reply Last reply Reply Quote 0
                              • S
                                Sebastian Roth Moderator
                                last edited by

                                @fry_p I am not sure but sounds reasonable. Here is the fun part of the document:

                                1. Code submitted for UEFI signing must not be subject to GPLv3 or any license that purports to give someone the right to demand authorization keys to be able to install modified forms of the code on a device. Code that is subject to such a license that has already been signed might have that signature revoked. For example, GRUB 2 is licensed under GPLv3 and will not be signed.

                                Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                                Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                                1 Reply Last reply Reply Quote 1
                                • Wayne WorkmanW
                                  Wayne Workman
                                  last edited by

                                  It’s got a special section just for iPXE.

                                  If your submission contains iPXE functionality, then additional security steps are required. Previously, Microsoft has completed an in depth security review of 2Pint’s iPXE branch. In order for new submissions with iPXE to be signed, they must complete the following steps:
                                  
                                      Pull and merge from 2Pint's commit: http://git.ipxe.org/ipxe.git/commitdiff/7428ab7  
                                      Get a security review from a verified vendor. Refer vendor to the iPXE Security Assurance Review blog post. Emphasis of the review should be on:
                                          NFS functionality being removed
                                          Wireless functionality being removed
                                          Non-UEFI loaders are not included
                                          Ensuring all known reported security problems are fixed (identified in the iPXE Security Assurance Review blog post).
                                      Share the specific commits that are made to the project, allowing Microsoft to ensure the expected changes are made.
                                  

                                  Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                                  Daily Clean Installation Results:
                                  https://fogtesting.fogproject.us/
                                  FOG Reporting:
                                  https://fog-external-reporting-results.fogproject.us/

                                  1 Reply Last reply Reply Quote 1
                                  • fry_pF
                                    fry_p Moderator
                                    last edited by

                                    I saw both of those requirements. This doesn’t look promising. I guess now it is less about the price and more about the ridiculous hoops to jump through. Also the GPLv3 thing is killer for us.

                                    Like open source community computing? Why not do it for a good cause?
                                    Use your computer/server for humanitarian projects when it is idle!
                                    https://join.worldcommunitygrid.org?recruiterId=1026912

                                    1 Reply Last reply Reply Quote 0
                                    • P
                                      putrzop
                                      last edited by

                                      Get an EV certificate from the certificate vendor of your choice and build you own flavor of the SHIM,

                                      1 Reply Last reply Reply Quote 0
                                      • P
                                        putrzop
                                        last edited by

                                        Microsoft should consider doing this for FOG as a donation.. .

                                        1 Reply Last reply Reply Quote 0
                                        • 1 / 1
                                        • First post
                                          Last post

                                        190

                                        Online

                                        12.0k

                                        Users

                                        17.3k

                                        Topics

                                        155.2k

                                        Posts
                                        Copyright © 2012-2024 FOG Project