UEFI with Safe Boot turned on.... Help!



  • Hello everyone,

    Setup: FOG 1.5.4
    CentOS 7
    Clonezilla Live: 20180329-artful

    I want to make it easier to image PCs. Right now I have to go into every machine to turn off “Safe Boot”, and then, using the server’s IP address and “ipxe.efi” via options 66 and 67 on our DHCP server, I can get an associated host to image from FOG.

    If a host is not pre-associated with FOG we can still get to the FOG menu:

    [screenshot]

    I would like to not have to turn off secure boot every time.

    So far the only working solution which allows booting with all security turned on is Clonezilla.

    Here’s where things seem to get tricky for me. I know FOG doesn’t natively support UEFI and Safe Boot but there is a Clonezilla PXE Boot option I want to try.

    Website: https://clonezilla.org/livepxe.php

    I’ve followed the steps listed here and in another site:

    https://community.spiceworks.com/topic/352773-fog-and-uefi

    They say to copy the necessary files (initrd.img, filesystem.squashfs, vmlinuz) from the “Live” folder from the Clonezilla Live image. For ease I put them in the tftp root.

    tftp folder:

    [screenshot]

    Both mention configuring the pxelinux.cfg menu “default” which I’ve done using http and tftp destinations:

    [screenshots]

    They say to reboot and watch the clients go but it never happens. They mention the ability to select Clonezilla from a menu but I have no idea what menu. The only menu I’ve ever seen is the one shown above which has never mentioned Clonezilla.

    If I try to run the process with Safe Boot on I always get an error from the PC:

    [screenshot]

    I can’t seem to get anywhere with it.

    Is there a secondary menu I’m missing that isn’t loading via FOG?

    I have also got the DHCP setup as depicted here:

    https://wiki.fogproject.org/wiki/index.php?title=BIOS_and_UEFI_Co-Existence

    on Server 2016:

    Any help would be greatly appreciated.

    Thanks.


  • Moderator

    The issue is that both iPXE (ipxe.efi) and the FOS Linux kernel (bzImage) are not signed. So secure booting is not supported natively by the FOG Project.

    In contrast, Ubuntu has a signed shim and GRUB kernel they use to jump start into the Ubuntu Linux kernel. If someone was a little skilled they could probably make iPXE and FOS boot using a similar shim.


 
