SOLVED FoG with UEFI or Secure Boot?

  • Sorry if this has been asked before. I’ve tried googling and run into unclear answers. Does FoG have the ability PXE boot with Secure Boot turned on? I followed this walk through here:

    And it got me to the point where I can successfully deploy images, but I have to keep Secure Boot turned off in order for them to PXE.

  • Senior Developer

    @jcabuco Yeah, in gernal that’s right. But switching forth and back is not very convenient. You might want to look into setting up dnsmasq as ProxyDHCP as George suggested at some point.

  • Follow up question…

    Here’s what I’m doing, let me know if it won’t work…

    I changed my DHCP to undionly.kpxe so that my Virtual Box VM can PXE boot. I use that boot to have FoG Capture an image from my VM.

    I then go back to my DHCP and change it to ipxe.efi. From there, since my image is already captured, I should be able to deploy an image to a PC on UEFI correct?

  • @Sebastian-Roth I’m actually looking to enable bitlocker after FoG has laid down an image so I don’t think I should run into the problem you’re referring to?

  • @george1421 Thanks. So I actually got PXE to work with UEFI on by changing DHCP Option 67 to ipxe.efi

    So my guess is that I should be able to image a PC and enable bitlocker now that I can keep UEFI on. I’m not too familiar with these things so I’ll give it a shot. Just gotta build a new image with a correct answer file to utilize UEFI, i think…

  • Senior Developer

    @jcabuco said in FoG with UEFI or Secure Boot?:

    Secure boot no longer needed since I can enable bitlocker without secureboot.

    Just so you don’t wonder later on. Bitlocker enabled disks will produce very large image files as FOG is not able to read the actual data from the (encrypted) filesystem but needs to take a so called raw copy sector by sector.

    In fact we added a check for Bitlocked partitions some months ago (see here) as we had many requests about huge raw image files in the forums back in that time.

    Right now FOG will fail out if it finds a bitlocked partition. Maybe we should change that to just a warning. Please let me know if you want me to change that!

  • Moderator

    @jcabuco If you want to change your configuration a bit (since 2008 dhcp server is limited) you can install dnsmasq on your FOG server. I have a tutorial for that.

    Remove dhcp options 66 and 67 (or leave them since dnsmasq will override the settings) from your 2008 dhcp server. Setup dnsmasq on your fog server and ensure the dnsmasq service is running. DNSMasq with my configuration file will only supply dhcp boot information and nothing more, the rest of the dhcp info comes from your main dhcp server. If you have vlans and you are running a dnsmasq server, you will need to enter the fog server’s IP address as the very last entry in your vlan routers dhcp-relay/dhcp-helper service and that’s it.

  • @george1421 thanks for the reply.

    So I was reading the following article here: Cuz it looks like all I need is to be able to PXE while keeping the computer in UEFI. Secure boot no longer needed since I can enable bitlocker without secureboot.

    So now that I understand that the requirement is UEFI…I’ve run into a new issue…

    I’m using Server 2008 in my environment. The above mentioned article says no one has got it working…

    Has anyone gotten it working or am I screwed?

  • Moderator

    @jcabuco I have my fog server setup so that you can leave secure boot on and uefi pxe boot. Its been a while since I set it up. You will need to use some ubuntu boot kernels to launch ipxe in a secure boot safe environment. You do this using a secure boot shim and a singed version of grub pxe boot. just realize that having secure boot pxe boot enabled will not give you the ability to clone a bitlocker protected disk. The disk must be unprotected for cloning and then you can enable bitlocker in your setupcomplete.cmd batch file once WinSetup/OOBE is finished.

  • @Tom-Elliott Thanks Tom.

    I was initially confused as my requirement is to be able to utilize Bitlocker more so than Secure Boot. I was under the false impression that Secure Boot was required in order to enable Bitlocker.

    Now that I know all that it requires is UEFI, then I can focus on getting my fog installation to work with UEFI.

  • From a purely technical standpoint, it’s actually fully possible to use FOG while maintaining machine’s with Secure boot, but it requires a lot of “customization” that our generic code base most likely would not easily be able to support (as it’s respective of each organization.)

    @Lee-Rowlett Has done something like this, and while I’ve been kind of distant with minor chip-in’s here and there (Sorry Lee) I do still try to keep up with things so as to provide good and accurate information.

    That said, if Lee’s willing to share his process, I’m sure you could have a setup where you wouldn’t require disabling Secure boot. Of course, I do think to get the setup initially done, you would need to set the machines up without secure boot, run the process, then go ahead and re-enable secure boot and frolic in the joy that is secure boot and FOG.

  • @Quazz Thanks for helping me understand. So then is it possible to place something in UEFI boot and have it be able to PXE so that I can image?

    That way I can image using FoG while keeping the system set as UEFI so I can enable bitlocker.

    If so can you point me in the direction to something that can walk me through setting up FoG so that it can image for UEFI?

  • Moderator

    @jcabuco You can UEFI boot with secure boot disabled.

    Secure boot and bitlocker are unrelated. They can be enabled irrespective of the other.

  • @Wayne-Workman Thanks for the reply.

    I’m wondering then how do others who image with FoG enable bitlocker encryption without secure boot? If FoG requires legacy boot, what have others done to get encryption enabled?

    Or is this just not possible?

  • This post is deleted!

  • @jcabuco No, not realistically. Blame Microsoft for that. They charge money to sign iPXE binaries. With FOG being an incredibly low budget open source project supported by volunteers, Microsoft has pretty much all but barred FOG from playing the SecureBoot game (eyes on you, Microsoft).