First install - Secure boot and some pointers to info please



  • At the beginning of my fog journey, so hello all,

    I’ve got various machines already booting to the fog menu but wanted to rule out potential problems with my setup please, as a couple of machines aren’t behaving.

    I’m reading through a lot of information but conscious that I’m reading quite a lot of out of date info on my travels (and chasing my own tail a little) so thought I’d respectfully ask for some guidance.

    Usage won’t be large scale - mixed windows/ *nix environment, maybe osx later. UEFI and BIOS.
    It’s more that I have a lot of different machines to manage for myself/ friends/ family, rather than an office of hundreds. I’m constantly creating and tearing down virt machines for learning, so I’m seeing if fog can centralise some of the initial install here - ansible can take over a lot from there.
    Plus, you know, learning.

    Questions:
    1 - Secure Boot
    An HP 450 G3 laptop is being a slight pain. It works if I disable secure boot, but as I’m looking to use this with BitLocker that isn’t ideal, especially as there will be other machines in a similar position, I just haven’t tested them yet.

    With secure boot enabled I can see it quickly flashes

    Downloading NBP file
    Succeed to download NBP File.
    

    And then boots to the hard drive, ignoring the fog menu

    I can see here that George mentions there’s a way to shim this but am having trouble finding instructions on this.

    2 -Hyper-V
    Gen 2 machines seem to work ok.
    Gen 1 (with legacy network adapter) - gets stuck at iPXE initialising devices… photo attached (hopefully)
    (image attached: hyper-v.JPG)
    Probably no loss (my proxmox works fine) but I wanted to check it wasn’t a problem in my setup and just interested in why.
    I’ve read several historic posts on old versions not working but wanted to check if this is still a known problem please?

    3 - Dual boot
    Reading up on this next so just thought I’d check if there are any good guides as I suspect this will be full of gotchas, and mentioning it in case it’s relevant for the secure boot part.

    4- Wiki Edit
    Forgive this please as I know the point of a wiki is to change it myself (and appears lazy to ask someone to do it) but I think the above makes clear I’m not at that level of confidence with this yet.
    May I humbly suggest that on the dnsmasq proxy page the 3 links at the top are put down the bottom. As a newbie you feel you should check them but they just take you in a loop of isc/ legacy information.
    The good content you need is on this page directly below these links. Perhaps also a quick reference to pi-hole just so it comes up in searches.

    Appreciate there’s a lot here so shout if I should delete and do separate posts.
    Huge thanks for taking the time to read and thank you for all the hard work making this.

    ---------- Some information on setup ----------------
    Fog 1.5.8 on an Ubuntu 19.10 hyper-v VM using dnsmasq as proxy to a pihole server, config below.

    No changes in dnsmasq to pi-hole server for fog - other than setting up reserved IP for machine.

    ```
    root@fog:~# cat /etc/dnsmasq.d/
    cat: /etc/dnsmasq.d/: Is a directory
    root@fog:~# cat /etc/dnsmasq.d/ltsp.conf
    # Don't function as a DNS server:
    port=0

    # Log lots of extra information about DHCP transactions.
    log-dhcp

    # Set the root directory for files available via FTP.
    tftp-root=/tftpboot

    # The boot filename, Server name, Server Ip Address
    dhcp-boot=undionly.kpxe,,192.168.21.28

    # Disable re-use of the DHCP servername and filename fields as extra
    # option space. That's to avoid confusing some old or broken DHCP clients.
    dhcp-no-override

    # inspect the vendor class string and match the text to set the tag
    dhcp-vendorclass=BIOS,PXEClient:Arch:00000
    dhcp-vendorclass=UEFI32,PXEClient:Arch:00006
    dhcp-vendorclass=UEFI,PXEClient:Arch:00007
    dhcp-vendorclass=UEFI64,PXEClient:Arch:00009

    # Set the boot file name based on the matching tag from the vendor class (above)
    dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,,192.168.21.28
    dhcp-boot=net:UEFI,ipxe.efi,,192.168.21.28
    dhcp-boot=net:UEFI64,ipxe.efi,,192.168.21.28

    # PXE menu.  The first part is the text displayed to the user.  The second is the timeout, in seconds.
    pxe-prompt="Booting FOG Client", 3

    # The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
    # Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI
    # This option is first and will be the default if there is no input from the user.
    pxe-service=X86PC, "Boot to FOG", undionly.kpxe
    pxe-service=X86-64_EFI, "Boot to FOG UEFI", ipxe.efi
    pxe-service=BC_EFI, "Boot to FOG UEFI PXE-BC", ipxe.efi

    dhcp-range=192.168.21.28,proxy
    ```

    ```
    #!ipxe
    set fog-ip 192.168.21.28
    set fog-webroot fog
    set boot-url http://${fog-ip}/${fog-webroot}
    cpuid --ext 29 && set arch x86_64 || set arch i386
    goto get_console
    :console_set
    colour --rgb 0x00567a 1 ||
    colour --rgb 0x00567a 2 ||
    colour --rgb 0x00567a 4 ||
    cpair --foreground 7 --background 2 2 ||
    goto MENU
    :alt_console
    cpair --background 0 1 ||
    cpair --background 1 2 ||
    goto MENU
    :get_console
    console --picture http://192.168.21.28/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
    :MENU
    menu
    colour --rgb 0xff0000 0 ||
    cpair --foreground 1 1 ||
    cpair --foreground 0 3 ||
    cpair --foreground 4 4 ||
    item --gap Host is NOT registered!
    item --gap -- -------------------------------------
    item fog.local Boot from hard disk
    item fog.memtest Run Memtest86+
    item fog.reginput Perform Full Host Registration and Inventory
    item fog.reg Quick Registration and Inventory
    item fog.deployimage Deploy Image
    item fog.multijoin Join Multicast Session
    item fog.sysinfo Client System Information (Compatibility)
    choose --default fog.local --timeout 3000 target && goto ${target}
    :fog.local
    sanboot --no-describe --drive 0x80 || goto MENU
    :fog.memtest
    kernel memdisk initrd=memtest.bin iso raw
    initrd memtest.bin
    boot || goto MENU
    :fog.reginput
    kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.21.28/fog/ consoleblank=0 rootfstype=ext4 storage=192.168.21.28:/images/ storageip=192.168.21.28 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=manreg
    imgfetch init_32.xz
    boot || goto MENU
    :fog.reg
    kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.21.28/fog/ consoleblank=0 rootfstype=ext4 storage=192.168.21.28:/images/ storageip=192.168.21.28 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=autoreg
    imgfetch init_32.xz
    boot || goto MENU
    :fog.deployimage
    login
    params
    param mac0 ${net0/mac}
    param arch ${arch}
    param username ${username}
    param password ${password}
    param qihost 1
    isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
    isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
    param sysuuid ${uuid}
    :fog.multijoin
    login
    params
    param mac0 ${net0/mac}
    param arch ${arch}
    param username ${username}
    param password ${password}
    param sessionJoin 1
    isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
    isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
    param sysuuid ${uuid}
    :fog.sysinfo
    kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.21.28/fog/ consoleblank=0 rootfstype=ext4 storage=192.168.21.28:/images/ storageip=192.168.21.28 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=sysinfo
    imgfetch init_32.xz
    boot || goto MENU
    :bootme
    chain -ar http://192.168.21.28/fog/service/ipxe/boot.php##params ||
    goto MENU
    autoboot
    ```
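Editor's note: the posted ltsp.conf decides which network boot program (NBP) a client gets purely from the architecture the client advertises in its DHCPDISCOVER, so a wrong or unmatched architecture is the first thing to rule out when a machine gets the wrong file or falls back to the untagged default. The script below is an added worked example (not FOG or dnsmasq code) that parses a constructed DHCPDISCOVER options area, reads option 60 (vendor class) and option 93 (client system architecture), and applies the same arch-to-file selection as the dhcp-vendorclass / dhcp-boot lines above. The file names and the 192.168.21.28 next-server come from the posted config; the packet bytes and function names are assumptions made for the example.

```python
"""Reproduce the NBP selection the posted dnsmasq proxy config performs.
Added example, not FOG/dnsmasq code. Parses DHCP options (TLV), reads
option 60 / option 93 and maps the client architecture to a boot file the
way the dhcp-vendorclass + dhcp-boot lines do."""
import struct
from typing import Dict, Optional, Tuple

FOG_IP = "192.168.21.28"          # next-server in the posted ltsp.conf

# Same tags as the config: 00000 BIOS, 00006 UEFI32, 00007 UEFI (BC_EFI), 00009 UEFI64.
# Arch 00000 has no tagged dhcp-boot, so it falls to the untagged default.
ARCH_TO_BOOTFILE = {
    0x0000: "undionly.kpxe",
    0x0006: "i386-efi/ipxe.efi",
    0x0007: "ipxe.efi",
    0x0009: "ipxe.efi",
}
DEFAULT_BOOTFILE = "undionly.kpxe"  # the untagged dhcp-boot line


def parse_options(options: bytes) -> Dict[int, bytes]:
    """Parse the DHCP options area (bytes after the magic cookie) into {code: value}."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = options[i + 1]
        opts[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def client_arch(opts: Dict[int, bytes]) -> Optional[int]:
    """Option 93 (2-byte big-endian arch) if present, else the arch embedded in option 60."""
    if 93 in opts and len(opts[93]) >= 2:
        return struct.unpack("!H", opts[93][:2])[0]
    vclass = opts.get(60, b"").decode("ascii", "replace")
    # dhcp-vendorclass matches the prefix "PXEClient:Arch:NNNNN" (5 hex digits)
    if vclass.startswith("PXEClient:Arch:"):
        return int(vclass.split(":")[2], 16)
    return None


def select_boot(opts: Dict[int, bytes]) -> Optional[Tuple[str, str]]:
    """Return (bootfile, next_server), or None when the proxy should stay silent."""
    if not opts.get(60, b"").startswith(b"PXEClient"):
        return None              # ordinary DHCP client, not a PXE request
    arch = client_arch(opts)
    # An architecture with no tag (e.g. ARM64, 0x000b) gets the BIOS default,
    # exactly as the posted config would hand it out.
    return ARCH_TO_BOOTFILE.get(arch, DEFAULT_BOOTFILE), FOG_IP


def build_discover_options(vendor_class: str, arch: Optional[int]) -> bytes:
    """Constructed DHCPDISCOVER options area for testing (not a real capture)."""
    out = bytes([53, 1, 1])                      # option 53: DHCPDISCOVER
    vc = vendor_class.encode("ascii")
    out += bytes([60, len(vc)]) + vc             # option 60: vendor class identifier
    if arch is not None:
        out += bytes([93, 2]) + struct.pack("!H", arch)  # option 93: client arch
    return out + b"\xff"


if __name__ == "__main__":
    for vc, arch in [("PXEClient:Arch:00000:UNDI:002001", 0x0000),
                     ("PXEClient:Arch:00007:UNDI:003016", 0x0007),
                     ("PXEClient:Arch:00006:UNDI:003016", None),
                     ("MSFT 5.0", None)]:
        print(vc, "->", select_boot(parse_options(build_discover_options(vc, arch))))
```

With `log-dhcp` on, the vendor class and option 93 value dnsmasq saw for the HP are in the dnsmasq log, so you can compare the real client against this mapping before touching the config.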

  • Senior Developer

    @beardedfool If you want to go secure boot there might be a way using your own custom Certificate Authority to roll out things. I haven’t done this myself and can’t give you any details. You’d need to talk to @Lee-Rowlett about this. First checkout his posts here: https://forums.fogproject.org/topic/13832/secureboot-issues



  • OK, thanks for coming back George. Reply is hugely appreciated and saved me a lot of second guessing. Cheers.


  • Moderator

    1. Secure boot. You have to disable secure boot to boot with a non-signed kernel. The shim no longer works because of increased security around secure boot. The FOS kernel as well as iPXE needs to be signed by Microsoft, or the shim signed by Microsoft and then the shim checked to see if the FOS kernel and iPXE are signed. For an open-source project, having the kernels signed by Microsoft every time gets to be a bit expensive. So you need to disable secure boot. I know that with the Dells you can use CCTK to enable secure boot after imaging. I assume HP has a similar firmware interface tool. Also remember that your golden image must not have BitLocker enabled before image capture. If it’s turned on, your deployed image will not function correctly.

    2. Hyper-V… what more can I say. It’s temperamental depending on the version of your host OS.
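Editor's note: the symptom in the first post ("Succeed to download NBP File", then straight to the hard disk) is what Secure Boot firmware does when it fetches the NBP and then refuses to execute it, and the reply above explains why: ipxe.efi from FOG is not signed by anything in the firmware's db. The quickest local check is whether the binary carries an Authenticode certificate table at all. The script below is an added example (not FOG or iPXE code) that parses the PE headers directly and reports machine, subsystem and certificate-table presence; to keep it runnable offline it also constructs a minimal, non-executable PE32+ image with and without a placeholder WIN_CERTIFICATE. Function names and the constructed image are assumptions; run `inspect_pe(open("/tftpboot/ipxe.efi", "rb").read())` for the real file.

```python
"""Does this EFI binary carry an Authenticode signature at all?
Added example, not FOG/iPXE code. Parses the PE/COFF headers by hand,
finds data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) and reads the
WIN_CERTIFICATE header it points at. Presence of a table is necessary,
not sufficient: the signer must also chain to a certificate in db."""
import struct
from typing import Dict

SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
SUBSYSTEM_EFI_APPLICATION = 10         # IMAGE_SUBSYSTEM_EFI_APPLICATION
MACHINE = {0x14C: "i386", 0x8664: "x86_64", 0xAA64: "aarch64"}


def inspect_pe(data: bytes) -> Dict[str, object]:
    """Return machine, EFI-subsystem flag and certificate-table details for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, _nsec, _ts, _sym, _nsym, _optsz, _chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                          # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                         # PE32+ (x64 UEFI NBP)
        ndirs_off, dirs_off = 108, 112
    elif magic == 0x10B:                                       # PE32
        ndirs_off, dirs_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    info: Dict[str, object] = {"machine": MACHINE.get(machine, hex(machine)),
                               "efi_application": subsystem == SUBSYSTEM_EFI_APPLICATION,
                               "signed": False, "cert_type": None}
    if ndirs <= SECURITY_DIR_INDEX:
        return info                                            # no security directory
    cert_off, cert_len = struct.unpack_from("<II", data, opt + dirs_off + 8 * SECURITY_DIR_INDEX)
    if cert_off == 0 or cert_len == 0:
        return info                                            # unsigned: nothing to verify
    # Unlike other directories, the security entry holds a file offset, not an RVA.
    dw_length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    info.update(signed=(cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and dw_length <= cert_len),
                cert_type=cert_type, cert_revision=revision)
    return info


def build_minimal_pe32plus(signed: bool) -> bytes:
    """Constructed, non-executable PE32+ with EFI subsystem; optionally appends a
    placeholder WIN_CERTIFICATE (not a real PKCS#7 signature)."""
    opt_size = 112 + 16 * 8                       # fixed PE32+ part + 16 data directories
    pe_off = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+
    struct.pack_into("<H", opt, 68, SUBSYSTEM_EFI_APPLICATION)
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt))
    if signed:
        body = b"\x30\x82" + b"\0" * 30                       # placeholder bytes
        win_cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        struct.pack_into("<II", image, pe_off + 24 + 112 + 8 * SECURITY_DIR_INDEX,
                         len(image), len(win_cert))
        image += win_cert
    return bytes(image)


if __name__ == "__main__":
    print("unsigned:", inspect_pe(build_minimal_pe32plus(False)))
    print("signed:  ", inspect_pe(build_minimal_pe32plus(True)))
```

If the table is present, the next question is who signed it: `sbverify --list ipxe.efi` (sbsigntools) prints the signer chain, and `mokutil --sb-state` on a Linux live system confirms whether the firmware actually has Secure Boot enforcing. Note that BitLocker's TPM measurement does not require Secure Boot to be on at deploy time; it only needs the boot chain to be stable after you re-enable it, which is why the reply suggests flipping it back on after imaging.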

