UEFI secure boot off not working with DDWRT


  • I have been able to use DDWRT successfully for years; however, since new desktops and laptops are not allowing legacy boot, I cannot get devices to pxe-boot. I have placed these settings in the DNSMasq Options:
    dhcp-match=set:bios,60,PXEClient:Arch:00000
    dhcp-match=set:efi32,60,PXEClient:Arch:00006
    dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,192.168.112.24
    dhcp-boot=net:UEFI,ipxe.efi,192.168.112.24
    dhcp-boot=net:UEFI64,ipxe.efi,192.168.112.24

  • Moderator

    @NuTech3 said in UEFI secure boot off not working with DDWRT:

    Does the Fog Server need to operate as the DHCP Server?

    No, fog does not need to operate as a dhcp server. BUT if you did install the dhcp server as part of the FOG install, then there would be no need for dnsmasq since the isc-dhcp server that fog uses is preconfigured to support both bios and uefi systems.

    DNSMASQ has several modes of operation, but if you use my config file from the tutorial exactly DNSMASQ will operate in a proxydhcp mode. In this mode it supplements the main dhcp server with pxe boot information only. We will typically use dnsmasq running on a fog server when the main dhcp server is either incapable of sending pxe boot information (as in some soho routers) or the dhcp server is unmodifiable for some reason not related to FOG.

    The interesting aspect of using dnsmasq on the fog server is that if the fog server is powered off so is dnsmasq. With dnsmasq off there is no chance of being directed to a server that is not powered on.


  • @george1421 Does the Fog Server need to operate as the DHCP Server? I did not set that up during the initial install. I remember seeing the message not to enable DHCP on the Fog Server.


  • @george1421 Dnsmasq was already present. It may have been installed in the installation process. I have the router functioning as DHCP server. Do I need to disable that and set that up on the Fog Server?

  • Moderator

    @NuTech3 OK so you installed dnsmasq on your fog server and are no longer using dnsmasq on ddwrt? If so make sure you remove the values from the config file and stop dnsmasq on your router (it may not be possible with ddwrt, I simply don’t know).


  • @george1421 Thanks George. I used your link to find out how to get to the dnsmasq.d. The file is already there. I viewed it and all of those settings are present. I also ran ps aux|grep dnsmasq to make sure it was running. I am going to remove the setting from DDWRT and see if it works.

  • Moderator

    Well you said you had these in ddwrt for years.

    dhcp-match=set:bios,60,PXEClient:Arch:00000
    dhcp-match=set:efi32,60,PXEClient:Arch:00006
    dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,192.168.112.24
    dhcp-boot=net:UEFI,ipxe.efi,192.168.112.24
    dhcp-boot=net:UEFI64,ipxe.efi,192.168.112.24
    

    Those are not specifically right, not specifically wrong, but not right.

    I would think this might get you closer. Some firmware require the last bit too.

    dhcp-boot=undionly.kpxe,,192.168.112.24
    
    dhcp-vendorclass=BIOS,PXEClient:Arch:00000
    dhcp-vendorclass=UEFI32,PXEClient:Arch:00006
    dhcp-vendorclass=UEFI,PXEClient:Arch:00007
    dhcp-vendorclass=UEFI64,PXEClient:Arch:00009
    
    dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,,192.168.112.24
    dhcp-boot=net:UEFI,ipxe.efi,,192.168.112.24
    dhcp-boot=net:UEFI64,ipxe.efi,,192.168.112.24
    

    Last bit that some firmware requires

    pxe-prompt="Booting FOG Client", 1
    
    # The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
    # Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI
    # This option is first and will be the default if there is no input from the user.
    pxe-service=X86PC, "Boot to FOG", undionly.kpxe
    pxe-service=X86-64_EFI, "Boot to FOG UEFI", ipxe.efi
    pxe-service=BC_EFI, "Boot to FOG UEFI PXE-BC", ipxe.efi
    

  • @george1421 Thanks for your reply. I have very little Linux command skills. I set up the Fog Server using the tutorial. Where do I put these settings and how?

  • Moderator

    Two things.

    1. FOG is not compatible with Secure boot == enabled.

    2. For dnsmasq I can’t say for dnsmasq settings, but for dnsmasq settings on a standalone server these work perfectly with FOG.

    # Don't function as a DNS server:
    port=0
    
    # Log lots of extra information about DHCP transactions.
    log-dhcp
    
    # Set the root directory for files available via TFTP.
    tftp-root=/tftpboot
    
    # The boot filename, Server name, Server Ip Address
    dhcp-boot=undionly.kpxe,,<fog_server_IP>
    
    # Disable re-use of the DHCP servername and filename fields as extra
    # option space. That's to avoid confusing some old or broken DHCP clients.
    dhcp-no-override
    
    # inspect the vendor class string and match the text to set the tag
    dhcp-vendorclass=BIOS,PXEClient:Arch:00000
    dhcp-vendorclass=UEFI32,PXEClient:Arch:00006
    dhcp-vendorclass=UEFI,PXEClient:Arch:00007
    dhcp-vendorclass=UEFI64,PXEClient:Arch:00009
    
    # Set the boot file name based on the matching tag from the vendor class (above)
    dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,,<fog_server_IP>
    dhcp-boot=net:UEFI,ipxe.efi,,<fog_server_IP>
    dhcp-boot=net:UEFI64,ipxe.efi,,<fog_server_IP>
    
    # PXE menu.  The first part is the text displayed to the user.  The second is the timeout, in seconds.
    pxe-prompt="Booting FOG Client", 1
    
    # The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
    # Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI
    # This option is first and will be the default if there is no input from the user.
    pxe-service=X86PC, "Boot to FOG", undionly.kpxe
    pxe-service=X86-64_EFI, "Boot to FOG UEFI", ipxe.efi
    pxe-service=BC_EFI, "Boot to FOG UEFI PXE-BC", ipxe.efi
    
    dhcp-range=<fog_server_IP>,proxy
    

    ref: https://forums.fogproject.org/topic/12796/installing-dnsmasq-on-your-fog-server
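
Added example, not part of the thread or of FOG/dnsmasq: a small Python check that models how the tags in the two configs quoted above select a boot file. It shows that the five DD-WRT lines only set the tags `bios` and `efi32`, while their `dhcp-boot` lines wait for `UEFI32`, `UEFI` and `UEFI64`. The model is simplified (substring match on option 60 only), and the option-60 strings are constructed samples.

```python
# Simplified model of how dnsmasq tags pick a PXE boot file. Only dhcp-vendorclass,
# dhcp-match on option 60 and dhcp-boot are modelled (assumption of this example).
def parse(conf):
    """Return (rules, boots): [(tag, substring)], [(required_tags, filename)]."""
    rules, boots = [], []
    for raw in conf.splitlines():
        key, _, val = raw.split("#", 1)[0].strip().partition("=")
        f = [s.strip() for s in val.split(",")]
        if key == "dhcp-vendorclass" and len(f) == 2:      # [set:]TAG,substring
            rules.append((f[0].split(":")[-1], f[1]))
        elif key == "dhcp-match" and len(f) == 3 and f[1] == "60":
            rules.append((f[0].split(":")[-1], f[2]))       # set:TAG,60,substring
        elif key == "dhcp-boot":                            # [net:TAG,]file,name,ip
            need = [x.split(":", 1)[1] for x in f if x.startswith(("net:", "tag:"))]
            boots.append((need, f[len(need)]))
    return rules, boots

def unset_tags(conf):
    """Tags that dhcp-boot lines require but no rule in the config ever sets."""
    rules, boots = parse(conf)
    return sorted({t for need, _ in boots for t in need} - {t for t, _ in rules})

def boot_file(conf, vendor_class):
    """Boot filename for a client sending this option-60 string, else None."""
    rules, boots = parse(conf)
    tags = {t for t, sub in rules if sub in vendor_class}
    tagged = [f for need, f in boots if need and set(need) <= tags]
    default = [f for need, f in boots if not need]
    return (tagged or default or [None])[0]   # a matching tagged line beats the default

DDWRT = """dhcp-match=set:bios,60,PXEClient:Arch:00000
dhcp-match=set:efi32,60,PXEClient:Arch:00006
dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,192.168.112.24
dhcp-boot=net:UEFI,ipxe.efi,192.168.112.24
dhcp-boot=net:UEFI64,ipxe.efi,192.168.112.24"""
REVISED = """dhcp-boot=undionly.kpxe,,192.168.112.24
dhcp-vendorclass=BIOS,PXEClient:Arch:00000
dhcp-vendorclass=UEFI32,PXEClient:Arch:00006
dhcp-vendorclass=UEFI,PXEClient:Arch:00007
dhcp-vendorclass=UEFI64,PXEClient:Arch:00009
dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,,192.168.112.24
dhcp-boot=net:UEFI,ipxe.efi,,192.168.112.24
dhcp-boot=net:UEFI64,ipxe.efi,,192.168.112.24"""
UEFI_X64 = "PXEClient:Arch:00007:UNDI:003016"   # constructed sample option-60 value

if __name__ == "__main__":
    for name, conf in (("DD-WRT", DDWRT), ("revised", REVISED)):
        print(name, unset_tags(conf), boot_file(conf, UEFI_X64))
```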
