Deploying FOG in a Secure‑Boot‑Mandated UEFI Environment
-
Background / Environment

FOG version: 1.5.10 (fresh install)
OS on FOG server: Ubuntu 22.04 LTS
Boot services: Proxy DHCP via dnsmasq (no ISC‑DHCP on same network)
Client hardware: Mixed Dell OptiPlex 7× / Latitude 5× series (UEFI‑only)
Secure Boot policy: Must remain enabled at all times; only Microsoft‑signed keys are in the firmware (no option to enrol custom keys).
What I’ve attempted

1. Replaced FOG’s default bootloaders with Microsoft‑signed shim (bootx64.efi) and GRUB (grubx64.efi).
2. Updated dnsmasq.conf to hand out the signed shim.
3. Configured GRUB to chain‑load FOG’s ipxe.efi.

Result: GRUB launches but I can’t make it boot to FOG.

If you have a Secure‑Boot‑friendly FOG setup—or tips on signing iPXE/adjusting the boot chain—I’d greatly appreciate:
-
@Aaexy said in Deploying FOG in a Secure‑Boot‑Mandated UEFI Environment:
Secure Boot policy Must remain enabled at all times; only Microsoft‑signed keys are in the firmware (no option to enrol custom keys).
If this is the case there is nothing you can do with FOG. You will need to get the ipxe kernel (ipxe.efi / snp.efi) and bzImage signed with the Microsoft keys so they can boot in your environment. While this pains me to say, you would probably be better off with a different imaging solution than FOG.
-
I’ve gotten a very similar setup to what you want and have tried working.
You’ll need to either rebuild the FOG version of iPXE with the shim command enabled or use a stock version of iPXE with the default.ipxe script replaced with an autoexec.ipxe script (I haven’t tested this so your mileage may vary). Once you’ve done that you can just sign your iPXE binary with your sec boot key, and save it as grubx64.efi (or see this Shim Issue or this part of the foguefi install script if you use Dell PCs.)
Finally now when you netboot, provided you also have mokmanager (mmx64.efi) in the same folder, you’ll be prompted to install your secboot key and on next boot you’ll be able to boot iPXE with secure boot on. You will also need to sign your bzImage etc. and then modify your default.ipxe script to load the shim with the shim command, and then you’ll be able to boot into fog fully!
If anyone wants I can put together a more coherent guide and I’m happy to answer any questions you have on this.
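The procedure in the reply above only works if every binary in the chain (shim, the iPXE build saved as grubx64.efi, mmx64.efi, and the bzImage with its EFI stub) actually carries an Authenticode signature; one unsigned file and the client just stops at a Secure Boot error with little to go on. The script below is an added example, not code from this thread or from the FOG project: it walks a TFTP root and reports which files have a certificate table in their PE headers, so a forgotten sbsign step is caught on the server rather than at the client. The file names in BOOT_CHAIN_FILES are assumptions, and the check only confirms a certificate table is present; whether the signature chains to a key in db or to the MOK you enrolled is a separate question (sbverify answers that).

```python
import struct
import tempfile
from pathlib import Path

# Data-directory slot that holds the Authenticode certificate table (PE spec).
CERT_TABLE_INDEX = 4

# Boot-chain files the thread talks about; assumed names, adjust for your TFTP root.
BOOT_CHAIN_FILES = ("bootx64.efi", "grubx64.efi", "mmx64.efi", "ipxe.efi", "bzImage")


def has_authenticode_table(data: bytes) -> bool:
    """True if the PE/COFF image has a non-empty certificate table entry.

    Covers PE32 and PE32+ images, i.e. shim, GRUB, iPXE .efi binaries and an
    EFI-stub bzImage. Raises ValueError when the bytes are not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip PE signature + COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                           # PE32
        dirs = opt + 96
    elif magic == 0x20B:                         # PE32+
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:04x}")
    (num_dirs,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
    if num_dirs <= CERT_TABLE_INDEX:
        return False
    offset, size = struct.unpack_from("<II", data, dirs + CERT_TABLE_INDEX * 8)
    # For the certificate table the first field is a file offset, not an RVA.
    return offset != 0 and size != 0 and offset + size <= len(data)


def classify(data: bytes) -> str:
    """Return 'signed', 'unsigned' or 'not-pe' for one file's bytes."""
    try:
        return "signed" if has_authenticode_table(data) else "unsigned"
    except (ValueError, struct.error):
        return "not-pe"


def audit_tftp_root(root: Path, names=BOOT_CHAIN_FILES) -> dict:
    """Classify each expected boot-chain file under root; 'missing' if absent."""
    report = {}
    for name in names:
        path = root / name
        report[name] = classify(path.read_bytes()) if path.is_file() else "missing"
    return report


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image used only to exercise the checker.

    It is not bootable, and the 'signature' is a placeholder WIN_CERTIFICATE
    header rather than a real PKCS#7 blob.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                       # PE32+ with 16 dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    header = bytes(dos) + b"PE\0\0" + coff
    if not signed:
        return header + bytes(opt)
    body = b"\x30\x00"                                         # placeholder DER
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    cert_offset = len(header) + len(opt)
    struct.pack_into("<II", opt, 112 + CERT_TABLE_INDEX * 8, cert_offset, len(cert))
    return header + bytes(opt) + cert


def demo() -> dict:
    """Write a constructed TFTP root to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bootx64.efi").write_bytes(build_sample_pe(True))   # signed shim
        (root / "grubx64.efi").write_bytes(build_sample_pe(True))   # signed iPXE saved as grub
        (root / "mmx64.efi").write_bytes(build_sample_pe(True))     # MokManager
        (root / "ipxe.efi").write_bytes(build_sample_pe(False))     # sbsign step forgotten
        (root / "bzImage").write_bytes(b"not a PE image")           # no EFI stub
        return audit_tftp_root(root)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:12s} {state}")
```

Run it against the real TFTP root with audit_tftp_root(Path("/tftpboot")) after signing; anything reported as unsigned or not-pe is a file shim will refuse to hand off to, and a bzImage that reads as not-pe was built without the EFI stub and cannot be loaded by the shim command at all.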