• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    Deploying FOG in a Secure‑Boot‑Mandated UEFI Environment

    Scheduled Pinned Locked Moved Unsolved
    FOG Problems
    3
    3
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      Aaexy
      last edited by

      Background / Environment
      Component Details
      FOG version
      1.5.10 (fresh install)

      OS on FOG server
      Ubuntu 22.04 LTS

      Boot services
      Proxy DHCP via dnsmasq (no ISC‑DHCP on same network)

      Client hardware
      Mixed Dell OptiPlex 7× / Latitude 5× series (UEFI‑only)

      Secure Boot policy Must remain enabled at all times; only Microsoft‑signed keys are in the firmware (no option to enrol custom keys).

      What I’ve attempted
      Replaced FOG’s default bootloaders with Microsoft‑signed shim (bootx64.efi) and GRUB (grubx64.efi).

      Updated dnsmasq.conf to hand out the signed shim.

      Configured GRUB to chain‑load FOG’s ipxe.efi.
      Result: GRUB launches but i can’t make it boot to fog

      If you have a Secure‑Boot‑friendly FOG setup—or tips on signing iPXE/adjusting the boot chain—I’d greatly appreciate:

      george1421G 1 Reply Last reply Reply Quote 0
      • george1421G
        george1421 Moderator @Aaexy
        last edited by

        @Aaexy said in Deploying FOG in a Secure‑Boot‑Mandated UEFI Environment:

        Secure Boot policy Must remain enabled at all times; only Microsoft‑signed keys are in the firmware (no option to enrol custom keys).

        If this is the case there is nothing you can do with FOG. You will need to get the ipxe kernel (ipxe.efi / snp.efi) and bzImage signed with the microsoft keys so they can boot in your environment. While this pains me to say, you would probably be better off with a different imaging solution than FOG.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

        1 Reply Last reply Reply Quote 0
        • K
          KMEH
          last edited by

          I’ve gotten a very similar set up to what you want and have tried working.

          You’ll need to either rebuild the FOG version of iPXE with the shim command enabled or use a stock version of iPXE with the default.ipxe script replaced with an autoexec.ipxe script (I haven’t tested this so you mileage may vary). Once you’ve done that you can just sign your iPXE binary with your sec boot key, and save it as grubx64.efi (or see this Shim Issue or this part of the foguefi install script if you use Dell PCs.)

          Finally now when you netboot, provided you also have mokmanager (mmx64.efi) in the same folder, you’ll be prompted to install your secboot key and on next boot you’ll be able to boot. iPXE with secure boot on. You will also need to sign you bzImage etc and then modify your default.ipxe script to load the shim with the shim command, and then you’ll be able to boot into fog fully!

          If anyone wants I can put together a more coherent guide and I’m happy to answer any questions you have on this.

          1 Reply Last reply Reply Quote 1
          • 1 / 1
          • First post
            Last post

          39

          Online

          12.2k

          Users

          17.4k

          Topics

          155.6k

          Posts
          Copyright © 2012-2024 FOG Project