lovely stuff, job done -
# Boot the CentOS 7 (1804) installer from the FOG server; ks= hands the
# installer the kickstart file to run unattended. If the boot fails, fall
# back to the menu label instead of dropping to the iPXE shell.
# Kernel, initrd and kickstart are all fetched over plain HTTP and nothing
# here checks their integrity before they run, so the FOG web root (and the
# network path to it) is fully trusted by every client that boots this entry.
kernel http://fog/listing/centos7_1804/images/pxeboot/vmlinuz ks=http://fog/listing/centos7_1804/ks.cfg
initrd http://fog/listing/centos7_1804/images/pxeboot/initrd.img
boot || goto MENU
lovely stuff, job done -
# Same CentOS 7 (1804) installer entry as above: kernel + initrd from the
# FOG server, kickstart passed via ks=, menu fallback on failure.
# All three artefacts come over plain HTTP with no integrity check in this
# script, so the FOG web server is a trusted component of the boot chain.
kernel http://fog/listing/centos7_1804/images/pxeboot/vmlinuz ks=http://fog/listing/centos7_1804/ks.cfg
initrd http://fog/listing/centos7_1804/images/pxeboot/initrd.img
boot || goto MENU
@george1421 I made it all into one script, including the mkkeys.sh
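#!/bin/bash
# FOG Secure Boot key setup, stage 1: prepare a Debian/Ubuntu build host
# (runs as root). Refresh and upgrade the system, then install the toolchain
# the rest of this script relies on:
#   openssl                       - key/cert generation in mkkeys.sh
#   efitools                      - cert-to-efi-sig-list, sign-efi-sig-list,
#                                   efi-readvar
#   gnu-efi build-essential
#   help2man libssl-dev           - building efitools from source
#   git                           - cloning the efitools source tree
#   sbsigntool                    - provides sbsign, used later to sign
#                                   bzImage / ipxe / refind (was missing from
#                                   the original package list)
#   python3                       - mkkeys.sh uses it to generate the GUID
# NOTE(review): there is no 'set -e' in this script; a failing step does not
# stop the following ones.
apt-get update
apt-get upgrade -y
apt-get install -y openssl efitools gnu-efi git build-essential help2man \
  libssl-dev sbsigntool python3
# File::Slurp is presumably needed by the efitools source build. This pulls it
# from CPAN; the distro package libfile-slurp-perl would provide the same
# module from the signed apt repository instead.
perl -e'use CPAN; install "File::Slurp"'
# Working tree for everything below; efikeys/ receives the generated keys.
mkdir -p /opt/fog/secureboot/efikeys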
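# Write the key-generation helper (Rod Smith's mkkeys.sh, as updated for FOG)
# verbatim. The here-doc delimiter is quoted so the OUTER shell does not
# expand anything while writing the file: with an unquoted EOF, $NAME and
# $GUID were substituted at write time (both empty here), the backticked
# python3 call and the $(date ...) stamps were evaluated once on this host,
# and the generated script ended up with empty -subj CNs and an empty -g GUID.
# With 'EOF' the expansions happen when mkkeys.sh itself runs, as intended.
cat << 'EOF' > /opt/fog/secureboot/mkkeys.sh
#!/bin/bash
# Copyright (c) 2015 by Roderick W. Smith
# Updated 26-Nov-2021 by George1421 for the FOG Project
# Licensed under the terms of the GPL v3
NAME=FOGProjectSB
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout efikeys/PK.key \
-out efikeys/PK.crt -days 3650 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout efikeys/KEK.key \
-out efikeys/KEK.crt -days 3650 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout efikeys/DB.key \
-out efikeys/DB.crt -days 3650 -nodes -sha256
openssl x509 -in efikeys/PK.crt -out efikeys/PK.cer -outform DER
openssl x509 -in efikeys/KEK.crt -out efikeys/KEK.cer -outform DER
openssl x509 -in efikeys/DB.crt -out efikeys/DB.cer -outform DER
GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'`
echo $GUID > efikeys/myGUID.txt
cert-to-efi-sig-list -g $GUID efikeys/PK.crt efikeys/PK.esl
cert-to-efi-sig-list -g $GUID efikeys/KEK.crt efikeys/KEK.esl
cert-to-efi-sig-list -g $GUID efikeys/DB.crt efikeys/DB.esl
rm -f efikeys/noPK.esl
touch efikeys/noPK.esl
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k efikeys/PK.key -c efikeys/PK.crt PK efikeys/PK.esl efikeys/PK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k efikeys/PK.key -c efikeys/PK.crt PK efikeys/noPK.esl efikeys/noPK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k efikeys/PK.key -c efikeys/PK.crt KEK efikeys/KEK.esl efikeys/KEK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k efikeys/KEK.key -c efikeys/KEK.crt db efikeys/DB.esl efikeys/DB.auth
chmod 0600 efikeys/*.key
echo ""
echo ""
echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB"
echo "flash drive or to your EFI System Partition (ESP)."
echo "For use with most UEFIs' built-in key managers, copy the *.cer files;"
echo "but some UEFIs require the *.auth files."
echo ""
EOF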
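# Run the key generator. mkkeys.sh writes into the relative efikeys/ directory,
# so it must run from /opt/fog/secureboot; stop here if that cd fails instead
# of executing ./mkkeys.sh from whatever the current directory happens to be.
chmod a+x /opt/fog/secureboot/mkkeys.sh
cd /opt/fog/secureboot/ || exit 1
./mkkeys.sh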
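# Fetch and build efitools from source (the tree is reused further down to
# rebuild LockDown-signed.efi with our own key lists). The clone is made over
# https:// rather than git://: the git protocol is plaintext with no peer
# authentication, so code that ends up in a Secure Boot enrollment binary
# would be fetched without any transport integrity. The clone is unpinned —
# it builds whatever HEAD is at run time.
git clone https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
cd /opt/fog/secureboot/efitools || exit 1
make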
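# Export the firmware's current Secure Boot variables (PK, KEK, db and the dbx
# revocation list) as EFI signature lists. efi-readvar reads them from the
# running host's firmware, so this presumably only works on a UEFI-booted
# machine with efivarfs available — confirm on the build host.
mkdir -p /opt/fog/secureboot/hwkeys
cd /opt/fog/secureboot/ || exit 1
efi-readvar -v PK -o /opt/fog/secureboot/hwkeys/hw_PK.esl
efi-readvar -v KEK -o /opt/fog/secureboot/hwkeys/hw_KEK.esl
efi-readvar -v db -o /opt/fog/secureboot/hwkeys/hw_db.esl
efi-readvar -v dbx -o /opt/fog/secureboot/hwkeys/hw_dbx.esl
# These lists are copied into the efitools tree and compiled into
# EnrollKeys.efi below. They only need to be readable; the previous 0666 made
# them writable by every local user, i.e. anyone on the box could alter the
# key lists that get enrolled on client machines.
chmod 644 /opt/fog/secureboot/hwkeys/*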
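# Stage the generated keys and the firmware's lists into the efitools source
# tree and rebuild LockDown-signed.efi from them; the result is published as
# EnrollKeys.efi in /tftpboot.
cp /opt/fog/secureboot/efikeys/* /opt/fog/secureboot/efitools/
cp /opt/fog/secureboot/hwkeys/* /opt/fog/secureboot/efitools/
# cp without -p creates the copies with umask permissions, which would leave
# the private PK/KEK/DB keys (0600 in efikeys/) readable by every local user
# in the build tree. Restore the restrictive mode on the copies.
chmod 0600 /opt/fog/secureboot/efitools/*.key
cd /opt/fog/secureboot/efitools || exit 1
# NOTE(review): '>' REPLACES the DB/KEK/dbx lists produced by mkkeys.sh with
# the firmware's own lists, so the self-generated DB.crt is not in the db list
# handed to the build; if it is meant to be enrolled alongside the firmware
# certificates these would need '>>' — confirm against the efitools Makefile
# before changing.
cat hw_db.esl > DB.esl
cat hw_KEK.esl > KEK.esl
cat hw_dbx.esl > dbx.esl
# Remove the LockDown objects produced by the first 'make' (presumably so the
# rebuild picks up the replaced lists); -f keeps a clean tree from erroring.
rm -f LockDown*efi LockDown.so LockDown.o
make
cp LockDown-signed.efi EnrollKeys.efi
mkdir -p /tftpboot
cp /opt/fog/secureboot/efitools/EnrollKeys.efi /tftpboot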
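# Sign the boot binaries FOG serves (bzImage/bzImage32/refind over HTTP,
# ipxe/snponly/snp over TFTP) with the DB key generated by mkkeys.sh, keeping
# the original next to each signed file under an "-unsigned" name.
readonly DB_KEY=/opt/fog/secureboot/efikeys/DB.key
readonly DB_CRT=/opt/fog/secureboot/efikeys/DB.crt

#######################################
# Sign one binary with the DB key.
# The original is moved to the backup path only if no backup exists yet, so
# re-running this script re-signs from the pristine copy instead of renaming
# an already-signed file over the backup and signing it a second time.
# Globals:   DB_KEY, DB_CRT (read)
# Arguments: $1 - path the signed binary must end up at
#            $2 - path of the unsigned backup copy
# Returns:   sbsign's status; 1 if the original could not be moved aside
#######################################
sign_with_db_key() {
  local signed=$1
  local unsigned=$2
  if [[ ! -e "$unsigned" ]]; then
    mv -- "$signed" "$unsigned" || return 1
  fi
  sbsign --key "$DB_KEY" --cert "$DB_CRT" --output "$signed" "$unsigned"
}

sign_with_db_key /var/www/html/fog/service/ipxe/bzImage \
  /var/www/html/fog/service/ipxe/bzImage-unsigned
sign_with_db_key /var/www/html/fog/service/ipxe/bzImage32 \
  /var/www/html/fog/service/ipxe/bzImage32-unsigned
sign_with_db_key /var/www/html/fog/service/ipxe/refind.efi \
  /var/www/html/fog/service/ipxe/refind-unsigned.efi
sign_with_db_key /tftpboot/ipxe.efi /tftpboot/ipxe-unsigned.efi
sign_with_db_key /tftpboot/snponly.efi /tftpboot/snponly-unsigned.efi
sign_with_db_key /tftpboot/snp.efi /tftpboot/snp-unsigned.efi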
@robertkwild good news, its worked!
before that i did a “quick inventory”, it listed the vm in “hosts” and then i clicked on “capture” to the image i just created, i used “windows 10” as the os drop down
i sysprepped windows 11, it failed the first time due to a program stopping it; all i had to do was remove it in powershell
Get-AppxPackage Microsoft.BingNews* | Remove-AppxPackage
then try again
sysprep /oobe /generalize /shutdown
it captured it fine, then i deleted that vm, created a new vm, disabled “secure boot”, network booted to my fog clicked on “deploy image” chose the windows 11 image
and the end result i get a nice windows 11 vm desktop
@AlexPDX @Sebastian-Roth it was something simple in the end
BIOS > advanced > system options
i turned off/unticked - configure storage controller for VMD
basically it's their version of RAID, untick it and it's AHCI
hi all,
got a good way of installing windows 11 on esxi, bypassing the tpm check, as that's where i got the error saying “your pc doesnt meet all the requirements”
ive also on the vm disabled/unticked “secure boot” so i can still network boot my fog server
here's the how-to
https://www.virten.net/2021/10/windows-11-on-vmware-esxi-this-pc-cant-run-windows-11/
basically, when you come to the “enter your key screen” press shift+f10
REG ADD HKLM\SYSTEM\Setup\LabConfig /v BypassTPMCheck /t REG_DWORD /d 1
my end goal is to sysprep it and capture it to fog and then see if i can deploy it to new vm!
thanks,
rob
@george1421 result!!!
i bought a HP NIC as i have a HP laptop and it works
this one, if anyone is interested
https://www.amazon.co.uk/HP-N7P47AA-Network-DesignJet-Adapters-Black/dp/B01618WGMY?th=1
as literally none of the star tech, ugreen, tp link, realtek or asix chipsets worked
@george1421 the good thing is, you only need to do the reg hack and app removal on the GI, once you sysprep the GI and capture it, when you deploy it, you have to do nothing and you can deploy to multiple laptops, vms etc
the pic i showed you shows a laptop with TPM enabled, using the deployed image
when you say move to a working-1.6 branch what do you mean?
any news on this? all of a sudden it's not working, ie i have to manually copy to /images from /images/dev
@Tom-Elliott sorry Tom
no i only have one /images mounted
df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 95G 0 95G 0% /dev
tmpfs 95G 0 95G 0% /dev/shm
tmpfs 95G 18M 95G 1% /run
tmpfs 95G 0 95G 0% /sys/fs/cgroup
/dev/mapper/centos-root 50G 7.1G 43G 15% /
/dev/md6 3.6T 902G 2.6T 26% /images
/dev/sdf4 1014M 154M 861M 16% /boot
/dev/mapper/centos-home 835G 309M 835G 1% /home
tmpfs 19G 0 19G 0% /run/user/0
[root@lon-c-fog10 ~]# ls /images/
backup dev lon-transkoder lost+found os postdownloadscripts w11-gi win10-22h2gi Win10H22_Theatres
[root@lon-c-fog10 ~]# ls /
bin dev home lib media opt root sbin srv sys tftpboot.prev usr
boot etc images lib64 mnt proc run script swapfile.sys tftpboot tmp var
[root@lon-c-fog10 ~]#
@Tom-Elliott Hi Tom, this is happening all the time now, i'm having to run the commands every time i create a new image
is there any way i can automate this? in the /dev folder i see the mac address of the host, so would that folder contain the image name of what i called the image? if i know this i can definitely automate it
<?xml version="1.0" encoding="utf-8"?>
<!--
  Sysprep answer file for the oobeSystem pass: sets en-GB for every locale
  setting, hides the OOBE screens listed under <OOBE>, and creates a local
  account named "admin" in the Administrators group.
-->
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
<component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<InputLocale>en-GB</InputLocale>
<SystemLocale>en-GB</SystemLocale>
<UILanguage>en-GB</UILanguage>
<UILanguageFallback>en-GB</UILanguageFallback>
<UserLocale>en-GB</UserLocale>
</component>
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<OOBE>
<HideEULAPage>true</HideEULAPage>
<HideLocalAccountScreen>true</HideLocalAccountScreen>
<HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
<HideOnlineAccountScreens>true</HideOnlineAccountScreens>
<HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
<!-- Presumably selects the non-recommended privacy/protection setting so the
     express-settings page is skipped; confirm the value against the Unattend
     reference for the Windows build in use. -->
<ProtectYourPC>3</ProtectYourPC>
<UnattendEnableRetailDemo>false</UnattendEnableRetailDemo>
</OOBE>
<UserAccounts>
<LocalAccounts>
<LocalAccount wcm:action="add">
<!-- The local administrator password is stored in clear text here
     (PlainText=true). Anyone who can read this file - in the captured image,
     on a share, or in any copy of the answer file that remains on the
     deployed system - learns the Administrators credential for every machine
     deployed from it. Treat it as a bootstrap-only value and rotate it after
     first boot (or set it in a post-deployment step); PlainText=false with a
     Base64 value only obfuscates it and is not a substitute for rotation. -->
<Password>
<Value>admin</Value>
<PlainText>true</PlainText>
</Password>
<Description>admin</Description>
<DisplayName>admin</DisplayName>
<Group>Administrators</Group>
<Name>admin</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
</component>
</settings>
<cpi:offlineImage cpi:source="" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
Hi all,
Has anyone got a good unattended xml answer file I can use for windows 11 when I sysprep the image so I miss all the OOBE
Thanks,
Rob
@Tom-Elliott you are the main man, thanks so much !!!
# Promote the raw capture for host 00505692a681 from /images/dev to its final
# image directory W11_24H2_GI, then hand it to the fogproject account with
# group-writable d1* contents. rm -f only clears a stale plain file at the
# target path (it does not remove a directory).
src=/images/dev/00505692a681
image=/images/W11_24H2_GI
rm -f -- "$image"
cp -rf -- "$src" /images/
mv -- "/images/${src##*/}" "$image"
chown -R fogproject:fogproject "$image"
chmod -R 775 "$image"/d1*
when i deploy it now works
is it ok to delete the folder in dev or leave it?
@Tom-Elliott this is interesting
yes i sysprep’d and then captured it using fog
ls /images/win10-22h2gi/
d1.fixed_size_partitions d1.original.swapuuids d1p4.img
d1.mbr d1p1.img d1.partitions
d1.minimum.partitions d1p2.img d1.shrunken.partitions
d1.original.fstypes d1p3.img
[root@lon-c-fog10 ~]# ls /images/w11_24H2
/images/w11_24H2
du -sh /images/w11_24H2
0 /images/w11_24H2
[root@lon-c-fog10 ~]# du -sh /images/win10-22h2gi/
18G /images/win10-22h2gi/
but when i look on the fog web gui i get this
it's saved the image as a file, not a dir, why is this?
hi all,
im getting this error when i deploy a windows 11 image
sorry no idea what the error could be, i was hoping you guys can let me know
thanks,
rob
@Tom-Elliott i had the exact same error on another pc i wanted to image, you were right Tom, as the CMOS battery had died it had the wrong date/time, so i corrected it and voila
thanks for pointing me in the right direction!!!