Booting UEFI only devices with USB network adapters - problem and solution

Hi all,

We’ve just hit a problem that I think has been coming for a while. The problem is as follows:

When network booting a UEFI only device via a USB network adapter, after downloading the initial NBP file (snponly.efi) the PXE shell can’t see any network devices.

We tried forcing these devices to load ipxe.efi instead but the problem persisted.

After some digging it seems the reason is FOGs use of USB_HCD_USBIO instead of USB_EFI. We built our own ipxe.efi with USB_EFI instead and it got further but then hit permission errors - turns out this is because we weren’t trusting the ssl certificate.

Anyway, long story short, we modded the buildipxe.sh to add in a usb.h config file and we removed the sed commands forcing USB_HCD_USBIO instead of USB_EFI and then we changed the dhcpd.conf to direct all efi devices to snp.efi instead of snponly.efi.

This has now fixed the issue and our UEFI only devices can now network boot from USB network adapters.

For reference here are the changes to the build files:

The new buildipxe.sh:

#!/bin/bash
if [[ -r $1 ]]; then
  cert=$1
elif [[ -r /opt/fog/snapins/ssl/CA/.fogCA.pem ]]; then
  cert="/opt/fog/snapins/ssl/CA/.fogCA.pem"
fi

BUILDOPTS="CERT=${cert} TRUST=${cert}"
IPXEGIT="https://github.com/ipxe/ipxe"

# Change directory to base ipxe files
SCRIPT=$(readlink -f "$BASH_SOURCE")
FOGDIR=$(dirname $(dirname $(dirname "$SCRIPT") ) )
BASE=$(dirname "$FOGDIR")

if [[ -d ${BASE}/ipxe ]]; then
  cd ${BASE}/ipxe
  git clean -fd
  git reset --hard
  git pull
  cd src/
  # make sure this is being re-compiled in case the CA has changed!
  touch crypto/rootcert.c
else
  git clone ${IPXEGIT} ${BASE}/ipxe
  cd ${BASE}/ipxe/src/
fi


# Get current header and script from fogproject repo
echo "Copy (overwrite) iPXE headers and scripts..."
cp ${FOGDIR}/src/ipxe/src/Makefile.housekeeping .
cp ${FOGDIR}/src/ipxe/src/ipxescript .
cp ${FOGDIR}/src/ipxe/src/ipxescript10sec .
cp ${FOGDIR}/src/ipxe/src/config/general.h config/
cp ${FOGDIR}/src/ipxe/src/config/settings.h config/
cp ${FOGDIR}/src/ipxe/src/config/console.h config/
# For BIOS builds, disable USB_HCD_USBIO as it's EFI-specific
sed -i 's+#define       USB_HCD_USBIO+//#define USB_HCD_USBIO+g' config/usb.h

# Build the files
make -j$(nproc) EMBED=ipxescript bin/ipxe.iso bin/{undionly,ipxe,intel,realtek}.{,k,kk}pxe bin/ipxe.lkrn bin/ipxe.usb ${BUILDOPTS}
[[ $? -eq 0 ]] || exit 40

# Copy files to repo location as required
cp bin/ipxe.iso bin/{undionly,ipxe,intel,realtek}.{,k,kk}pxe bin/ipxe.lkrn bin/ipxe.usb ${FOGDIR}/packages/tftp/
cp bin/ipxe.lkrn ${FOGDIR}/packages/tftp/ipxe.krn

# Build with 10 second delay
make -j$(nproc) EMBED=ipxescript10sec bin/ipxe.iso bin/{undionly,ipxe,intel,realtek}.{,k,kk}pxe bin/ipxe.lkrn bin/ipxe.usb ${BUILDOPTS}
[[ $? -eq 0 ]] || exit 48

# Copy files to repo location as required
cp bin/ipxe.iso bin/{undionly,ipxe,intel,realtek}.{,k,kk}pxe bin/ipxe.lkrn bin/ipxe.usb ${FOGDIR}/packages/tftp/10secdelay/
cp bin/ipxe.lkrn ${FOGDIR}/packages/tftp/10secdelay/ipxe.krn

# Change to the efi layout
if [[ -d ${BASE}/ipxe-efi ]]; then
  cd ${BASE}/ipxe-efi/
  git clean -fd
  git reset --hard
  git pull
  cd src/
  # make sure this is being re-compiled in case the CA has changed!
  touch crypto/rootcert.c
else
  git clone ${IPXEGIT} ${BASE}/ipxe-efi
  cd ${BASE}/ipxe-efi/src/
fi

# Get current header and script from fogproject repo
echo "Copy (overwrite) iPXE headers and scripts..."
cp ${FOGDIR}/src/ipxe/src-efi/Makefile.housekeeping .
cp ${FOGDIR}/src/ipxe/src-efi/ipxescript .
cp ${FOGDIR}/src/ipxe/src-efi/ipxescript10sec .
cp ${FOGDIR}/src/ipxe/src-efi/config/general.h config/
cp ${FOGDIR}/src/ipxe/src-efi/config/settings.h config/
cp ${FOGDIR}/src/ipxe/src-efi/config/console.h config/
cp ${FOGDIR}/src/ipxe/src-efi/config/usb.h config/

# Build the files
make -j$(nproc) EMBED=ipxescript bin-{i386,x86_64}-efi/{snp{,only},ipxe,intel,realtek}.efi ${BUILDOPTS}
[[ $? -eq 0 ]] || exit 80

# Apply USB configuration for ARM64 build
make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu- ARCH=arm64 EMBED=ipxescript bin-arm64-efi/{snp{,only},ipxe,intel,realtek}.efi ${BUILDOPTS}
[[ $? -eq 0 ]] || exit 82

# Copy the files to upload
cp bin-arm64-efi/{snp{,only},ipxe,intel,realtek}.efi ${FOGDIR}/packages/tftp/arm64-efi/
cp bin-i386-efi/{snp{,only},ipxe,intel,realtek}.efi ${FOGDIR}/packages/tftp/i386-efi/
cp bin-x86_64-efi/{snp{,only},ipxe,intel,realtek}.efi ${FOGDIR}/packages/tftp/

# Build with 10 second delay
make -j$(nproc) EMBED=ipxescript10sec bin-{i386,x86_64}-efi/{snp{,only},ipxe,intel,realtek}.efi ${BUILDOPTS}
[[ $? -eq 0 ]] || exit 91

make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu- ARCH=arm64 EMBED=ipxescript10sec bin-arm64-efi/{snp{,only},ipxe,intel,realtek}.efi ${BUILDOPTS}
[[ $? -eq 0 ]] || exit 93

# Copy the files to upload
cp bin-arm64-efi/{snp{,only},ipxe,intel,realtek}.efi ${FOGDIR}/packages/tftp/10secdelay/arm64-efi/
cp bin-i386-efi/{snp{,only},ipxe,intel,realtek}.efi ${FOGDIR}/packages/tftp/10secdelay/i386-efi/
cp bin-x86_64-efi/{snp{,only},ipxe,intel,realtek}.efi ${FOGDIR}/packages/tftp/10secdelay/

And usb.h:

#ifndef CONFIG_USB_H
#define CONFIG_USB_H

/** @file
 *
 * USB configuration
 *
 */

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

#include <config/defaults.h>

/*
 * USB host controllers (enable all)
 */
#define USB_HCD_XHCI    /* xHCI USB 3.0 host controller */
#define USB_HCD_EHCI    /* EHCI USB 2.0 host controller */
#define USB_HCD_UHCI    /* UHCI USB 1.1 host controller */
//#undef USB_HCD_USBIO   /* Very slow EFI USB host controller */

/*
 * USB peripherals
 */
#define USB_KEYBOARD    /* USB keyboards */
//#undef USB_BLOCK       /* USB block devices */

/*
 * USB external interfaces
 */
#define USB_EFI         /* Provide EFI_USB_IO_PROTOCOL interface */

#include <config/named.h>
#include NAMED_CONFIG(usb.h)
#include <config/local/usb.h>
#include LOCAL_NAMED_CONFIG(usb.h)

#endif /* CONFIG_USB_H */

@george1421 That’s literally perfect, thanks! Seems fairly straightforward, I’ll update this thread with progress later.

As a note, we are charity refurbishing computers/laptops and donating them on. We have our own external database that we push data to but we use FOG to harvest data (we’ve created our own inventory and registration scripts to record all drives and pci devices and every RAM module separately). We also use FOG to image outgoing devices and to load tools like parted magic. We are now writing our own data erasure and verification script which is why we need to be able to sleep machines (in order to unfreeze drives), this will be used to effectively complete the automation of processing incoming items, currently we have to use external tools to perform data erasure and some of these we have configured to also report into our database but it would be quicker/more convenient to be able to do it all through 1 boot of the machine, hence adding the functionality to our FOS image.

@george1421 We’re half a step ahead here! Already enabled all the CONFIG_ACPI options and CONFIG_SUSPEND etc. and built a new kernel. We also enabled RTC for rtcwake but that still leaves the screen blank. It also turns out that acpitools (something we thought might work) tries to suspend using /proc/acpi/sleep which, from what I have read, is deprecated because it’s an abuse of /proc.

We are running under the assumption that at least some power management tools have scripts built in to reinitialise monitors/displays etc. using methods which are currently unknown to us and that the easiest solution would be to just get one of them to do it all for us. Unfortunately, so far, this hasn’t worked out.

Right now I’m thinking we need to see if we can just tell stuff to turn back on so I might have to figure out enough ASL to turn the screen back on using acpiexec and an AML file. I’ve also added kexec in to our init though so maybe we can just reload the init after sleeping to unfreeze and that will restart everything.

Another option might be (if this is possible) to use ASL/AML/acpiexec to directly remove power from the drive and then power it back up.

hdparm has an unfreeze command (doesn’t always work) but unfortunately nvme-cli has no equivalent, even tried setting the power states to their lowest possible and then setting them back, also tried the reset command (didn’t work) and the reset-subsystem command just made the drive disappear.

In general, in buildroot, I can’t find any power management tools other than the acpi stuff and powertop (which is useless). Another option might be to try and add in uswsusp manually but the last build of that is from 2011!

The amount of stuff we are learning to solve one, small problem is nuts.

Final update: Got everything working! The monitor not waking up after sleep was fixed by adding in some extra graphics drivers to the kernel and we’ve found some solutions to wiping difficult machines (like Lenovo’s) which normally force you to use tools built into the UEFI or a special Lenovo wipe program that only works on certain models and asks you to confirm 5 times and gives you a random generated key that you have to enter in after a reboot. As a note, even parted magic fails to wipe Lenovo drives.

Anyway, thank you @george1421 you’ve helped me to learn a great deal and enabled our success in this.

Hi all,

We’ve just hit a problem that I think has been coming for a while. The problem is as follows:

When network booting a UEFI only device via a USB network adapter, after downloading the initial NBP file (snponly.efi) the PXE shell can’t see any network devices.

We tried forcing these devices to load ipxe.efi instead but the problem persisted.

After some digging it seems the reason is FOGs use of USB_HCD_USBIO instead of USB_EFI. We built our own ipxe.efi with USB_EFI instead and it got further but then hit permission errors - turns out this is because we weren’t trusting the ssl certificate.

Anyway, long story short, we modded the buildipxe.sh to add in a usb.h config file and we removed the sed commands forcing USB_HCD_USBIO instead of USB_EFI and then we changed the dhcpd.conf to direct all efi devices to snp.efi instead of snponly.efi.

This has now fixed the issue and our UEFI only devices can now network boot from USB network adapters.

For reference here are the changes to the build files:

The new buildipxe.sh:

#!/bin/bash
if [[ -r $1 ]]; then
  cert=$1
elif [[ -r /opt/fog/snapins/ssl/CA/.fogCA.pem ]]; then
  cert="/opt/fog/snapins/ssl/CA/.fogCA.pem"
fi

BUILDOPTS="CERT=${cert} TRUST=${cert}"
IPXEGIT="https://github.com/ipxe/ipxe"

# Change directory to base ipxe files
SCRIPT=$(readlink -f "$BASH_SOURCE")
FOGDIR=$(dirname $(dirname $(dirname "$SCRIPT") ) )
BASE=$(dirname "$FOGDIR")

if [[ -d ${BASE}/ipxe ]]; then
  cd ${BASE}/ipxe
  git clean -fd
  git reset --hard
  git pull
  cd src/
  # make sure this is being re-compiled in case the CA has changed!
  touch crypto/rootcert.c
else
  git clone ${IPXEGIT} ${BASE}/ipxe
  cd ${BASE}/ipxe/src/
fi


# Get current header and script from fogproject repo
echo "Copy (overwrite) iPXE headers and scripts..."
cp ${FOGDIR}/src/ipxe/src/Makefile.housekeeping .
cp ${FOGDIR}/src/ipxe/src/ipxescript .
cp ${FOGDIR}/src/ipxe/src/ipxescript10sec .
cp ${FOGDIR}/src/ipxe/src/config/general.h config/
cp ${FOGDIR}/src/ipxe/src/config/settings.h config/
cp ${FOGDIR}/src/ipxe/src/config/console.h config/
# For BIOS builds, disable USB_HCD_USBIO as it's EFI-specific
sed -i 's+#define       USB_HCD_USBIO+//#define USB_HCD_USBIO+g' config/usb.h

# Build the files
make -j$(nproc) EMBED=ipxescript bin/ipxe.iso bin/{undionly,ipxe,intel,realtek}.{,k,kk}pxe bin/ipxe.lkrn bin/ipxe.usb ${BUILDOPTS}
[[ $? -eq 0 ]] || exit 40

# Copy files to repo location as required
cp bin/ipxe.iso bin/{undionly,ipxe,intel,realtek}.{,k,kk}pxe bin/ipxe.lkrn bin/ipxe.usb ${FOGDIR}/packages/tftp/
cp bin/ipxe.lkrn ${FOGDIR}/packages/tftp/ipxe.krn

# Build with 10 second delay
make -j$(nproc) EMBED=ipxescript10sec bin/ipxe.iso bin/{undionly,ipxe,intel,realtek}.{,k,kk}pxe bin/ipxe.lkrn bin/ipxe.usb ${BUILDOPTS}
[[ $? -eq 0 ]] || exit 48

# Copy files to repo location as required
cp bin/ipxe.iso bin/{undionly,ipxe,intel,realtek}.{,k,kk}pxe bin/ipxe.lkrn bin/ipxe.usb ${FOGDIR}/packages/tftp/10secdelay/
cp bin/ipxe.lkrn ${FOGDIR}/packages/tftp/10secdelay/ipxe.krn

# Change to the efi layout
if [[ -d ${BASE}/ipxe-efi ]]; then
  cd ${BASE}/ipxe-efi/
  git clean -fd
  git reset --hard
  git pull
  cd src/
  # make sure this is being re-compiled in case the CA has changed!
  touch crypto/rootcert.c
else
  git clone ${IPXEGIT} ${BASE}/ipxe-efi
  cd ${BASE}/ipxe-efi/src/
fi

# Get current header and script from fogproject repo
echo "Copy (overwrite) iPXE headers and scripts..."
cp ${FOGDIR}/src/ipxe/src-efi/Makefile.housekeeping .
cp ${FOGDIR}/src/ipxe/src-efi/ipxescript .
cp ${FOGDIR}/src/ipxe/src-efi/ipxescript10sec .
cp ${FOGDIR}/src/ipxe/src-efi/config/general.h config/
cp ${FOGDIR}/src/ipxe/src-efi/config/settings.h config/
cp ${FOGDIR}/src/ipxe/src-efi/config/console.h config/
cp ${FOGDIR}/src/ipxe/src-efi/config/usb.h config/

# Build the files
make -j$(nproc) EMBED=ipxescript bin-{i386,x86_64}-efi/{snp{,only},ipxe,intel,realtek}.efi ${BUILDOPTS}
[[ $? -eq 0 ]] || exit 80

# Apply USB configuration for ARM64 build
make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu- ARCH=arm64 EMBED=ipxescript bin-arm64-efi/{snp{,only},ipxe,intel,realtek}.efi ${BUILDOPTS}
[[ $? -eq 0 ]] || exit 82

# Copy the files to upload
cp bin-arm64-efi/{snp{,only},ipxe,intel,realtek}.efi ${FOGDIR}/packages/tftp/arm64-efi/
cp bin-i386-efi/{snp{,only},ipxe,intel,realtek}.efi ${FOGDIR}/packages/tftp/i386-efi/
cp bin-x86_64-efi/{snp{,only},ipxe,intel,realtek}.efi ${FOGDIR}/packages/tftp/

# Build with 10 second delay
make -j$(nproc) EMBED=ipxescript10sec bin-{i386,x86_64}-efi/{snp{,only},ipxe,intel,realtek}.efi ${BUILDOPTS}
[[ $? -eq 0 ]] || exit 91

make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu- ARCH=arm64 EMBED=ipxescript10sec bin-arm64-efi/{snp{,only},ipxe,intel,realtek}.efi ${BUILDOPTS}
[[ $? -eq 0 ]] || exit 93

# Copy the files to upload
cp bin-arm64-efi/{snp{,only},ipxe,intel,realtek}.efi ${FOGDIR}/packages/tftp/10secdelay/arm64-efi/
cp bin-i386-efi/{snp{,only},ipxe,intel,realtek}.efi ${FOGDIR}/packages/tftp/10secdelay/i386-efi/
cp bin-x86_64-efi/{snp{,only},ipxe,intel,realtek}.efi ${FOGDIR}/packages/tftp/10secdelay/

And usb.h:

#ifndef CONFIG_USB_H
#define CONFIG_USB_H

/** @file
 *
 * USB configuration
 *
 */

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

#include <config/defaults.h>

/*
 * USB host controllers (enable all)
 */
#define USB_HCD_XHCI    /* xHCI USB 3.0 host controller */
#define USB_HCD_EHCI    /* EHCI USB 2.0 host controller */
#define USB_HCD_UHCI    /* UHCI USB 1.1 host controller */
//#undef USB_HCD_USBIO   /* Very slow EFI USB host controller */

/*
 * USB peripherals
 */
#define USB_KEYBOARD    /* USB keyboards */
//#undef USB_BLOCK       /* USB block devices */

/*
 * USB external interfaces
 */
#define USB_EFI         /* Provide EFI_USB_IO_PROTOCOL interface */

#include <config/named.h>
#include NAMED_CONFIG(usb.h)
#include <config/local/usb.h>
#include LOCAL_NAMED_CONFIG(usb.h)

#endif /* CONFIG_USB_H */

@sebastian-roth
Thanks for this, using the build.sh produced a working init. Part of me still wants to understand what broke but there really isn’t any point if this is working fine.

@george1421 So this gets weirder and weirder.

I just completely deleted our entire buildroot setup and all the fos information, everything. Re-downloaded everything and started again from absolute scratch. Completely fresh, FOG-standard FOS init and it still doesn’t work. BUT, I also found an old init we were using a couple of months ago and that works absolutely fine.

Now, the interesting thing here is that I did a “make clean” before the last init was compiled and it was then that the issue manifested.

This suggests to me that one of the packages that is downloaded during a clean make process has been updated or changed in the last month in such a way as to break things. If this is the case surely I can just manually download a safe version of whatever it is and put it in the buildroot/dl/ directory but first I need to work out what is broken.

Any ideas?

@george1421 Since we are currently building our own init with buildroot (thanks to your advice in https://forums.fogproject.org/topic/16145/unfreeze-drive-from-fog-init-image/8?_=1650556627677), with the latest from https://github.com/FOGProject/fos would that not include the fix? Or is it something server-side that is missing?

We’ve been using FOG 1.5.9 for over a year, we image multiple machines with Windows 10 every day.

Unfortunately, all our images just stopped resizing the core partition.

I’ve checked every image d1.partition/minimum.partitions/fixed_size_partitions and everything is correct (fixed size is 1:2:4, 3 is the core partition, 4 is Windows Recovery which also blocks the main Windows partition from being expanded manually), but these shouldn’t be the issue anyway since the partitions were extending before and now, suddenly, they are not.

We are using a custom kernel and a modified init.xz (just added a few custom scripts, some extra tools and suspend to RAM functionality). I’ve also tried an old init.xz but we get the same issue. The last change I made was to include procps-ng (from buildroot) in the latest init.xz since busybox ps is super limited, I’m concerned that this might have caused the issue but it still didn’t work with the old init.xz so I’m really not sure!

I’m going to keep hammering away at this but any advice would be greatly appreciated.

Final update: Got everything working! The monitor not waking up after sleep was fixed by adding in some extra graphics drivers to the kernel and we’ve found some solutions to wiping difficult machines (like Lenovo’s) which normally force you to use tools built into the UEFI or a special Lenovo wipe program that only works on certain models and asks you to confirm 5 times and gives you a random generated key that you have to enter in after a reboot. As a note, even parted magic fails to wipe Lenovo drives.

Anyway, thank you @george1421 you’ve helped me to learn a great deal and enabled our success in this.

@george1421 We’re half a step ahead here! Already enabled all the CONFIG_ACPI options and CONFIG_SUSPEND etc. and built a new kernel. We also enabled RTC for rtcwake but that still leaves the screen blank. It also turns out that acpitools (something we thought might work) tries to suspend using /proc/acpi/sleep which, from what I have read, is deprecated because it’s an abuse of /proc.

We are running under the assumption that at least some power management tools have scripts built in to reinitialise monitors/displays etc. using methods which are currently unknown to us and that the easiest solution would be to just get one of them to do it all for us. Unfortunately, so far, this hasn’t worked out.

Right now I’m thinking we need to see if we can just tell stuff to turn back on so I might have to figure out enough ASL to turn the screen back on using acpiexec and an AML file. I’ve also added kexec in to our init though so maybe we can just reload the init after sleeping to unfreeze and that will restart everything.

Another option might be (if this is possible) to use ASL/AML/acpiexec to directly remove power from the drive and then power it back up.

hdparm has an unfreeze command (doesn’t always work) but unfortunately nvme-cli has no equivalent, even tried setting the power states to their lowest possible and then setting them back, also tried the reset command (didn’t work) and the reset-subsystem command just made the drive disappear.

In general, in buildroot, I can’t find any power management tools other than the acpi stuff and powertop (which is useless). Another option might be to try and add in uswsusp manually but the last build of that is from 2011!

The amount of stuff we are learning to solve one, small problem is nuts.

@george1421 Just wanted to update and say thanks again! Your guide is excellent, very easy to follow and everything is working. It would be really useful to have something like this up on fog docs.

Unfortunately we still haven’t been able to solve our core issue though. We can suspend to ram and then wake up (and ssh in) but the screens don’t wake up. I’m sure we’ll figure it out sooner or later. We are certainly learning a lot in the process!

@george1421 That’s literally perfect, thanks! Seems fairly straightforward, I’ll update this thread with progress later.

As a note, we are charity refurbishing computers/laptops and donating them on. We have our own external database that we push data to but we use FOG to harvest data (we’ve created our own inventory and registration scripts to record all drives and pci devices and every RAM module separately). We also use FOG to image outgoing devices and to load tools like parted magic. We are now writing our own data erasure and verification script which is why we need to be able to sleep machines (in order to unfreeze drives), this will be used to effectively complete the automation of processing incoming items, currently we have to use external tools to perform data erasure and some of these we have configured to also report into our database but it would be quicker/more convenient to be able to do it all through 1 boot of the machine, hence adding the functionality to our FOS image.

@george1421 Thank you for your response.

We compiled a custom FOS kernel following the instructions https://docs.fogproject.org/en/latest/reference/compile_fos_kernel.html?highlight=FOS but with CONFIG_SUSPEND=y etc.

This technically works, we can suspend and resume now and machines can be accessed via SSH but their screens stay blank. We’re assuming graphics driver issues but all of the information we can find for diagnosing and fixing these issues relies on tools which are not in the init image and are more complicated to add to it.

As such, we are now looking at following your advice and setting up our own buildroot environment but we’d like to keep everything as close to the default FOS setup as possible. I cannot find anything on docs.fogproject.org that would help with this so any guidance you can give would be extremely helpful!

Thank you.