@george1421 so your saying
mv /tftpboot/ipxe.efi /tftpboot/ipxe-unsigned.efi
sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /tftpboot/ipxe.efi /tftpboot/ipxe-unsigned.efi
i could all instances of “ipxe.efi” with any one of these
intel.efi
ipxe.efi
realtek.efi
snp.efi
snponly.efi
thanks,
rob
@george1421 thanks
also im using as the boot file name “snp.efi” is that a problem
@george1421 thank you george very much
im doing this on another laptop with secure boot on and then il transfer the files to my fog server that way
is the below file the only file i need from the laptop, or do i need these two files aswell
/opt/fog/secureboot/efitools/EnrollKeys.efi
/opt/fog/secureboot/efikeys/DB.crt
/opt/fog/secureboot/efikeys/DB.key
thanks,
rob
sudo efi-readvar -v dbx -o /opt/fog/secureboot/hwkeys/hw_dbx.esl
I did run this command and then I moved it to this dir as you can see from my previous post when I ran the ls command
I did run the make command in the efitools dir but as you can see it’s not here as I’ve done an ls command and it’s not listed
I can’t mv dbx.esl as it’s not there to move
I can however cp hw_dbx.esl and rename the copy dbx.esl so I do have a dbx.esl file, do I have to do this?
Thanks
Rob
hi all,
im following this guide
https://forums.fogproject.org/topic/15888/imaging-with-fog-and-secure-boot-poc/3
but getting stuck at below
mv dbx.esl dbx-fog.esl
mv: cannot stat 'dbx.esl': No such file or directory
root@rkw-Venue-11-Pro-7140:/opt/fog/secureboot/efitools# ls
cert-to-efi-hash-list DB2-pkupdate.auth efi-updatevar hw_db.esl KeyTool-signed.efi ms-kek.crt PK.esl ShimReplace-signed.efi
cert-to-efi-hash-list.c DB2-update.auth efi-updatevar.c hw_dbx.esl KeyTool.so ms-kek-hash-blacklist.auth PK.h ShimReplace.so
cert-to-efi-hash-list.o DB.auth efi-updatevar.o hw_KEK.esl lib ms-kek-pkupdate.auth PK-hash-blacklist.auth sig-list-to-certs
cert-to-efi-sig-list DB-blacklist.auth flash-var hw_PK.esl Loader.c ms-kek-update.auth PK.key sig-list-to-certs.c
cert-to-efi-sig-list.c DB.cer flash-var.c include Loader.efi ms-uefi.auth PK-pkupdate.auth sig-list-to-certs.o
cert-to-efi-sig-list.o DB.crt flash-var.o KEK.auth Loader-signed.efi ms-uefi-blacklist.auth PK-update.auth sign-efi-sig-list
COPYING DB-fog.esl hash-to-efi-sig-list KEK-blacklist.auth Loader.so ms-uefi.crt PreLoader.c sign-efi-sig-list.c
DB1.auth DB.h hash-to-efi-sig-list.c KEK.cer LockDown.c ms-uefi-hash-blacklist.auth README sign-efi-sig-list.o
DB1-blacklist.auth DB-hash-blacklist.auth hash-to-efi-sig-list.o KEK.crt LockDown.efi ms-uefi-pkupdate.auth ReadVars.c UpdateVars.c
DB1-hash-blacklist.auth DB.key HashTool.c KEK-fog.esl LockDown.o ms-uefi-update.auth ReadVars.efi UpdateVars.efi
DB1.key DB-pkupdate.auth HashTool.efi KEK.h LockDown-signed.efi myGUID.txt ReadVars-signed.efi UpdateVars-signed.efi
DB1-pkupdate.auth DB-update.auth HashTool-signed.efi KEK-hash-blacklist.auth LockDown.so noPK.auth ReadVars.so UpdateVars.so
DB1-update.auth doc HashTool.so KEK.key Makefile noPK.esl SetNull.c xxdi.pl
DB2.auth efi-keytool.c HelloWorld.c KEK-pkupdate.auth Make.rules PK.auth SetNull.efi
DB2-blacklist.auth efi-readvar HelloWorld.efi KEK-update.auth mkusb.sh PK-blacklist.auth SetNull-signed.efi
DB2-hash-blacklist.auth efi-readvar.c HelloWorld-signed.efi KeyTool.c ms-kek.auth PK.cer ShimReplace.c
DB2.key efi-readvar.o HelloWorld.so KeyTool.efi ms-kek-blacklist.auth PK.crt ShimReplace.efi
root@rkw-Venue-11-Pro-7140:/opt/fog/secureboot/efitools#
can i manually put a dbx.esl in there, if so has anyone got the file i could drop in here
thanks,
rob
@sebastian-roth when George says this
mkdir -p /opt/fog/secureboot/hwkeys
cd /opt/fog/secureboot/
sudo efi-readvar -v PK -o /opt/fog/secureboot/hwkeys/hw_PK.esl
sudo efi-readvar -v KEK -o /opt/fog/secureboot/hwkeys/hw_KEK.esl
sudo efi-readvar -v db -o /opt/fog/secureboot/hwkeys/hw_db.esl
sudo efi-readvar -v dbx -o /opt/fog/secureboot/hwkeys/hw_dbx.esl
sudo chmod 666 /opt/fog/secureboot/hwkeys/*
He says he got the certs above on a debian instance running on a hardware pc,
What about if this a Ubuntu vm?
hi,
replyijng back to this old post as i looked at the link that @Sebastian-Roth replied to me about making secure boot work, and isnt it just a case of self signing the kernel ie
/var/www/html/fog/service/ipxe/bzImage and
/var/www/html/fog/service/ipxe/bzImage32
and copying the self signed cert to all the hosts?
thanks,
rob
check out this neat guide, could make installing windows 11 on fog a breeze
hi all,
so now i have UEFI working on my fog server, issue is now it works when secure boot is off but when on it doesnt work
is this the only way to get it working with fog
https://forums.fogproject.org/topic/13832/secureboot-issues
thanks,
rob
@sebastian-roth quick Google, it cannot be done on uefi
https://askubuntu.com/questions/917961/can-i-boot-memtest86-if-im-using-uefi
Is there an alternative memtest
hi all,
i noticed theres a memtest in the fog menu but the parameters is blank, i was wondering how to get it working
thanks,
rob
@robertkwild scrap this it works and when it runs the setup eventually its quick like a normal install
dont think my cifs share can handle the setup over the network as it gets stuck sometimes after mounting the smb share where my windows 10 install is
after this it should pop up with the setup.exe, sometimes it works, sometimes it doesnt, so im pretty sure my smb share cant handle it
@george1421 thank you so much george, if i could see you i would buy you a beer mate!!!
set tftp-path tftp://${fog-ip}
set pe-path ${tftp-path}/os/winpe
kernel ${tftp-path}/wimboot gui
imgfetch --name BCD ${pe-path}/BCD BCD
imgfetch --name boot.sdi ${pe-path}/boot.sdi boot.sdi
imgfetch --name boot.wim tftp://${fog-ip}/os/mswindows/boot.wim boot.wim
boot || goto MENU
basically i made the winpe, mounted it, slipstreamed the drivers, edited the startnet.cmd, unmounted it and comitted
in
C:\WinPE_amd64\media\sources\boot.wim
i copied it over to the above and now it all works lovely
again, thank you so much george!!!
@george1421 lol OK I’m being a donut
So I take that new boot wim from the winpe iso and put it in the same place Ie overwrite my normal boot wim in my windows 10 dvd folder that I have saved in the smb share?
@george1421 so if i dont need the ISO what lines do i add in the menu, just the WinPE lines?
set tftp-path tftp://${fog-ip}
set pe-path ${tftp-path}/os/winpe
kernel ${tftp-path}/wimboot gui
imgfetch --name BCD ${pe-path}/BCD BCD
imgfetch --name boot.sdi ${pe-path}/boot.sdi boot.sdi
imgfetch --name boot.wim ${pe-path}/boot.wim boot.wim
boot || goto MENU
as atm for my windows 21h1 menu i have appended the iso line to it ie
initrd nfs://${fog-ip}:/images/os/mswindows/10-21h1/WinPE_amd64.iso
the wimboot is the latest one of there website
and at the bottom ive added the ISO
but when it start up it doesnt initialize the windows installer
i did add the net use command and point it to my cifs share where the windows install dvd is but it looks like its deleted those lines
i can run the command manually but i get permission denied
am i doing something wrong ?
thanks,
rob
@george1421 can I alter the boot.wim from the existing windows 10 installation file or do I have to do it via winpe boot.wim file
ok i can now succesfully boot up into windows 10
kernel nfs://${fog-ip}:/images/os/mswindows/wimboot
initrd nfs://${fog-ip}:/images/os/mswindows/10-21h1/boot/bcd bcd
initrd nfs://${fog-ip}:/images/os/mswindows/10-21h1/boot/boot.sdi boot.sdi
initrd nfs://${fog-ip}:/images/os/mswindows/10-21h1/sources/boot.wim boot.wim
boot
but now its says i have no device drivers, i guess i have to slip stream them in here
/images/os/mswindows/10-21h1/
is that right?
thanks,
rob
going to give this a go but obs change it
https://gist.github.com/rikka0w0/987d3e03c6f133802318669e85836870