SecureBoot-compatible UEFI netboot over IPv4 and IPv6 #5

micchickenburger opened this issue Apr 9, 2020 · 0 comments
Labels: enhancement (New feature or request), help wanted (Extra attention is needed), role:pxe (PXE Server Role)

Comments


micchickenburger commented Apr 9, 2020

(This work is being tracked in branch proxyboot.)

Currently, only PXE boot is supported for legacy BIOS. PXE boot for UEFI systems is a bit more complicated. For SecureBoot compatibility, boot images must be signed.

https://wiki.ubuntu.com/UEFI/SecureBoot/PXE-IPv6

  • Add UEFI-x64 support to dnsmasq (code 7)
  • Add UEFI-ia32 support to dnsmasq (code 6)
  • Add signed bootx64.efi to tftpboot
  • Add signed grubx64.efi to tftpboot
  • Add signed boot.efi to tftpboot (ia32)
  • Add signed grub.efi to tftpboot (ia32)
  • If we want IPv6 support, we may need to move from dnsmasq to isc-dhcp-server

Signed Grub binaries: http://archive.ubuntu.com/ubuntu/dists/bionic-updates/main/uefi/grub2-amd64/current/ (need grubnetx64.efi.signed)

Script for getting signed shim binary:

```sh
#!/bin/sh
# Copies the Ubuntu signed shim and the grub unicode font into the TFTP root.
# Run as root; "apt-get source" needs a deb-src entry in the apt sources.

set -e

tftproot=/var/lib/tftpboot

# needed for unpacking the shim-signed source package
apt-get install -y dpkg-dev

tmpdir=$(mktemp -d)

cleanup () {
  if [ -n "$tmpdir" ]; then
    rm -rf "$tmpdir"
  fi
}

trap cleanup EXIT HUP INT QUIT PIPE TERM

cd "$tmpdir"
apt-get source shim-signed
cp shim-signed-*/shimx64.efi.signed "$tftproot/bootx64.efi"

# Unfortunately the unicode font is assembled by the grub2 package at
# build-time, so we can't grab it from the source; and we have no persistent
# URL for it since that changes with each version number; so try to install
# it (which should be a no-op on x86 anyway) and copy the contents.
apt-get install -y grub-common
# The font directory must be created under the TFTP root, not in $tmpdir
# (the original "mkdir -p grub/fonts" created it in the working directory).
mkdir -p "$tftproot/grub/fonts"
cp /usr/share/grub/unicode.pf2 "$tftproot/grub/fonts"
```

However, there is a bug currently in the shim binary as well as grub that prevents the grub menu from appearing. During proxyDHCP, the ElderberryPi will pass along the path to bootx64.efi (the shim) and it will be downloaded via TFTP, then executed on the client. Then, the shim will try to load the grub files from the primary DHCP server instead of the proxy DHCP server, which obviously doesn't work unless those are the same servers.

rhboot/shim#165

The issue exists in grub as well: https://savannah.gnu.org/bugs/index.php?55636

(Also something else to look into: booting into grubx64.efi works just as well as bootx64.efi... so why do we need both?)

@micchickenburger micchickenburger added enhancement New feature or request help wanted Extra attention is needed labels Apr 16, 2020
@micchickenburger micchickenburger added the role:pxe PXE Server Role label May 12, 2020
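Since the whole point of the staging script is that only signed shim/grub images belong in tftpboot, a staging check that the copied PE binaries actually carry an Authenticode certificate table is worth having. The example below is added here and is not code from the issue or the project: it parses the PE32/PE32+ optional header (both the x64 and ia32 cases from the task list), reads data directory slot 4 (the Certificate Table) and checks the WIN_CERTIFICATE type; `build_sample_pe` constructs a minimal placeholder image for offline use. It reports signature presence only and does not validate the signature or its trust chain; use a tool such as sbverify for that.

```python
import struct
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory slot of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode: PKCS#7 SignedData

def certificate_table(data):
    """(file_offset, size) of the certificate table, None if empty; ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                      # 20-byte COFF file header
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                        # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:            # x64 shim/grub use the PE32+ layout
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == PE32_MAGIC:              # ia32 binaries use the PE32 layout
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + opt_size:
        return None                        # image declares no certificate directory
    off, size = struct.unpack_from("<II", data, entry)   # a file offset, not an RVA
    if off + size > len(data):
        raise ValueError("certificate table extends past end of file")
    return (off, size) if off and size else None

def has_authenticode_signature(data):
    """True if a WIN_CERTIFICATE of type PKCS#7 SignedData is present (presence only)."""
    tbl = certificate_table(data)
    if tbl is None:
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, tbl[0])
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 < length <= tbl[1]

def build_sample_pe(signed):
    """Constructed minimal PE32+ for offline testing; not a real bootloader or signature."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)     # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(struct.pack("<H", PE32PLUS_MAGIC)) + bytes(238)
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    blob = b"\x30\x82placeholder"                           # stands in for the PKCS#7 DER
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    if signed:                             # directory slot 4 -> table appended at file end
        struct.pack_into("<II", opt, 112 + 8 * 4, 0x40 + 4 + 20 + 240, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + (cert if signed else b"")
```

On a real tftpboot, read each `.efi` file with `open(path, "rb").read()` and refuse to serve any for which `has_authenticode_signature` returns False.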