Secure Boot Network Installation


1. Preboot Execution Environment (PXE)

We start with the standard PXE setup that has been used for decades for diskless client bootstrapping. The client requests an IP address and receives it together with the information about where to find a boot file that can be loaded via TFTP. In our case the network connection is handled by the EFI stack, and the file the system loads is an EFI application.

2. Copy relevant files to the right places

The relevant files can simply be copied from the ISO image. First we need the bootx64.efi file, which is the shim that carries an official digital signature from Microsoft. This file gets validated during Secure Boot and allows us to load and validate the grub.efi file that was signed with the “openSUSE Secure Boot CA”. GRUB then loads its config file and offers the same menu we know from the ISO image.

The following steps are the same for openSUSE and SUSE Linux Enterprise:

#> mount -o loop openSUSE-Leap-15.0-DVD-x86_64.iso /mnt
#> cp /mnt/EFI/BOOT/{bootx64.efi,grub.efi,grub.cfg} /srv/tftpboot/
#> cp -r /mnt/boot /srv/tftpboot/

To run a full network installation we also need to provide the ISO image content. A simple way to do this is via HTTP. Just create an installation sub-directory with the full content of the ISO image. Best practice is to mount the ISO image inside the web server environment.

The 'Installation' menu-entry inside the grub.cfg file can then be extended with the netsetup= and install= parameters. Simply extend the linuxefi line with the following string:

netsetup=dhcp,all install=http://192.168.7.1/install/opensuse/leap150/
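The grub.cfg edit described above can be scripted so that the served file differs from the ISO copy in exactly one line. This is an added example, not part of the original post; the function names and the sample grub.cfg are constructed for illustration, and only the parameter string comes from this page.

```shell
#!/bin/sh
# Added example (not from the original post): append the network-install
# parameters to the linuxefi line of the 'Installation' menuentry only.

# Parameter string exactly as given on this page.
NET_ARGS='netsetup=dhcp,all install=http://192.168.7.1/install/opensuse/leap150/'

# Usage: patch_grub_cfg "$NET_ARGS" < grub.cfg > grub.cfg.new
# Idempotent: a linuxefi line that already carries install= is left alone.
patch_grub_cfg() {
    awk -v args="$1" '
        # Track whether we are inside the entry titled exactly Installation.
        /^[ \t]*menuentry[ \t]/ {
            in_entry = ($0 ~ /^[ \t]*menuentry[ \t]+.Installation.[ \t{]/)
        }
        in_entry && /^[ \t]*linuxefi[ \t]/ && $0 !~ /[ \t]install=/ {
            sub(/[ \t]+$/, "")          # drop trailing whitespace
            $0 = $0 " " args
        }
        /^[ \t]*}/ { in_entry = 0 }     # end of the current menuentry
        { print }
    '
}

# Constructed sample, modelled on the layout of an installer grub.cfg
# (assumption: entry titles and kernel paths are illustrative).
sample_cfg() {
    cat <<'EOF'
menuentry 'Installation' --class opensuse --class gnu-linux {
  set gfxpayload=keep
  linuxefi /boot/x86_64/loader/linux splash=silent
  initrdefi /boot/x86_64/loader/initrd
}
menuentry 'Upgrade' --class opensuse --class gnu-linux {
  linuxefi /boot/x86_64/loader/linux splash=silent upgrade=1
  initrdefi /boot/x86_64/loader/initrd
}
EOF
}

# Demo run on the sample; on a real server, redirect from and to files
# under /srv/tftpboot/ and diff the result against /mnt/EFI/BOOT/grub.cfg.
sample_cfg | patch_grub_cfg "$NET_ARGS"
```

Diffing the patched file against the copy on the mounted ISO afterwards confirms that nothing else in the menu changed.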

We can also customize the boot menu theme by editing the boot/x86_64/grub2-efi/themes/openSUSE/theme.txt file. In this example we will edit the theme title that is shown during boot.

title-text: "openSUSE Leap 15.0 (UEFI Network Installation)"

3. Showtime

You need to enable UEFI IPv4 Boot and Secure Boot inside the BIOS of your system. Then it should look similar to this KVM Secure Boot screencast.

Have a lot of fun! 😉
