Secure Boot Network Installation | SUSE Communities
< Back to Blog

Secure Boot Network Installation

June 27, 2018 | By: Alexander Bergmann

Share
Share

1. Preboot Execution Environment (PXE)

We have to start with the standard PXE setup that is used for decades for disk-less client bootstrapping. The client requests an IP address and gets it together with the information where to find a boot file that can be loaded via TFTP. In our case the network connection is done via the EFI stack and the file the system is loading is an EFI application.

2. Copy relevant files to the right places

The relevant files that we need can simply be copied from the ISO image. First we need the the bootx64.efi file that is the shim that has an official digital signature from Microsoft. This file gets validated during Secure Boot and allows us to load and validate the grub.efi file that was signed with the “openSUSE Secure Boot CA”. Grub will then load its config file and offers the same menu we know from the ISO image.

The following steps are the same for openSUSE and SUSE Linux Enterprise:

#> mount -o loop openSUSE-Leap-15.0-DVD-x86_64.iso /mnt
#> cp /mnt/EFI/BOOT/{bootx64.efi,grub.efi,grub.cfg} /srv/tftpboot/
#> cp -r /mnt/boot /srv/tftpboot/

To run a full network installation we also need to provide the ISO image content. A simple way to do this is via HTTP. Just create an installation sub-directory with the full content of the ISO image. Best practice is to mount the ISO image inside the web server environment.

The 'Installation' menu-entry inside the grub.cfg file can then be extended with the netsetup= and install= parameters. Simply extend the linuxefi line with the following string:

netsetup=dhcp,all install=http://192.168.7.1/install/opensuse/leap150/

We can also customize the boot menu theme by editing the boot/x86_64/grub2-efi/themes/openSUSE/theme.txt file. In this example we will edit the theme title that is shown during boot.

title-text: "openSUSE Leap 15.0 (UEFI Network Installation)"

3. Showtime

You need to enable UEFI IPv4 Boot and Secure Boot inside the BIOS of your system. Then it should look similar to this KVM Secure Boot screen cast.

Have a lot of fun! 😉

Share

Related Articles

Jul 08th, 2023

From CentOS to openSUSE Leap: How to Feel at Home

Mar 08th, 2024

SUSE Linux Enterprise Service Pack 6 Public Beta is now available

Jan 16th, 2024

SUSE Receives 30 Badges in the Winter G2 Report

Sep 13th, 2022

Security, Sustainability and Speed: Introducing the IBM LinuxONE Emperor 4

Leave a Reply

Your email address will not be published. Required fields are marked *

No comments yet

Avatar photo
11,349 views
Alexander Bergmann
Back

IT Modernization


SAP Solutions


AI and Analytics


Hybrid Cloud Solutions


Nonstop IT


Exit Federal Government

Back

Business-Critical Linux

Enterprise Container Management

Edge

All Products
Back

Solutions

Hybrid Cloud IT
Business-critical Linux

Run & secure cloud and on-prem workloads
Run SAP
Run SAP

Deliver mission-critical SAP solutions
Enterprise Container Management
Enterprise Container Management

Orchestrate cloud-native apps
IT Operations at the Edge
Edge

Deploy intelligent devices to the edge
Public Cloud
SUSE for Public Cloud

Accelerate innovation across your clouds
Security
Security

Secure your digital enterprise

Industries

Back

Support

Product Support
Premium Support Services

Dedicated support services from a premium team


Long Term Service Support

Stay on your existing product version


Renew Your Support Subscription

Services

Consulting Services
Training & Certification
Premium Technical Advisory Services

Resources

SUSE Support User Guide
Patches & Updates
Product Documentation
Knowledgebase
SUSE Customer Center
Product Support Life Cycle
Licensing
Package Hub

Community packages for SUSE Linux Enterprise Server


Driver Search
Support Forums
Developer Services
Beta Program
Security
Back

Partners

Partner Program


Find a Partner


Become a Partner


Login to the SUSE Partner Portal

Back

Communities

Community

Blog


Forum


Open Source Projects


openSUSE.org



SUSE Polska

Back

About

About Us


Leadership


Careers


Newsroom


Success Stories


Investor Relations


Social Impact


SUSE Logo and Brand


Events & Webinars


Merchandise Store


Communications Preferences