PXE-IPv6

Differences between revisions 5 and 6
Revision 5 as of 2013-09-23 03:22:41 (size 4255, editor: vorlon)
Revision 6 as of 2013-09-23 03:23:10 (size 4280, editor: vorlon)

Line 68 changed from:
        linux /precise/linux
to:
        linux /precise/linux $vt_handoff quiet splash

SecureBoot-compatible UEFI netboot over IPv4 and IPv6

UEFI/PXE-netboot-install describes a method for preparing a self-contained netboot image for use with UEFI-based systems. However, with the introduction of UEFI SecureBoot, it is not possible to boot self-built netboot images on all UEFI systems without either disabling SecureBoot on the target system, or updating the SecureBoot key configuration in the firmware and signing your netboot images. This page therefore describes an alternate method for netbooting Ubuntu using a pre-prepared UEFI grub image.

This method also has two additional key features:

  • it allows booting to a grub menu providing a selection of boot options
  • changes can be made to the boot configuration by dropping in stock Ubuntu netboot images and/or updating the grub.cfg, with no requirement to regenerate special grub images.

It is expected that future versions of MAAS will use the described method for hardware provisioning.

TFTP server configuration

Downloading the standard boot files

Setting up the basic tftp root requires copying into place three main files:

  • shim.efi.signed from the shim-signed package, installed as bootx64.efi under the tftp root
  • grubnetx64.efi.signed from the grub2 source package (and shipped in the grub-efi-amd64-signed binary package), installed as grubx64.efi under the tftp root
  • unicode.pf2 from the grub-common package, installed as grub/fonts/unicode.pf2 under the tftp root

The last of these files is optional, but makes it possible to provide the same high-quality graphical output for the grub menu when netbooting that you get when booting locally.

The uefi-netboot.sh script enables you to download and install all of these files securely from Ubuntu. Ubuntu 13.10 or later is needed to run this script; if your tftp server is deployed on an earlier version of Ubuntu or on a different OS, you will want to create an Ubuntu 13.10 chroot, run the script, and copy the result over to your server. Note that it does *not* verify the grubnetx64.efi.signed file at download time, but instead relies on the fact that the bootx64.efi from the shim package will fail to pass control to grubx64.efi if it is not a properly signed EFI binary. (This does mean that an attacker could intercept your network traffic and replace the real grubx64.efi with any other binary signed by a trusted key, such as a different OS. If this is a concern, you should download the grub-efi-amd64-signed binary package with apt-get and extract the grubnetx64.efi.signed binary instead of using the attached script.)
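The three-file layout above, together with the caveat that grubx64.efi is not verified at download time, as an added Python example (this is not the wiki's uefi-netboot.sh and not Ubuntu project code): stage_tftp_root copies the files into the layout the page specifies, and inspect_pe parses the PE/COFF headers of each staged binary to confirm it is a 64-bit EFI application that carries an Authenticode certificate table. That is the pre-flight check a tftp administrator wants before serving the files; it does not replace shim's signature validation, which is what actually decides whether grubx64.efi is trusted. build_test_image constructs a headers-only PE32+ image so the check runs offline; the temp-directory paths are assumptions, and in practice the source files come from the packages (for example extracted with dpkg-deb -x after apt-get download).

```python
"""Stage a SecureBoot netboot tftp root and sanity-check the EFI binaries.
Added example for the wiki page; package file locations are assumptions."""
import os
import shutil
import struct
import tempfile

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directory


def stage_tftp_root(tftp_root, shim_signed, grubnet_signed, unicode_font=None):
    """Copy the files into the layout the page specifies: shim -> bootx64.efi,
    grubnet -> grubx64.efi, font (optional) -> grub/fonts/unicode.pf2."""
    os.makedirs(os.path.join(tftp_root, "grub", "fonts"), exist_ok=True)
    plan = [(shim_signed, os.path.join(tftp_root, "bootx64.efi")),
            (grubnet_signed, os.path.join(tftp_root, "grubx64.efi"))]
    if unicode_font is not None:
        plan.append((unicode_font, os.path.join(tftp_root, "grub", "fonts", "unicode.pf2")))
    written = []
    for src, dst in plan:
        shutil.copyfile(src, dst)
        os.chmod(dst, 0o644)  # tftp serves world-readable files; nothing needs +x
        written.append(dst)
    return written


def inspect_pe(data):
    """Parse just enough of a PE image to report machine, subsystem and whether
    a certificate table (Authenticode signature) is present and in bounds."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsec, _ts, _symp, _nsym, _optsz, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)        # 20-byte COFF file header
    opt = e_lfanew + 24                         # optional header follows it
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:                          # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                        # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    (ndirs,) = struct.unpack_from("<I", data, ndirs_off)
    info = {"machine": machine, "pe32plus": magic == 0x20B, "subsystem": subsystem,
            "signed": False, "cert_type": None, "cert_table_size": 0}
    if ndirs > CERT_TABLE_INDEX:
        # For the security directory the first field is a file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from("<II", data, dirs_off + 8 * CERT_TABLE_INDEX)
        if cert_size and cert_off + cert_size <= len(data):
            _length, _rev, cert_type = struct.unpack_from("<IHH", data, cert_off)  # WIN_CERTIFICATE
            info.update(signed=True, cert_type=cert_type, cert_table_size=cert_size)
    return info


def looks_like_uefi_x64_binary(info):
    """True for a 64-bit EFI application carrying a PKCS#7 signature blob.
    Shim still decides whether the signer is trusted; this only catches
    wrong-architecture, truncated or unsigned files before they are served."""
    return (info["machine"] == IMAGE_FILE_MACHINE_AMD64 and info["pe32plus"]
            and info["subsystem"] == IMAGE_SUBSYSTEM_EFI_APPLICATION
            and info["signed"] and info["cert_type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA)


def build_test_image(signed=True):
    """Constructed headers-only PE32+ EFI image for offline testing; a real
    bootx64.efi or grubx64.efi is parsed by inspect_pe in exactly the same way."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 112 + 16 * 8                     # PE32+ optional header, 16 directories
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_EFI_APPLICATION)
    struct.pack_into("<I", opt, 108, 16)
    cert = b""
    if signed:
        blob = b"\x30\x00" + b"\0" * 14         # constructed stand-in for the PKCS#7 DER
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, e_lfanew + 24 + opt_size, len(cert))
    return dos + coff + bytes(opt) + cert


def main():
    """Stage constructed images into a scratch tftp root (assumed temp paths)
    and return the header check result for each served binary."""
    src, root = tempfile.mkdtemp(prefix="pkgs-"), tempfile.mkdtemp(prefix="tftp-")
    for name in ("shim.efi.signed", "grubnetx64.efi.signed"):
        with open(os.path.join(src, name), "wb") as f:
            f.write(build_test_image(signed=True))
    written = stage_tftp_root(root, os.path.join(src, "shim.efi.signed"),
                              os.path.join(src, "grubnetx64.efi.signed"))
    results = {}
    for path in written:
        with open(path, "rb") as f:
            results[os.path.relpath(path, root)] = looks_like_uefi_x64_binary(inspect_pe(f.read()))
    shutil.rmtree(src)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(main())
```

Running it against the real files is a matter of pointing stage_tftp_root at the extracted package contents and feeding each written path to inspect_pe; a shell script or a binary for another architecture fails the check immediately, which is the kind of mistake a downloaded-over-HTTP file can otherwise carry all the way to the first failed netboot.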

Configuring the Ubuntu payload

In addition to the stock bootloader files, you will need to copy your kernel and initramfs to the tftp root, and install a grub2 config file at grub/grub.cfg under the tftp root. The kernel and initramfs can be downloaded from archive.ubuntu.com; e.g.:

wget http://archive.ubuntu.com/ubuntu/dists/precise/main/installer-amd64/current/images/netboot/ubuntu-installer/amd64/linux -O precise/linux
wget http://archive.ubuntu.com/ubuntu/dists/precise/main/installer-amd64/current/images/netboot/ubuntu-installer/amd64/initrd.gz -O precise/initrd.gz

Here is a sample grub.cfg that offers a single boot entry, assuming that the netboot files have been installed in the precise subdirectory of the tftp root. You can specify as many menuentry sections as you wish.

# Boot the first entry by default; timeout=-1 means wait at the menu indefinitely
set default="0"
set timeout=-1

# grub built with a default font path understands the name "unicode"; otherwise
# fall back to the unicode.pf2 installed under grub/fonts in the tftp root
if [ x$feature_default_font_path = xy ] ; then
  font=unicode
else
  font=$prefix/fonts/unicode.pf2
fi

# Switch to graphical output only once a font has loaded
if loadfont $font ; then
  set gfxmode=auto
  set locale_dir=$prefix/locale
  set lang=en_US
fi
terminal_output gfxterm

set menu_color_normal=white/black
set menu_color_highlight=black/light-gray
if background_color 44,0,30; then
  clear
fi

# "keep" leaves the firmware video mode in place and hands the console to the
# kernel on vt7, so the splash appears without a mode switch
function gfxmode {
  set gfxpayload="${1}"
  if [ "${1}" = "keep" ]; then
    set vt_handoff=vt.handoff=7
  else
    set vt_handoff=
  fi
}

set linux_gfx_mode=keep

export linux_gfx_mode

# Paths are relative to the tftp root; add one menuentry per kernel/initrd pair
menuentry 'Ubuntu 12.04' {
  gfxmode $linux_gfx_mode
  linux /precise/linux $vt_handoff quiet splash
  initrd /precise/initrd.gz
}

UEFI/SecureBoot/PXE-IPv6 (last edited 2023-08-31 21:58:41 by vorlon)