Secure Boot and EFI over PXE?

  1. last year
    Edited last year by TylerL

    Hello, we've been using CloneDeploy with great success in our school district since summer. Thanks for this great tool!

    We use USB sticks to initiate CloneDeploy's standard Linux block imaging, keeping our devices in UEFI Secure Boot mode.
    We're now attempting to use PXE booting (via Proxy DHCP) to eliminate the need for physical USB sticks, but receive an "ACCESS DENIED" error after the pxeboot.0 file is transferred. Switching devices to legacy mode and using plain old pxelinux will boot just fine, but obviously adds extra steps pre- and post-imaging.
    Moreover, disabling Secure Boot while leaving UEFI on will allow the pxeboot.0 to run, but brings the computer to the GNU GRUB rescue shell, rather than the normal CloneDeploy Grub menu we're accustomed to from the USB sticks.

    I've tried messing with some of the files in /tftpboot and replaced pxeboot.0 with the USB stick's bootx64.efi, which seems to move on beyond the Secure Boot step (but then immediately fails for some other reason). Could it be that pxeboot.0 is not properly signed in the same way that bootx64.efi is? Or are other critical files not loading during the PXE/TFTP steps?

    The CloneDeploy documentation (http://clonedeploy.org/docs/imaging-environments/) states that Secure Boot (and therefore EFI) is supported when Proxy Efi64 PXE Mode is set to grub (which ours is).

    I tried searching for any chatter from other users, but haven't found an instance of someone using EFI Grub PXE with Secure Boot either on or off.
    Is there anything I'm missing?
    Thanks for any insight!

  2. clonedeploy

    20 Mar 2017 Administrator

    There is a bug with Grub that causes it not to work with proxydhcp. I have submitted a bug fix request but it doesn't appear that it's high on their priority list. If it were me I would disable secure boot, leave it in EFI and use ipxe. If you absolutely must use secure boot, then you'll need to stick with the USB method or use the WinPE imaging environment.

  3. Ok, thank you! ipxe will work for us for now.
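
An added example (not part of the thread, and not CloneDeploy code) for the first post's question of whether pxeboot.0 is signed the way bootx64.efi is: it lists the signatures embedded in a PE/COFF EFI image's certificate table. The function names and the constructed sample header are assumptions for illustration; the check reports presence only and does not validate a signature against the firmware's keys.

```python
import struct
import sys

CERT_TYPES = {0x0002: "PKCS#7 SignedData (Authenticode)", 0x0EF1: "EFI GUID"}

def embedded_signatures(image: bytes):
    """Return [(certificate type, length), ...]; [] means no embedded signature."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe_off + 24                        # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    (ndirs,) = struct.unpack_from("<I", image, dirs - 4)
    if ndirs <= 4:                           # certificate table is data directory 4
        return []
    off, size = struct.unpack_from("<II", image, dirs + 4 * 8)  # a file offset, not an RVA
    found, end = [], off + size
    while off + 8 <= min(end, len(image)):   # walk the WIN_CERTIFICATE entries
        length, _rev, ctype = struct.unpack_from("<IHH", image, off)
        if length < 8:
            break
        found.append((CERT_TYPES.get(ctype, hex(ctype)), length))
        off += (length + 7) & ~7             # entries are 8-byte aligned
    return found

def sample_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for demonstration; not a bootable loader."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)
    struct.pack_into("<I", hdr, opt + 108, 16)
    if signed:                               # 20 placeholder bytes, not a real PKCS#7 blob
        cert = struct.pack("<IHH", 28, 0x0200, 0x0002) + bytes(20)
        cert += b"\0" * (-len(cert) % 8)
        struct.pack_into("<II", hdr, opt + 112 + 32, len(hdr), len(cert))
        hdr += cert
    return bytes(hdr)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, embedded_signatures(f.read()) or "UNSIGNED")
```

Run it against both loaders, for example the copy of pxeboot.0 in /tftpboot and the USB stick's bootx64.efi, and compare the output.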

 
