iPXE discussion forum
WDS, iPXE, DHCP and SecureBoot - Printable Version

+- iPXE discussion forum (https://forum.ipxe.org)
+-- Forum: iPXE user forums (/forumdisplay.php?fid=1)
+--- Forum: General (/forumdisplay.php?fid=2)
+--- Thread: WDS, iPXE, DHCP and SecureBoot (/showthread.php?tid=8290)



WDS, iPXE, DHCP and SecureBoot - abos_systemax - 2017-01-11 16:24

Hello,

Currently I am using iPXE as a menu on all devices except SecureBoot enabled devices. For SecureBoot enabled devices, I'd like to always boot to WDS;

I suspect that DHCP has to provide this to the client, based on the fact if it's secureboot enabled, or not.

Since iPXE has a lot of DHCP options, i was wondering if this was possible; is DHCP aware of secure boot? And if so, what DHCP class option is this?

btw, I am using Linux DHCPd.

On another server, i chain the other way around (so the devices boot to WDS, and WDS provides those devices with PXElinux (configured via:

wdsutil /set-server /bootprogram:boot\x64\pxelinux.com /architecture:x64
wdsutil /set-server /N12bootprogram:boot\x64\pxelinux.com /architecture:x64
)

Is that same situation available for iPXE?


RE: WDS, iPXE, DHCP and SecureBoot - NiKiZe - 2017-01-11 20:00

SecureBoot is only relevant in the case where the client boots in EFI mode, as such you can look at http://ipxe.org/howto/chainloading#uefi where a simple example is made about how the dhcp arch option is used to determine if a pcbios compatible version of ipxe should be sent or a efi compatible one.

so what you would probably like to do is to always boot ipxes undionly.kpxe in legacy/pcbios mode, and in efi mode chain into the wds.efi

Even if you can detect EFI or not as a base with the above mentioned arch option, there is no option or detection AFAIK in dhcp for if secure boot is enabled or not.

And mandatory question: you are aware of wimboot which makes it possible to boot winpe via http download? which is probably many times faster then the default WDS TFTP method.


RE: WDS, iPXE, DHCP and SecureBoot - abos_systemax - 2017-01-12 09:35

(2017-01-11 20:00)NiKiZe Wrote:  SecureBoot is only relevant in the case where the client boots in EFI mode, as such you can look at http://ipxe.org/howto/chainloading#uefi where a simple example is made about how the dhcp arch option is used to determine if a pcbios compatible version of ipxe should be sent or a efi compatible one.

so what you would probably like to do is to always boot ipxes undionly.kpxe in legacy/pcbios mode, and in efi mode chain into the wds.efi

Even if you can detect EFI or not as a base with the above mentioned arch option, there is no option or detection AFAIK in dhcp for if secure boot is enabled or not.

And mandatory question: you are aware of wimboot which makes it possible to boot winpe via http download? which is probably many times faster then the default WDS TFTP method.

I am indeed aware of Wimboot; but the problem is that ipxe is not allowed to load when secureboot is enabled; Since we sometimes only wish to boot devices to Windows PE for registration and thus do not need to disable secureboot (because WDS can handle that), I need some means to redirect (only those) clients to WDS.

What we were doing in the old situation, was redirecting DHCP to WDS (next-server to the WDS server) and then set the boot program from WDS to pxelinux.cfg; is there a similar method known for IPXE?


RE: WDS, iPXE, DHCP and SecureBoot - ndog - 2017-01-12 12:10

(2017-01-12 09:35)abos_systemax Wrote:  For SecureBoot enabled devices, I'd like to always boot to WDS

If you insist on having a boot loader like syslinux, grub2 or ipxe you will have to disable secure boot on all machines as they come into the workshop. Until a time that ipxe.efi + wimboot is secure boot enabled, you will have to configure your DHCP server to serve Boot\x64\wdsmgfw.efi (from WDS) to clients in EFI mode. There are other boot loaders, AFAIK grub2.efi is the only secureboot enabled EFI booter, but currently fails to chainload WDS or wim files anyway, even after modifying BCD and other various options, plus is buggy, painfully slow, and cant timeout, exit then boot from the local disk (which ipxe can)

With your current setup modify your existing dhcp scope to something like this

(example for isc-dhcpd)
Code:
option space pxelinux;
option pxelinux.magic           code 208 = string;
option pxelinux.configfile      code 209 = text;
option pxelinux.pathprefix      code 210 = text;
option pxelinux.reboottime      code 211 = unsigned integer 32;

option space PXE;
option PXE.mtftp-ip             code 1 = ip-address;
option PXE.mtftp-cport          code 2 = unsigned integer 16;
option PXE.mtftp-sport          code 3 = unsigned integer 16;
option PXE.mtftp-tmout          code 4 = unsigned integer 8;
option PXE.mtftp-delay          code 5 = unsigned integer 8;

option arch                     code 93 = unsigned integer 16;

class "pxeclients" {
        match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
        next-server <tftp.server.ip.address>;
        if option arch = 00:06 {
                filename = "boot/x86/wdsmgfw.efi";
        } else if ((option arch = 00:07) or (option arch = 00:09)) {
                filename = "boot/x64/wdsmgfw.efi";
        } else {
                filename = "bios/pxelinux.0";
        }
}

untested


RE: WDS, iPXE, DHCP and SecureBoot - NiKiZe - 2017-01-12 19:11

(2017-01-12 09:35)abos_systemax Wrote:  What we were doing in the old situation, was redirecting DHCP to WDS (next-server to the WDS server) and then set the boot program from WDS to pxelinux.cfg; is there a similar method known for IPXE?

Again SecureBoot is not relevant in pcbios, just use a filename for wds.efi when the requested arch is efi, and then if you wish chain from that wds menu into ipxe.

Current wimboot is actually signed by MS, the issue with ipxe is that MS does not like what you can do inside of ipxe, and also that the process for signing ipxe needs to be automatic to be officially available.

Not even grub is signed by MS, instead most distros rely on shim.efi which have been signed by MS.


RE: WDS, iPXE, DHCP and SecureBoot - abos_systemax - 2017-01-13 07:13

Thank you both for your replies. SecureBoot is and will be (at least for a while) a pain in the butt. I do indeed much prefer everything to be iPXE, which then continues to boot to either wimboot or other loaders.

Since we have an EV certificate; (and i've seen the instruction) how common is it that Microsoft will allow our signed iPXE to be 'available' for secure boot and will it be immediately available after Microsoft allows it, or will it be allowed in further firmwares?


RE: WDS, iPXE, DHCP and SecureBoot - NiKiZe - 2017-01-13 18:18

(2017-01-13 07:13)abos_systemax Wrote:  Since we have an EV certificate; (and i've seen the instruction) how common is it that Microsoft will allow our signed iPXE to be 'available' for secure boot and will it be immediately available after Microsoft allows it, or will it be allowed in further firmwares?

As with all certificates the "target" will not need any update since they use signatures, so that is safe. If you have a EV certificate for code signing, then you can try and get MS to sign a version of iPXE, I only know of one instance of it being done, and it was no easy task. You should probably come online on IRC and talk to mcb30 or Andreas about that process.