WDS, iPXE, DHCP and SecureBoot

[ndog]

(2017-01-12 09:35)abos_systemax Wrote:  For SecureBoot enabled devices, I'd like to always boot to WDS

If you insist on having a boot loader like syslinux, grub2 or ipxe you will have to disable secure boot on all machines as they come into the workshop. Until a time that ipxe.efi + wimboot is secure boot enabled, you will have to configure your DHCP server to serve Boot\x64\wdsmgfw.efi (from WDS) to clients in EFI mode. There are other boot loaders, AFAIK grub2.efi is the only secureboot enabled EFI booter, but currently fails to chainload WDS or wim files anyway, even after modifying BCD and other various options, plus is buggy, painfully slow, and cant timeout, exit then boot from the local disk (which ipxe can)

With your current setup modify your existing dhcp scope to something like this

(example for isc-dhcpd)

Code:

option space pxelinux;
option pxelinux.magic           code 208 = string;
option pxelinux.configfile      code 209 = text;
option pxelinux.pathprefix      code 210 = text;
option pxelinux.reboottime      code 211 = unsigned integer 32;

option space PXE;
option PXE.mtftp-ip             code 1 = ip-address;
option PXE.mtftp-cport          code 2 = unsigned integer 16;
option PXE.mtftp-sport          code 3 = unsigned integer 16;
option PXE.mtftp-tmout          code 4 = unsigned integer 8;
option PXE.mtftp-delay          code 5 = unsigned integer 8;

option arch                     code 93 = unsigned integer 16;

class "pxeclients" {
        match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
        next-server <tftp.server.ip.address>;
        if option arch = 00:06 {
                filename = "boot/x86/wdsmgfw.efi";
        } else if ((option arch = 00:07) or (option arch = 00:09)) {
                filename = "boot/x64/wdsmgfw.efi";
        } else {
                filename = "bios/pxelinux.0";
        }
}

untested