Re: How to set up dhcpd.conf to serve different UEFI files per OS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Once upon a time, Thomas Cameron <thomas.cameron@xxxxxxxxxxxxxxx> said:
> Is it that the shim.efi file is signed for UEFI environments, and
> the RHEL kernel is expecting the signature for the RHEL shim.efi
> file? If so, how do I specify which shim.efi file I want to use
> based on the kernel? I would assume I'd need to add the correct
> shim.efi file in /var/lib/tftpboot/images/[kickstart_os] the same as
> I add the vmlinuz and initrd.img. But how do I tell the machine
> being kickstarted where to get the correct shim.efi? Is there a
> vendor-class-identifier I can check to see what the OS is, and then
> point the machine being kickstarted to that file?

As far as I can tell, you cannot configure network boot for different
OSes in a UEFI Secure Boot environment.  The shim is loaded first,
before you get to the point of choosing which kernel to boot, and a
given distribution's shim will only load other Linux things signed by
that distribution's key.

It'd be nice if there was a way to chainload one shim from another
(they're all signed by the MS firmware-trusted key, so it seems like
this should be possible and still meet the security requirements), so
you could have a menu option "Switch to RHEL" that would load the RHEL
shim+bootloader, but I don't think that's possible today.  I'm using
grub2 for network book rather than syslinux, but I couldn't figure out a
way to make that work.

The only way to handle it would be to distinguish the clients at the
DHCP server (use separate VLANs, pre-configure MAC addresses, etc.).
Once the DHCP server sends an answer, it's too late to change.
-- 
Chris Adams <linux@xxxxxxxxxxx>
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux