Re: [Dnsmasq-discuss] About uEFI network secure boot using pxe-service instead of dhcp-boot

2018-09-11 Thread Geert Stappers
On Tue, Sep 11, 2018 at 08:52:12PM +0800, Steven Shiau wrote:
> On 2018/09/11 15:50, Steven Shiau wrote:
> > Hi Simon, Doug,
> > I'd like to raise this issue again. It was discussed last year:
> > http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q1/011372.html
> > Now with dnsmasq 2.79-1 on Ubuntu cosmic:
> > # dpkg -l dnsmasq
> > Desired=Unknown/Install/Remove/Purge/Hold
> > | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> > |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> > ||/ Name   Version  Architecture Description
> > +++-==---=
> > ii  dnsmasq    2.79-1   all  Small caching DNS proxy and DHCP/TFTP server
> >
> > I have copied /usr/lib/shim/shimx64.efi.signed as bootx64.efi in the
> > tftpboot root, and copied
> > /usr/lib/grub/x86_64-efi-signed/grubnetx64.efi.signed as grubx64.efi in
> > the tftpboot root, too.
> > If I use the following in dnsmasq.conf:
> > 
> >     dhcp-boot=pxelinux.0
> >     dhcp-match=set:efi-x86_64,option:client-arch,7
> >     dhcp-boot=tag:efi-x86_64,bootx64.efi
> > 
> > Then the uEFI network booting client is able to boot in secure mode.
> > However,
> > If I use the following in dnsmasq.conf:
> > 
> >     pxe-service=X86PC, "Boot BIOS PXE", pxelinux.0
> >     pxe-service=BC_EFI, "Boot UEFI BC", bootx64.efi
> >     pxe-service=X86-64_EFI, "Boot UEFI X86-64", bootx64.efi
> > 
> > Then uEFI network booting client is _NOT_ able to boot in secure mode.
> > Even when secure boot mode is disabled, the client is _NOT_ able to
> > network boot. It just enters local machine OS.
> > The problem is, I need the pxe-service config so that the proxy mode can
> > work. That's why I can not use dhcp-boot option.
> >
> > Any solution to this? Thank you very much.
> >
> > Steven
> >
> 
> Oh, I should describe clearly. Actually I am not testing the proxy mode,
> instead I am using the network booting service of dnsmasq.
> When I use:
> =
> bind-interfaces
> log-dhcp
> dhcp-no-override
> enable-tftp
> tftp-root=/tftpboot/nbi_img
> dhcp-range=192.168.169.1,192.168.169.254
> pxe-service=X86PC, "Boot BIOS PXE", pxelinux.0
> pxe-service=BC_EFI, "Boot UEFI BC", bootx64.efi
> pxe-service=X86-64_EFI, "Boot UEFI X86-64", bootx64.efi
> =
> Then the uEFI network secure boot client failed. However, when I switched to
> =
> bind-interfaces
> log-dhcp
> dhcp-no-override
> enable-tftp
> tftp-root=/tftpboot/nbi_img
> dhcp-range=192.168.169.1,192.168.169.254
> dhcp-boot=pxelinux.0
> dhcp-match=set:efi-x86_64,option:client-arch,7
> dhcp-boot=tag:efi-x86_64,bootx64.efi
> =
> Then the uEFI network secure boot client could successfully enter
> network booting.
> If you need more info, please let me know.

Explain the common goal that we, this mailing list, have.


> Thanks.
> Steven

You are welcome


Groeten
Geert Stappers
-- 
Leven en laten leven

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] About uEFI network secure boot using pxe-service instead of dhcp-boot

2018-09-11 Thread Steven Shiau
Oh, I should describe clearly. Actually I am not testing the proxy mode,
instead I am using the network booting service of dnsmasq.
When I use:
=
bind-interfaces
log-dhcp
dhcp-no-override
enable-tftp
tftp-root=/tftpboot/nbi_img
dhcp-range=192.168.169.1,192.168.169.254
pxe-service=X86PC, "Boot BIOS PXE", pxelinux.0
pxe-service=BC_EFI, "Boot UEFI BC", bootx64.efi
pxe-service=X86-64_EFI, "Boot UEFI X86-64", bootx64.efi
=
Then the uEFI network secure boot client failed. However, when I switched to
=
bind-interfaces
log-dhcp
dhcp-no-override
enable-tftp
tftp-root=/tftpboot/nbi_img
dhcp-range=192.168.169.1,192.168.169.254
dhcp-boot=pxelinux.0
dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-boot=tag:efi-x86_64,bootx64.efi
=
Then the uEFI network secure boot client could successfully enter
network booting.
If you need more info, please let me know.
Thanks.

Steven



On 2018/09/11 15:50, Steven Shiau wrote:
> Hi Simon, Doug,
> I'd like to raise this issue again. It was discussed last year:
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q1/011372.html
> Now with dnsmasq 2.79-1 on Ubuntu cosmic:
> # dpkg -l dnsmasq
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name   Version  Architecture Description
> +++-==---=
> ii  dnsmasq    2.79-1   all  Small caching DNS proxy and DHCP/TFTP server
>
> I have copied /usr/lib/shim/shimx64.efi.signed as bootx64.efi in the
> tftpboot root, and copied
> /usr/lib/grub/x86_64-efi-signed/grubnetx64.efi.signed as grubx64.efi in
> the tftpboot root, too.
> If I use the following in dnsmasq.conf:
> 
>     dhcp-boot=pxelinux.0
>     dhcp-match=set:efi-x86_64,option:client-arch,7
>     dhcp-boot=tag:efi-x86_64,bootx64.efi
> 
> Then the uEFI network booting client is able to boot in secure mode.
> However,
> If I use the following in dnsmasq.conf:
> 
>     pxe-service=X86PC, "Boot BIOS PXE", pxelinux.0
>     pxe-service=BC_EFI, "Boot UEFI BC", bootx64.efi
>     pxe-service=X86-64_EFI, "Boot UEFI X86-64", bootx64.efi
> 
> Then uEFI network booting client is _NOT_ able to boot in secure mode.
> Even when secure boot mode is disabled, the client is _NOT_ able to
> network boot. It just enters local machine OS.
> The problem is, I need the pxe-service config so that the proxy mode can
> work. That's why I can not use dhcp-boot option.
>
> Any solution to this? Thank you very much.
>
> Steven
>
>

-- 
Steven Shiau 
Public Key Server PGP Key ID: 4096R/163E3FB0
Fingerprint: EB1D D5BF 6F88 820B BCF5  356C 8E94 C9CD 163E 3FB0




[Dnsmasq-discuss] About uEFI network secure boot using pxe-service instead of dhcp-boot

2018-09-11 Thread Steven Shiau
Hi Simon, Doug,
I'd like to raise this issue again. It was discussed last year:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q1/011372.html
Now with dnsmasq 2.79-1 on Ubuntu cosmic:
# dpkg -l dnsmasq
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name   Version  Architecture Description
+++-==---=
ii  dnsmasq    2.79-1   all  Small caching DNS proxy and DHCP/TFTP server

I have copied /usr/lib/shim/shimx64.efi.signed as bootx64.efi in the
tftpboot root, and copied
/usr/lib/grub/x86_64-efi-signed/grubnetx64.efi.signed as grubx64.efi in
the tftpboot root, too.
If I use the following in dnsmasq.conf:

    dhcp-boot=pxelinux.0
    dhcp-match=set:efi-x86_64,option:client-arch,7
    dhcp-boot=tag:efi-x86_64,bootx64.efi

Then the uEFI network booting client is able to boot in secure mode.
However,
If I use the following in dnsmasq.conf:

    pxe-service=X86PC, "Boot BIOS PXE", pxelinux.0
    pxe-service=BC_EFI, "Boot UEFI BC", bootx64.efi
    pxe-service=X86-64_EFI, "Boot UEFI X86-64", bootx64.efi

Then uEFI network booting client is _NOT_ able to boot in secure mode.
Even when secure boot mode is disabled, the client is _NOT_ able to
network boot. It just enters local machine OS.
The problem is, I need the pxe-service config so that the proxy mode can
work. That's why I can not use dhcp-boot option.

Any solution to this? Thank you very much.

Steven


-- 
Steven Shiau 
Public Key Server PGP Key ID: 4096R/163E3FB0
Fingerprint: EB1D D5BF 6F88 820B BCF5  356C 8E94 C9CD 163E 3FB0
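
A check that fits the copy step described in the original post, added here as an example (it is not part of the thread or of dnsmasq): it confirms that the files served from the TFTP root are byte-identical to the packaged signed shim and GRUB binaries. The function name and the `TFTP_ROOT` variable are hypothetical; the default root is the `tftp-root` value from the posted options. It says nothing about why `pxe-service` behaves differently from `dhcp-boot`.

```shell
#!/bin/sh
# Added example: verify that TFTP-served boot files are unmodified copies of
# the packaged signed binaries. Each argument after the root is SRC=NAME,
# where NAME is the file name the PXE client requests.
verify_tftp_copies() {
    root=$1; shift
    bad=0
    for pair in "$@"; do
        src=${pair%%=*}          # packaged signed binary
        dst=$root/${pair#*=}     # copy served from the TFTP root
        if [ ! -r "$src" ]; then
            echo "MISSING source  $src"; bad=$((bad + 1))
        elif [ ! -r "$dst" ]; then
            echo "MISSING served  $dst"; bad=$((bad + 1))
        elif cmp -s "$src" "$dst"; then
            echo "OK              $dst"
        else
            echo "DIFFERS         $dst (not the packaged $src)"; bad=$((bad + 1))
        fi
    done
    return "$bad"                # number of problems found
}

# Source paths as given in the post; TFTP_ROOT is an assumed override knob.
verify_tftp_copies "${TFTP_ROOT:-/tftpboot/nbi_img}" \
    /usr/lib/shim/shimx64.efi.signed=bootx64.efi \
    /usr/lib/grub/x86_64-efi-signed/grubnetx64.efi.signed=grubx64.efi \
    || echo "$? problem(s) found"
```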

