Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Booting a Secure Boot UEFI system using PXE

How to boot a Secure Boot UEFI system using PXE.

When booting a system with UEFI Secure Boot, a chain of trust is established where the signature of the next step of the boot chain is checked by the previous step. For licensing reasons, grub is usually not signed with a key trusted by the system firmware and instead a UEFI shim loader is booted first. The UEFI shim loader will then load grub, verifying its signature against an embedded key and/or the keys trusted by the system firmware. Finally, grub will utilize a protocol provided by the UEFI shim loader to verify the signature of the kernel.

This means that when booting a UEFI Secure Boot system using PXE, you must use GRUB2 rather than syslinux, and you must boot the UEFI shim loader first.

  1. Create a grub.cfg file in /var/lib/tftpboot/grub/grub.cfg with the following contents.
    set default=0
     
    insmod tga
    background_image ($root)/boot/grub/splash.tga
    set color_normal=cyan/blue
    set color_highlight=white/blue
     
    menuentry "Vyatta" {
    linux           vmlinuz console=ttyS0,115200 console=tty0 quiet systemd.show_status=1 systemd.unified_cgroup_hierarchy=1 boot=live net.ifnames=1 iommu=pt nopersistent nonetworking noeject fetch=http://192.168.125.1/vyatta.iso
    initrd          initrd.img
    }
  2. Extract the kernel, initrd, and Vyatta squashfs from the Vyatta NOS ISO.
    isoinfo -J -i vyatta.iso -x /live/vmlinuz > vmlinuz
    isoinfo -J -i vyatta.iso -x /live/initrd.img > initrd.img
    isoinfo -J -i vyatta.iso -x /live/filesystem.squashfs > filesystem.squashfs
  3. Extract shim and the monolithic grubnet from the Vyatta squashfs.
    When using Secure Boot, loading grub modules is prohibited so a separate grubnet binary must be used which includes the required modules.
    unsquashfs filesystem.squashfs usr/lib/shim/shimx64.efi.signed usr/lib/grub/x86_64-efi-signed/grubnetx64.efi.signed
  4. Copy the kernel, initrd, shim, and grub to the TFTP root.
    Note that grub must be named grubx64.efi (not grubnetx64.efi) to be found by the UEFI shim loader.
    cp vmlinuz /var/lib/tftpboot/vmlinuz
    cp initrd.img /var/lib/tftpboot/initrd.img
    cp squashfs-root/usr/lib/shim/shimx64.efi.signed /var/lib/tftpboot/shimx64.efi
    cp squashfs-root/usr/lib/grub/x86_64-efi-signed/grubnetx64.efi.signed /var/lib/tftpboot/grubx64.efi
  5. Configure your DHCP server to provide shim64.efi as the boot filename.
The system will boot.