
Chainload WinPE - PXE UEFI



#26 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 15 January 2014 - 07:56 PM

To use http you would need wimboot or memdisk or sanboot.

These modules are not yet available in EFI mode.



#27 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 15 January 2014 - 08:05 PM

Confirmed!

bcdedit.exe /store my.bcd /set {bootmgr} nointegritychecks yes

does indeed solve the issue with error code 0xc0000428 (The digital signature for this file couldn't be verified).

 

The following boot sequence is a success: PXE -> iPXE -> MS Bootx64.efi -> BCD (winload.efi) -> Boot.wim (x64) :)


  • SanBarn likes this

#28 Sha0

Sha0

    WinVBlock Dev

  • Developer
  • 1682 posts
  • Location:reboot.pro Forums
  • Interests:Booting
  •  
    Canada

Posted 16 January 2014 - 12:45 AM

I'm confused as to how the Microsoft program comes up with \grub\bootx64.efi if it's not in iPXE's options, anywhere. If I recall correctly, this filename is coming across the network connection and is not being booted from a hard disk. Oh well, it's nice that it's working, now.

The Microsoft program doesn't use HTTP, but implements its own TFTP protocol, so it doesn't/can't take advantage of iPXE's HTTP feature.

#29 Leandro Paulin

Leandro Paulin

    Newbie

  • Members
  • 22 posts
  •  
    Brazil

Posted 22 January 2014 - 08:51 PM

Today I've discovered that this solution works if Secure Boot is disabled. If it's enabled, the same error occurs again.

In Microsoft documentation (http://msdn.microsof...2(v=vs.85).aspx):

 

nointegritychecks [ on | off ]

Disables integrity checks. Cannot be set when secure boot is enabled. This value is ignored by Windows 7 and Windows 8.

 

Well, so I'm still looking for a solution for Secure Boot...

I'll let you know if there is an update about this.

 

Thanks,



#30 Mr.JoeM

Mr.JoeM
  • Members
  • 4 posts
  •  
    United States

Posted 23 January 2014 - 01:36 AM

 

Well, so I'm still looking for a solution for Secure Boot...

 

 

Right now, I don't think one exists. I know there is a signed version of grub2 that is compatible with secure boot. I don't think that Microsoft trusts it though. As soon as you have anything untrusted in your boot chain, secure boot fails; as it should. I hope to get some time to test later this week. I will let you know if I find a solution, but I am not hopeful.

 

~joe



#31 Leandro Paulin

Leandro Paulin

    Newbie

  • Members
  • 22 posts
  •  
    Brazil

Posted 23 January 2014 - 01:29 PM

I'm using a signed Grub2. The Grub's menu is working correctly with or without secure boot.

The problem happens after chainloading WinPE from Grub's menu when secure boot is enabled.

 

What I'm going to investigate is to change the boot order. I'll try PXE --> BCD(WinPE) --> Grub2.

 

Thanks,



#32 Leandro Paulin

Leandro Paulin

    Newbie

  • Members
  • 22 posts
  •  
    Brazil

Posted 24 January 2014 - 08:55 PM

I've tried to add a BCD entry for Grub2 using the instructions from http://spam/index.php?topic=530.msg8154#msg8154:

:GRUB2EFI
echo GRUB2
for /f "tokens=3" %%A in ('%BCDEDIT% %STORE% /create /d "Grub2 %choice%" /application bootsector') do set guid=%%A
%BCDEDIT% %STORE% /set %guid% device %partition%
%BCDEDIT% %STORE% /set %guid% path \efi\boot\grubx64.efi
%BCDEDIT% %STORE% /displayorder %guid% /addlast
goto :eof

It didn't work. I've even tried on a local computer (HDD with Windows 8) without using PXE boot.

 

After reading:

http://www.linuxques...54/#post4968531

http://www.linuxques...tml#post4901195

http://reboot.pro/to...cation-via-bcd/

 

I was able to PXE chainload Microsoft's memtest.efi from the BCD menu, but not any other non-Microsoft .efi.

The process was: PXE --> Grub2 --> BCD --> memtest.efi

 

After chainloading a non-MS .efi, error code 0xc000007b is shown ("The application or operating system couldn't be loaded because a required file is missing or contains errors.")

 

So, I thought that with PXE --> BCD --> Grub2 I would be able to boot on Secure Boot enabled computers. As it's not possible (AFAIK) to chain non-MS EFI files from BCD, I'm still stuck with the Secure Boot problem.



#33 Sha0

Sha0

    WinVBlock Dev

  • Developer
  • 1682 posts
  • Location:reboot.pro Forums
  • Interests:Booting
  •  
    Canada

Posted 25 January 2014 - 01:20 AM

As it's not possible (AFAIK) to chain non-MS EFI files from BCD, I'm still stucked with the Secure Boot problem.

I'd mentioned here[1]:

Yes, bootx64.efi is the only one of those which is an actual (U)EFI program (ignore the misleading extensions).

BootMgr doesn't boot (U)EFI programs. Forget about the file extension. Use Dependency Walker to quickly see that the "Subsystem" for your GRUB2 is not the same as the subsystem for MemTest.Efi; they are different kinds of programs.

Also, the bootsector parameter isn't valid for (U)EFI systems, so that won't work.

[1] http://reboot.pro/to...ng/#entry181338

#34 wimb

wimb

    Platinum Member

  • Developer
  • 3756 posts
  • Interests:Boot and Install from USB
  •  
    Netherlands

Posted 25 January 2014 - 05:04 AM

Well, so I'm still looking for a solution for Secure Boot...

I'll let you know if there is an update about this.

 

 

Maybe this helps:

 

Section 6. - UEFI Secure Boot - Multi-Boot of Fedora-18 + Windows 8 from USB-harddisk

 

UEFI Secure Boot - Multi-Boot of Fedora-18 + Windows 8 from USB-harddisk
Grub2 EFI Boot Manager instead of REFIND - in UEFI_MAN rename folder efi_fedora18 as efi
Fedora-18 Secure Boot files efi\boot\BOOTX64.efi and efi\boot\grubx64.efi
and using Fedora vmlinuz0 and initrd0.img in LiveOS folder of Fedora-18 on 2_BOOT partition

 

 

http://www.911cd.net...showtopic=25269



#35 moob

moob

    Newbie

  • Members
  • 12 posts
  •  
    Switzerland

Posted 21 May 2015 - 04:18 PM

Bonjour, I need some help too:

 

When my x64 Client does network boot using boot\x64\wdsmgfw.efi it stops with error message 0x102.

I've been fiddling about with default.bcd but to no avail.

 

We have WDS Server 2012 and DHCP Server on different networks and we use dhcp options 66 and 67, which works perfectly with BIOS-clients and wdsnbp.com.

 

Any advice?


Edited by moob, 21 May 2015 - 04:22 PM.



#37 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 21 May 2015 - 08:48 PM

Bonjour, I need some help too:

 

When my x64 Client does network boot using boot\x64\wdsmgfw.efi it stops with error message 0x102.

I've been fiddling about with default.bcd but no avail.

 

We have WDS Server 2012 and DHCP Server on different networks and we use dhcp options 66 and 67, which works perfectly with BIOS-clients and wdsnbp.com.

 

Any advice?

 

add dhcp option 60 = PXECLIENT.



#38 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 21 May 2015 - 08:48 PM

try adding dhcp option 60 = PXECLIENT.



#39 moob

moob

    Newbie

  • Members
  • 12 posts
  •  
    Switzerland

Posted 22 May 2015 - 08:21 AM

Well, I tried Option 60 already, but with option 60 in place, my client won't even load wdsmgfw.efi or wdsnbp.com.

DHCP Server and WDS are on different Servers but in the same subnet. In my posting I wrote that they were in different networks but that was wrong - sorry bout that. Same network, different machines.


Edited by moob, 22 May 2015 - 08:32 AM.


#40 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 22 May 2015 - 06:14 PM

Well, I tried Option 60 already, but with option 60 in place, my client won't even load wdsmgfw.efi or wdsnbp.com.

DHCP Server and WDS are on different Servers but in the same subnet. In my posting I wrote that they were in different networks but that was wrong - sorry bout that. Same network, different machines.

 

As we are deviating from the main topic, what about posting a new topic?

Mentioning the server setup, client setup, hardware/software, etc ...



#41 maxsubzero

maxsubzero
  • Members
  • 3 posts
  • Location:Zaporizhzhia
  •  
    Ukraine

Posted 27 August 2015 - 06:07 PM

I have captured the network traffic with wireshark.
 
1) WinPE Legacy boot with PXELinux
   This is the WinPE PXE boot for Legacy BIOS computers. The WDS's default boot program (x86 and x64) were changed to "pxelinux.0".

1.1) DHCP negotiation
      - Next server: 192.168.1.10 (WDS Server)
      - Boot file name: "" (empty)
      - Option 67 (Bootfile Name): "" (empty)
1.2) DHCP negotiation
      - Next server: 192.168.1.10 (WDS Server)
      - Boot file name: boot\x86\wdsnbp.com
      - BCD File: \tmp\x86{...}.bcd
1.3) Read request: boot\x86\wdsnbp.com
1.4) DHCP Request
1.5) DHCP ACK
      - Next server: 192.168.1.10
      - Boot file name: pxelinux.0
      - BCD File: \tmp\x86{...}.bcd
1.6) Read request: pxelinux.0
1.7) Read request: pxelinux.cfg\default
1.8) Read request: pxelinux.cfg\Menu\default.menu
1.9) Read request: pxelinux.cfg\Menu\menu.c32
1.10) Read request: pxelinux.cfg\default
1.11) Read request: pxelinux.cfg\Menu\default.menu
1.12) Read request: Boot/pxeboot.0
1.13) Read request: bootmgr.exe
1.14) Read request: \Tmp\x86x64{...}.bcd
1.15) Read request: \hiberfil.sys
      - Error: file not found
1.16) Read request: \Boot\x64\Images\winpe_amd64_20131030.wim
      - Error: TFTP aborted
1.17) Read request: \Boot\Boot.sdi
      - Error: TFTP aborted
1.18) Read request: \boot\fonts\wgl4_boot.ttf
1.19) Read request: \Boot\x64\Images\winpe_amd64_20131030.wim
      - WinPE boots successfully

 
2) WinPE UEFI WDS
   This is the default WinPE UEFI boot in WDS (WDS configuration wasn't changed).

2.1) DHCP negotiation
      - Next server: 192.168.1.10 (WDS Server)
      - Boot file name: "" (empty)
      - Option 66 (TFTP Server Name): 192.168.1.10 (WDS Server)
      - Option 67 (Bootfile Name): "" (empty)
2.2) altserviceboot (4011) Request
2.3) altserviceboot (4011) Response
      - Boot file: boot\x64\wdsmgfw.efi
      - BCD File: \tmp\x64uefi{...}.bcd
2.4) Read request: boot\x64\wdsmgfw.efi
2.5) DHCP Request
2.6) DHCP ACK
      - Next server: 192.168.1.10 (WDS Server)
      - Boot file name: Boot\x64\bootmgfw.efi
      - BCD File: \tmp\x64uefi{...}.bcd
2.7) Read request: boot\x64\bootmgfw.efi
2.8) Read Request: \Boot\x64\BCD
      -  Error: file not found
2.9) Read Request: \Tmp\x64uefi{9474C15E-088A-447F-90D9-2236AACE1048}.bcd
2.10) Read request: \Boot\x64\bootmgfw.efi
2.11) Read request: \Boot\x64\Images\winpe_amd64_20131030.wim
      - Error: TFTP aborted
2.12) Read request: \Boot\Boot.sdi
      - Error: TFTP aborted
2.13) Read request: \Boot\fonts\wgl4_boot.ttf
2.14) Read request: \Boot\Boot.sdi
2.15) Read request: \Boot\x64\Images\winpe_amd64_20131030.wim
      - WinPE boots successfully

 
3) WinPE boot without GRUB 
   The default boot program for "x64uefi" architecture in WDS was changed to "Boot\x64\bootmgfw.efi".

3.1) DHCP negotiation
      - Next server: 192.168.1.10 (WDS Server)
      - Boot file name: "" (empty)
      - Option 66 (TFTP Server Name): 192.168.1.10 (WDS Server)
      - Option 67 (Bootfile Name): "" (empty)
3.2) altserviceboot (4011) Request
3.3) altserviceboot (4011) Response
      - Boot file: boot\x64\bootmgfw.efi
      - BCD File: \tmp\x64uefi{...}.bcd
3.4) Read request: boot\x64\bootmgfw.efi
3.5) Read Request: \Boot\x64\BCD
      - Error: file not found
3.6) Read Request: \Tmp\x64uefi{9474C15E-088A-447F-90D9-2236AACE1048}.bcd
3.7) Read request: \Boot\x64\bootmgfw.efi
3.8) Read request: \Boot\x64\Images\winpe_amd64_20131030.wim
      - Error: TFTP aborted
3.9) Read request: \Boot\Boot.sdi
      - Error: TFTP aborted
3.10) Read request: \Boot\fonts\wgl4_boot.ttf
3.11) Read request: \Boot\Boot.sdi
3.12) Read request: \Boot\x64\Images\winpe_amd64_20131030.wim
      - WinPE boots successfully

 
4) WinPE boot with GRUB
   The default boot program for "x64uefi" architecture in WDS was changed to "grub\bootx64.efi".

4.1) DHCP negotiation
      - Next server: 192.168.1.10 (WDS Server)
      - Boot file name: "" (empty)
      - Option 66 (TFTP Server Name): 192.168.1.10 (WDS Server)
      - Option 67 (Bootfile Name): "" (empty)
4.2) altserviceboot (4011) Request
4.3) altserviceboot (4011) Response
      - Boot file: boot\x64\wdsmgfw.efi
      - BCD File: \tmp\x64uefi{...}.bcd
4.4) Read request: boot\x64\wdsmgfw.efi
4.5) DHCP Request
4.6) DHCP ACK
      - Next server: 192.168.1.10 (WDS Server)
      - Boot file name: grub\bootx64.efi
      - BCD File: \tmp\x64uefi{...}.bcd
4.7) Read request: grub\bootx64.efi
4.8) Read request: /grubx64.efi
4.9) Read request: /grub/x86_64-efi/command.lst
4.10) Read request: /grub/x86_64-efi/fs.lst
4.11) Read request: /grub/x86_64-efi/crypto.lst
4.12) Read request: /grub/x86_64-efi/terminal.lst
4.13) Read request: /grub/grub.cfg
4.14) Read request: /grub/Menu/Menu.cfg
4.15) Read request: /grub/x86_64-efi/command.lst
4.16) Read request: /grub/x86_64-efi/fs.lst
4.17) Read request: /grub/x86_64-efi/crypto.lst
4.18) Read request: /grub/x86_64-efi/terminal.lst
4.19) Read request: /grub/unicode.pf2
4.20) Read request: /grub/unicode.pf2
4.21) Read request: /grub/Menu/WinPE.cfg
4.22) Read request: /Boot/x64/bootmgfw.efi
4.23) Read Request: \grub\BCD
      - Error: file not found
4.24) Read Request: \Tmp\x64uefi{9474C15E-088A-447F-90D9-2236AACE1048}.bcd
4.25) Read request: \grub\bootx64.efi
4.26) Read request: \boot\fonts\wgl4_boot.ttf
      - WinPE fail with error code 0xc0000428 (The digital signature for this file couldn’t be verified).

It looks like the problem occurs in step 4.25 (Read request: \grub\bootx64.efi). It shouldn't get "\grub\bootx64.efi"; it should get "\Boot\x64\bootmgfw.efi" again (compared to the "WinPE boot without GRUB" process).

 

 

I've also repeated "WinPE boot with GRUB", but before step 4.25 occurred I copied "\Boot\x64\bootmgfw.efi" to "\grub\bootx64.efi". So when the file "\grub\bootx64.efi" (step 4.25) was fetched from the server, it was actually bootmgfw.efi that was fetched.

When I did this, WinPE booted correctly.

 

 

Any suggestion to make it work? I can't change "\grub\bootx64.efi" because GRUB's menu must be shown to the user.

 

Thanks,

 

 

Cool!
 
Above, DHCP does not provide a filename but ProxyDHCP (on UDP 4011) does.
 
Why wdsmgfw.efi instead of the bootmgfw.efi?
 
Above, there have been both a DHCP as well as a ProxyDHCP response. That is different.
 
You have two filename options, which makes things confusing. I don't know if you manually modified the DHCP parameters, but if you did, the DHCP filename is taking precedence over the ProxyDHCP filename because option 60 isn't set.

But regardless of that, it looks like Microsoft wants to redownload the file that was originally booted. This might be a security feature. What you'd probably need to do is to patch the filename option, perhaps using iPXE to do so. Other hacks would be using a specially-modified TFTP service that would hand out (U)EFI GRUB upon the first request, but BootMgFw.efi upon the second request.

 

Hello!

I want to share with you some research on this topic.

My guess is that UEFI firmware, when PXE-booting, stores the DHCP options in memory (or in environment variables), option 67 in our case.

And when Windows' Boot Manager loads, it does some things:

1. Self-checks its signature.

2. Checks availability of the BCD and its validity.

3. Checks availability of the font file.

4. Checks the record about the PXE Boot File Name in UEFI memory (environment variable).

5. Downloads the file discovered in (4).

6. Checks this file (4-5) against its own signature (1).

7. Continues with the Boot Menu / downloading and executing WIMs.

If any of these steps (maybe except the font check) fails, the entire boot sequence fails with the familiar error 0xc0000428.

My guess is this is some kind of MS "antimalware" (if you know what I mean) effort, designed to protect the Windows loader against an intermediate bootloader (which could patch some memory and gain low-level access to the system and do some neat things to your PC).

There is another interesting thing: when Windows Boot Manager does (5) it always prepends a leading slash to the path/filename if there is none (so if BootFileName is "grub/grubx64.efi" (5) asks for "/grub/grubx64.efi"). So there is a little workaround for "0xc0000428 problem": you should use paths/filenames without leading slash (I don't know about WDS/MS DHCP, but on ISC-DHCPD it works) and add a line to mapping file of your TFTP-server ("in.tftpd -m /etc/tftpd.map" in my case):

r ^/path/to/pxe/loader.efi$ path/to/ms/bootmgrfw.efi

So when bootmgrfw.efi asks TFTP-server for default bootloader it gets itself and validation passes.

I've checked this with Ubuntu's signed grub2 EFI binary on a PC with Secure Boot turned off and it works like a charm. The Secure Boot check I'll do on Monday and share results.

I guess there should be a more convenient way to change BootFileName in UEFI memory (like in iPXE), but in GRUB2 there is only the read-only env var net_pxe_boot_file, so filename mapping is the only solution now (except disabling the signature check in BCD).

iPXE doesn't work properly in my environment: snponly.efi does not recognize the EFI NIC and the full-sized ipxe.efi takes forever to initialize the NIC (Gigabyte motherboard and Realtek NIC).

 

P.S. Sorry for my bad English, I'm Ukrainian.



#42 bmf614

bmf614
  • Members
  • 1 posts
  •  
    United States

Posted 10 September 2015 - 06:04 PM

Hi,

 

Using various tips I gleaned from this posting in the past I was able to get WinPE to load in UEFI mode if I make bootmgfw.efi my filename in dhcpd.conf. So thank you so much for that.

 

However I have not been able to get it to boot as an 'option' under SysLinux 6 or Grub2.

 

SysLinux 6's UEFI support is a little wacky, so that I can understand, but you folks have indicated that you have gotten it working under grub2, so I wondered if you could assist me? Below is my grub.cfg:

 

set default="1"

function load_video {
  insmod efi_gop
  insmod efi_uga
  insmod video_bochs
  insmod video_cirrus
  insmod all_video
}

load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod ext2
insmod fat

set timeout=60
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_linux ###
menuentry "WinPE" {
   terminal_output console
   insmod chain
   chainloader bootmgfw.efi
}

 

When it tries to boot WinPE it says: error: not a valid root device

 

On the TFTP server I can see it is downloading bootmgfw.efi. I copied this grub2 from the Red Hat 7.1 installation media. Is there a different version that I need?

 

Please assist and thank you in advance!



#43 maxsubzero

maxsubzero
  • Members
  • 3 posts
  • Location:Zaporizhzhia
  •  
    Ukraine

Posted 20 September 2015 - 09:16 AM

1. Syslinux 6.xx does not support EFI binaries (yet?). I had no luck with CentOS7's GRUB2 binaries netbooting UEFI.

 

2. You should compile GRUB2 from source (grub2.00 stable does not netboot, latest git snapshot too) grub2_2.02~beta2.orig.tar.xz (from debian repository) and install it somewhere (~/grub for example):
 

cd /home/builder/grub2_2.02~beta2

# 32-bit EFI build
./configure --prefix=/home/builder/grub --disable-grub-emu-usb --disable-efiemu --disable-werror --with-platform=efi --target=i386
make
make install
make clean

# 64-bit EFI build, installed into the same prefix
./configure --prefix=/home/builder/grub --disable-grub-emu-usb --disable-efiemu --disable-werror --with-platform=efi --target=x86_64
make
make install
make clean

 

3. Make netbootable GRUB2 EFI binaries and copy needed files to your tftpboot directory:

sudo mkdir -p /var/lib/tftpboot/efi/grub/fonts
sudo /home/builder/grub/bin/grub-mkimage -o /var/lib/tftpboot/efi/grub/bootx64.efi -O x86_64-efi -p "/efi/grub" -v efinet tftp normal minicmd
sudo /home/builder/grub/bin/grub-mkimage -o /var/lib/tftpboot/efi/grub/bootia32.efi -O i386-efi -p "/efi/grub" -v efinet tftp normal minicmd

sudo cp -r /home/builder/grub/lib/grub/*-efi /var/lib/tftpboot/efi/grub/

sudo cp /boot/efi/EFI/*/fonts/unicode.pf2 /var/lib/tftpboot/efi/grub/fonts/

 

4. Configure your dhcp-server to serve these binaries as pxe boot files (example for isc-dhcpd):

option space pxelinux;
option pxelinux.magic           code 208 = string;
option pxelinux.configfile      code 209 = text;
option pxelinux.pathprefix      code 210 = text;
option pxelinux.reboottime      code 211 = unsigned integer 32;

option space PXE;
option PXE.mtftp-ip             code 1 = ip-address;
option PXE.mtftp-cport          code 2 = unsigned integer 16;
option PXE.mtftp-sport          code 3 = unsigned integer 16;
option PXE.mtftp-tmout          code 4 = unsigned integer 8;
option PXE.mtftp-delay          code 5 = unsigned integer 8;

option arch                     code 93 = unsigned integer 16;

class "pxeclients" {
        match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
        next-server <tftp.server.ip.address>;
        if option arch = 00:06 {
                filename = "efi/grub/bootia32.efi";
        } else if ((option arch = 00:07) or (option arch = 00:09)) {
                filename = "efi/grub/bootx64.efi";
        } else {
                filename = "bios/pxelinux.0";
        }
}

NOTE: NO LEADING SLASH IN FILENAMES.

 

5. Configure the TFTP server (tftp-hpa here):

systemd socket unit /etc/systemd/system/tftp-map.socket

[Unit]
Description=Tftp Server Activation Socket (with name remap)

[Socket]
ListenDatagram=69

[Install]
WantedBy=sockets.target

systemd service unit /etc/systemd/system/tftp-map.service

[Unit]
Description=Tftp Server (with name remap)

[Service]
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot -m /etc/tftpd.map
StandardInput=socket

or /etc/xinetd.d/tftp

# default: off
# description: The tftp server serves files using the trivial file transfer \
#       protocol.  The tftp protocol is often used to boot diskless \
#       workstations, download configuration files to network-aware printers, \
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /var/lib/tftpboot -m /etc/tftpd.map
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}

and then enable tftp server startup either by systemd socket or xinetd service

 

6. Create the /etc/tftpd.map file with the following content (this is where all the magic is):

rg \\ /
rg ([A-Z]) \L\1
rg ^/efi/grub/bootx64.efi$ /efi/microsoft/boot/bootx64.efi
rg ^/efi/grub/bootia32.efi$ /efi/microsoft/boot/bootia32.efi

1st line changes backslashes to slashes in requested TFTP file paths, to make them compatible with Windows.

2nd line converts all requested paths and file names to lower case (optional line, may be deleted).

3rd and 4th lines do the workaround for MS's boot manager integrity checks: bootmgrfw.efi requests the original boot file (the one in the "filename" DHCP option) from the TFTP server and compares its checksum or signature with its own. So to make it work we should feed it with the original bootmgrfw.efi binary, not GRUB's one. And the filename remap does the trick: bootmgrfw.efi ALWAYS requests the original bootloader WITH a leading slash (and our DHCP option DOESN'T have a leading slash, see 4.), so we can remap requests for our GRUB bootloader with a leading slash to point to MS's bootmgrfw.efi.

 

7. Create /var/lib/tftpboot/efi/grub/grub.cfg:

set timeout=10

 

set superusers="root"

password_pbkdf2 root grub.pbkdf2.sha512.<VERYLONGCRYPTEDPASSWORDSTRING>

if loadfont unicode; then
    if [ "$grub_platform" = "efi" ]; then
        insmod efi_gop
        insmod efi_uga
    else
        insmod vga
        insmod vbe
    fi
    set gfxmode=640x480,auto
    insmod gfxterm
    terminal_output gfxterm
    if insmod png; then background_image /bios/logo.png; fi
fi

menuentry "Continue default boot order" --class local --unrestricted {
    exit
}

menuentry "Windows PE" --class windows --users "" {
    if [ "$grub_platform" = "efi" ]; then
        if [ "$grub_cpu" = "x86_64" ]; then
            chainloader efi/microsoft/boot/bootx64.efi
            terminal_output console
            boot
        elif [ "$grub_cpu" = "i386" ]; then
            chainloader efi/microsoft/boot/bootia32.efi
            terminal_output console
            boot
        else echo "Unsupported platform"; fi
    else echo "Unsupported platform"; fi
}

menuentry "Shutdown system" --class power --unrestricted {
    halt
}

menuentry "Reboot system" --class reboot --unrestricted {
    reboot
}

 

change/append menu entries as needed

8. Try netbooting your UEFI workstation...

 

NOTE: AFAIK dnsmasq's and WDS' tftp-servers do not support filename remap, so it only should work with tftp-hpa (tested) and atftpd (not tested).
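To show what the remap in step 6 (and the shorter `r` rule in the earlier post above) actually does to the requests seen in the Wireshark capture, here is an added Python model of tftp-hpa's `-m` filename rewriting. It is illustration code written for this thread, not tftp-hpa's own implementation: it models only the rule operations the map above uses (r, g, i, e), and the request paths are constructed from steps 4.7 and 4.25 of the quoted capture.

```python
import re

# Constructed copy of the /etc/tftpd.map rules from step 6 above (not tftp-hpa's code).
TFTPD_MAP = r"""
rg \\ /
rg ([A-Z]) \L\1
rg ^/efi/grub/bootx64.efi$ /efi/microsoft/boot/bootx64.efi
rg ^/efi/grub/bootia32.efi$ /efi/microsoft/boot/bootia32.efi
"""


def parse_map(text):
    """Parse tftp-hpa map lines of the form 'ops regex replacement'.

    Only the operations this thread's map needs are modelled: r (rewrite),
    g (apply to every match), i (case-insensitive) and e (stop after a match).
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        ops, pattern = parts[0], parts[1]
        repl = parts[2] if len(parts) > 2 else ""
        flags = re.IGNORECASE if "i" in ops else 0
        rules.append((ops, re.compile(pattern, flags), repl))
    return rules


def expand(repl, match):
    """Expand a replacement: \\0-\\9 backreferences, \\L/\\U case-convert the
    rest of the replacement, \\E ends the conversion, \\\\ is a literal backslash."""
    out = []
    case = None
    i = 0
    while i < len(repl):
        ch = repl[i]
        if ch == "\\" and i + 1 < len(repl):
            esc = repl[i + 1]
            i += 2
            if esc.isdigit():
                piece = match.group(int(esc)) or ""
            elif esc in "LUE":
                case = {"L": "lower", "U": "upper", "E": None}[esc]
                continue
            else:
                piece = esc  # \\ and any unknown escape: keep the character itself
        else:
            piece = ch
            i += 1
        if case == "lower":
            piece = piece.lower()
        elif case == "upper":
            piece = piece.upper()
        out.append(piece)
    return "".join(out)


def remap(path, rules):
    """Run one requested TFTP filename through the rules in order, as in.tftpd -m would."""
    for ops, rx, repl in rules:
        matched = rx.search(path) is not None
        path = rx.sub(lambda m: expand(repl, m), path, count=0 if "g" in ops else 1)
        if matched and "e" in ops:
            break
    return path


def simulate_boot_requests():
    """Replay the decisive requests of the capture through the map.

    Constructed from steps 4.7 and 4.25 of the quoted Wireshark log: the firmware
    fetches exactly the DHCP filename (no leading slash) and gets GRUB, while
    bootmgfw.efi re-fetches the boot file with a leading separator and therefore
    gets the Microsoft loader back, so its self-comparison passes.
    """
    rules = parse_map(TFTPD_MAP)
    requests = [
        "efi/grub/bootx64.efi",          # 4.7: firmware's request -> GRUB is served
        "/efi/grub/grub.cfg",            # GRUB's own config request -> untouched
        "\\efi\\grub\\bootx64.efi",      # 4.25: bootmgfw.efi's re-fetch -> MS loader served
        "\\Boot\\Fonts\\WGL4_Boot.TTF",  # Windows-style path -> slashes and lower case
    ]
    return {req: remap(req, rules) for req in requests}


if __name__ == "__main__":
    for req, served in simulate_boot_requests().items():
        print(f"{req:32} -> {served}")
```

Note that the remap only satisfies the loader's self-check by handing it its own binary; it does nothing to verify GRUB, which is why the thread's author tested this with Secure Boot off.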
 



#44 derekandclive

derekandclive
  • Members
  • 1 posts
  •  
    United Kingdom

Posted 04 April 2017 - 12:11 PM

Reanimating this thread as it's the best source of information out there on getting GRUB to work with UEFI PXEBOOT under WDS.

 

Essentially everything works fine for me and GRUB2 is served from WDS but does not show the menu - which I have in the same directory and named as grub.cfg

 

And if I try any commands such as insmod <module> or linuxefi <kernel> it just returns:

 

error: Access violation.

 

I've double-checked perms everywhere but to no avail. Any thoughts on what might be wrong here would be greatly appreciated.

 

Thanks.



#45 SanBarn

SanBarn

    Newbie

  • Members
  • 14 posts
  •  
    Canada

Posted 23 August 2018 - 07:24 AM

Hi Leandro,

 

Thanks for the patched iPXE.

Will try to chainload winpe from iPXE later tonight.

 

For now, PXE->MS Bootx64.efi ->BCD (winload.efi) ->Boot.wim (x64) works fine for me, but just like you I need a menu as well.

 

Regards,

Erwan

 

 

Using Grub2 menus, iPXE was chainloaded:

menuentry "iPXE - mod xcat" {
   terminal_output console
   insmod chain
   chainloader /iPXE/snponly_ipxe_xcat.efi
}

after iPXE was loaded I've run the following commands:

iPXE> show filename
net0.dhcp/filename:string = 
iPXE> show proxydhcp/filename
proxydhcp/filename:string = boot\x64\wdsmgfw.efi
iPXE> set filename /boot/x64/bootmgfw.efi
iPXE> set proxydhcp/filename /boot/x64/bootmgfw.efi
iPXE> show filename
filename:string = /boot/x64/bootmgfw.efi
iPXE> show proxydhcp/filename
proxydhcp/filename:string = /boot/x64/bootmgfw.efi
iPXE> chain /boot/x64/bootmgfw.efi

After chaining bootmgfw.efi the WinPE boot process starts, but again (step 4.25) it gets "\grub\bootx64.efi"...

So even if I change the boot file name in iPXE, it doesn't make a difference for bootmgfw.efi...

 

Wireshark doesn't show anything suggesting that bootmgfw.efi makes a new request to the WDS server to find out what the boot file name is. It seems that bootmgfw.efi gets the boot file name from the beginning of the PXE boot process:

4.6) DHCP ACK
      - Next server: 192.168.1.10 (WDS Server)
      - Boot file name: grub\bootx64.efi
      - BCD File: \tmp\x64uefi{...}.bcd

To test it, after iPXE booted I've changed the x64uefi boot file in WDS.

wdsutil /set-server /bootprogram:iPXE\snponly_ipxe_xcat.efi /architecture:x64uefi
wdsutil /set-server /N12bootprogram:iPXE\snponly_ipxe_xcat.efi /architecture:x64uefi

Then, in iPXE, run "chain /boot/x64/bootmgfw.efi". It again fetched "\grub\bootx64.efi" and not "snponly_ipxe_xcat.efi", so it doesn't make a new request to WDS to find out the file name during the PXE process.

 

I've looked for an "unload" command for the network stack. In grub2 there is the "pxe_unload" command (https://www.gnu.org/...#pxe_005funload) but it is only for PC BIOS and not UEFI.

I couldn't find a similar command in iPXE.

 

What else can we try?

 

 

 

I've got iPXE from http://git.ipxe.org/ipxe.git and then applied only the changes from http://lists.ipxe.or...ust/002713.html.

If you build iPXE from https://git.ipxe.org...r/xcat/ipxe.git, iPXE has a newer version but in my test environment (vmware) it crashes the VM. My snponly.efi is in http://www.sendspace.com/file/t25406

 

 

 

I'm using only UEFI mode, secure boot is disabled. I'm going to try more to investigate if it's possible to boot grub2 after BCD.

 

Thanks guys,

 

Hi,

 

I am using winpe.iso to boot the client machine in windows 10 using PXE linux server. Is there any way to load the iso file as in the case of Legacy mode using memdisk?

 

Thanks.



#46 SanBarn

SanBarn

    Newbie

  • Members
  • 14 posts
  •  
    Canada

Posted 23 August 2018 - 07:39 AM

Hi Leandro,

 

Would you be able to share your ipxe build with latest patches?

 

I am playing with uefi + pxe these days and I could definitely use a working snponly.efi :)

 

Maybe out of topic, but so far I have managed the following: pxe -> bootmgfw.efi -> bcd -> boot.wim (winpe4 / x64) in proxydhcp mode.

 

The boot.wim starts loading all fine but I end up with a 0xc0000001 screen.

Any idea?

I know my wim file is fine as it works in legacy mode.

 

Regards,

Erwan

 

Hi,

 

Although this post is old, I'm hoping somebody could reply on top of it.

 

Can you please show me the windows pe directory structure in the clonezilla server and also the tftp remap file?

 

Thanks,

San



#47 jamoedo

jamoedo
  • Members
  • 1 posts
  •  
    Spain

Posted 18 October 2018 - 11:30 AM

Reanimating this thread as it's the best source of information out there on getting GRUB to work with UEFI PXEBOOT under WDS.

 

Essentially everything works fine for me and GRUB2 is served from WDS but does not show the menu - which I have in the same directory and named as grub.cfg

 

And if I try any commands such as insmod <module> or linuxefi <kernel> it just returns:

 

error: Access violation.

 

I've double-checked perms everywhere but to no avail. Any thoughts on what might be wrong here would be greatly appreciated.

 

Thanks.

 

The WDS TFTP server has a registry entry to control what is permitted to be read:

 

Key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP

 

Value: ReadFilter

 

It is like:

\boot\*

boot\*

etc.

 

For grub2, which reads its config file from /grub/grub.cfg and constructs paths with / instead of \, I had to add:

 

/boot/*

boot/*

etc.

 

and!

 

/grub/*

grub/*

 

This worked for me, hope it helps!

By the way, use wireshark to check routes and files failing :)


Edited by jamoedo, 18 October 2018 - 11:40 AM.




