DOCTEAM-2023 Issue in Creating GRUB 2 NetBoot directories for PXE server#654
Why is ppc not covered?
@hramrach
… package as alternative source for signed EFI files.
…ocation of its GRUB bootloader
| <revdescription> | ||
| <para> | ||
| Clarified that Secure Boot applies to UEFI-based architectures (&x86-64;, &aarch64;), as | ||
| well as &ppc64le; which is non-UEFI. Added <package>shim</package> package as alternative source for signed EFI |
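Review bot: The revdescription now lists &ppc64le; as covered by Secure Boot, but the PR description still gives the scope as "UEFI/x86_64/AArch64 only"; update one of the two so the revision history and the PR agree.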
shim is not an alternative source. It is required on architectures that use it.
It's an alternative in the sense of where you take the shim file (shim.efi) from: the shim package, the ISO or the tftpboot-agama-installer RPM (shim.efi is bootx64.efi or shim.efi is bootaa64.efi).
| (<filename>arm64-efi</filename> and <filename>powerpc-ieee1275</filename>). | ||
| and &aarch64; create their UEFI directory | ||
| <filename>arm64-efi</filename>. &ppc64le; systems (<filename>powerpc-ieee1275</filename>) supports secure boot too, but not UEFI; the grub bootloader is in <filename>/boot/grub2/grub.elf</filename> on the ISOs. | ||
| </para> |
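Review bot: In the &ppc64le; sentence, "systems ... supports" should be "support", and "secure boot" and "grub" are written in plain lower case where the intro paragraph uses entities such as &grub;; use consistent naming here too. The line is also much longer than the wrapped lines around it and could be re-wrapped.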
Why does it have to specify not UEFI?
| <para> | ||
| This section explains creating &grub; NetBoot directories for PXE servers using | ||
| <command>grub2-mknetdir</command>, which generates architecture-specific directories for | ||
| &x86-64; (UEFI and BIOS), &aarch64;, and &ppc64le; systems. For &uefisecboot; support, |
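Review bot: The first sentence lists &ppc64le; among the generated directories and the next one starts "For &uefisecboot; support,", so it is unclear whether what follows applies to &ppc64le;, which the changed text elsewhere describes as supporting secure boot without UEFI. State at this point which architectures the Secure Boot instructions cover.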
If you did not tie secure boot to UEFI here you would not have to disclaim UEFI later.
| <listitem> | ||
| <para> | ||
| The <package>shim</package> package installed on the PXE server itself (<command>zypper | ||
| install shim</command>), which provides <filename>shim.efi</filename>, |
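Review bot: The list item installs shim "on the PXE server itself" but does not say which client architecture the resulting shim.efi is for. State the architecture of the installed file and where the file for a different client architecture comes from.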
This will likely not work.
Just like grub, the shim is architecture-specific.
Both x86_64 and aarch64 have their own shim. You need shim for the correct architecture in each case.
Yes, on x86_64 you have shim-16.1-160000.1.1.x86_64 -> shim.efi is usable only on x86_64 (as bootx64.efi), but not for aarch64.
That means, with RPMs you'd have to add the aarch64 SLES-16 repository on the x86_64 machine and vice versa. While the shim.efi is in /usr/share/efi/x86_64/shim.efi, the package (from the other arch) also installs e.g. the /usr/sbin/shim-install script -> rpm conflicts.
That is, you have to copy the architecture-specific shim files from a different machine with the desired architecture or manually extract them from the arch-specific shim package.
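A check that fits the point made in this thread, that each architecture needs its own shim: the sketch below reads the PE/COFF machine field of an EFI image and compares it with the netboot directory it is meant for. It is an added example, not part of the PR or of any comment; the function names, the `x86_64-efi` directory key and the constructed headers are assumptions for illustration.

```python
import struct

# PE/COFF Machine values for the two UEFI architectures discussed in the thread.
PE_MACHINE = {0x8664: "x86_64", 0xAA64: "aarch64"}

# Assumed mapping from GRUB netboot directory to the architecture it serves.
# arm64-efi appears on the page; x86_64-efi is GRUB's name for the x86-64 UEFI platform.
DIR_ARCH = {"x86_64-efi": "x86_64", "arm64-efi": "aarch64"}


def efi_arch(data: bytes) -> str:
    """Return the architecture of an EFI (PE/COFF) image or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    # Offset 0x3C of the DOS header holds the file offset of the PE signature.
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # The 16-bit Machine field follows the 4-byte signature.
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    if machine not in PE_MACHINE:
        raise ValueError(f"unexpected PE machine type 0x{machine:04x}")
    return PE_MACHINE[machine]


def check_shim(netboot_dir: str, data: bytes) -> bool:
    """True if the shim image matches the architecture of the netboot directory."""
    return efi_arch(data) == DIR_ARCH[netboot_dir]


def fake_pe(machine: int) -> bytes:
    """Constructed minimal header for demonstration (not a real shim)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)
    return bytes(hdr)


if __name__ == "__main__":
    x86_shim = fake_pe(0x8664)
    for directory in DIR_ARCH:
        verdict = "ok" if check_shim(directory, x86_shim) else "WRONG ARCH"
        print(f"{directory}: x86_64 shim -> {verdict}")
```

On a real server, pass the bytes of the `shim.efi` copied into each netboot directory instead of the constructed headers.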
PR creator: Description
Clarified Secure Boot scope (UEFI/x86_64/AArch64 only) and added shim package as alternative source for signed EFI files.
PR creator: Are there any relevant issues/feature requests?
PR reviewer: Checklist for editorial review
Apart from the usual checks, please double-check also the following: