opsi with Secure Boot

Secure Boot (sometimes written "Secureboot") is a security feature of the UEFI firmware specification that is implemented by the firmware of the computer manufacturers. With Secure Boot enabled, the firmware only executes boot loaders and operating system loaders whose digital signature it can verify against a certificate stored in its signature database; Windows and several Linux distributions ship such signed loaders. The signature confirms that the loader is authentic and has not been tampered with. Third-party loaders, such as the shim used by Linux distributions, are signed by Microsoft's UEFI certificate authority, whose certificate most firmware carries. On a device with Secure Boot enabled, the firmware checks the signature before executing the loader; if the signature is missing or does not verify, the loader is refused and the boot stops.

Prerequisites

This module is a paid extension. This means that you need an activation file to unlock it. You will receive this file after you have purchased the extension. For evaluation purposes, we’re happy to provide you with a temporary license free of charge. Please contact us via email.

More details can be found in opsi Extensions.

The extension requires opsi 4.1 or newer. The following table lists the required opsi packages:

Table 1. Required Packages

Package               Version
opsi-linux-bootimage  >= 201900923-4
opsipxeconfd          >= 4.1.1.15-1

General Requirements

The firmware of the clients must support UEFI and Secure Boot. As with the UEFI extension, the module supports 64-bit systems only.

For installation via PXE boot (Preboot eXecution Environment) you need a UEFI-capable Windows PE (WinPE_UEFI), i.e. a Windows Preinstallation Environment that boots on UEFI firmware. Recent Windows PE builds usually already contain UEFI support: check whether the opsi netboot product contains an EFI folder and the file winpe/bootmgr.efi. Otherwise, create an up-to-date Windows PE with DISM (Deployment Image Servicing and Management); see the section Manual PE Creation in the Windows client OS installation chapter. The UEFI WinPE is expected in the winpe_uefi folder of the opsi netboot product.

If a single Windows PE supports both boot modes, winpe_uefi can be a symbolic link to winpe.

Configuration of the opsi Server for Secure Boot Clients

For PXE boot via the opsi server, the external DHCP server must hand out opsi/opsi-linux-bootimage/loader/shimx64.efi.signed as the boot file to the Secure Boot clients.

The following steps are only required with opsi-configed < 4.3.0.0. In the management interface opsi-configed, activate the checkbox UEFI-Boot for the UEFI clients. Alternatively, set the host parameter clientconfig.dhcpd.filename for the clients to the boot file:

clientconfig.dhcpd.filename=opsi/opsi-linux-bootimage/loader/shimx64.efi.signed

The same setting can be made on the command line:

opsi-admin method configState_create "clientconfig.dhcpd.filename" "<Host-ID>" "opsi/opsi-linux-bootimage/loader/shimx64.efi.signed"

Setting shimx64.efi.signed via the host parameter or the opsi-admin command only serves to activate the UEFI-Boot option in opsi-configed. It does not change the boot file that the external DHCP server hands out; that file is configured on the DHCP server itself. Future releases of opsi-configed are expected to accept the correct file directly and offer a Secure Boot checkbox.
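The following ISC DHCP server configuration is an added example and not part of the opsi documentation or the opsi project. It shows the external DHCP server side of the setup described above: x64 UEFI clients (DHCP client architecture 7 or 9, option 93) receive the Microsoft-signed shim from the opsi server, while all other clients keep the legacy PXE loader. The addresses, the subnet, the TFTP root /tftpboot and the BIOS boot file linux/pxelinux.0 are assumptions for the example and are not stated on this page; adjust them to your environment.

```conf
# Added example (not from the opsi documentation): /etc/dhcp/dhcpd.conf fragment
# for an external DHCP server serving opsi Secure Boot clients.
# Assumptions: opsi server 192.168.1.10 with TFTP root /tftpboot,
#              subnet 192.168.1.0/24, BIOS boot file linux/pxelinux.0.

# DHCP option 93, Client System Architecture (RFC 4578)
option architecture-type code 93 = unsigned integer 16;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;

    # the opsi server answers the TFTP requests for the boot file
    next-server 192.168.1.10;

    # 0x0007 = x64 UEFI, 0x0009 = x64 UEFI (HTTP-boot capable firmware)
    # Both boot the Microsoft-signed shim; with Secure Boot enabled the
    # firmware verifies its signature, otherwise it is loaded unchecked.
    if option architecture-type = 00:07 or option architecture-type = 00:09 {
        filename "opsi/opsi-linux-bootimage/loader/shimx64.efi.signed";
    } else {
        # legacy BIOS clients (0x0000); 32-bit UEFI (0x0006) is not
        # supported by the module, which is 64 bit only
        filename "linux/pxelinux.0";
    }
}
```

Paths in filename are relative to the TFTP root of the opsi server, which is why the value matches the clientconfig.dhcpd.filename host parameter without the /tftpboot prefix. After editing the file, check it with dhcpd -t before restarting the service.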

In addition, switch the template for the UEFI installation in the opsipxeconfd configuration file (/etc/opsi/opsipxeconfd.conf) to the GRUB template. The value of the option

uefi netboot config template x64

must point to

/tftpboot/opsi/opsi-linux-bootimage/cfg/install-grub-x64

so that the entry reads:

uefi netboot config template x64 = /tftpboot/opsi/opsi-linux-bootimage/cfg/install-grub-x64

After saving the change, run opsiconfd setup so that the new configuration is applied.

All UEFI clients boot the file shimx64.efi.signed, which is shipped with opsi-linux-bootimage and signed by Microsoft. Clients with Secure Boot enabled verify this signature in the firmware and then continue; clients with Secure Boot disabled skip the signature check, but likewise start the GRUB2 boot loader through the shim and continue with the installation.

The installation process itself is identical for both. After the installation, Secure Boot clients are in the Secure Boot state (Secure Boot State: On), ordinary UEFI clients are not. Under Windows you can check this with msinfo32 (System Summary, entry Secure Boot State).
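On the Linux side, for example from a shell in the opsi-linux-bootimage or on an installed Linux client, the same state can be read from the UEFI variable SecureBoot that the kernel exposes via efivarfs. The script below is an added example, not part of the opsi documentation or the opsi-linux-bootimage. It assumes the standard efivarfs mount point /sys/firmware/efi/efivars; the variable GUID 8be4df61-93ca-11d2-aa0d-00e04c9f2e5f is the EFI_GLOBAL_VARIABLE GUID defined by the UEFI specification. The helper make_sample_var builds a constructed variable file so the parsing can be exercised without real firmware.

```sh
#!/bin/sh
# Added example (not from the opsi documentation): report the Secure Boot
# state of a UEFI system from the efivarfs view of the SecureBoot variable.
#
# efivarfs file layout: 4 bytes of variable attributes (little-endian UINT32)
# followed by the variable data. For SecureBoot the data is one byte, 0 or 1.

SECUREBOOT_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e04c9f2e5f

# secureboot_state [path]
# Prints one of: enabled, disabled, bios (no variable, i.e. legacy boot or
# no UEFI firmware), unknown (file present but not parsable).
# Exit status: 0 enabled, 1 disabled, 2 bios, 3 unknown.
secureboot_state() {
    var=${1:-$SECUREBOOT_VAR}
    if [ ! -r "$var" ]; then
        echo bios
        return 2
    fi
    # skip the 4 attribute bytes and read the first data byte as a decimal
    value=$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')
    case "$value" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unknown;  return 3 ;;
    esac
}

# make_sample_var path 0|1
# Writes a constructed efivarfs-style file (attributes 0x00000006 = BS|RT,
# then one data byte). Only for testing this script without firmware access.
make_sample_var() {
    printf '\006\000\000\000' > "$1"
    if [ "$2" -eq 1 ]; then
        printf '\001' >> "$1"
    else
        printf '\000' >> "$1"
    fi
}
```

Call secureboot_state without an argument on the running system; in an opsi script the exit status can be used directly, e.g. to abort the installation of a client that was meant to be a Secure Boot client but booted with Secure Boot disabled.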

Configuration of the Secure Boot Clients

The setup menus of the various firmware versions (BIOS/UEFI) use different terms and names. If in doubt, choose the setting that matches your computer:

  • Enable Secure Boot: the setting is often found in the Boot or Startup section, sometimes under Security.

  • Firmware in UEFI mode: if you can choose between UEFI only, Legacy only or Both, select UEFI only; Secure Boot only works with UEFI only. If there is an entry Legacy Support, deactivate it. CSM Support together with UEFI only can remain activated if there is no other choice. UEFI Network Boot must be enabled; the option may also be called Network Stack in the UEFI section. If IPv4 and IPv6 can be configured separately, IPv4 is the correct choice.