Secure Boot

Justin Cattle j at
Mon Mar 1 21:44:30 CET 2021

I got this working in the end.

A few key takeaways if anyone else is looking at this.

If you are using debian for the nfsroot, you have to use buster, as Secure
Boot was not supported properly on any release before that.

The nfsroot should contain these packages: shim-signed,

You have to use grub as the boot loader, not syslinux.

Make sure the following files are copied into your tftp dir:

NFSROOT/usr/lib/shim/shimx64.efi.signed -> bootx64.efi
NFSROOT/usr/lib/grub/x86_64-efi-signed/grubnetx64.efi.signed -> grubx64.efi
NFSROOT/usr/share/grub/unicode.pf2 -> grub/fonts/unicode.pf2
NFSROOT/usr/lib/grub/x86_64-efi -> grub/x86_64-efi

You may also need to symlink the grub dir back from the tftp root, in our
case that looked like: TFTP_DIR/grub -> TFTP_DIR/fai/grub

Then you need a grub.cfg in: TFTP_DIR/fai/grub/grub.cfg

Ours looked a little like this:

set default="0"
set timeout=1

if loadfont unicode ; then
  set gfxmode=auto
  set locale_dir=$prefix/locale
  set lang=en_US
terminal_output gfxterm

set menu_color_normal=white/black
set menu_color_highlight=black/light-gray
if background_color 44,0,30; then

menuentry 'FAI' {
        linux fai/vmlinuz console=ttyS0,115200n8 console=tty0 ip=dhcp
root= rootovl
FAI_FLAGS=verbose,sshd,createvt,reboot FAI_ACTION=install BOOTIF=$net_default_mac
        initrd fai/initrd.img


On Thu, 25 Feb 2021 at 16:05, Justin Cattle <j at> wrote:

> Hi FAI-ers,
> Has anyone done any work on using FAI on hardware that has Secure Boot
> enabled ?
> In particular I'm interested in what you are doing in your nfsroot.
> Cheers,
> Just


This email is confidential and may contain copyright material of 
members of the Ocado Group. Opinions and views expressed in this message 
may not necessarily reflect the opinions and views of the members of the 
Ocado Group.

If you are not the intended recipient, please notify us 
immediately and delete all copies of this message. Please note that it is 
your responsibility to scan this message for viruses.

References to the 
"Ocado Group" are to Ocado Group plc (registered in England and Wales with 
number 7098618) and its subsidiary undertakings (as that expression is 
defined in the Companies Act 2006) from time to time. The registered office 
of Ocado Group plc is Buildings One & Two, Trident Place, Mosquito Way, 
Hatfield, Hertfordshire, AL10 9UL.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the linux-fai mailing list