Differences between revisions 23 and 24
Revision 23 as of 2019-04-08 09:32:31
Size: 8583
Revision 24 as of 2020-02-25 14:37:19
Size: 9179
Comment: Disable Secure Boot in BIOS
Line 203: Line 203:
Disable Secure Boot in BIOS

If the PXE client system BIOS is configured for UEFI_ Secure_Boot_
then the PXE boot will fail with an error about an **invalid signature**.

As explained in `Installation of RHEL8 on UEFI system with Secure Boot enabled fails with error 'invalid signature' on vmlinuz <https://access.redhat.com/solutions/3771941>`_
RedHat is currently working on a solution for RHEL 8.

**Workaround:** Disable secureboot from BIOS settings.

.. _Secure_Boot: https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#SECURE-BOOT
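
Review bot: the **Workaround** line tells the reader to disable Secure Boot but does not say whether it only has to be off for the PXE install or must stay off afterwards; say which, so that hosts are not left with Secure Boot disabled by default. The cited Red Hat solution is about RHEL 8 while this page documents CentOS 7, so state which releases the 'invalid signature' error was actually seen on. Minor: write 'Red Hat' and 'Secure Boot' (the text has 'RedHat' and 'secureboot'), and 'is currently working on a solution' will go stale without a date.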

Install CentOS 7 via PXE and UEFI


This HowTo guide documents how to install CentOS 7 using PXE on a client host booting by UEFI.

This page assumes that you already have a working DHCP and PXE boot server for installing client hosts using the legacy BIOS boot method. Optionally, you may also use an NFS server to store Kickstart files.

See also some useful pages:

Setting up the DHCP and PXE server

Enable UEFI support in the DHCP server

We assume a Linux DHCP server and add the following to /etc/dhcpd.conf in the top (global) section (no documentation has been found):

# These settings are required for UEFI boot:
option space PXE;
option PXE.mtftp-ip    code 1 = ip-address;
option PXE.mtftp-cport code 2 = unsigned integer 16;
option PXE.mtftp-sport code 3 = unsigned integer 16;
option PXE.mtftp-tmout code 4 = unsigned integer 8;
option PXE.mtftp-delay code 5 = unsigned integer 8;
option arch code 93 = unsigned integer 16; # RFC4578

The Client System Architecture Type Option 93 (EFI x86-64) is defined in RFC4578.

In the DHCP subnet section(s) define UEFI or PXE (legacy) boot images in the uefi/ subdirectory:

# UEFI x86-64 boot (RFC4578 architecture types 7, 8 and 9)
if option arch = 00:07 {
      filename "uefi/bootx64.efi";
} else if option arch = 00:08 {
      filename "uefi/bootx64.efi";
} else if option arch = 00:09 {
      filename "uefi/bootx64.efi";
} else {
      # PXE boot
      filename "pxelinux.0";
}

NOTE: It seems that having the boot file in a subdirectory such as uefi/bootx64.efi will cause the client host PXE to download all further files also from that same uefi/ subdirectory, so you need to place other files there.

Copy UEFI boot files

Here we have created a special directory for UEFI boot files on the TFTP server:

mkdir /var/lib/tftpboot/uefi

We need to copy UEFI boot files from CentOS 7, and we need these RPMs:

yum install grub2-efi-x64 shim-x64

UEFI boot files may be located in different places depending on your distribution:


Copy the boot files, for example:

cp -p /boot/efi/EFI/centos/*.efi /var/lib/tftpboot/uefi/
chmod 755 /var/lib/tftpboot/uefi/*.efi

Alternatively, you can build your own using this RPM:

yum install grub2-efi-x64-modules

Then build your own boot file bootx64.efi by:

grub2-mkstandalone -d /usr/lib/grub/x86_64-efi/ -O x86_64-efi --modules="tftp net efinet linux part_gpt efifwsetup" -o /var/lib/tftpboot/uefi/bootx64.efi

The grub2 modules are documented in https://www.linux.org/threads/understanding-the-various-grub-modules.11142/

Copy CentOS Linux boot images

For each CentOS (and other OS) version you should copy Linux boot images to a separate directory on the TFTP server, for example:

mkdir /var/lib/tftpboot/CentOS-7.5.1804-x86_64/

and download the PXE boot images:

cd /var/lib/tftpboot/CentOS-7.5.1804-x86_64/
wget http://mirror.centos.org/centos-7/7.5.1804/os/x86_64/images/pxeboot/initrd.img
wget http://mirror.centos.org/centos-7/7.5.1804/os/x86_64/images/pxeboot/vmlinuz

Other mirror sites may be used instead of mirror.centos.org.
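
The wget commands above fetch the kernel and initrd over plain HTTP with no integrity check. As an added example (not part of the original page), the shell function below compares both files with the SHA-256 values in the tree's .treeinfo file; the function name is hypothetical and the `[checksums]` line format shown in the comments is an assumption about the mirror's .treeinfo.

```shell
#!/bin/sh
# Added example: check PXE boot images against the [checksums] section of a
# distribution tree's .treeinfo before serving them over TFTP.
# Assumed line format: "images/pxeboot/vmlinuz = sha256:<hex>".

# verify_pxe_images TREEINFO DIR
# Returns 0 only if DIR/vmlinuz and DIR/initrd.img both match.
verify_pxe_images() {
    treeinfo=$1
    dir=$2
    rc=0
    for name in vmlinuz initrd.img; do
        # Read the hash from inside [checksums] only; other sections
        # (e.g. [images-x86_64]) mention the same paths without hashes.
        want=$(awk -v key="images/pxeboot/$name" '
            /^\[/ { in_sums = ($0 == "[checksums]"); next }
            in_sums {
                n = split($0, kv, /[ \t]*=[ \t]*/)
                if (n == 2 && kv[1] == key && kv[2] ~ /^sha256:/) {
                    sub(/^sha256:/, "", kv[2]); print kv[2]; exit
                }
            }' "$treeinfo")
        if [ -z "$want" ]; then
            echo "NOHASH   $name"; rc=1; continue
        fi
        if [ ! -f "$dir/$name" ]; then
            echo "ABSENT   $name"; rc=1; continue
        fi
        got=$(sha256sum "$dir/$name" | awk '{print $1}')
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done
    return $rc
}

# Script use: verify.sh /path/to/.treeinfo /var/lib/tftpboot/CentOS-7.5.1804-x86_64
if [ $# -eq 2 ]; then
    verify_pxe_images "$1" "$2"
fi
```

A .treeinfo fetched over the same HTTP connection only detects corruption; fetch it over HTTPS from a mirror you trust if the check is meant to detect tampering.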

Create grub.cfg file

The uefi/bootx64.efi boot file will be looking for a Grub configuration file uefi/grub.cfg in the same subdirectory. Create /var/lib/tftpboot/uefi/grub.cfg with the contents:

set default="0"
function load_video {
  insmod efi_gop
  insmod efi_uga
  insmod video_bochs
  insmod video_cirrus
  insmod all_video
}
set gfxpayload=keep
insmod net
insmod efinet
insmod tftp
insmod gzio
insmod part_gpt
insmod ext2
set timeout=60
search --no-floppy --set=root -l 'CentOS 7.5 x86_64'
menuentry 'Install CentOS Linux 7.5' --class fedora --class gnu-linux --class gnu --class os {
  linuxefi (tftp)/CentOS-7.5.1804-x86_64/vmlinuz ip=dhcp inst.repo=http://mirror.centos.org/centos-7/7.5.1804/os/x86_64/
  initrdefi (tftp)/CentOS-7.5.1804-x86_64/initrd.img
}

Other mirror sites may be used instead of mirror.centos.org.

Additional menu entries may be appended to the above, for example:

menuentry 'Install CentOS Linux 7.5 from NFS server' --class fedora --class gnu-linux --class gnu --class os {
  linuxefi (tftp)/CentOS-7.5.1804-x86_64/vmlinuz ip=dhcp inst.repo=nfs:ro,rsize=8192,wsize=8192,tcp,vers=3,nolock:nfs-server.example.com:/opt/centos75/os/x86_64
  initrdefi (tftp)/CentOS-7.5.1804-x86_64/initrd.img
}

Configuring Kickstart automated install

Automated installation using Anaconda is possible with UEFI as well as PXE legacy booting. In the above grub.cfg file use:

  • inst.ks= Gives the location of a Kickstart file to be used to automate the installation.

For example, the following menu item may be added to grub.cfg to download a Kickstart file ks-centos-7.5.1804-uefi-x86_64.cfg from the NFS server at IP address <server-IP>:

menuentry 'Install CentOS Linux 7.5 using Kickstart' --class fedora --class gnu-linux --class gnu --class os {
  linuxefi (tftp)/CentOS-7.5.1804-x86_64/vmlinuz ip=dhcp inst.ks=nfs:<server-IP>:/opt/kickstart/ks-centos-7.5.1804-uefi-x86_64.cfg
  initrdefi (tftp)/CentOS-7.5.1804-x86_64/initrd.img
}

The Kickstart Boot Options are defined in the page https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/chap-anaconda-boot-options#sect-boot-options-installer

Setting up an NFS server is not discussed here.

Disk partitions

With UEFI systems it is required to configure a special partition:


in your Kickstart file. See also:

It is most convenient to configure boot partitions using reqpart:

  • Automatically create partitions required by your hardware platform. These include a /boot/efi for x86_64 and Aarch64 systems with UEFI firmware, biosboot for x86_64 systems with BIOS firmware and GPT, and PRePBoot for IBM Power Systems.

An example Kickstart file section about disk partitions and using reqpart may be:

reqpart --add-boot
part swap --size 50000 --asprimary
part pv.01 --fstype xfs --size=1 --grow --asprimary
volgroup VolGroup00 pv.01
logvol / --fstype xfs --name=lv_root --vgname=VolGroup00 --size=32768

Disable Secure Boot in BIOS

If the PXE client system BIOS is configured for UEFI Secure Boot, then the PXE boot will fail with an error about an invalid signature.

As explained in "Installation of RHEL8 on UEFI system with Secure Boot enabled fails with error 'invalid signature' on vmlinuz" (https://access.redhat.com/solutions/3771941), Red Hat is currently working on a solution for RHEL 8.

Workaround: Disable Secure Boot in the BIOS settings.
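
To keep track of which installed hosts were left with Secure Boot off by this workaround, the firmware state can be read from the running system. This is an added example, not part of the original page; the function names are hypothetical, and it reads the standard SecureBoot and SetupMode UEFI variables through efivarfs.

```shell
#!/bin/sh
# Added example: report the firmware Secure Boot state of a Linux host by
# reading UEFI variables from efivarfs. Each efivarfs file holds 4 bytes of
# attributes followed by the variable data (a single byte for these two).

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the first data byte of an efivarfs file as a decimal number,
# or nothing if the file is missing, unreadable or too short.
efivar_byte() {
    [ -r "$1" ] || return 0
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# secure_boot_state [EFIVARS_DIR]
# Prints: enforcing | setup-mode | disabled | unknown | not-uefi
secure_boot_state() {
    vars=${1:-/sys/firmware/efi/efivars}
    if [ ! -d "$vars" ]; then
        echo not-uefi          # no efivars directory: legacy BIOS boot
        return 0
    fi
    sb=$(efivar_byte "$vars/SecureBoot-$EFI_GLOBAL_GUID")
    sm=$(efivar_byte "$vars/SetupMode-$EFI_GLOBAL_GUID")
    if [ -z "$sb$sm" ]; then
        echo unknown           # efivarfs not mounted or not readable
    elif [ "$sm" = 1 ]; then
        echo setup-mode        # no Platform Key enrolled, signatures not enforced
    elif [ "$sb" = 1 ]; then
        echo enforcing
    else
        echo disabled          # the state the workaround above leaves a host in
    fi
}

secure_boot_state "$@"
```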

efibootmgr - manipulate the EFI Boot Manager

efibootmgr is a userspace application used to modify the Intel Extensible Firmware Interface (EFI) Boot Manager. This application can create and destroy boot entries, change the boot order, change the next running boot option, and more.

To show the current boot order:

efibootmgr -v

Some useful command options (see the efibootmgr page):

-n | --bootnext XXXX   set BootNext to XXXX (hex)
-N | --delete-bootnext delete BootNext
-o | --bootorder XXXX,YYYY,ZZZZ,...     explicitly set BootOrder (hex)
-O | --delete-bootorder   delete BootOrder
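
For a PXE reinstall, setting BootNext once avoids leaving the network entry first in BootOrder, where the host would try PXE before its disk on every boot. The following is an added example, not part of the original page: the function names are hypothetical and the efibootmgr output is a constructed sample.

```shell
#!/bin/sh
# Added example: pick the network boot entry out of `efibootmgr -v` output so a
# reinstall can use a one-shot BootNext instead of a permanent BootOrder change.

# Constructed sample of `efibootmgr -v` output (not captured from a real host).
sample_efibootmgr() {
    cat <<'EOF'
BootCurrent: 0003
Timeout: 1 seconds
BootOrder: 0000,0003,0001
Boot0000* UEFI: PXE IPv4 NIC1 PciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,0)/IPv4(0.0.0.00.0.0.0,0,0)
Boot0001  UEFI: PXE IPv6 NIC1 PciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,0)/IPv6([::]:<->[::]:,0,0)
Boot0003* CentOS HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x64000)/File(\EFI\centos\shimx64.efi)
EOF
}

# Print the number of the first active (*) entry with a MAC + IPv4 device path.
# Exit status is non-zero if there is none.
pxe_boot_entry() {
    awk '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]\*/ && /MAC\(/ && /IPv4\(/ {
            print substr($0, 5, 4); found = 1; exit
        }
        END { exit !found }'
}

# Succeed if the first BootOrder entry is a network entry, i.e. the host tries
# PXE before its disk on every boot.
pxe_first_in_bootorder() {
    awk '
        /^BootOrder:/ { split($2, order, ","); first = order[1]; next }
        /^Boot[0-9A-Fa-f]/ && /MAC\(/ { net[substr($0, 5, 4)] = 1 }
        END { exit !(first in net) }'
}

# On a real host (needs root):
#   n=$(efibootmgr -v | pxe_boot_entry) && efibootmgr -n "$n"
sample_efibootmgr | pxe_boot_entry
```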

IT-wiki: PXE_and_UEFI (last edited 2021-06-03 09:15:37 by OleHolmNielsen)