Diskless boot with UEFI SECURE BOOT

2023-08-12
diskless, boot, client, uefi, secureboot


After CCBootCloud 2023 ver 0812, Secure Boot is supported (upgrade the server and the image).

  • Verify UEFI Compatibility
    Check if your motherboard firmware supports UEFI and Secure Boot for Windows 10/11. If not, update the motherboard's firmware to the latest version available on the official motherboard website.
    If your BIOS version is very old, you must install the updates one at a time, from the oldest version to the latest.

MSI Secure boot

  1. Access the BIOS settings and navigate to the boot page. (Figure 1)

Figure 1

  1. Set Secure Boot to Windows UEFI mode. (Figure 2)

Figure 2

  1. Next, on the Secure Boot page, go to Key Management and import Youngzsoft.cer from the USB drive prepared earlier into DB Management. (Figure 3)
    (*DBX is the Secure Boot blacklist of keys; a certificate imported there is blocked instead of trusted. DO NOT IMPORT INTO DBX.)

Figure 3

  1. When you choose DB Management, it will prompt you to select the input file format. Choose 'Public Key Certificate'. (Figure 4)

Figure 4

  1. When prompted to append key, click 'No' to continue from the USB drive. (Figure 5)

Figure 5

  1. Select the USB drive; Youngzsoft.cer will then appear in the list. Click on it. (Figure 6)

Figure 6

  1. Once you are done, save the BIOS changes and go back to create a UEFI boot image.


  1. Once the image is ready, go to the Boot section of the iCafeCloud admin panel, edit the client PC and select secureboot in the PXE field. (Figure 7)

Figure 7

  1. If appending the key fails, unplug the USB mouse and use only the keyboard, or follow the steps below. (Figure 8)

Figure 8

  1. Here is how to update the BIOS and get Secure Boot to work:
    Step 1 - Ensure that you update the BIOS to the latest version.
    Step 2 - After the BIOS update is complete, reboot your system.
    Step 3 - Unplug the flash drive.
    Step 4 - Navigate to the BIOS settings and choose either IEXPO or XMP Profile 1. (Figure 9)
    Step 5 - Reboot your system to apply the selected profile.
    Step 6 - Load back into the BIOS, go to the Security tab, and follow the steps outlined in the wiki.
    Use only the keyboard and unplug the mouse for this to work!

Figure 9

GIGABYTE Secure boot

  1. Open BIOS then go to IO ports (Figure 1).

Figure 1

  1. Then go to “Settings>Network Stack Configuration” (Figure 2).

Figure 2

  1. Enable the network stack if it is disabled (Figure 3).

Figure 3

  1. Then, in the “Boot” tab, check that the settings match Figures 4 and 5.

Figure 4

Figure 5

  1. Finally, save and exit. (Figure 6)

Figure 6

  1. Once the reboot is done, open the Secure Boot page again. (Figure 7)

Figure 7

  1. Navigate to Key Management. (Figure 8)

Figure 8

  1. On the Key Management page, click on “Authenticated Signatures” and import the Youngzsoft.cer that you previously created. (Figure 9)

Figure 9

  1. When opting for "Authenticated Signatures," the system will prompt you to choose the input file format. Select 'Public Key Certificate.'
  2. Following that, it will ask whether you want to append Youngzsoft.cer; click Yes to proceed.
  3. Once you are done, save the BIOS changes and go back to create a UEFI boot image.
  4. Once the image is ready, go to the Boot section of the iCafeCloud admin panel, edit the client PC and select secureboot in the PXE field. (Figure 10)

Figure 10

  1. If a "Failed" error (Secure Boot violation) persists after disconnecting the mouse (Figure 11), follow the steps below.

Figure 11

  1. Locate a PC that can successfully import keys (based on user experience, approximately 1/2 of all PCs can).
  2. Import the keys on this PC, save the changes, and navigate to "Export all DB keys".
  3. Save these keys onto a USB drive.
  4. Connect the USB drive to the PC that is unable to import keys manually.
  5. Instead of attempting to append keys from Youngzsoft.cer, update the authorized keys using the record from the USB drive (on Gigabyte motherboards, this file is typically named "db").
  6. Save the changes and exit.
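
The steps above replace a PC's authorized keys with a file exported from another PC, so it is worth listing what that file contains before loading it. The following is an added example, not part of the original wiki or the vendor's tooling. It assumes the exported "db" file holds the raw db variable as EFI_SIGNATURE_LIST structures per the UEFI specification; the function names, OWNER GUID and sample bytes are constructed for illustration.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

def parse_signature_lists(blob):
    """Return one dict per signature in a run of EFI_SIGNATURE_LIST structures."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = list_size - 28 - hdr_size
        if (list_size > len(blob) - off or sig_size <= 16
                or body < 0 or body % sig_size):
            raise ValueError("inconsistent sizes in EFI_SIGNATURE_LIST")
        for pos in range(off + 28 + hdr_size, off + list_size, sig_size):
            data = blob[pos + 16:pos + sig_size]  # skip the 16-byte owner GUID
            entries.append({
                "type": TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=blob[pos:pos + 16])),
                "sha256": hashlib.sha256(data).hexdigest(),  # fingerprint of the entry data
            })
        off += list_size
    return entries

def unexpected_entries(blob, expected_der_certs):
    """Entries that are not one of the DER certificates you intend to trust."""
    wanted = {hashlib.sha256(c).hexdigest() for c in expected_der_certs}
    return [e for e in parse_signature_lists(blob)
            if e["type"] != "x509" or e["sha256"] not in wanted]

def make_list(sig_type, owner, payload):
    """Build a one-entry EFI_SIGNATURE_LIST (for the constructed sample only)."""
    size = 16 + len(payload)
    head = sig_type.bytes_le + struct.pack("<III", 28 + size, 0, size)
    return head + owner.bytes_le + payload

# Constructed sample: placeholder bytes stand in for real DER certificates.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
VENDOR_CER, OTHER_CER = b"placeholder for Youngzsoft.cer", b"placeholder for another cert"
SAMPLE_DB = (make_list(EFI_CERT_X509_GUID, OWNER, VENDOR_CER)
             + make_list(EFI_CERT_X509_GUID, OWNER, OTHER_CER))
```

For a real check, read the exported file and the .cer with open(path, "rb").read(); a PEM-encoded .cer must first be converted to DER (for example with ssl.PEM_cert_to_DER_cert).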


Asrock Secure boot

  1. Go to Advanced Mode. (Figure 1)

Figure 1

  1. Then select Security and click on Secure Boot to enable it. (Figure 2)

Figure 2

  1. For Secure Boot Mode, select Custom. (Figure 3)

Figure 3

  1. Select Key Management. (Figure 4)

Figure 4

  1. Click on the Authorized Signatures (Figure 5)

Figure 5

  1. A popup window will open with 2 options; select Append. (Figure 6)

Figure 6

  1. After you select Append, it will ask you to load factory reset; click “NO”. (Figure 7)

Figure 7

  1. You will get the option to load from the USB; press Enter to continue. (Figure 8)

Figure 8

  1. Click on the USB drive that you prepared earlier with Youngzsoft.cer. (Figure 9)

Figure 9

  1. Then select Public Key Certificate. (Figure 10)

Figure 10

  1. Next, it will ask whether to append Youngzsoft.cer; click YES. (Figure 11)

Figure 11

  1. You're done. Save the changes and exit.

Figure 12

ASUS Secure boot

  1. In the BIOS, select Advanced Mode. (Figure 1)

Figure 1

  1. Navigate to “Boot” and click on Secure Boot. (Figure 2)

Figure 2

  1. Select OS type “Windows UEFI mode” and Secure Boot mode “Custom”. (Figure 3)

Figure 3

  1. Next, click on Key Management. (Figure 4)

Figure 4

  1. In the list of options, click on “DB Management”. (Figure 5)

Figure 5

  1. On DB Management, select Append key. (Figure 6)

Figure 6

  1. On Append key, it will ask whether to load factory default; select No. (Figure 7)

Figure 7

  1. Next, select the USB drive you prepared earlier, as requested at the start of this manual. (Figure 8)

Figure 8

  1. Next, select the Youngzsoft.cer file (you can find it at the start of this manual). (Figure 9)

Figure 9

  1. For the input file format, select “Public key Certificate”. (Figure 10)

Figure 10

  1. Next, it will ask whether to append the key; select Yes. (Figure 11)

Figure 11

  1. Save the changes and exit. (Figure 12)

Figure 12
