diff --git a/articles/sles-pxe-server-setup.asm.xml b/articles/sles-pxe-server-setup.asm.xml index ea180981a..2fa60aec9 100644 --- a/articles/sles-pxe-server-setup.asm.xml +++ b/articles/sles-pxe-server-setup.asm.xml @@ -45,6 +45,13 @@ Setting Up a PXE Boot Server + 2026-03-19 + + + Clarified Secure Boot scope to UEFI-based architectures only, documented architecture-specific limitation of the shim package, and updated signed EFI file sourcing guidance. + + + 2026-03-18 diff --git a/tasks/sles-pxe-server-netboot-directories-uefi-secure-boot.xml b/tasks/sles-pxe-server-netboot-directories-uefi-secure-boot.xml index d64b2203b..3d63a2bc1 100644 --- a/tasks/sles-pxe-server-netboot-directories-uefi-secure-boot.xml +++ b/tasks/sles-pxe-server-netboot-directories-uefi-secure-boot.xml @@ -28,7 +28,7 @@ This section explains creating &grub; NetBoot directories for PXE servers using grub2-mknetdir, which generates architecture-specific directories for - &x86-64; (UEFI and BIOS), &aarch64;, and &ppc64le; systems. For &uefisecboot; support, + &x86-64; (UEFI and BIOS), &aarch64;, and &ppc64le; systems. For Secure Boot support, administrators must copy signed EFI files from installation media or use the shim package to replace the default unsigned bootloader files. 
@@ -42,16 +42,41 @@ architecture-specific directories under /srv/tftpboot/boot/grub2/ for different platforms. For example, &x86-64; systems generate both UEFI (x86_64-efi) and legacy BIOS (i386-pc) directories, - while &aarch64; and &ppc64le; systems create their respective UEFI directories - (arm64-efi and powerpc-ieee1275). + and &aarch64; create their UEFI directory + arm64-efi. &ppc64le; systems (powerpc-ieee1275) supports secure boot too; the &grub; bootloader is in /boot/grub2/grub.elf on the ISOs. + + + In the context of this section, Secure Boot applies to &x86-64; and &aarch64; architectures. &grub; PXE Secure Boot for &ppc64le; (which uses a different platform-specific mechanism) is not covered here. + + - For &uefisecboot; support, which is not provided by the default unsigned - core.efi files, administrators can either copy signed EFI files from - installation media or install the shim package and manually copy the - required bootloader files (shim.efi, grub.efi, - MokManager.efi) to the appropriate architecture directories, ensuring - proper symbolic link resolution to keep all files within the TFTP root directory. + For Secure Boot support, which is not provided by the default unsigned + core.efi files, administrators must obtain signed EFI files. + The signed files can be obtained from either of the following sources: + + + + + The shim package installed on the PXE server (zypper install + shim), which provides shim.efi, grub.efi, + and MokManager.efi under + /usr/share/efi/ARCH/. Note that the + shim package provides files only for the architecture of the PXE server + itself. To support a different architecture, use the installation media ISO or manually + extract the files from the architecture-specific shim package. + + + + + The installation media ISO (mounted and copied from /mnt/EFI/BOOT/*.efi), + which provides signed EFI files for the target architecture regardless of the PXE server + architecture. 
+ + + + + The files must be copied to the appropriate architecture directories. This ensures proper symbolic link resolution to keep all files within the TFTP root directory.
@@ -153,7 +178,7 @@ Replace ARCH-efi with x86_64-efi or arm64-efi—the - supported architectures for &uefisecboot;. + supported architectures for Secure Boot.
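Review bot: on the articles/sles-pxe-server-setup.asm.xml revision hunk, the new 2026-03-19 entry says the Secure Boot scope was clarified to "UEFI-based architectures only", but the body text added in the tasks file at @@ -42 still adds "&ppc64le; systems (powerpc-ieee1275) supports secure boot too; the &grub; bootloader is in /boot/grub2/grub.elf on the ISOs." Either the changelog should say that ppc64le is mentioned only as out of scope, or that sentence should be dropped from the body, so the two files agree on what was clarified.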
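Review bot: on the tasks hunk at @@ -28, replacing the &uefisecboot; entity with the literal "Secure Boot" is done here and again at @@ -42 and @@ -153, but nowhere else in the diff; check the rest of this task file and the article for remaining &uefisecboot; uses so the term is not rendered two different ways on the same page, and, if the entity is no longer referenced anywhere, retire it from the entity file.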
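Review bot: on the tasks hunk at @@ -42, the added sentence "&ppc64le; systems (powerpc-ieee1275) supports secure boot too; the &grub; bootloader is in /boot/grub2/grub.elf on the ISOs." contradicts the note that immediately follows it ("Secure Boot for &ppc64le; ... is not covered here") and has two grammar slips: "supports" should be "support", and "and &aarch64; create their UEFI directory" is missing "systems". Suggest keeping the directory list factual ("while &aarch64; systems create their UEFI directory arm64-efi and &ppc64le; systems create powerpc-ieee1275") and moving the grub.elf remark into the note as the out-of-scope pointer, with "Secure Boot" capitalized as elsewhere in the hunk. Two further points on the new list: first, the shim bullet states the shim package "provides shim.efi, grub.efi, and MokManager.efi"; please confirm grub.efi really ships in shim on SLES rather than in grub2-ARCH-efi (my recollection is the latter), and if so name both packages in the zypper install line. Second, "/usr/share/efi/ARCH/" leaves ARCH undefined while the target directories at @@ -153 are spelled x86_64-efi and arm64-efi, so give the literal source directory names (presumably x86_64 and aarch64, to be verified) to avoid readers guessing. For the ISO bullet, add a sentence telling readers to verify the downloaded ISO against its published checksum or signature before copying /mnt/EFI/BOOT/*.efi, since the signed files are only as trustworthy as the image they came from. Finally, the closing paragraph "The files must be copied ... This ensures proper symbolic link resolution" reverses cause and effect; the point is that files must be real copies under the TFTP root rather than symlinks to /usr/share/efi, because the TFTP daemon serves only paths beneath its root, so reword it to say that.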