opsi SecureBoot bootloader now free for all UEFI installations

With the release and introduction of the opsi SecureBoot module we started using Grub2 as the default bootloader. A Microsoft signed shim and Grub2 enabled SecureBoot. Not long ago, SecureBoot was solely available for customers who purchased the opsi SecureBoot module. This changed in the recent weeks.

Customers using new Dell devices contacted us regarding opsi UEFI module elilo bootloader problems. We found elilo refuses to share allocated memory with the Dell UEFI firmware and is the root cause of opsi-linux-bootimage bootup failures. For context, note that elilo has not been developed since 2013 and is inconsistent with today's UEFI implementations.

To solve this issue, we tested the opsi SecureBoot module shim and Grub2 combination with these particular customers, and everything worked without other complications. The customers changed the DHCP boot filename from elilo.efi to shimx64.efi.signed and changed the opsipxeconfd UEFI netboot pipe template. After these simple changes, the new bootloader was operational.

After these successful tests, we decided to share the shim and Grub2 bootloader combination to anyone using the opsi UEFI module since we expect increased UEFI incompatibility with elilo as it appears its development has come to an end.

Furthermore, the opsi documentation changed to the new default shim/Grub2 combination at the UEFI section of the opsi manual. In addition, the default entry for the UEFI netboot template in the opsipxeconfd package has changed. New opsi UEFI module installations use the new bootloader.

This last change led to another UEFI boot up related issue for opsi installations that didn’t manually modify the opsipxeconfd configuration file. As a result, the system's package manager overwrites the opsipxeconfd configuration file, and although the current netboot template supports Grub2, the bootloader defaults to elilo, causing a UEFI netboot failure. Fortunately, the solution is simple: change your DHCP boot filename to shimx64.efi.signed and restart your DHCP to fix the error.