How to replace the NBP (Network Boot Program) of the Q35 EFI VM to iPXE ?

[shodan]

Hi,

I am experimenting with netbooting my VM and I would like to use iPXE.
The intel 440 VM has ipxe pre-installed by the Q35 has some other PXE client as the boot rom.

I would like to put my own updated ipxe firmware in both of these VM.

How do I do that ?

thanks !

 

[fba]

Hi,

just checked on a PVE 8.3.0: both chipsets result in usage of iPXE 1.20.1+ (g4bd0). What PVE are you using?
The only difference I have seen so far is from booting with SeaBios vs. booting with OVMF (UEFI)

For the change of the firmware: AFAIK even so Qemu provides the possibility to use different PXE ROM for SeaBIOS boot, Proxmox VE doesn't.
The firmware files use by PVE are stored in /usr/share/kvm/. If you make changes to one of the existing ones, it will effect all vm using them, not just selected ones and with next package update any change might be overwritten. As the PXE functionality is provided by option ROMs it is stored in the network adapter related files, like pxe-virtio.rom.

For OVMF (UEFI) boot the PXE functionality is built-in instead. You will have to build your own EDK2/OVMF and replace the existing one.

 

[shodan]

Hi,

I am running PVE 8.3, trying in a OVMF UEFI Q35 VM
Does not show the iPXE banner when booting it looks like an unnamed PXE boot rom ?
Maybe something default provided with UEFI ?




In my proxydhcp running dnsmasq I hand out ipxe.efi to client whose userclass is not iPXE

root@ipxe:~# cat /etc/dnsmasq.d/pxe.conf

# Enable Proxy DHCP
dhcp-range=192.168.1.0,proxy,255.255.255.0

# Tag for iPXE clients based on the "iPXE" User-Class
dhcp-userclass=set:ipxe,iPXE

# PXE service for x86PC
# Serve "ipxe.pxe" to regular PXE clients
pxe-service=tag:!ipxe,x86PC,'Load iPXE firmware for PXE clients',ipxe.pxe

# Serve "autoexec.ipxe" to iPXE clients (based on the iPXE tag)
pxe-service=tag:ipxe,x86PC,'Load iPXE script via TFTP',autoexec.ipxe

# UEFI configurations for x86-64 EFI
# (Unchanged in this example)
pxe-service=X86-64_EFI,'Start iPXE (EFI)',ipxe.efi

# PXE prompt message (optional, uncomment if desired)
# pxe-prompt="PXE Boot Menu",10

I have created an iPXE EFI 64 rom using the following build url on my rom-o-matic lxc thing

http://rom-o-matic.lan/?BINARY=8086...KEYBOARD:=1&branding.h/PRODUCT_NAME=alldress&

I attached the rom file this created 80861539.efirom

It is strange ipxe.org seems to expect user to build their own rom, you would think the most common roms would be pre-compiled, but I can't find 'em.
Make updating quite a chore !

So anyway, I look in /usr/share/kvm and there are quite a few rom files in there.

efi-e1000e.rom    efi-pcnet.rom    pxe-e1000.rom     pxe-rtl8139.rom
efi-e1000.rom     efi-rtl8139.rom  pxe-eepro100.rom  pxe-virtio.rom
efi-eepro100.rom  efi-virtio.rom   pxe-ne2k_pci.rom  qboot.rom
efi-ne2k_pci.rom  efi-vmxnet3.rom  pxe-pcnet.rom

Looks like mine is the efi-e1000.rom ?

When I compiled this I had to specify the VENDOR and DEVICE ID
Strangely that is not specified on the build url, I set 8086 and 1539

I renamed efi-e1000.rom to efi-e1000.rom.bak
Then I copied over 80861539.efirom to /usr/share/kvm/efi-e1000.rom

But that just broke it apparently



Will work on that more tomorrow !

 

[shodan]

Oh I was close, I just got the wrong device id I though it was the same for LXCs, which is all I had an actually OS running in.

but the right vendor/device ID is 8086 and 100e



So it appears that it starts as "exact version unspecified" ipxe 1.0 and it actually receives a ipxe.efi file from the dhcpproxy server
So that means the user class is wrong too

Here is the build url for that one

http://rom-o-matic.lan/?BINARY=ipxe...KEYBOARD:=1&branding.h/PRODUCT_NAME=alldress&



This might make using efi-virtio.rom a problem ?
Does the rom get uploaded to the network card processor ?
The vendor and device code will require to match that of the paravirtualized network card ??

Built it again, this time I put the version number in the PRODUCT_NAME,
Can't find where to change the displayed version or the "PXE user class"



I include in attachement this new rom

 

[shodan]

I was curious why does it boot ipxe.efi instead of autoexec.ipxe

I got the logs out of the dhcp proxy server

Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 available DHCP subnet: 192.168.1.0/255.255.255.0
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 vendor class: PXEClient:Arch:00007:UNDI:003010
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 user class: iPXE
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 PXE(eth0) bc:24:11:72:ba:18 proxy
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 tags: ipxe, eth0
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 next server: 192.168.1.150
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 broadcast response
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 sent size:  1 option: 53 message-type  2
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 sent size:  4 option: 54 server-identifier  192.168.1.150
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 sent size:  9 option: 60 vendor-class  50:58:45:43:6c:69:65:6e:74
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 sent size: 17 option: 97 client-machine-id  00:cd:02:70:c6:4d:76:70:4e:ab:c0:42:75:48...
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 available DHCP subnet: 192.168.1.0/255.255.255.0
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 vendor class: PXEClient:Arch:00007:UNDI:003010
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 user class: iPXE
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 available DHCP subnet: 192.168.1.0/255.255.255.0
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 vendor class: PXEClient:Arch:00007:UNDI:003010
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 user class: iPXE
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 PXE(eth0) bc:24:11:72:ba:18 proxy
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 tags: ipxe, eth0
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 bootfile name: ipxe.efi
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 server name: 192.168.1.150
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 next server: 192.168.1.150
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 sent size:  1 option: 53 message-type  5
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 sent size:  4 option: 54 server-identifier  192.168.1.150
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 sent size:  9 option: 60 vendor-class  50:58:45:43:6c:69:65:6e:74
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 sent size: 17 option: 97 client-machine-id  00:cd:02:70:c6:4d:76:70:4e:ab:c0:42:75:48...


Jan  4 11:47:51 dnsmasq-tftp[505]: sent /tftp/ipxe.efi to 192.168.1.139


Jan  4 11:47:57 dnsmasq-dhcp[505]: 2450945538 available DHCP subnet: 192.168.1.0/255.255.255.0
Jan  4 11:47:57 dnsmasq-dhcp[505]: 2450945538 vendor class: PXEClient
Jan  4 11:47:57 dnsmasq-dhcp[505]: 2450945538 user class: iPXE
Jan  4 11:47:57 dnsmasq-dhcp[505]: 2450945538 PXE(eth0) bc:24:11:72:ba:18 proxy
Jan  4 11:47:57 dnsmasq-dhcp[505]: 2450945538 tags: ipxe, eth0
Jan  4 11:47:57 dnsmasq-dhcp[505]: 2450945538 next server: 192.168.1.150
Jan  4 11:47:57 dnsmasq-dhcp[505]: 2450945538 broadcast response
Jan  4 11:47:57 dnsmasq-dhcp[505]: 2450945538 sent size:  1 option: 53 message-type  2
Jan  4 11:47:57 dnsmasq-dhcp[505]: 2450945538 sent size:  4 option: 54 server-identifier  192.168.1.150
Jan  4 11:47:57 dnsmasq-dhcp[505]: 2450945538 sent size:  9 option: 60 vendor-class  50:58:45:43:6c:69:65:6e:74
Jan  4 11:47:57 dnsmasq-dhcp[505]: 2450945538 sent size: 17 option: 97 client-machine-id  00:cd:02:70:c6:4d:76:70:4e:ab:c0:42:75:48...


Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 available DHCP subnet: 192.168.1.0/255.255.255.0
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 vendor class: PXEClient
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 user class: iPXE
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 available DHCP subnet: 192.168.1.0/255.255.255.0
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 vendor class: PXEClient:Arch:00007:UNDI:003010
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 user class: iPXE
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 PXE(eth0) bc:24:11:72:ba:18 proxy
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 tags: ipxe, eth0
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 bootfile name: ipxe.efi
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 server name: 192.168.1.150
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 next server: 192.168.1.150
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 sent size:  1 option: 53 message-type  5
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 sent size:  4 option: 54 server-identifier  192.168.1.150
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 sent size:  9 option: 60 vendor-class  50:58:45:43:6c:69:65:6e:74
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 sent size: 17 option: 97 client-machine-id  00:cd:02:70:c6:4d:76:70:4e:ab:c0:42:75:48...


Jan  4 11:48:15 dnsmasq-tftp[505]: sent /tftp/ipxe.efi to 192.168.1.139


Jan  4 11:48:21 dnsmasq-dhcp[505]: 1711223121 available DHCP subnet: 192.168.1.0/255.255.255.0
Jan  4 11:48:21 dnsmasq-dhcp[505]: 1711223121 vendor class: PXEClient
Jan  4 11:48:21 dnsmasq-dhcp[505]: 1711223121 user class: iPXE
Jan  4 11:48:21 dnsmasq-dhcp[505]: 1711223121 PXE(eth0) bc:24:11:72:ba:18 proxy
Jan  4 11:48:21 dnsmasq-dhcp[505]: 1711223121 tags: ipxe, eth0
Jan  4 11:48:21 dnsmasq-dhcp[505]: 1711223121 next server: 192.168.1.150
Jan  4 11:48:21 dnsmasq-dhcp[505]: 1711223121 broadcast response
Jan  4 11:48:21 dnsmasq-dhcp[505]: 1711223121 sent size:  1 option: 53 message-type  2
Jan  4 11:48:21 dnsmasq-dhcp[505]: 1711223121 sent size:  4 option: 54 server-identifier  192.168.1.150
Jan  4 11:48:21 dnsmasq-dhcp[505]: 1711223121 sent size:  9 option: 60 vendor-class  50:58:45:43:6c:69:65:6e:74
Jan  4 11:48:21 dnsmasq-dhcp[505]: 1711223121 sent size: 17 option: 97 client-machine-id  00:cd:02:70:c6:4d:76:70:4e:ab:c0:42:75:48...


Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 available DHCP subnet: 192.168.1.0/255.255.255.0
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 vendor class: PXEClient
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 user class: iPXE
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 available DHCP subnet: 192.168.1.0/255.255.255.0
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 vendor class: PXEClient:Arch:00007:UNDI:003010
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 user class: iPXE
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 PXE(eth0) bc:24:11:72:ba:18 proxy
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 tags: ipxe, eth0
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 bootfile name: ipxe.efi
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 server name: 192.168.1.150
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 next server: 192.168.1.150
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 sent size:  1 option: 53 message-type  5
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 sent size:  4 option: 54 server-identifier  192.168.1.150
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 sent size:  9 option: 60 vendor-class  50:58:45:43:6c:69:65:6e:74
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 sent size: 17 option: 97 client-machine-id  00:cd:02:70:c6:4d:76:70:4e:ab:c0:42:75:48...

So I was wrong, the issue is not that it does not send the right user class because it does send

Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 vendor class: PXEClient:Arch:00007:UNDI:003010
Jan  4 11:47:35 dnsmasq-dhcp[505]: 3279481922 user class: iPXE
Jan  4 11:47:57 dnsmasq-dhcp[505]: 2450945538 vendor class: PXEClient
Jan  4 11:47:57 dnsmasq-dhcp[505]: 2450945538 user class: iPXE
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 vendor class: PXEClient:Arch:00007:UNDI:003010
Jan  4 11:47:58 dnsmasq-dhcp[505]: 2450945538 user class: iPXE
Jan  4 11:48:21 dnsmasq-dhcp[505]: 1711223121 vendor class: PXEClient
Jan  4 11:48:21 dnsmasq-dhcp[505]: 1711223121 user class: iPXE
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 vendor class: PXEClient:Arch:00007:UNDI:003010
Jan  4 11:48:22 dnsmasq-dhcp[505]: 1711223121 user class: iPXE

Maybe something is wrong in /etc/dnsmasq.d/pxe.conf
But strangely I think this was working before ?!
Maybe something else is wrong with my rom

dhcp-userclass=set:ipxe,iPXE
pxe-service=tag:!ipxe,x86PC,'Load iPXE firmware for PXE clients',ipxe.pxe
pxe-service=tag:ipxe,x86PC,'Load iPXE script via TFTP',autoexec.ipxe