How to create a simple PXE server to serve a single version of ShredOS (UEFI mode only, not legacy boot)

[PartialVolume]

Prerequisite

• A PC to act as the PXE server running Ubuntu or a Debian derivative. For other distros the procedure will be similar but commands may differ.
• The server OS ideally needs to be setup with a static IP address for the purposes of this configuration.
• The network subnet I'm using in this procedure is 192.168.1.0
• IMPORTANT ! The latest ShredOS bootx64.efi file is required. bootx64.efi - with network support

Overview

The purpose of this procedure is to setup a very simple PXE server that allows client hosts on the network to boot ShredOS in UEFI mode only (not legacy boot) using ShredOS's own bootx64.efi software.

For those not familiar with PXE that means ShredOS is hosted on the PXE server and the client PCs on the network pull ShredOS across the network and load it when PXE booting is selected on the client PCs. To maximise load speed, ideally a gigabit network port on the server, gigabit switch and gigibit client network port is preferable, although older network hardware will work fine, just slow.

Your network cable is important. Don't use some old cat5 cable like I did when making the video below, hence the 4MB/s speed, use cat5e or cat6 cable to achieve maximum speed on a gigabit network. However, having said that, no matter what network spec you have you may not achieve a boot speed of greater than 4MB/s due to a limitation in tftpd code. Redhat have applied a patch to their version of tftpd to improve the speed, but unfortunately I don't think it has been applied upstream. So if you are using Ubuntu you may find your boot speed is limited to 4MB/s. The only alternative is to either rebuild tftpd yourself applying redhats patches or just use redhat as your PXE server. I assume Fedora applies these patches too, but I don't know that for certain. Here's a thread that discussesTFTP Windowsize Option RFC 7440 with links to the patches and a discussion about updating tftp-hsa in Debian/Ubuntu.

The following configuration does not provide a boot menu where you can select different distros or multiple different versions of ShredOS. It boots straight into ShredOS.

I will create a separate discussion showing a similar procedure that uses syslinux or more likely grub2, as I prefer to retain the progress info during the kernel being loaded. Which ever method I go for it will provide a menu system and allows the user to select different distros or versions of ShredOS and boot in both UEFI & legacy.

Software Installation

Locate a suitable server PC, preferably with a Gigabit network connection to maximise boot speed. A raspberry PI4 would meet this spec.

• Install ubuntu or a debian based OS.

• First, setup the OS with a static IP address, it's assumed that once you have installed ubuntu, you disconnect the internet routers running DHCP servers on the network. This is done just to keep things as simple as possible for the purposes of this procedure.

• Then, install the tftp and dhcpd software as follows:

sudo apt install isc-dhcp-server tftpd-hpa

• Check that the directory /srv/tftp exists. It should do as it would have been created when you installed tftpd-hpa, however, if it doesn't exist, then create it as follows:

sudo mkdir /srv/tftp

Configure the tftp-hpa server software

Examine the contents of /etc/default/tftpd-hpa using more and make alterations so the file looks as follows:, note, the TFTP_DIRECTORY="/srv/tftp" path is the root where the contents of the ShredOS USB stick will get copied to later in the procedure. Make sure that path is as shown below. TFTP_ADDRESS=":69" is the network port address, if you have a firewall, port 69 needs to be open.

#>sudo more /etc/default/tftpd-hpa

# /etc/default/tftpd-hpa

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="--secure"

Open port 69 in the firewall

• Check whether the firewall is enabled, if it is then open port 69

sudo ufw status

• If active and port 69 not listed then:

sudo ufw allow 69

• Confirm port 69 is open

sudo ufw status

Start the tftpd server

sudo systemctl start tftpd-hpa

• Then check it's running correctly and reporting no errors:

sudo systemctl status tftpd-hpa

Setup configuration of the dhcp server

sudo vim /etc/dhcp/dhcp.conf

Comment out the following options:

default-lease-time 600;
max-lease-time 7200;

• Add the following lines near the top of the file, you will need to determine the MAC address of your tftp server and edit the MAC address below as appropriate. hardware ethernet b8:ca:3a:84:eo:b9;

# ShredOS config
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.1.170 192.168.1.180;
    option routers 192.168.1.1;
    default-lease-time 3600;
    max-lease-time 86400;

    # IP address of this server hosting tftp
    next-server 192.168.1.241;

    # EFI file to execute
    option bootfile-name "EFI/BOOT/bootx64.efi";
}

# host details of the tftpd server
host nick-tftpserver {
    hardware ethernet b8:ca:3a:84:eo:b9;
    fixed-address 192.168.1.241;
}

• Find the domain-name-servers line and change to:

option domain-name-servers 8.8.8.8, 8.8.4.4;

• Find the following line and remove the hash prefix, assuming you have no other working dhcp server on this network.

#authoritative;

Bind the dhcp server to a network port

• List all the network interfaces so you can determine which is the ethernet name. ifconfig is not automatically installed so install net-tools which includes the ifconfig command.

sudo apt install net-tools 

• List the network hardware info to determine your network interface name.

ifconfig 

alternatively use the command ip -a to view the network interfaces.

• Then edit the following file /etc/default/isc-dhcp-server

sudo vim /etc/default/isc-dhcp-server

• Add the network name to INTERFACESv4, eno1 in my case:

INTERFACESv4="eno1"

Copy the entire contents of a ShredOS USB stick into /src/tftp/, change /dev/sdx to whatever the correct drive name is for the USB stick. Alternatively use the desktop to mount and copy the USB stick.

sudo mount /dev/sdx /media/nick/shredos
sudo cp -rp /media/nick/shredos/* /srv/tftp/
sudo umount /media/nick/shredos

Copy the latest bootx64.efi to /srv/tftp/EFI/BOOT/

sudo cp bootx64.efi  /srv/tftp/EFI/BOOT/

Restart the tftp server

sudo systemctl enable tftp-hpa
sudo systemctl restart tftp-hpa

Start the dhcp server

Warning
Before starting the isc-dhcp-server, makesure your ethernet lead is plugged in and link active, i.e the lead is connected to a live switch, router or another computer. If you don't have a ethernet port that is live, the isc-dhcp-server will fail to start and complain about a configuration error.

sudo systemctl enable isc-dhcp-server
sudo systemctl start isc-dhcp-server

That's it, check your client PC bios supports PXE booting and that PXE booting is enabled. Power cycle the PC you want to network boot, press whatever the shortcut keys is to bring up the boot menu. Select PXE V4 boot and you should see some text appear and a couple of seconds later the ShredOS progress info as the ShredOS kernel is loaded across the network. Then nwipe should appear. In the video below the text mentions NBP, just in case you were were wondering, it's stands for Network Boot Program which is EFI/BOOT/bootx64.efi in our case.

VID_20230623_195216.2.1.mp4

/etc/dhcp/dhcpd.conf in full

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
# configuration file instead of this file.
#
# ShredOS config
subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.170 192.168.1.180;
        option routers 192.168.1.1;
        default-lease-time 3600;
        max-lease-time 86400;

        # IP address of this server hosting tftp
        next-server 192.168.1.241;

        # EFI file to execute
        option bootfile-name "EFI/BOOT/bootx64.efi";

        # Alternate EFI file to execute
        #option bootfile-name "syslinux.efi";
} 

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers 8.8.8.8, 8.8.4.4;

###default-lease-time 600;
###max-lease-time 7200;

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;

# No service will be given on this subnet, but declaring it helps the 
# DHCP server to understand the network topology.

#subnet 10.152.187.0 netmask 255.255.255.0 {
#}

# This is a very basic subnet declaration.

#subnet 10.254.239.0 netmask 255.255.255.224 {
#  range 10.254.239.10 10.254.239.20;
#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.

#subnet 10.254.239.32 netmask 255.255.255.224 {
#  range dynamic-bootp 10.254.239.40 10.254.239.60;
#  option broadcast-address 10.254.239.31;
#  option routers rtr-239-32-1.example.org;
#}

# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
#  range 10.5.5.26 10.5.5.30;
#  option domain-name-servers ns1.internal.example.org;
#  option domain-name "internal.example.org";
#  option subnet-mask 255.255.255.224;
#  option routers 10.5.5.1;
#  option broadcast-address 10.5.5.31;
#  default-lease-time 600;
#  max-lease-time 7200;
#}

# Hosts which require special configuration options can be listed in
# host statements.   If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

#host passacaglia {
#  hardware ethernet 0:0:c0:5d:bd:95;
#  filename "vmunix.passacaglia";
#  server-name "toccata.example.com";
#}

# Fixed IP addresses can also be specified for hosts.   These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
#  hardware ethernet 08:00:07:26:c0:a5;
#  fixed-address fantasia.example.com;
#}

# You can declare a class of clients and then do address allocation
# based on that.   The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.

#class "foo" {
#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}

#shared-network 224-29 {
#  subnet 10.17.224.0 netmask 255.255.255.0 {
#    option routers rtr-224.example.org;
#  }
#  subnet 10.0.29.0 netmask 255.255.255.0 {
#    option routers rtr-29.example.org;
#  }
#  pool {
#    allow members of "foo";
#    range 10.17.224.10 10.17.224.250;
#  }
#  pool {
#    deny members of "foo";
#    range 10.0.29.10 10.0.29.230;
#  }
#}

[PartialVolume]

If anybody wants to have a go at adding legacy support to the configuration of /etc/dhcp/dhcp.conf as shown above, then please feel free to add the changes and I will update the above procedure to support both UEFI and legacy PXE booting.

[PartialVolume]

Regarding PXE booting using tftp-hsa on Debian/Ubuntu. Here's a thread that discussesTFTP Windowsize Option RFC 7440 with links to the patches and a discussion about updating tftp-hsa in Debian/Ubuntu.

If anybody wants to apply the RFC 7440 patch to tftp-hsa, I'd be interested in seeing what the speed improvement would be. I'm sort of expecting a five fold increase in speed on a gigabit network. So instead of 4 Mbyes/sec you would see 20 Mbytes/sec so in terms of ShredOS booting over the network you would see it takes 6 seconds to boot rather than 33 seconds.

I need to stay focused on completing the nwipe features so if anybody else who has a interest in PXE booting and has some time to try this out, please feel free, and update us with how much of a speed improvement it is.

[PartialVolume]

Patches for tftp c7 https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES
RFC7440 https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp-rfc7440-windowsize.patch

[PartialVolume]

I've created a tftp repository tftp-pv applied most of the patches, just need to apply the last three.

  | tftp-0.40-remap.patch
  | tftp-0.42-tftpboot.patch
  | tftp-0.49-chk_retcodes.patch
  | tftp-0.49-cmd_arg.patch
  | tftp-doc.patch
  | tftp-enhanced-logging.patch
  | tftp-hpa-0.39-tzfix.patch
  | tftp-hpa-0.49-fortify-strcpy-crash.patch
  | tftp-hpa-0.49-stats.patch
  | tftp-hpa-5.2-pktinfo.patch
  | tftp-rewrite-macro.patch
  | tftp-rfc7440-windowsize.patch
  | tftp.service
  | tftp.socket

[tftp-0.40-remap.patch](https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp-0.40-remap.patch)
[tftp-0.42-tftpboot.patch](https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp-0.42-tftpboot.patch)
[tftp-0.49-chk_retcodes.patch](https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp-0.49-chk_retcodes.patch)
[tftp-0.49-cmd_arg.patch](https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp-0.49-cmd_arg.patch)
[tftp-doc.patch](https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp-doc.patch)
[tftp-enhanced-logging.patch](https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp-enhanced-logging.patch)
[tftp-hpa-0.39-tzfix.patch](https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp-hpa-0.39-tzfix.patch)
[tftp-hpa-0.49-fortify-strcpy-crash.patch](https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp-hpa-0.49-fortify-strcpy-crash.patch)
[tftp-hpa-0.49-stats.patch](https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp-hpa-0.49-stats.patch)
[tftp-hpa-5.2-pktinfo.patch](https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp-hpa-5.2-pktinfo.patch)
[tftp-rewrite-macro.patch](https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp-rewrite-macro.patch)
[tftp-rfc7440-windowsize.patch](https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp-rfc7440-windowsize.patch)
[tftp.service](https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp.service)
[tftp.socket](https://git.centos.org/rpms/tftp/blob/c7/f/SOURCES/tftp.socket)

[PartialVolume]

Just a thought, but in theory it would be relatively easy to add a feature to ShredOS where you can turn it into a PXE server, serving up just ShredOS. So on a network of 100 PC's and assuming they are already networked together, all you would need is one USB stick with ShredOS, then you just PXE boot each PC in turn from a single PC that has the ShredOS USB flash drive. I would need to pull in the tftpd server software that I'm currently building based on the centos patches with RFC 7440 support as the boot time would need to be brought down as much as possible.

A PXE server can be a pain to setup sometimes, so if all it took was adding the option "pxe_server=enable" to grub.cfg to turn ShredOS into an instant PXE server, that would pretty useful for some people I guess? it would add next to nothing in terms of increase in size to the ShredOS .img/.iso, so I can't really see any downsides.

Does that sound like a useful feature to add to ShredOS at some point?

[strahb]

Seems like a niche feature that I really need right now for my cluster of old computers, I thought of using iventoy but this guide seems way better, i feel like a pxe switch would be a godsend when you really need it. Thanks btw you may have saved me many many USBs!!!

[PartialVolume]

Many USB's ? I may have misunderstood, but you know you don't need to leave the USB stick plugged into the computer after the nwipe application has appeared. You only need one USB stick no matter how many PCs you have.

So, for instance, say you have 10 PCs to wipe. Just create one ShredOS USB stick. Boot the first PC with ShredOS, as soon as nwipe appears, unplug the USB stick and plug into the second PC, boot it with the ShredOS stick, when nwipe appears, unplug the stick and move to the third PC.

ShredOS isn't like a live Linux DVD , the entire system is loaded into memory. So once booted it doesn't need the USB stick until the wipe has finished. When you press return once all wipes have finished on a given PC that's when it will mount the USB stick to copy the Wipe certificates & logs onto the stick. Each wipe certificate has a unique name made up from the model & serial number of the drive being written.

So you never really need more than one ShredOS USB stick.

[strahb]

No no you're spot-on!! Took me a while but I noticed my usb isn't actively getting used :P
Thanks for the detailed walkthrough by the way

[sainthol020]

Hello,

I just followed your procedure to install shredos in PXE. The problem, a recent update this month (Windows) has modified the secure boot in the BIOS (I could not tell you what exactly, Microsoft indicates that the update has done something with the SBAT shim). When booting in PXE I have the following messages:

Start PXE over IPV4.
Station IP address is 192.168.1.173

Server IP address is 192.168.1.85
NBP filename is EFI/BOOT/bootx64.efi
NBP filesize is 1097728 Bytes
Downloading NBP file...

Following the messages, the screen goes black while the PC button is on. After 5 minutes, the PC restarts under Windows. When I reset the secure boot in the BIOS, the PC boots on SHREDOS correctly (annoying to go to all the PCs to reset the secure boot). Do you have a solution? In addition, I would like to ask you if there is a way for the workstations to directly execute the formatting in DOD Short 3 passes without going through the interface (time saving).

Thank you in advance for your help and advice. I don't speak Shakespeare's language well.
Kind regards.

[PartialVolume]

Do you have a solution [to secure boot]?

I don't see secure boot happening anytime soon unless I move ShredOS to a Ubuntu based OS. Secure boot could be added but it would mean you had to load the keys into the bios rather than it just seamlessly working like Ubuntu.

I would like to ask you if there is a way for the workstations to directly execute the formatting in DOD Short 3 passes without going through the interface (time saving).

Yes, by editing the grub.cfg files as described in the readme.md by appending nwipe_options=" --method=dodshort" to the kernel command line.

https://github.com/PartialVolume/shredos.x86_64?tab=readme-ov-file#how-to-change-the-default-nwipe-options-so-the-change-persists-between-reboots

I don't speak Shakespeare's language well.

Nor me, and I'm English. I've heard Jean Luc Picard can be quite good at it though.

https://youtu.be/irYYBx8djsU?si=FgqlWNH1w0NStlOY

[sainthol020]

Hello,
Thanks for your answer, I will test this solution

[sainthol020]

Hello,
If I want to use nvme-cli instead of nwipe, is it possible to configure it on the server so that clients automatically start the wipe like with nwipe. Also, I want to tell you that shredos works very well in server mode and allows me to wipe multiple PCs without any problem. Kind regards.

[PartialVolume]

Glad to hear it works well for you.

Regarding nvme-cli. You would need to edit or replace the file nwipe_launcher depending on how much of the functionality you wanted to change.

https://github.com/PartialVolume/shredos.x86_64?tab=readme-ov-file#boardshredosfsoverlayusrbinnwipe_launcher and then build ShredOS from source.

There are no plans to add that sort of change to ShredOS as it was always meant to simply show case nwipe. However it does seem to have become more popular than I was expecting, so you never know.

There's no easy way for a non programmer to do what you want, but if you are ok editing and writing bash then it should be possible. Don't forget though that nwipe generates the pdf reports if you remove it you won't get reports.

[sainthol020]

Thank you for your responsiveness, I will look into this. Have a good evening.

[jamesaepp]

Putting this into record.

Today I integrated ShredOS very simply into my existing iPXE menu system. I downloaded the latest .img file from the github releases in my use here (shredos-2024.02.2_26.0_x86-64_0.37_20240610.img).

The below worked for me where "shredos" is the "shredos" file found within the boot subfolder of the .img file (I opened it with 7zip).

menu DEFAULT MENU
item shredos ShredOS
item foo Boot Foo
item bar Boot Bar
item foobar Boot FooBar
choose choice && goto ${choice}

:shredos
kernel ${httproot}/shredos/shredos console=tty3 loglevel=3
imgstat
# read null is optional, I treat it like a "pause" when doing initial setup/debugging
# read null
boot

I took the kernel options directly from the grub.cfg file which shows up inside the same img file. ShredOS is very easy to boot with iPXE - it's just one big kernel file which presumably has everything it needs without the need for a separate initrd or any other resources. For all I know there's other parameters you could slip into the cmdline to influence the options and reports and who knows what all else. I had a basic need.

[titielgozo]

Hello, i'm actually work to do an solution for erase and get certificat of hundred and hundred disk. This is a project for end of school too, so i don't want to use the finish version, i have to create it! I have juste a question about the file EFI in /srv/tftp i don't get it so i have to create it? Or my configuration wasn't good? Thanks for taking the time to read!

[jamesaepp]

@titielgozo I don't understand 100% what your end goal is, but I'll try to help.

When an EFI computer boots, it will look at its list of storage devices and looks for a particular kind of partition (EFI System Partition) based on a GUID. Once it finds that partition, it reads it as a FAT32 volume and then looks through the directory "EFI" to find the default boot files (or available ones for population in the boot menu if called by an operator).

In the case of booting via PXE, none of this is required. More often than not in modern days, you're using iPXE which is a program kind of like GRUB or Syslinux or systemd-boot which can be configured to load files however you like without regard for the EFI System Partition or its desired folder structure.

In the case of booting Linux systems via PXE (like ShredOS is) generally you need at least a kernel file and an initramfs file to load the OS. Sometimes you need other options too. In the case of ShredOS like I mention in a previous comment, you only need the kernel file - everything is self contained.

[titielgozo]

Hello,
Thanks for the explanation! I know what is EFI but in my case when i install tftpd-hda i don't have the path /srv/tftp/EFI/BOOT/

[Firminator]

Netboot also has ShredOS integrated for a while now, so that might forfeit the need to set it all up from scratch for you. See https://github.com/netbootxyz/netboot.xyz

[titielgozo]

Re, I'm going to take the time to explain all, in a first time i got a problem with a path because when I install tftpd-hpa the path /srv/tftp/EFI doesn't exist! I can do only a mkdir? Not any other changes?

I have an another problem, when i go in my server ( boot by network ) i have an access to the grub but he is not booting ShredOS so i continue to search solution!

And a specification about my infra, my tftp server is my dhcp server too because i'm in a local network. So in dhcpd.conf i don't define where is the tftp server.

[PartialVolume]

@titielgozo

the path /srv/tftp/EFI doesn't exist! I can do only a mkdir? Not any other changes?

I'm assuming you are talking about the instructions in the original post?

Even if ../EFI doesn't exist the sudo cp -rp /media/nick/shredos/* /srv/tftp/ would have created all the sub directories, eg that's what the -r does, recursively copy. If you forgot -r then the folders and files below tftp won't get copied.

However like @Firminator says there are easier ways like using netboot.xy. Depends what you goal is. I always planned on configuring shredos so that with changing a single configuration flag you could also have the ShredOS usb stick act as a PXE server, serving only ShredOS while simultaneously wiping the host. Just never got round to it and to be honest I'm not sure there is any demand for it. I quite liked the idea because I don't use PXE for anything else so personally for me it would be useful. It's a feature that doesn't add much to the size so it's not adding to the bloat.

[titielgozo]

Yes I speaking about the original post!

[titielgozo]

I don't understand everything and sorry that my english was not at the point and I start my studies on OS/networking. I know recursive copy and I use it np! I don't understand why you are talking about a stick for shredOS? I'll never want a stick, I have a hypervisor for taking all certificates, stock OS and in the futur the hypervisor will call Shred to reset the disk.

[PartialVolume]

@titielgozo

i have an access to the grub but he is not booting ShredOS so i continue to search solution!

I'd need a lot more detail to diagnose this. Like seeing verbatim copies of the relevant config files.

[titielgozo]

Hello, this is my conf file

I can give you my documentation too : https://hedgedoc.dawan.fr/BmTZUjfIS_iroVdDITE8Jw
Thanks!

[PartialVolume]

@titielgozo If you are using the latest ShredOS you can ignore the line sudo cp bootx64.efi /srv/tftp/EFI/BOOT/

[titielgozo]

It's done! But I'm not booting on any PXE server "Operating System Not Found". My 2 services work ( isci-dhcp-server and tftpd-hpa )