Prevent a leftover autoexec.ipxe from a previous build with
generate_disks_secureboot enabled from being included in checksums
and release assets when the flag is later turned off.
Since secureboot directories are removed after ISO/USB generation,
the index page and checksums should only reference the self-contained
ISO/IMG files. Remove:
- Loose binary entries (shim, ipxe, snponly, autoexec) from bootloader
definitions in defaults/main.yml
- Subdirectory link logic from index.html.j2 template
- Secureboot-specific checksum tasks from generate_checksums.yml
- Secureboot sections from checksums.txt.j2 template
The autoexec.ipxe at the ipxe root is picked up automatically by
the existing flat-file checksum logic.
After ISO/USB images are generated from the secureboot directories,
move autoexec.ipxe to the ipxe root as a standalone file and remove
the secureboot directories. This means:
- Checksums are generated cleanly with no secureboot-* subdirectory entries
- autoexec.ipxe is checksummed automatically as a regular ipxe/ file
- build_release needs no special handling for secureboot directories
- autoexec.ipxe flows naturally into both githubout (release asset)
and s3out (CDN) through the existing copy logic
The Ansible-generated checksums file references files under
secureboot-x86_64/ and secureboot-arm64/ which are removed from
githubout. Strip those entries and add the standalone autoexec.ipxe
so the checksums file matches the actual release assets.
Ensure autoexec.ipxe is available at the root of the S3 bucket
(boot.netboot.xyz/{version}/autoexec.ipxe) alongside other boot
files, not only nested under ipxe/secureboot-x86_64/.
Instead of repackaging the iPXE signed binaries into netboot.xyz
tarballs, publish only the templated autoexec.ipxe boot script as a
release asset. Consumers (e.g. docker-netbootxyz) download the signed
binaries directly from the upstream iPXE release (ipxeboot.tar.gz),
preserving provenance and avoiding checksum mismatches from
repackaging.
The autoexec.ipxe is identical for both x86_64 and ARM64 -- it
contains the netboot.xyz-specific boot_domain, boot_version, and
menu chain logic with DHCP, failsafe menu, and HTTPS/HTTP fallback.
The Secure Boot directories (secureboot-x86_64/, secureboot-arm64/)
produced by generate_disks_secureboot cannot be uploaded directly as
GitHub release assets since releases are flat file lists. Package them
into secureboot-x86_64.tar.gz and secureboot-arm64.tar.gz so they are
included in the release alongside existing boot files.
This enables docker-netbootxyz and other consumers to download the
signed iPXE Secure Boot binaries and autoexec.ipxe directly from
netboot.xyz releases.
Fixes a bug where returning to the Ubuntu version menu after selecting
HWE, then choosing older_release or a legacy path, would leave
kernel_flavor set to 'hwe' and attempt to jump to a non-existent label.
Add kernel type selection (Generic vs HWE) for Ubuntu LTS versions
when HWE endpoints are available. The menu only appears when
netboot-hwe flavor endpoints exist in endpoints.yml for the selected
version and architecture, keeping the flow unchanged for non-LTS
releases.
Ref: netbootxyz/ubuntu-squash#8
Use genfsimg with the -e (shim) and -s (script) flags to generate
Secure Boot ISO and USB images, matching the approach used by the
iPXE project's own build workflow. The images contain the signed
shim as BOOTX64/BOOTAA64.EFI, the signed iPXE binary, and the
netboot.xyz autoexec.ipxe boot script.
Output files:
- netboot.xyz-sb.iso / netboot.xyz-sb.img (x86_64)
- netboot.xyz-sb-arm64.iso / netboot.xyz-sb-arm64.img (ARM64)
Ref #1745
Replace deprecated top-level ansible_* fact variables with the
ansible_facts[] dictionary syntax to silence deprecation warnings
from ansible-core and prepare for removal in ansible-core 2.24.
- generate_disks_base.yml: ansible_distribution, ansible_os_family,
ansible_distribution_version, ansible_distribution_major_version
- generate_checksums.yml: ansible_os_family
Ref #1745
Downloads pre-built Microsoft-signed iPXE Secure Boot binaries from
the iPXE v2.0.0 release (ipxeboot.tar.gz) and packages them with a
templated autoexec.ipxe that chains into the netboot.xyz menu system.
Boot flow: UEFI firmware validates iPXE shim (Microsoft-signed) which
loads iPXE (signed by iPXE Secure Boot CA) which auto-loads
autoexec.ipxe (text script, no SB validation needed) which chains to
https://boot.netboot.xyz/menu.ipxe.
Changes:
- New generate_disks_secureboot.yml task to download and package
signed iPXE binaries for x86_64 and ARM64
- New autoexec.ipxe.j2 template with DHCP, failsafe menu, and
HTTPS/HTTP fallback chain to boot.netboot.xyz
- Bootloader entries and index.html sections for Secure Boot binaries
served from ipxe/secureboot-x86_64/ and ipxe/secureboot-arm64/
- Checksum generation updated to handle subdirectories
- Debian menu template updated with shim command for Secure Boot
kernel validation (no-op on non-SB systems)
- Production overrides enable Secure Boot generation
Closes#1745