UEFI HTTPBoot Server Setup

1. 介绍

HTTPBoot 自 UEFI SPEC 2.5 起被添加，旨在取代 PXE 并提供更多功能。 实际上，HTTPBoot 的概念类似于 PXE。HTTP Boot 结合了 DHCP、DNS 和 HTTP， 它从 DHCP 服务器的 HTTP URL 开始，并使用 HTTP 协议获取数据。 此外，HTTPBoot 还支持 DNS。 使用 DNS可以从本地网络之外的服务器快速传输大文件，例如 Linux 内核和根文件系统，而 tftp (PXE) 仅适用于本地网络。 本章介绍如何配置 UEFI HTTPBoot和HTTPsBoot服务器。

2. 准备工作

• Server
  HTTPBoot 服务器必须至少安装以下软件包：dhcp-server、httpd 和 dnsmasq。

  注意：本文使用centos7.6 作为server端OS，httpboot 引导使用的suse15p1 iso中shim (bootx64.efi)
  IP 子网 192.168.0.0/26 (v4) 和 2001:db8:f00f:cafe::/64 (v6) 并假设服务器 IP 地址为 192.168.0.5(v4) 和 2001:db8:f00f:cafe::1/64 (v6)。如有冲突，请调整相关设置。
  

• Client
  在Client BIOS固件中启用 HTTPBoot。请参考主板或机器的说明书进行Enabled httpboot。

3. HTTPBOOT服务器配置

3.1 DNS 配置（Optional)

DNS 是可选的，但最好为您的服务器提供一个众所周知的名称。 要设置 DNS 服务器，请将以下行添加到 /etc/dnsmasq.conf

interface=eth0
addn-hosts=/etc/hosts.conf

在/etc/hosts.conf中创建IP地址的域名映射

192.168.0.5 www.httpboot.local
2001:db8:f00f:cafe::1 www.httpboot.local

启动dns server

systemctl start dnsmasq

NOTE: 由于 UEFI 2.7 中的更改，我们建议使用 suse15 或更高版本的 shim 引导加载程序，以避免额外的 DNS 节点导致的潜在错误。

3.2 DHCPv4 服务配置

3.2.1 指定DHCP服务网络接口

在 /etc/sysconfig/dhcpd 中指定DHCP网络接口， 加入如下内容，这样，DHCP 服务器只在 eth0 接口上提供服务。

DHCPD_INTERFACE="eth0"
DHCPD6_INTERFACE="eth0"

3.2.2 修改DHCPv4 配置文件

为 PXE 引导和 HTTP 引导设置 DHCPv4 服务器，请将以下配置添加到 /etc/dhcp/dhcpd.conf 文件：

option arch code 93 = unsigned integer 16;
option domain-name-servers 192.168.0.5;
default-lease-time 14400;
ddns-update-style none;

subnet 192.168.0.0 netmask 255.255.255.192 {
        range 192.168.0.40 192.168.0.60;
        option routers 192.168.0.39;
        next-server 192.168.0.5;
        default-lease-time 14400;
        max-lease-time 172800;

  class "pxeclients" {
    match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
    option vendor-class-identifier "PXEClient";
    next-server 192.168.0.5;
    if option arch = 00:07 or option arch = 00:09 {
            filename "/uefi/shim.efi";
            #filename "BOOTX64.efi";
    } else {
            filename "pxelinux.0";
    }
  }
  class "httpclients" {
    match if substring (option vendor-class-identifier, 0, 10) = "HTTPClient";
    option vendor-class-identifier "HTTPClient";
    filename "http://www.httpboot.local/httpboot/bootx64.efi";
    # filename "https://www.httpboot.local/httpboot/bootx64.efi";
    #if option arch = 00:10 {
    #       option vendor-class-identifier "HTTPClient";
    #       filename "http://www.httpboot.local/httpboot/bootx64.efi";
    #}

  }
}

NOTE: DHCPv4服务器必须使用HTTPClient参数作为供应商类ID，因为客户机使用该参数来标识HTTP引导服务。

3.2.3 启动DHCPv4 服务

systemctl start dhcpd

3.3 DHCPv6 服务配置

3.3.1 修改DHCPv6 配置文件

请将以下配置添加到 /etc/dhcp/dhcpd6.conf：

option dhcp6.bootfile-url code 59 = string;
option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};
subnet6 2001:db8:f00f:cafe::/64 {
        range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
        option dhcp6.bootfile-url "http://www.httpboot.local/httpboot/bootx64.efi";
        option dhcp6.name-servers 2001:db8:f00f:cafe::1;
        option dhcp6.vendor-class 0 10 "HTTPClient";
}

此配置定义引导 URL 的类型、供应商类和其他必需选项。 与 DHCPv4 设置类似，需要提供引导 URL，该 URL 必须具有 IPv6 地址。 还需要指定供应商类别选项。 在 DHCPv6 中，它由企业号和供应商类别数据（长度和内容）组成。 由于HTTP Boot驱动忽略了企业号，可以设置为0。vendor类数据的内容必须是HTTPClient； 否则，客户将忽略该提议。

较旧的 HTTP Boot 实现不遵循 RFC 3315，需要不同的配置：

option dhcp6.bootfile-url code 59 = string;
option dhcp6.vendor-class code 16 = string;
        subnet6 2001:db8:f00f:cafe::/64 {
        range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
        option dhcp6.bootfile-url "http://www.httpboot.local/httpboot/bootx64.efi";
        option dhcp6.name-servers 2001:db8:f00f:cafe::1;
        option dhcp6.vendor-class "HTTPClient";
}

3.3.2 同时支持PXE引导和HTTP引导配置

使用一下配置，可以为PXE引导和HTTP引导配置DHCPv6服务器

• 方法一

# /etc/dhcp/dhcp6.conf
allow booting;
allow bootp;
option dhcp6.bootfile-url code 59 = string;
option dhcp6.client-arch-type code 61 = array of unsigned integer 16;
option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};


subnet6 2001:db8:f00f:cafe::/64 {
        range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
        option dhcp6.name-servers 2001:db8:f00f:cafe::1;
        option dhcp6.domain-search "httpboot.com";

  if option dhcp6.client-arch-type = 00:07 or option dhcp6.client-arch-type = 00:09 {
          option dhcp6.bootfile-url "tftp://[2001:db8:f00f:cafe::1]/uefi/shim.efi";
          #option dhcp6.bootfile-url "tftp://[2001:db8:f00f:cafe::1]/uefi/grubx64.efi";
  }
  else {
          option dhcp6.bootfile-url "tftp://[2001:db8:f00f:cafe::1]/pxelinux.0";
  }
  if option dhcp6.client-arch-type = 00:10 {
          option dhcp6.bootfile-url "http://www.httpboot.local/httpboot/bootx64.efi";
          #option dhcp6.bootfile-url "https://www.httpboot.local/httpboot/bootx64.efi";
          #option dhcp6.name-servers 2001:db8:f00f:cafe::1;
          option dhcp6.vendor-class 0 10 "HTTPClient";
  }
}

• 方法二

# /etc/dhcp/dhcp6.conf
option dhcp6.bootfile-url code 59 = string;
option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};

subnet6 2001:db8:f00f:cafe::/64 {
        range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
        option dhcp6.name-servers 2001:db8:f00f:cafe::1;
        option dhcp6.domain-search "httpboot.com";

        class "PXEClient" {
	        match substring (option dhcp6.vendor-class, 6, 9);
	}

        subclass "PXEClient" "PXEClient" {
	        option dhcp6.bootfile-url "tftp://[2001:db8:f00f:cafe::1]/uefi/shim.efi";
	        #option dhcp6.bootfile-url "tftp://[2001:db8:f00f:cafe::1]/uefi/grubx64.efi";
	}

	class "HTTPClient" {
	        match substring (option dhcp6.vendor-class, 6, 10);
	}

	subclass "HTTPClient" "HTTPClient" {
			option dhcp6.bootfile-url "http://www.httpboot.local/httpboot/bootx64.efi";
			#option dhcp6.bootfile-url "https://www.httpboot.local/httpboot/bootx64.efi";
			#option dhcp6.name-servers 2001:db8:f00f:cafe::1;
			option dhcp6.vendor-class 0 10 "HTTPClient";
	}
}

它还可以进一步匹配不同架构的供应商级别。 如下所示

class "HTTPClient" {
        match substring (option dhcp6.vendor-class, 6, 21);
	}

subclass "HTTPClient" "HTTPClient:Arch:00016" {
		option dhcp6.bootfile-url "http://www.httpboot.local/httpboot/bootx64.efi";
		#option dhcp6.bootfile-url "https://www.httpboot.local/httpboot/bootx64.efi";
		option dhcp6.name-servers 2001:db8:f00f:cafe::1;
		option dhcp6.vendor-class 0 10 "HTTPClient";
}

在示例中，"HTTPClient:Arch:00016”指的是x86_64 HTTPBoot用户端，这种配置允许服务器同时为不同的架构提供服务。
Reference: https://www.mail-archive.com/edk2-devel@lists.01.org/msg14683.html

3.3.3 启动DHCPv6服务.

systemctl start dhcpd6

3.4 防火墙配置

如果 DHCPv6 数据包被防火墙中的 RP 过滤器丢弃，请检查其日志。 如果它包含 rpfilter_DROP 条目，请使用 /etc/firewalld/firewalld.conf 中的以下配置禁用过滤器：

IPv6_rpfilter=no

3.5 TFTP 服务配置（可选）

如果需要支持 PXE ，则需要一个 tftp 服务器。并将引导所需的BootLoader及pxeboot vmlinuz、initrd拷贝到tftp共享目录。

3.5.1 安装tftp 包

yum install tftp-server xinetd

3.5.2 修改tftp配置文件

vim /etc/xinetd.d/tftp 

# default: off
# description: The tftp server serves files using the trivial file transfer \
#       protocol.  The tftp protocol is often used to boot diskless \
#       workstations, download configuration files to network-aware printers, \
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd  
        server_args             = -s /var/lib/tftpboot # tftp 目录
        disable                 = no  # 开启tftp只需要改为no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}

TFTP是由xinetd这个super daemon所管理的，因此设定好TFTP之后，要启动的是xinetd;

3.5.3 启动tftp服务

systemctl restart tftp
systemctl enable tftp
systemctl restart xinetd
systemctl enable xinetd

3.5.4 服务验证

netstat -untlp | grep :69
udp        0      0 0.0.0.0:69              0.0.0.0:*                           6857/xinetd 

3.6 http 服务配置

3.6.1 安装http

```sh
yum install httpd
```

3.6.2 开启http服务

```sh
systemctl restart httpd
systemctl enable httpd
```

3.7 系统镜像拷贝

将系统 ISO 映像的全部内容复制到 /var/www/html/pxeimg 目录。

[root@server ~]# mount -o loop CentOS-7.6-x86_64-DVD-1810.iso /mnt
mount: /dev/loop0 is write-protected, mounting read-only
[root@server ~]# cp -fr /mnt/* /var/www/html/pxeimg/centos/7.6/os/x86_64/
[root@server ~]# mount -o loop SLE-15-SP1-Full-x86_64-GM-Media1.iso /mnt
mount: /dev/loop0 is write-protected, mounting read-only
[root@server ~]# cp -fr /mnt/* /pxeimg/15sp1/
[root@server ~]# cd /var/www/html
[root@server html]# tree -L 2  pxeimg
pxeimg
├── 15sp1
│   ├── ARCHIVES.gz
│   ├── boot
│   ├── CD2
│   ├── ChangeLog
│   ├── CHECKSUMS
│   ├── CHECKSUMS.asc
│   ├── COPYRIGHT
│   ├── COPYRIGHT.de
│   ├── docu
│   ├── EFI
│   ├── gpg-pubkey-307e3d54-5aaa90a5.asc
│   ├── gpg-pubkey-39db7c82-5847eb1f.asc
│   ├── gpg-pubkey-50a3dd1c-50f35137.asc
│   ├── INDEX.gz
│   ├── ls-lR.gz
│   ├── media.1
│   ├── noarch
│   ├── README
│   ├── repodata
│   ├── suse_ptf_key.asc
│   └── x86_64
└── centos
   └── 7.6

3.8 BootLoader文件准备

本文使用的httpboot BootLoader为suse15p1 iso中提取的，挂载suse15p1 iso并将EFI/BOOT/*拷贝到/var/www/html/httpboot/ 目录

[root@server ~]# cp /var/www/html
[root@server html]# mkdir httpboot
[root@server html]# cp /var/www/html/pxeimg/15sp1/EFI/BOOT/* /var/www/html/httpboot/
[root@server html]# tree httpboot/
httpboot/
├── bootx64.efi
├── grub.cfg
├── grub.efi
├── locale
│   └── en.mo
└── MokManager.efi

3.9 引导菜单grub.cfg配置

• grub.cfg文件配置

 [root@server ~]# vim /var/www/html/htttboot/grub.cfg 
 timeout=60
 default=1

 ################################### IPv4 ##################################################
 menuentry 'Installation suse15p1 via httpboot[ipv4]' --class opensuse --class gnu-linux --class gnu --class os {
   set gfxpayload=keep
   echo 'Loading kernel ...'
   linuxefi /pxeimg/15sp1/boot/x86_64/loader/linux install=http://www.httpboot.local/pxeimg/15sp1
   echo 'Loading initial ramdisk ...'
   initrdefi /pxeimg/15sp1/boot/x86_64/loader/initrd
 }

 menuentry 'Installation centos7.6 via httpboot[ipv4]' --class opensuse --class gnu-linux --class gnu --class os {
   set gfxpayload=keep
   echo 'Loading kernel ...'
   linuxefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/vmlinuz repo=http://www.httpboot.local/pxeimg/centos/7.6/os/x86_64 ip=dhcp dhcptimeout=300
   echo 'Loading initial ramdisk ...'
   initrdefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/initrd.img
 }

 ################################### IPv6 ##################################################
 menuentry 'Installation suse15p1 via httpboot[ipv6]' --class opensuse --class gnu-linux --class gnu --class os {
   set gfxpayload=keep
   echo 'Loading kernel ...'
   linuxefi /pxeimg/15sp1/boot/x86_64/loader/linux install=http://www.httpboot.local/pxeimg/15sp1 ipv6only=1 ifcfg=*=dhcp6,DHCLIENT6_MODE=managed
   echo 'Loading initial ramdisk ...'
   initrdefi /pxeimg/15sp1/boot/x86_64/loader/initrd
 }

 menuentry 'Installation centos7.6 via httpboot[ipv6]' --class opensuse --class gnu-linux --class gnu --class os {
   set gfxpayload=keep
   echo 'Loading kernel ...'
   linuxefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/vmlinuz repo=http://www.httpboot.local/pxeimg/centos/7.6/os/x86_64 ip=dhcp6
   echo 'Loading initial ramdisk ...'
   initrdefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/initrd.img
 }

4. HTTPs服务配置 (Optional)

TLS协议从UEFISpec 2.5开始被写入其中，本节提供有关设置 UEFI HTTP over TLS (HTTPS) 引导的环境部署。

4.1 安装依赖包

# yum install mod_ssl openssl

4.2 创建证书

# openssl req -newkey rsa:4096 -nodes -keyout server.key -x509 -days 365 -out server.crt
Generating a 4096 bit RSA private key
........................................++
................................................++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:IEC
Organizational Unit Name (eg, section) []:FAE
Common Name (eg, your name or your server's hostname) []:*.httpboot.local
Email Address []:

由于我们选择“.httpboot.local”作为域名，请使用“.httpboot.local”作为“Common Name”。

将证书转换为客户端的DER格式：

openssl x509 -in server.crt -outform der -out server.der

4.3 修改ssl.conf

# vim -n /etc/httpd/conf.d/ssl.conf
60 ServerName www.httpboot.local:443 #Edit ServerName
 ...
100 SSLCertificateFile /etc/pki/tls/certs/server.crt #change the private key
107 SSLCertificateKeyFile /etc/pki/tls/private/server.key #change the certificate

4.4 将证书拷贝到配置文件中路径相对应的目录

# cp server.crt /etc/pki/tls/crets/
# cp server.key /etc/pki/tls/private/

4.5 重启Apache服务

# systemctl restart httpd

4.6 修改dhcp配置文件

将dhcpd.conf/dhcpd6.conf中的“http://”前缀替换为“https://”，然后重新启动dhcp服务器。

# sed -i "s/http/https/g" /etc/dhcp/dhcpd.conf
# sed -i "s/http/https/g" /etc/dhcp/dhcpd.conf
# systemctl restart dhcpd
# systemctl restart dhcpd6

4.7 修改grub.cfg配置文件

将grub.conf中的“http://”前缀替换为“https://”，然后重新启动dhcp服务器。
由于我们为 HTTPS 服务器创建了自签名证书，因此如果我们在 grub.cfg 中指定 HTTPS url， 安装系统可能无法验证证书并拒绝从我们的 HTTPS 服务器下载文件。
可以使用一下方案尝试解决

1. 添加 ssl.certs=0 以禁用证书验证。例如：
   linuxefi /pxeimg/15sp1/boot/x86_64/loader/linux install=http://www.httpboot.local/pxeimg/15sp1 ssl.certs=0

# /var/www/html/httpboot/grub.cfg
  menuentry 'Installation suse15p1 via httpsboot[ipv4]' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linuxefi /pxeimg/15sp1/boot/x86_64/loader/linux install=http://www.httpboot.local/pxeimg/15sp1  ssl.certs=0
    echo 'Loading initial ramdisk ...'
    initrdefi /pxeimg/15sp1/boot/x86_64/loader/initrd
  }

  menuentry 'Installation centos7.6 via httpsboot[ipv4]' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linuxefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/vmlinuz repo=http://www.httpboot.local/pxeimg/centos/7.6/os/x86_64 ip=dhcp dhcptimeout=300  ssl.certs=0
    echo 'Loading initial ramdisk ...'
    initrdefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/initrd.img
  }

  menuentry 'Installation suse15p1 via httpsboot[ipv6]' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linuxefi /pxeimg/15sp1/boot/x86_64/loader/linux install=http://www.httpboot.local/pxeimg/15sp1 ipv6only=1 ifcfg=*=dhcp6,DHCLIENT6_MODE=managed ssl.certs=0
    echo 'Loading initial ramdisk ...'
    initrdefi /pxeimg/15sp1/boot/x86_64/loader/initrd
  }

  menuentry 'Installation centos7.6 via httpsboot[ipv6]' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linuxefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/vmlinuz repo=http://www.httpboot.local/pxeimg/centos/7.6/os/x86_64 ip=dhcp6 ssl.certs=0
    echo 'Loading initial ramdisk ...'
    initrdefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/initrd.img
  }

4.7 将服务器证书注册到客户端固件

在使用HTTPS引导之前，您必须在客户端注册服务器证书（server.der），否则客户端将无法连接到服务器。
要将服务器证书注册到物理机器中，可以通过插入包含证书文件的U盘，然后进入BIOS Setup 页面手动注册。一些产品可以支持通过Redfish远程注册证书。有关注册证书的详细信息，请参阅特定硬件的文档,以下步骤仅供参考

1. Copy server.crt 证书到U盘，并将USB接入SUT

2. 进入BIOS Setup Enabled httpboot 并保存重启
   

3. 重启后再次进入BIOS Setup导入证书:
   In BIOSsetup: Advanced ->Tls Auth Configuration -> Server CA Configuration, select Enroll Cert and Enrol Cert Using File

4. 输入cert guid 并选择 “Commit Changes and Exit”
   

Note: https://www.guidgenerator.com/online-guid-generator.aspx can be used to generate random guid.
6. 到 “Save & Exit” 页面选择 “Save Changes and Reset”.
7. 重启后按F12 选择从networking boot.

5. KickStart自动安装配置

5.1 kickstart 文件制作

省略，请参考同系列文章“PXE Server Setup” 中的Kickstart配置章节

将制作好的kickstart 拷贝到http server目录/var/www/html/kickstart下,并命名为“osname-ver-ks.cfg",如:centos-7.6-ks.cfg

5.2 grub.cfg 菜单更新

[root@server ~]# vim /var/www/html/htttboot/grub.cfg 
timeout=60
default=1

################################### IPv4 ##################################################
menuentry 'Installation suse15p1 via httpboot[ipv4]' --class opensuse --class gnu-linux --class gnu --class os {
  set gfxpayload=keep
  echo 'Loading kernel ...'
  linuxefi /pxeimg/15sp1/boot/x86_64/loader/linux install=http://192.168.0.5/pxeimg/15sp1
  echo 'Loading initial ramdisk ...'
  initrdefi /pxeimg/15sp1/boot/x86_64/loader/initrd
}

menuentry 'Installation centos7.6 httpboot[ipv4]' --class opensuse --class gnu-linux --class gnu --class os {
  set gfxpayload=keep
  echo 'Loading kernel ...'
  linuxefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/vmlinuz ks=http://www.httpboot.local/kickstart/centos-7.6-ks.cfg ip=dhcp dhcptimeout=300
  echo 'Loading initial ramdisk ...'
  initrdefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/initrd.img
}

################################### IPv6 ##################################################
menuentry 'Installation suse15p1 via httpboot[ipv6]' --class opensuse --class gnu-linux --class gnu --class os {
  set gfxpayload=keep
  echo 'Loading kernel ...'
  linuxefi /pxeimg/15sp1/boot/x86_64/loader/linux install=http://[2001:db8:ffff:100::10]/pxeimg/15sp1 ipv6only=1 ifcfg=*=dhcp6,DHCLIENT6_MODE=managed
  echo 'Loading initial ramdisk ...'
  initrdefi /pxeimg/15sp1/boot/x86_64/loader/initrd
}

menuentry 'Installation centos7.6 via httpboot[ipv6]' --class opensuse --class gnu-linux --class gnu --class os {
  set gfxpayload=keep
  echo 'Loading kernel ...'
  linuxefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/vmlinuz ks=http://www.httpboot.local/kickstart/centos-7.6-ks.cfg  ip=dhcp6
  echo 'Loading initial ramdisk ...'
  initrdefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/initrd.img
}

6. 测试

6.1 IPV4 httpboot测试

• UEFI httpboot

6.2 IPV6 httpboot测试

• UEFI httpboot
  
  

7. 参考文献

https://en.opensuse.org/UEFI_HTTPBoot_Server_Setup
https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-deployment-prep-uefi-httpboot.html
https://lenovopress.lenovo.com/lp1584.pdf
https://lenovopress.lenovo.com/lp0736.dpf