Correct procedure to make a custom centos stream 8 iso UEFI bootable

[MustafaKamaal]

Hi everyone,

I've been trying to make a UEFI bootable iso image from the latest CentOS Stream DVD, but seems that it only boots in Legacy BIOS mode.
I've tried giving the following command for repackaging the iso:

xorriso -as mkisofs -o ../UEFI_USB.iso -V "CentOS-Stream-8-x86_64-dvd" -c isolinux/boot.cat -b isolinux/isolinux.bin -no-emul-boot -boot-load-size 4 -boot-info-table -eltorito-alt-boot -e images/efiboot.img -no-emul-boot -isohybrid-mbr /usr/share/syslinux/isohdpfx.bin -isohybrid-gpt-basdat .

I'm taking the

/usr/share/syslinux/isohdpfx.bin

file from a vm that I have with CentOS Stream installed. Not sure if that's the one I should use.

I'm using

images/efiboot.img

file from the same ISO that I extracted it from.

Is there anything wrong I'm doing here? Any flags I need to add or remove?

I don't mind not having the Legacy BIOS option and just the UEFI option but if possible to do both, I would gladly take the option.

[scdbackup]

Hi,

the options of the xorriso -as mkisofs run look ok.

What do you get from these runs

Code: Select all

iso="...path.to.../UEFI_USB.iso"
xorriso -indev "$iso" -report_el_torito plain -report_system_area plain
iso="...path.to.original.ISO..."
xorriso -indev "$iso" -report_el_torito plain -report_system_area plain

On what kind of medium do you present the ISO to EFI ?
What is the reaction of EFI on the ISO ?
Does it perhaps have to do with Secure Boot ?
(What did you change in the ISO content ?)

The options which are in charge for EFI booting are

Code: Select all

-e images/efiboot.img -no-emul-boot -isohybrid-gpt-basdat

The choice of isohdpfx.bin should not matter, because it is for legacy
BIOS only. (I propose to copy the first 432 bytes of the original ISO
for that purpose.)

Have a nice day

Thomas

[MustafaKamaal]

Hi Thomas,

Thanks for the quick response.

I've collected the output for the command

Code: Select all

xorriso -indev "$iso" -report_el_torito plain -report_system_area plain

This was the output for the custom ISO:

Code: Select all

xorriso 1.4.8 : RockRidge filesystem manipulator, libburnia project.

xorriso : NOTE : Loading ISO image tree from LBA 0
xorriso : UPDATE : 8208 nodes read in 1 seconds
xorriso : NOTE : Detected El-Torito boot information which currently is set to be discarded
Drive current: -indev 'UEFI_USB.iso'
Media current: stdio file, overwriteable
Media status : is written , is appendable
Boot record  : El Torito , MBR isohybrid cyl-align-off GPT
Media summary: 1 session, 5506176 data blocks, 10.5g data, 14.7g free
Volume id    : 'CentOS-Stream-8-x86_64-dvd'
El Torito catalog  : 697  1
El Torito cat path : /isolinux/boot.catalogue
El Torito images   :   N  Pltf  B   Emul  Ld_seg  Hdpt  Ldsiz         LBA
El Torito boot img :   1  BIOS  y   none  0x0000  0x00      4        6170
El Torito boot img :   2  UEFI  y   none  0x0000  0x00  21888         698
El Torito img path :   1  /isolinux/isolinux.bin
El Torito img opts :   1  boot-info-table isohybrid-suitable
El Torito img path :   2  /images/efiboot.img
System area options: 0x00000202
System area summary: MBR isohybrid cyl-align-off GPT
ISO image size/512 : 22024704
Partition offset   : 0
MBR heads per cyl  : 0
MBR secs per head  : 0
MBR partition table:   N Status  Type        Start       Blocks
MBR partition      :   1   0x80  0x00            0     22024704
MBR partition      :   2   0x00  0xef         2792        21888
MBR partition path :   2  /images/efiboot.img
GPT                :   N  Info
GPT disk GUID      :      7a6dbe5500bdd547bb570b8f88e7b412
GPT entry array    :      2  248  overlapping
GPT lba range      :      64  22024640  22024703
GPT partition name :   1  490053004f00480079006200720069006400
GPT partname local :   1  ISOHybrid
GPT partition GUID :   1  7a6dbe5500bdd547bb560b8f88e7b412
GPT type GUID      :   1  a2a0d0ebe5b9334487c068b6b72699c7
GPT partition flags:   1  0x1000000000000001
GPT start and size :   1  0  22024640
GPT partition name :   2  490053004f004800790062007200690064003100
GPT partname local :   2  ISOHybrid1
GPT partition GUID :   2  7a6dbe5500bdd547bb550b8f88e7b412
GPT type GUID      :   2  a2a0d0ebe5b9334487c068b6b72699c7
GPT partition flags:   2  0x1000000000000001
GPT start and size :   2  2792  21888
GPT partition path :   2  /images/efiboot.img

This is the output of the original iso:

Code: Select all

xorriso 1.4.8 : RockRidge filesystem manipulator, libburnia project.

xorriso : NOTE : Loading ISO image tree from LBA 0
xorriso : UPDATE : 8265 nodes read in 1 seconds
xorriso : NOTE : Detected El-Torito boot information which currently is set to be discarded
Drive current: -indev 'CentOS-Stream-8-x86_64-latest-dvd1.iso'
Media current: stdio file, overwriteable
Media status : is written , is appendable
Boot record  : El Torito , MBR isohybrid cyl-align-off GPT
Media summary: 1 session, 5515109 data blocks, 10.5g data, 4309m free
Volume id    : 'CentOS-Stream-8-x86_64-dvd'
El Torito catalog  : 1313  1
El Torito cat path : /isolinux/boot.cat
El Torito images   :   N  Pltf  B   Emul  Ld_seg  Hdpt  Ldsiz         LBA
El Torito boot img :   1  BIOS  y   none  0x0000  0x00      4      438394
El Torito boot img :   2  UEFI  y   none  0x0000  0x00  21916        6551
El Torito img path :   1  /isolinux/isolinux.bin
El Torito img opts :   1  boot-info-table isohybrid-suitable
El Torito img path :   2  /images/efiboot.img
System area options: 0x00000202
System area summary: MBR isohybrid cyl-align-off GPT
ISO image size/512 : 22060436
Partition offset   : 0
MBR heads per cyl  : 0
MBR secs per head  : 0
MBR partition table:   N Status  Type        Start       Blocks
MBR partition      :   1   0x80  0x00            0     22061056
MBR partition      :   2   0x00  0xef        26204        21916
MBR partition path :   2  /images/efiboot.img
GPT                :   N  Info
GPT disk GUID      :      42855c5509db7343ae4ea15519b2e0c7
GPT entry array    :      2  128  overlapping
GPT lba range      :      34  22061022  22061055
GPT partition name :   1  490053004f004800790062007200690064002000490053004f00
GPT partname local :   1  ISOHybrid ISO
GPT partition GUID :   1  ccf94322c3f79e4c85d7412985db3b44
GPT type GUID      :   1  a2a0d0ebe5b9334487c068b6b72699c7
GPT partition flags:   1  0x0000000000000000
GPT start and size :   1  0  5283220
GPT partition name :   2  490053004f00480079006200720069006400
GPT partname local :   2  ISOHybrid
GPT partition GUID :   2  4053653effba954abdd50e136e7cb5ae
GPT type GUID      :   2  a2a0d0ebe5b9334487c068b6b72699c7
GPT partition flags:   2  0x0000000000000000
GPT start and size :   2  26204  21916
GPT partition path :   2  /images/efiboot.img

On what kind of medium do you present the ISO to EFI ?

I'm trying to make a bootable USB from the iso using balenaEtcher tool to load it in my laptop.

What is the reaction of EFI on the ISO ?

If you mean when loading the iso as a virtual media to a server, I do get the option to load it as EFI.

Does it perhaps have to do with Secure Boot ?

I did disable secure boot on my laptop for trying the USB.

What did you change in the ISO content ?

I've not changed much from the original, just added some tar files and a kickstart and the necessary changes to trigger the kickstart.

I first format the USB using rufus and make it "non bootable" with exFAT partition table. Next, I use balenaEtcher for making the bootable USB drive as rufus has it's limitations.
Is there any other tool which would be recommended for making bootable USB in this case?

Thanks again, have a great day

[scdbackup]

Hi,

the comparison of both xorriso reports yields no significant difference
in the result of the boot options which were used on both ISOs.
Each boot image and partition of the original ISO has its counterpart
in your UEFI_USB.iso .

Somewhat suspicious is a size difference between the files named
/images/efiboot.img
In the original ISO it has 21916 * 512 bytes (10958 KiB) whereas in
UEFI_USB.iso it has 21888 * 512 bytes (10944 KiB).

In the smaller CentOS-Stream-8-x86_64-latest-boot.iso the file has the
same size as in CentOS-Stream-8-x86_64-latest-dvd1.iso: 11,220,992 bytes.
When mounting it at /mnt/iso and repacking it by

Code: Select all

xorriso -as mkisofs -o test.iso \
  -V "CentOS-Stream-8-x86_64-dvd" \
  -c isolinux/boot.cat \
  -b isolinux/isolinux.bin -no-emul-boot -boot-load-size 4 -boot-info-table \
  -eltorito-alt-boot \
  -e images/efiboot.img -no-emul-boot \
  -isohybrid-mbr \
    --interval:local_fs:0s-15s:zero_mbrpt,zero_gpt:'CentOS-Stream-8-x86_64-latest-boot.iso'
  -isohybrid-gpt-basdat \
  /mnt/iso

i get the original size of /images/efiboot.img .

So something must have happended to that file while it was extracted on
hard disk.


> If you mean when loading the iso as a virtual media to a server, I do get the option to load it as EFI.

Since you report that it only boots in Legacy BIOS mode, how does it fail
to boot further than that ?


> I first format the USB using rufus and make it "non bootable" with exFAT
> partition table.

So you are doing this on a MS-Windows system ? (I fail to find Rufus for
running on Linux.)


> Next, I use balenaEtcher for making the bootable USB drive as rufus
> has it's limitations.

Well, the CentOS ISOs are designed to get copied flatly onto the USB stick
(or to be burnt onto DVD). On Linux i would use program dd or some wrapper
around it.
So i guess the Rufus run is not needed before a balenaEtcher run, unless
Etcher would copy the files and directories from the ISO to a filesystem
on the USB stick.


> Is there any other tool which would be recommended for making bootable USB in this case?

Towards users of MS-Windows i usually advise the "dd"-mode of Rufus for
the task of putting a bootable ISO image onto a USB stick.

For Linux i provide as part of libisoburn/xorriso a shell script as wrapper
around "dd":
https://wiki.debian.org/XorrisoDdTarget ... afe_enough
(The main risk with dd on Linux is that the permissions which are needed for
raw overwriting to the USB stick also suffice for raw overwriting of the
system disk.)

------------------------------------------------------------------------
Next questions:

If you can plug the USB stick into a Linux machine with xorriso, what do
you get from inspection by xorriso. E.g. with the USB stick being /dev/sdc

Code: Select all

iso=/dev/sdc
xorriso -indev "$iso" -report_el_torito plain -report_system_area plain

It should report nearly the same as with "UEFI_USB.iso", except the
"Drive current:" line.
If it does not, then copying to USB stick did not what CentOS expects to
be done with the ISO.

Do you have any idea how the size change of /images/efiboot.img happened ?
If not:
If you inspect the content of the two ISOs: Are there other unexplainable
changes of data file sizes ?

Have a nice day

Thomas

[MustafaKamaal]

Hi Thomas,

Apologies for the confusions.
I'll explain a few things on what exactly I'm doing.
My laptop is running windows 10 and I'm running vagrant client to launch a centos stream vm through which I'm performing all the xorriso commands.
Once built, I just take it out of the vm using WinSCP, into my windows machine to make the bootable iso. Hence the use of windows tools like Rufus and balenaEtcher.

I don't use Rufus because the size of the ISO is 10.5/11GB and Rufus has only 2 filesystems that it supports. FAT32 which has a cap of 4.5GB and NTFS which won't be recognizable by linux systems even if I went ahead with dd mode.

You could be right about something going wrong while extracting the iso content.
I just mount the iso file to a location (/mnt/iso/) inside the centos vm and use "cp -r /mnt/iso /root/iso_extract" to extract it. Maybe some hidden files or such got missed.

>Since you report that it only boots in Legacy BIOS mode, how does it fail
>to boot further than that ?
When I say it failed to load in UEFI I meant as a bootable USB media. EFI boot works when the iso is used as a virtual media/PXE install.
The challenge is getting a USB to be bootable in the same EFI mode.

>If you can plug the USB stick into a Linux machine with xorriso, what do
>you get from inspection by xorriso. E.g. with the USB stick being /dev/sdc

I couldn't get the output immediately of the usb stick connected to the vagrant vm as I have to figure out how to redirect it.
But I agree that the way I "extract" could be an issue.
It could also be because I extracted the content from the custom iso and repackaged it multiple times depending on changes I needed at the time.

I will retry with the latest iso image and freshly start with the official ISO.

What method to extract the official iso would you recommend?

Thank you

[TrevorH]

What method to extract the official iso would you recommend?

From a CentOS POV we don't recommend you do it at all. It shoud be an absolute last restort after you've exhausted all alternative methods of achieving whatever your goal is.

[scdbackup]

Hi,

> I don't use Rufus because the size of the ISO is 10.5/11GB
> and Rufus has only 2 filesystems that it supports.

That would be the unpacking mode of Rufus (don't know its official name).
But with a hybrid ISO like the CentOS which you build, you don't need
a hosting filesystem. The ISO should get written directly to the USB
stick device (which seems to be not easy on MS-Windows).
There it will stand as ISO 9660 filesystem

Thus i propose the "dd"-mode of Rufus.
(I have no hands-on experience with Rufus or balenaEtcher. So i can only
forward what others reported about success with Rufus "dd"-mode.)


There remains the riddle of the changed size of /images/efiboot.img.

> You could be right about something going wrong while extracting the iso content.
> I just mount the iso file to a location (/mnt/iso/) inside the centos vm
> and use "cp -r /mnt/iso /root/iso_extract" to extract it. Maybe some
> hidden files or such got missed.

efiboot.img is supposed to be a FAT filesystem image. Mountable in CentOS by

Code: Select all

mount /root/iso_extract/images/efiboot.img /mnt/fat_on_disk
mount /mnt/iso/images/efiboot.img /mnt/fat_in_iso

You could then compare the files of the mount points /mnt/fat_on_disk
and /mnt/fat_in_iso to learn about possible differences. Like:

Code: Select all

diff -r /mnt/fat_in_iso /mnt/fat_on_disk 2>&1 | less

------------------------------------------------------------------------

> What method to extract the official iso would you recommend?

Maybe "cp -a" is better suited than "cp -r". It provides more fidelity.

I myself would use xorriso for that:

Code: Select all

xorriso -osirrox on -indev CentOS-Stream-8-x86_64-latest-dvd1.iso \
        extract / /root/iso_extract

I guess that in both cases you will have to do the copying as superuser
to get the foreign user ids and group ids

Code: Select all

-rwx------    1 0        1010      1005672 Aug  1  2020 '/EFI/BOOT/BOOTIA32.EFI'
-rwx------    1 0        1010      1244496 Aug  1  2020 '/EFI/BOOT/BOOTX64.EFI'

With xorriso the fidelity is high enough that you have afterwards to give
write-permissions to /root/iso_extract and some of its its sub-directories
before you can manipulate files in there.

Any problems with permissions and ownership can be avoided if you let
xorriso load and manipulate the original ISO before writing it as a new
ISO image:

Code: Select all

xorriso \
  -indev CentOS-Stream-8-x86_64-latest-dvd1.iso \
  -outdev UEFI_USB.iso \
  -rm ...paths.in.the.ISO.which.shall.be.deleted... -- \
  ...maybe.more.-rm.commands... \
  -map /...file.from.disk... /...path.for.it.in.the.ISO... \
  ...maybe.more.map.commands... \
  -boot_image any replay \
  -compliance no_emul_toc \
  -padding included

The -rm commands remove files from the loaded ISO filesystem model.
-rm takes multiple file paths and thus needs to be ended by "--" so that
xorriso knows that the next argument is a command.

The -map commands put exactly one file or one directory tree from the
hard disk into the ISO filesystem model. Use as many of them as you need
to shape your new ISO.

"-boot_image any replay" will apply the necessary xorriso commands to
set up the boot equipment for -outdev like it was detected with -indev.
(Let me hope that 5 year old xorriso-1.4.8 does a good job.)

"-compliance no_emul_toc" and "-padding included" set two habits which
xorriso normally only shows when emulating mkisofs.

(See man xorriso for details.)

-------------------------------------------------------------------------

If you are exploring the possibilities of this approach, then it might
be worth to exercise it in dialog mode (i do it here with the smaller
"boot.iso"):

Code: Select all

xorriso -dialog on -page 16 80 -abort_on NEVER

You will get prompted to enter commands and their arguments:

Code: Select all

============================
enter option and arguments :
-indev CentOS-Stream-8-x86_64-latest-boot.iso
==============================================================
xorriso : NOTE : Loading ISO image tree from LBA 0
...
Media summary: 1 session, XXX data blocks,  XXXm data,  XXXg free
Volume id    : 'CentOS-Stream-8-x86_64-dvd'
============================
enter option and arguments :
-outdev UEFI_USB.iso
==============================================================
...
Media summary: 0 sessions, 0 data blocks, 0 data,  XXXg free
============================
enter option and arguments :
-lsl /
==============================================================
total 5
dr-xr-xr-x    1 0        0               0 May  3 23:36 'EFI'
-rw-r--r--    1 0        1010        18092 Sep 14  2021 'LICENSE'
-r--r--r--    1 0        0             219 May  3 23:36 'TRANS.TBL'
dr-xr-xr-x    1 0        0               0 May  3 23:36 'images'
drwxrwsr-x    1 0        1010            0 May  3 23:36 'isolinux'
============================
enter option and arguments :
-find / -exec lsdl
==============================================================
dr-xr-xr-x    1 0        0               0 May  3 23:36 '/'
dr-xr-xr-x    1 0        0               0 May  3 23:36 '/EFI'
...
-rwx------    1 0        1010       930152 Aug  1  2020 '/EFI/BOOT/mmia32.efi'

.... [Press Enter to continue. @,Enter avoids further stops. @@@ aborts] ....
@
-rwx------    1 0        1010      1162400 Aug  1  2020 '/EFI/BOOT/mmx64.efi'
-rw-r--r--    1 0        1010        18092 Sep 14  2021 '/LICENSE'
...
-rw-r--r--    1 0        1010        26788 Nov 19  2020 '/isolinux/vesamenu.c32'
-rwxr-xr-x    1 0        1010     10468488 Apr 20 17:47 '/isolinux/vmlinuz'
============================
enter option and arguments :

Apply the desired -rm and -map commands. Finally give the commands

Code: Select all

-boot_image any replay
-compliance no_emul_toc
-padding included
-commit

-commit will cause UEFI_USB.iso to be written and then to be loaded as
-indev for inspection.

When you are done, enter command

Code: Select all

-end

(This would automatically perform -commit if any changes would be pending.)

If you want to abort the xorriso dialog run without writing UEFI_USB.iso
enter command

Code: Select all

-rollback_end

If you have messed up and want to go back to the situation after -indev, enter

Code: Select all

-rollback

Have a nice day

Thomas

[scdbackup]

Hi,

i forgot to mention that in the "-indev ... -outdev ..." use case,
the -outdev file must not exist or be pseudo-blanked.
So either remove UEFI_USB.iso before you give its path to -outdev
(a non-existing file is considered blank) or insert xorriso command

Code: Select all

-blank as_needed

before -commit (or after "-padding included").

Blanking does not make the existing file UEFI_USB.iso smaller. It only
writes a few KiB to its start so that it does not look like an ISO 9660
filesystem. (Actually xorriso is designed to work on optical drives.
Data files or block devices are used like DVD+RW or BD-RE media.)

Have a nice day

Thomas

[bjs]

These are the commands I use in my make ISO scripts for 6-8, which are based on Red Hat Solution 60959 ( https://access.redhat.com/solutions/60959 ).

Code: Select all

$ mkisofs -o "${D}.iso" -b isolinux/isolinux.bin -J -joliet-long -uid 0 -gid 0 -R -l -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -eltorito-alt-boot -e images/efiboot.img -no-emul-boot -graft-points -V "${L}" ./

$ isohybrid --uefi "${D}.iso"

[MustafaKamaal]

Thank you Thomas and Bryan. I will try these methods and reach out again if I face issues.