2.4 ISO image breaks EFI partition needed by older hardware that Oracle Linux ISO has

[DannyBoyk]

Version

2.4.200

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

20

RAM

512 GB

Storage for /

300 GB

Storage for /nsm

3.7 TB

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I'm trying to install the latest SO in a distributed way, using a Dell R630 as a sensor node and a Dell R730 as our manager search node. I know they're older machines, but it's what I was given to work with for this proof of concept. The UEFI support isn't as advanced on these machines as modern day ones, and they still need an EFI partition in the ISO to correct boot from them.

From looking at the fdisk -l output for the latest Security Onion ISO vs the latest Oracle Linux ISO, it appears that the Security Onion ISO generation process is condensing everything to a single partition of type Hidden HPFS/NTFS vs the two partitions an Oracle Linux ISO has of types Empty and EFI (FAT-12/16/32). I stumbled onto this while trying to figure out what the possible issue might be with the R630 refusing to boot from a USB written with BalenaEtcher with the SO image, but working fine with a Ubuntu image. I pulled an Oracle Linux ISO just now to confirm it has the same partition layout as the Ubuntu image, the Empty and EFI partitions.

Would Security Onion be able to change it's ISO generation process to maintain these two partitions? Older hardware (but not ancient) still needs the EFI partition to boot properly.

~Dan

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

What error(s) are you seeing when attempting to boot from the Security Onion ISO?

Did you verify the hash / signature before flashing your USB?

Have you tried using a different software to flash the USB or if Dell iDrac is available mounting the ISO as a virtual drive directly?

[DannyBoyk]

The error message Dell displays is supremely unhelpful. Just "Boot failed" and asks if I want to retry the boot process.

Yes, I verified the hash and signature on the ISO file itself and Balena Etcher verified the flash after flashing. I also tried just using dd rather than Balena Etcher, but it's exactly the same.

The Dell iDrac complains that the image file is not valid when I tried to load it as a virtual drive through the web interface. I think I've read that it has an 8GB hard limit.

Important to note that the USB stick works just fine in newer computer systems. The Dell R630 firmware's UEFI handling appears to only support older UEFI standards that require the EFI partition be present. We are on the newest version that's available for the R630. Newer UEFI firmware appears to handle searching the main partition for the EFI files, but not the R630.

Images that have the EFI parition seem to work fine.

~Dan

[DannyBoyk]

I was able to fix the USB drive to boot on the R630 by creating an EFI partition. Do do so, I did the following:

# Step 1: Write the ISO to USB
sudo dd if=~/Downloads/securityonion-2.4.201-20260114.iso of=/dev/sdX bs=4M status=progress oflag=sync

# Step 2: Add an EFI partition in the free space after the ISO
sudo fdisk /dev/sdX
# p        (print — confirm partition 1 ends around sector 30435327)
# n        (new partition)
# p        (primary)
# 2
# [accept default first sector]
# +64M
# t        (change type)
# 2
# ef       (EFI System)
# w        (write and exit)

# Step 3: Format the EFI partition
sudo mkfs.vfat -F32 /dev/sdX2

# Step 4: Mount the ISO and copy EFI files to the new partition
sudo mount -o loop ~/Downloads/securityonion-2.4.201-20260114.iso /mnt
sudo mkdir -p /tmp/esp
sudo mount /dev/sdX2 /tmp/esp
sudo cp -r /mnt/EFI /tmp/esp/
sudo umount /tmp/esp
sudo umount /mnt