UEFI boot doesn't work in Rocky 9.3 installer using mkksiso

Greetings,

I have an HP EliteDesk 800 G1 TWR that I wish to install Rocky Linux to in an automatic way using kickstart files and mkksiso. BIOS boot works fine but UEFI throws this error:

Invalid image
Failed to read header: Unsupported
Failed to load image: Unsupported
start_image() returned Unsupported

This is thrown in the base minimal image and also the modified one. I can boot up other distros’ images so I don’t have a suitable solution. I’ve also tried to use Ventoy, which boots, but it removes the LABEL from the mounted image, breaking the offline minimal install I require. I’m using the following script to create the image:

#!/bin/bash

set -euo pipefail # if something goes wrong exit immediately

if ! command -v docker &> /dev/null
then
    echo "In order to run this script you need to have 'docker' installed on your machine."
    exit 1
fi

curl https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.3-x86_64-minimal.iso -C - -o rocky.iso

rm -rf ninux.iso

docker build . -t ninux-make-iso

docker run -v .:/vol ninux-make-iso mkksiso /vol/ks.cfg /vol/rocky.iso /vol/ninux.iso

The docker image is based on Rocky but with Lorax installed.

Kickstart file:

# Generated by Anaconda 34.25.3.8
# Generated by pykickstart v3.32
#version=RHEL9
# Use text install
text
# Use CDROM installation media
cdrom

%addon com_redhat_kdump --enable --reserve-mb='auto'

%end

# Keyboard layouts
keyboard --xlayouts='pt'
# System language
lang en_US.UTF-8

%packages
@^minimal-environment
@standard

%end

# by default configure dhcp on all interfaces
network --bootproto dhcp 
# Run the Setup Agent on first boot
firstboot --enable

# Generated using Blivet version 3.6.0
# Partition clearing information
clearpart --all --drives=sda --initlabel
autopart --nohome

bootloader

timesource --ntp-disable
# System timezone
timezone Europe/Lisbon --utc

#Root password
rootpw --lock
user --groups=wheel --name=ni --password=<redacted> --iscrypted --gecos="NI"

reboot --eject

%post

mkdir -p /home/ni/.ssh  

echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILsKR9mYAnehjbCFWLYX+OKUUr1tS6qV/rlg+ax4kbcG bootstrap@unsecure' > /home/ni/.ssh/authorized_keys

systemctl enable sshd

if [ "$(arch)" = "x86_64" ]; then
  dnf install grub2-pc-modules grub2-pc -y
  grub2-install --target=i386-pc /dev/sda
fi

# Make ni run sudo passwordless, it's secure because ni will only be accessed in cluster installations
#  or upgrades
install \
    -o root -g root -m400 \
    <(echo -e 'ni\tALL=(ALL)\tNOPASSWD:\tALL') \
    /etc/sudoers.d/freewheelers

# vagrant needs temporary files on the etc folder so in order to solve them we add the /etc
# TODO: fix this in the ansible side later
chmod +x /etc

%end

Thanks ^^
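The post above notes that Ventoy boots but the image loses its LABEL, which breaks the offline install. As an added example (not part of the original post, and not code from Lorax or Rocky), this reads the volume label from an ISO 9660 primary volume descriptor and lists any `LABEL=` reference in a boot config that does not match it. The sample image bytes, the label values and the grub.cfg lines are constructed for illustration.

```python
import re

SECTOR = 2048
PVD_SECTOR = 16  # ISO 9660 volume descriptors start at sector 16


def iso_volume_label(image: bytes) -> str:
    """Return the volume identifier from the primary volume descriptor."""
    offset = PVD_SECTOR * SECTOR
    while offset + SECTOR <= len(image):
        desc = image[offset:offset + SECTOR]
        if desc[1:6] != b"CD001" or desc[0] == 255:  # not ISO 9660 / terminator
            break
        if desc[0] == 1:  # type 1 = primary volume descriptor
            # Volume identifier: 32 bytes at offset 40, space padded.
            return desc[40:72].decode("ascii", "replace").rstrip(" \x00")
        offset += SECTOR
    raise ValueError("no ISO 9660 primary volume descriptor found")


def referenced_labels(boot_cfg: str) -> set:
    """Collect LABEL=... values from kernel command lines (\\x20 means space)."""
    return {m.replace("\\x20", " ") for m in re.findall(r"LABEL=([^\s:]+)", boot_cfg)}


def label_mismatches(image: bytes, boot_cfg: str) -> list:
    """Labels the boot config expects that the image does not carry."""
    actual = iso_volume_label(image)
    return sorted(l for l in referenced_labels(boot_cfg) if l != actual)


def build_sample_iso(label: str) -> bytes:
    """Constructed minimal image: empty system area, one PVD, one terminator."""
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[40:72] = label.encode("ascii").ljust(32, b" ")
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1
    return bytes(PVD_SECTOR * SECTOR) + bytes(pvd) + bytes(term)


# Constructed sample; the label and the inst.ks argument are assumptions.
SAMPLE_GRUB_CFG = (
    "linux /images/pxeboot/vmlinuz inst.stage2=hd:LABEL=Rocky-9-3-x86_64-dvd "
    "inst.ks=hd:LABEL=Rocky-9-3-x86_64-dvd:/ks.cfg quiet\n"
)

if __name__ == "__main__":
    print(label_mismatches(build_sample_iso("RELABELLED"), SAMPLE_GRUB_CFG))
```

To check a real image, pass the first 64 KiB or so of the ISO file as `image` and the contents of its grub.cfg as `boot_cfg`.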

See also my recent post:

Thanks for heading me in, what seems, the right direction:

It seems to be a Shim issue, already fixed in the upstream versions of Shim. As per this forum post, it seems that they are trying to update the version, but because it needs to be signed by Microsoft, there isn’t an ETA on this:

I will work on a workaround fix, in the next few days, while they get this sorted out to ensure full compatibility on EFI systems, by building an unsigned shim from the source. It’s not great, but I think that it’s better to have UEFI than to resort to Legacy Boot.

In the short term, can you try the Fedora shim, to see if it makes the slightest difference to the error?