UEFI boot doesn't work in Rocky 9.3 installer using mkksiso


I have an HP EliteDesk 800 G1 TWR on which I wish to install Rocky Linux in an automatic way using kickstart files and mkksiso. BIOS boot works fine but UEFI throws this error:

Invalid image
Failed to read header: Unsupported
Failed to load image: Unsupported
start_image() returned Unsupported

This is thrown in the base minimal image and also the modified one. I can boot up other distros’ images so I don’t have a suitable solution. I’ve also tried to use Ventoy, which boots, but it removes the LABEL from the mounted image, breaking the offline minimal install I require. I’m using the following script to create the image:


#!/usr/bin/env bash
set -euo pipefail # if something goes wrong exit immediately

# Abort early if docker is not available
if ! command -v docker &> /dev/null; then
    echo "In order to run this script you need to have 'docker' installed on your machine."
    exit 1
fi

curl https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.3-x86_64-minimal.iso -C - -o rocky.iso

rm -rf ninux.iso

docker build . -t ninux-make-iso

docker run -v .:/vol ninux-make-iso mkksiso /vol/ks.cfg /vol/rocky.iso /vol/ninux.iso

The docker image is based on Rocky but with Lorax installed.

Kickstart file:

# Generated by Anaconda
# Generated by pykickstart v3.32
# Use text install
text
# Use CDROM installation media
cdrom

%addon com_redhat_kdump --enable --reserve-mb='auto'

%end


# Keyboard layouts
keyboard --xlayouts='pt'
# System language
lang en_US.UTF-8



# by default configure dhcp on all interfaces
network --bootproto dhcp 
# Run the Setup Agent on first boot
firstboot --enable

# Generated using Blivet version 3.6.0
# Partition clearing information
clearpart --all --drives=sda --initlabel
autopart --nohome


timesource --ntp-disable
# System timezone
timezone Europe/Lisbon --utc

#Root password
rootpw --lock
user --groups=wheel --name=ni --password=<redacted> --iscrypted --gecos="NI"

reboot --eject


%post
mkdir -p /home/ni/.ssh

echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILsKR9mYAnehjbCFWLYX+OKUUr1tS6qV/rlg+ax4kbcG bootstrap@unsecure' > /home/ni/.ssh/authorized_keys

systemctl enable sshd

# On x86_64, also install the legacy BIOS GRUB so the disk boots in BIOS mode
if [ "$(arch)" = "x86_64" ]; then
  dnf install grub2-pc-modules grub2-pc -y
  grub2-install --target=i386-pc /dev/sda
fi

# Make ni run sudo passwordless, it's secure because ni will only be accessed in cluster installations
#  or upgrades
install \
    -o root -g root -m400 \
    <(echo -e 'ni\tALL=(ALL)\tNOPASSWD:\tALL') \

# vagrant needs temporary files on the etc folder so in order to solve them we add the /etc
# TODO: fix this in the ansible side later
chmod +x /etc
%end


Thanks ^^

See also my recent post:

Thanks for heading me in what seems to be the right direction:

It seems to be a Shim issue, already fixed in the upstream versions of Shim. As per this forum post, it seems that they are trying to update the version, but because it needs to be signed by Microsoft, there isn’t an ETA on this:

I will work on a workaround fix, in the next few days, while they get this sorted out to ensure full compatibility on EFI systems, by building an unsigned shim from the source. It’s not great, but I think that it’s better to have UEFI than to resort to Legacy Boot.

In the short term, can you try the Fedora shim, to see if it makes the slightest difference to the error?
