[gPXE-devel] Trusted boot for gPXE

Stefan Hajnoczi stefanha at gmail.com
Thu Jun 3 18:09:51 EDT 2010


On Thu, Jun 3, 2010 at 10:14 PM, Alessandro Salvatori <sandr8 at gmail.com> wrote:
>> What use cases does this design satisfy? For example, how can a NIC vendor
>> ship a trusted boot enabled gPXE in ROM? I'm hoping that the main use cases
>> can use this design.
>>
>> Weaknesses/holes in this design:
>> * initramfs/initrd and multiboot modules are currently not verified,
>> easy to fix
>> * trusted SAN boot not supported
>
>   to me it looks like appending a signature to the kernel image and
> storing the public key with gpxe would allow to satisfy the
> requirements many more use cases. And would require far less
> maintenance: there would be no need to go and store the individual
> image checksums in each script...

Signing a Linux kernel image (possibly with an embedded initramfs) is
a solution for Linux.  gPXE supports other image formats, such as
multiboot (Solaris, VMware ESX), PXE NBP, SYSLINUX COMBOOT, and gPXE
scripts.  It also supports SAN boot protocols like iSCSI and
ATA-over-Ethernet where a block device is booted via a boot sector.
All of these boot methods need to be secured so I think restricting
ourselves to Linux images does not cover enough use cases.

> it would be nice to have a similar patch in grub, so that we'd have
> the same guarantee upon a local boot.

Following standards would be nice.  It's something that has been
mentioned in off-list feedback, too.  The demo I posted was something
I cooked up from scratch in a day.  Fully thinking this through
involves investigating executable signing standards and if other
software already has a solution that we can interoperate with.

Thanks for sharing your ideas, I hope we can get a secure booting
solution in gPXE in the future :).

Stefan
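The "signature appended to the image, public key stored in the loader" scheme discussed in the thread, as an added example that is not gPXE code or the author's demo: it assumes Ed25519 and a constructed trailer layout (magic, signature, payload length), and shows why the loader must check the trailer before trusting any byte of the image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Trailer appended to the image (constructed layout, not a gPXE format):
// 8-byte magic | 64-byte Ed25519 signature | 8-byte big-endian payload length.
var magic = []byte("GPXESIG1")

const trailerLen = 8 + ed25519.SignatureSize + 8

// SignImage signs the raw image and appends the trailer, so a single
// embedded public key in the loader covers every image signed with this key.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	sig := ed25519.Sign(priv, image)
	out := append([]byte{}, image...)
	out = append(out, magic...)
	out = append(out, sig...)
	var lenBuf [8]byte
	binary.BigEndian.PutUint64(lenBuf[:], uint64(len(image)))
	return append(out, lenBuf[:]...)
}

// VerifyImage validates the trailer against the loader's public key and
// returns only the payload that may be executed; any defect is rejected.
func VerifyImage(pub ed25519.PublicKey, signed []byte) ([]byte, error) {
	if len(signed) < trailerLen {
		return nil, errors.New("image too short for signature trailer")
	}
	tr := signed[len(signed)-trailerLen:]
	if !bytes.Equal(tr[:8], magic) {
		return nil, errors.New("missing signature trailer")
	}
	sig := tr[8 : 8+ed25519.SignatureSize]
	n := binary.BigEndian.Uint64(tr[8+ed25519.SignatureSize:])
	if n != uint64(len(signed)-trailerLen) {
		return nil, errors.New("trailer length does not match image")
	}
	payload := signed[:n]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature verification failed")
	}
	return payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	signed := SignImage(priv, []byte("constructed kernel image bytes"))
	_, err := VerifyImage(pub, signed)
	fmt.Println("genuine image:", err)
	signed[0] ^= 1 // flip one payload bit
	_, err = VerifyImage(pub, signed)
	fmt.Println("tampered image:", err)
}
```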
