gPXE Secure Network Booting Project Proposal

Synopsis
At the moment gPXE has no security in the bootstrap process. This project aims to deliver security and verifiability to bootstrapping. This project has two big parts. One is creating a secure network connection, over which files can be downloaded. The second part is the ability to verify that the retrieved files have not been modified. One goal is to separate these two parts as much as possible, to allow the use of other secure protocols in the future.

Benefits to the community
This project will allow the safe booting of machines on non-secure networks, as well as the possibility of booting from a server not within the local network. It will also allow the transmission of private information that needs to be protected. This project could also open up the ability to easily add other protocols to gPXE.

Deliverables
From the user end:

From the code side:

Project Details
Currently gPXE uses an insecure network connection and does not do any verification of the files it loads. Because there is no security in the boot process, it is possible for someone to modify or hijack the bootstrap process. This project aims to stop this type of possibility. When loading the needed files, the bootstrap loader will utilize a secure network connection. This can be achieved in several ways. One way is to use a secure protocol, like sftp, to transmit the files. Another way is to wrap a non-secure protocol, like tftp, in a SSH tunnel. The last way is to create a new protocol, such as stftp, which builds in security. The first two ideas will require the creation of a user account of the file server, which could be a problem in some setups. After the files are transfered, securely or not, the boot loader will then verify that the files have not been modified. This can be accomplished easily with a hash function, like MD5. The problem with this step is how to get the hashes securely. Putting the hashes in the bootstrap loader is not practical. Retrieving them from the server works fine with a secure connection. With an insecure connection the hashes could also be modified. Either we can leave this problem as is, and expect a secure connection, or we can use some form of encryption to protect the hashes. One example is we could use public key encryption; encrypting the hashes with the private key and giving the bootstrap loader the public key to unlock the hash file.

Some of the major milestones for the project are: