gPXE Secure Network Booting Project Proposal

At the moment gPXE has no security in the bootstrap process. This project aims to deliver security and verifiability to bootstrapping. This project has two big parts. One is creating a secure network connection, over which files can be downloaded. The second part is the ability to verify that the retrieved files have not been modified. One goal is to separate these two parts as much as possible, to allow the use of other secure protocols in the future.

Benefits to the community
This project will allow the safe booting of machines on non-secure networks, as well as the possibility of booting from a server not within the local network. It will also allow the transmission of private information that needs to be protected. This project could also open up the ability to easily add other protocols to gPXE.

From the user end:

  • The ability to select the protocol when creating an image.
  • Specifying a user name and password for the server.
  • Selecting the ability to verify the loaded files.
  • Define the decryption key for the hash file. (If this path in development is take)

From the code side:

  • Support for a secure network protocol.
  • Ability to retrieve a file with hash values for the loaded files.
  • Hashing and comparing each file with their hash value.
  • Halting the boot process if there is a hash mismatch.

Project Details
Currently gPXE uses an insecure network connection and does not do any verification of the files it loads. Because there is no security in the boot process, it is possible for someone to modify or hijack the bootstrap process. This project aims to stop this type of possibility. When loading the needed files, the bootstrap loader will utilize a secure network connection. This can be achieved in several ways. One way is to use a secure protocol, like sftp, to transmit the files. Another way is to wrap a non-secure protocol, like tftp, in a SSH tunnel. The last way is to create a new protocol, such as stftp, which builds in security. The first two ideas will require the creation of a user account of the file server, which could be a problem in some setups. After the files are transfered, securely or not, the boot loader will then verify that the files have not been modified. This can be accomplished easily with a hash function, like MD5. The problem with this step is how to get the hashes securely. Putting the hashes in the bootstrap loader is not practical. Retrieving them from the server works fine with a secure connection. With an insecure connection the hashes could also be modified. Either we can leave this problem as is, and expect a secure connection, or we can use some form of encryption to protect the hashes. One example is we could use public key encryption; encrypting the hashes with the private key and giving the bootstrap loader the public key to unlock the hash file.

Some of the major milestones for the project are:

  • Deciding which path to take in creating a secure connection, and create a detailed design.
  • Adding support to gPXE for the new protocol.
  • Adding the ability to select the new protocol when creating a boot image.
  • Flushing out design details for verifying the loaded files.
  • Adding support for hashing the loaded files and checking them against the given hash value.
  • Adding support for decryption of the hash file, if that development path is take.
  • Adding the ability to have the image to verify the files, and specify the decryption key.

QR Code
QR Code soc:derekpryor-proposal (generated for current page)