On Thu, Jun 3, 2010 at 10:14 PM, Alessandro Salvatori <[email protected]> wrote:

>> What use cases does this design satisfy? For example, how can a NIC vendor
>> ship a trusted boot enabled gPXE in ROM? I'm hoping that the main use cases
>> can use this design.
>>
>> Weaknesses/holes in this design:
>> * initramfs/initrd and multiboot modules are currently not verified,
>>   easy to fix
>> * trusted SAN boot not supported
>
> to me it looks like appending a signature to the kernel image and
> storing the public key with gpxe would allow to satisfy the
> requirements of many more use cases. And would require far less
> maintenance: there would be no need to go and store the individual
> image checksums in each script...
Signing a Linux kernel image (possibly with an embedded initramfs) is a solution for Linux. gPXE supports other image formats, such as multiboot (Solaris, VMware ESX), PXE NBP, SYSLINUX COMBOOT, and gPXE scripts. It also supports SAN boot protocols like iSCSI and ATA-over-Ethernet, where a block device is booted via a boot sector. All of these boot methods need to be secured, so I think restricting ourselves to Linux images does not cover enough use cases.

> it would be nice to have a similar patch in grub, so that we'd have
> the same guarantee upon a local boot.

Following standards would be nice. It's something that has been mentioned in off-list feedback, too. The demo I posted was something I cooked up from scratch in a day. Fully thinking this through involves investigating executable signing standards and whether other software already has a solution that we can interoperate with.

Thanks for sharing your ideas, I hope we can get a secure booting solution in gPXE in the future :).

Stefan

_______________________________________________
gPXE-devel mailing list
[email protected]
http://etherboot.org/mailman/listinfo/gpxe-devel
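The two verification schemes the thread weighs against each other, a signature appended to the image and checked with a public key built into the loader versus a per-image checksum carried in the boot script, as an added example that is not part of this thread or of gPXE. The trailer layout (`GPXESIG1` magic after a 64-byte Ed25519 signature), the key pair and the stand-in image bytes are all constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Hypothetical trailer layout (not a gPXE format): image || 64-byte Ed25519
// signature || 8-byte magic, so the loader can tell a signed image from a plain one.
const trailerMagic = "GPXESIG1"

// SignImage appends a signature over the whole image, as the mail proposes.
func SignImage(image []byte, priv ed25519.PrivateKey) []byte {
	out := append([]byte{}, image...)
	out = append(out, ed25519.Sign(priv, image)...)
	return append(out, trailerMagic...)
}

// VerifyImage is the loader side: find the trailer, check it with the baked-in key, return only a verified body.
func VerifyImage(blob []byte, pub ed25519.PublicKey) ([]byte, error) {
	tl := ed25519.SignatureSize + len(trailerMagic)
	if len(blob) < tl || !bytes.HasSuffix(blob, []byte(trailerMagic)) {
		return nil, errors.New("no signature trailer")
	}
	image := blob[:len(blob)-tl]
	sig := blob[len(blob)-tl : len(blob)-len(trailerMagic)]
	if !ed25519.Verify(pub, image, sig) {
		return nil, errors.New("signature does not verify")
	}
	return image, nil
}

// VerifyChecksum is the per-image digest approach the thread compares against:
// the boot script must carry a fresh SHA-256 for every rebuilt image.
func VerifyChecksum(image []byte, expectedHex string) bool {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:]) == expectedHex
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	signed := SignImage([]byte("constructed stand-in for a kernel image"), priv)
	_, err := VerifyImage(signed, pub)
	fmt.Println("verified:", err == nil) // prints "verified: true"
}
```

With the signature scheme only the public key lives in the loader, so rebuilding an image does not touch the boot script; with the checksum scheme every rebuild means editing the digest in each script that references the image.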
