Does any image format mind if you append a few extra "signature" bytes beyond the end of the image?
I guess in most cases it might be safe to assume no...

thanks!
-Alessandro

On Thu, Jun 3, 2010 at 15:09, Stefan Hajnoczi <[email protected]> wrote:
> On Thu, Jun 3, 2010 at 10:14 PM, Alessandro Salvatori <[email protected]> wrote:
>>> What use cases does this design satisfy? For example, how can a NIC vendor
>>> ship a trusted boot enabled gPXE in ROM? I'm hoping that the main use cases
>>> can use this design.
>>>
>>> Weaknesses/holes in this design:
>>> * initramfs/initrd and multiboot modules are currently not verified,
>>>   easy to fix
>>> * trusted SAN boot not supported
>>
>> to me it looks like appending a signature to the kernel image and
>> storing the public key with gpxe would allow us to satisfy the
>> requirements of many more use cases. And would require far less
>> maintenance: there would be no need to go and store the individual
>> image checksums in each script...
>
> Signing a Linux kernel image (possibly with an embedded initramfs) is
> a solution for Linux. gPXE supports other image formats, such as
> multiboot (Solaris, VMware ESX), PXE NBP, SYSLINUX COMBOOT, and gPXE
> scripts. It also supports SAN boot protocols like iSCSI and
> ATA-over-Ethernet where a block device is booted via a boot sector.
> All of these boot methods need to be secured so I think restricting
> ourselves to Linux images does not cover enough use cases.
>
>> it would be nice to have a similar patch in grub, so that we'd have
>> the same guarantee upon a local boot.
>
> Following standards would be nice. It's something that has been
> mentioned in off-list feedback, too. The demo I posted was something
> I cooked up from scratch in a day. Fully thinking this through
> involves investigating executable signing standards and if other
> software already has a solution that we can interoperate with.
>
> Thanks for sharing your ideas, I hope we can get a secure booting
> solution in gPXE in the future :).
>
> Stefan
