[arch-releng] iPXE HTTPS
On the Arch netboot page, several of the scripts are using HTTP. iPXE supports HTTPS, so I believe there's no reason to use HTTP.

https://releng.archlinux.org/pxeboot/arch_text.ipxe

Feel free to chime in if I'm missing something.

--
David Manouchehri
F0FE 0296 14EA 35BC 9E4FF 9768 A6EC FD0C 4083 9755
https://keybase.io/manouchehri/key.asc
After looking into it a bit more, iPXE has to be compiled with DOWNLOAD_PROTO_HTTPS (which is oddly enough not a default).

https://ipxe.org/download#choosing_what_to_build
https://ipxe.org/buildcfg/download_proto_https
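Before deciding what an HTTPS-capable iPXE build buys you, it helps to know which fetches in a script actually travel in the clear, including ones hidden behind a `set` variable. The following is an added example, not code from the thread or from the Arch releng scripts: a small static audit of an iPXE script that expands `${var}` references and classifies each fetched URI. The script it runs over is constructed for the demo and is not the real arch_text.ipxe; the command list and the `${name}` expander are simplifications of iPXE syntax (no `${name:modifier}` forms, and `--option` tokens before the URI are skipped without their values).

```python
import re

# Constructed sample iPXE script for the demo. It mimics the shape of a
# netboot script (mirror variable, kernel/initrd fetch) but is NOT the
# content of the real arch_text.ipxe referenced in the thread.
SAMPLE_SCRIPT = """#!ipxe
set mirrorurl http://mirror.example.org/archlinux
set release 2015.12.01
kernel ${mirrorurl}/iso/${release}/arch/boot/x86_64/vmlinuz archisobasedir=arch
initrd ${mirrorurl}/iso/${release}/arch/boot/x86_64/archiso.img
chain https://boot.example.org/menu.ipxe
imgfetch ${somedhcpvar}/extra.img
boot
"""

# iPXE image commands whose first non-option argument is a URI that is fetched.
FETCH_COMMANDS = {"kernel", "imgselect", "imgload", "initrd", "module",
                  "imgfetch", "chain", "imgexec"}

# ${name} references only; iPXE's ${name:modifier} forms are not handled here
# (assumption for the demo).
VAR_RE = re.compile(r"\$\{([A-Za-z0-9_./-]+)\}")


def expand(text, env):
    """Expand ${name} from variables set earlier in the script; unknown names stay as-is."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), text)


def audit_fetches(script):
    """Return (lineno, command, resolved_uri, verdict) for every fetch in the script.

    verdict is "plaintext" for http://, "tls" for https://, "unresolved" when the
    URI still depends on a variable the script never sets (e.g. one supplied by
    DHCP), and "other" for anything else (tftp://, relative paths, ...).
    """
    env = {}
    findings = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        cmd = parts[0]
        if cmd == "set" and len(parts) >= 3:
            # iPXE's set takes the remainder of the line as the value
            env[parts[1]] = expand(" ".join(parts[2:]), env)
            continue
        if cmd not in FETCH_COMMANDS:
            continue
        args = [a for a in parts[1:] if not a.startswith("--")]
        if not args:
            continue
        uri = expand(args[0], env)
        if "${" in uri:
            verdict = "unresolved"
        elif uri.lower().startswith("http://"):
            verdict = "plaintext"
        elif uri.lower().startswith("https://"):
            verdict = "tls"
        else:
            verdict = "other"
        findings.append((lineno, cmd, uri, verdict))
    return findings


def plaintext_fetches(script):
    """Only the fetches that would arrive unauthenticated over the network."""
    return [f for f in audit_fetches(script) if f[3] == "plaintext"]


if __name__ == "__main__":
    for lineno, cmd, uri, verdict in audit_fetches(SAMPLE_SCRIPT):
        print(f"line {lineno}: {cmd} {uri} [{verdict}]")
```

Switching the flagged URIs to https:// only helps if the iPXE image that runs the script was built with `#define DOWNLOAD_PROTO_HTTPS` (iPXE reads local overrides from config/local/general.h) and carries a trust root it can validate the server against (the `TRUST=` build option); iPXE aborts a fetch whose certificate it cannot validate rather than falling back to plaintext. The "unresolved" verdict is the reminder that a URI assembled from DHCP-supplied variables cannot be judged from the script alone.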
On 12.12.2015 at 15:48, David Manouchehri wrote:
> On the Arch netboot page, several of the scripts are using HTTP. iPXE supports HTTPS, so I believe there's no reason to use HTTP.
> https://releng.archlinux.org/pxeboot/arch_text.ipxe
> Feel free to chime in if I'm missing something.
The whole netboot stuff needs lots of love still. Over two years ago, I wrote patches to integrate it into the regular website, which have not been finished and merged yet. The problem with https, last time I checked, was the lack of support for wildcard certificates. I did not evaluate this recently.
If the netboot stuff is ever redone, we should look into using dm-verity on the root partition and signing the kernel. Both of those require a custom iPXE build. By signing everything, it's perfectly safe to use any mirror or protocol. dm-verity is probably a good idea to include even in the LiveUSB/CD.

The CoreOS team has a lot of neat stuff done with dm-verity if you want to take a look.

https://github.com/coreos/scripts/blob/master/build_library/grub_install.sh

GRUB2 is used as a "shim" for dm-verity support. There's no option (that I know of) to use PGP with dm-verity.

The netboot process would look like this:

iPXE (unsigned BIOS or signed EFI using X.509) -> GRUB2 (signed BIOS or EFI using X.509) -> Kernel (signed using PGP)

Or

iPXE (unsigned BIOS or signed EFI using X.509) -> GRUB2 (signed BIOS or EFI using X.509) -> Kernel and / (signed with X.509)
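The dm-verity idea in the message above, as an added example that is not part of the thread and not code from CoreOS or Arch: it builds the dm-verity hash tree over an image in Python, returns the root hash, and checks an image against a root hash the way a boot-time verifier would. The image and salt are constructed for the demo. The layout follows the dm-verity on-disk format (version 1, sha256, 4096-byte data and hash blocks, digests zero-padded to hash-block boundaries) and is intended to match what `veritysetup format` produces for the same parameters; treat that equivalence as an assumption and confirm it against veritysetup before relying on it.

```python
import hashlib
import hmac

# Constructed inputs for the demo: a 6-block "root filesystem image" and a
# 32-byte salt. Neither is a real Arch image or a real salt.
DATA_BLOCK_SIZE = 4096
HASH_BLOCK_SIZE = 4096
SALT = bytes.fromhex("0123456789abcdef" * 4)
SAMPLE_IMAGE = bytes(range(256)) * (6 * DATA_BLOCK_SIZE // 256)


def hash_block(block, salt, algo="sha256", version=1):
    """Hash one block the way dm-verity does: format version 1 prepends the
    salt, the older version 0 appends it."""
    h = hashlib.new(algo)
    if version == 1:
        h.update(salt)
        h.update(block)
    else:
        h.update(block)
        h.update(salt)
    return h.digest()


def pack_level(digests, hash_block_size, per_block):
    """Lay digests out as zero-padded hash blocks, as stored on the hash device."""
    return [b"".join(digests[i:i + per_block]).ljust(hash_block_size, b"\0")
            for i in range(0, len(digests), per_block)]


def verity_root_hash(image, salt, algo="sha256", version=1,
                     data_block_size=DATA_BLOCK_SIZE,
                     hash_block_size=HASH_BLOCK_SIZE):
    """Build the dm-verity hash tree over image and return the root hash.

    Level 0 hashes each data block; each higher level hashes the packed hash
    blocks of the level below, until a single hash block remains. The root
    hash is the salted hash of that top block (or of the data block itself
    when the image is one block, which needs no tree).
    """
    if not image or len(image) % data_block_size:
        raise ValueError("image must be a non-zero multiple of the data block size")
    digest_size = hashlib.new(algo).digest_size
    # digests per hash block, rounded down to a power of two as cryptsetup does
    per_block = 1 << ((hash_block_size // digest_size).bit_length() - 1)
    data_blocks = [image[i:i + data_block_size]
                   for i in range(0, len(image), data_block_size)]
    if len(data_blocks) == 1:
        return hash_block(data_blocks[0], salt, algo, version)
    digests = [hash_block(b, salt, algo, version) for b in data_blocks]
    while True:
        level = pack_level(digests, hash_block_size, per_block)
        if len(level) == 1:
            return hash_block(level[0], salt, algo, version)
        digests = [hash_block(b, salt, algo, version) for b in level]


def verify_image(image, salt, expected_root_hex, **params):
    """True iff recomputing the tree over image reproduces the expected root.
    This is the check the boot side performs against a root hash it obtained
    from a signed source (e.g. the signed kernel's command line)."""
    actual = verity_root_hash(image, salt, **params).hex()
    return hmac.compare_digest(actual, expected_root_hex)


def flip_bit(image, offset):
    """Copy of image with one bit flipped at offset (a tampering mirror)."""
    tampered = bytearray(image)
    tampered[offset] ^= 0x01
    return bytes(tampered)


# The value that would be bound into the signed kernel for SAMPLE_IMAGE.
ROOT_HEX = verity_root_hash(SAMPLE_IMAGE, SALT).hex()

if __name__ == "__main__":
    print("root hash:", ROOT_HEX)
    print("pristine verifies:", verify_image(SAMPLE_IMAGE, SALT, ROOT_HEX))
    print("tampered verifies:",
          verify_image(flip_bit(SAMPLE_IMAGE, 5 * DATA_BLOCK_SIZE + 7), SALT, ROOT_HEX))
```

The point the message makes follows from the structure: the root hash is the only value that needs an authenticated path to the booting machine. Once it is carried by something already signed (the kernel, or a command line embedded in a signed image), the root image itself can come from any mirror over any protocol, because any change to a data block, to the hash blocks, or to the salt changes the root. The salt therefore need not be secret or signed. The real dm-verity target verifies blocks lazily as they are read; this example checks the whole image at once, which is the same computation without the on-demand part.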
participants (2)
- David Manouchehri
- Thomas Bächler