[arch-releng] iPXE HTTPS
David Manouchehri
david at davidmanouchehri.com
Mon Dec 14 21:04:23 UTC 2015

If the netboot stuff is ever redone, we should look into using
dm-verity on the root partition and signing the kernel. Both of those
require a custom iPXE build. By signing everything, it's perfectly
safe to use any mirror or protocol.

dm-verity is probably a good idea to include even in the LiveUSB/CD.
The CoreOS team has a lot of neat stuff done with dm-verity if you
want to take a look.

https://github.com/coreos/scripts/blob/master/build_library/grub_install.sh

GRUB2 is used as a "shim" for dm-verity support. There's no option
(that I know of) to use PGP with dm-verity.

The netboot process would look like this:

iPXE (unsigned BIOS or signed EFI using X.509) -> GRUB2 (signed BIOS or EFI using X.509) -> Kernel (signed using PGP)

Or

iPXE (unsigned BIOS or signed EFI using X.509) -> GRUB2 (signed BIOS or EFI using X.509) -> Kernel and / (signed with X.509)
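
Why a signed dm-verity root hash lets the image come from any mirror or protocol, as an added example that is not part of the original message or of any project it mentions: a simplified Python model of the hash tree (salted SHA-256 over 4096-byte blocks, not bit-compatible with `veritysetup` output). The function names, salt and sample image are constructed for illustration.

```python
import hashlib

BLOCK = 4096            # data and hash block size used in this model
FANOUT = BLOCK // 32    # SHA-256 digests that fit in one hash block (128)

def _h(salt, data):
    return hashlib.sha256(salt + data).digest()

def _pad(buf):
    return buf.ljust(BLOCK, b"\0")

def _blocks(buf):
    # Split into BLOCK-sized pieces, zero-padding the last one.
    return [_pad(buf[i:i + BLOCK]) for i in range(0, len(buf), BLOCK)]

def build_tree(image, salt):
    """Return (levels, root); levels[0] holds one digest per data block."""
    level = [_h(salt, b) for b in _blocks(image)]
    levels = [level]
    while len(level) > FANOUT:          # pack digests into hash blocks, hash those
        level = [_h(salt, hb) for hb in _blocks(b"".join(level))]
        levels.append(level)
    return levels, _h(salt, _pad(b"".join(level)))

def verify_block(index, block, levels, root, salt):
    """Check one block from an untrusted source; only `root` is trusted."""
    digest = _h(salt, _pad(block))
    for level in levels:
        if index >= len(level) or level[index] != digest:
            return False
        start = index // FANOUT * FANOUT  # hash block that contains this digest
        digest = _h(salt, _pad(b"".join(level[start:start + FANOUT])))
        index //= FANOUT
    return digest == root

def demo():
    salt = b"constructed-salt"
    image = b"".join(bytes([i % 251]) * BLOCK for i in range(300))  # constructed
    levels, root = build_tree(image, salt)   # root is what would be signed
    good = image[5 * BLOCK:6 * BLOCK]
    bad = b"\xff" + good[1:]                 # mirror flips one byte
    forged = [list(l) for l in levels]
    forged[0][5] = _h(salt, bad)             # mirror also rewrites the leaf digest
    return (verify_block(5, good, levels, root, salt),
            verify_block(5, bad, levels, root, salt),
            verify_block(5, bad, forged, root, salt))

if __name__ == "__main__":
    print(demo())
```

Both the data blocks and the hash levels can be served by the untrusted mirror; only the root hash has to arrive through the signed boot chain.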