[arch-releng] iPXE HTTPS

David Manouchehri david at davidmanouchehri.com
Mon Dec 14 21:04:23 UTC 2015


If the netboot stuff is ever redone, we should look into using
dm-verity on the root partition and signing the kernel. Both of those
require a custom iPXE build. By signing everything, it's perfectly
safe to use any mirror or protocol.

dm-verity is probably a good idea to include even in the LiveUSB/CD.
The CoreOS team has a lot of neat stuff done with dm-verity if you
want to take a look.

https://github.com/coreos/scripts/blob/master/build_library/grub_install.sh

GRUB2 is used as a "shim" for dm-verity support. There's no option
(that I know of) to use PGP with dm-verity.

The netboot process would look like this:

iPXE (unsigned BIOS or signed EFI using X.509) -> GRUB2 (signed BIOS
or EFI using X.509) -> Kernel (signed using PGP)

Or

iPXE (unsigned BIOS or signed EFI using X.509) -> GRUB2 (signed BIOS
or EFI using X.509) -> Kernel and / (signed with X.509)
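
Added example, not part of the original post or of any project it mentions: a simplified dm-verity-style SHA-256 hash tree in Python (not the on-disk format veritysetup writes). It shows why authenticating only the root hash lets every block of the root image come from an untrusted mirror. The names build_tree and verify_block and the sample image are constructed for illustration, and the root is assumed to arrive through the signed boot chain.

```python
import hashlib
import hmac

BLOCK = 4096               # data and hash block size (dm-verity's usual default)
FANOUT = BLOCK // 32       # 128 SHA-256 digests fit in one hash block

def _h(salt, data):
    return hashlib.sha256(salt + data).digest()

def _pack(digests):
    # One hash block: child digests concatenated, zero-padded to BLOCK bytes.
    return b"".join(digests).ljust(BLOCK, b"\0")

def build_tree(image, salt):
    """Return digest levels: levels[0] are leaf digests, levels[-1] == [root]."""
    if not image or len(image) % BLOCK:
        raise ValueError("image must be a non-empty multiple of BLOCK")
    level = [_h(salt, image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = [level]
    while len(level) > 1:
        level = [_h(salt, _pack(level[i:i + FANOUT]))
                 for i in range(0, len(level), FANOUT)]
        levels.append(level)
    return levels

def verify_block(block, index, levels, salt, trusted_root):
    """Check one block fetched from an untrusted mirror against the signed root.
    `levels` is untrusted too; only `trusted_root` is assumed authenticated."""
    if len(block) != BLOCK or index < 0:
        return False
    digest = _h(salt, block)
    for level in levels[:-1]:
        if index >= len(level):            # malformed or truncated tree
            return False
        start = (index // FANOUT) * FANOUT
        group = list(level[start:start + FANOUT])
        group[index - start] = digest      # recomputed digest, not the stored one
        digest = _h(salt, _pack(group))
        index //= FANOUT
    return hmac.compare_digest(digest, trusted_root)

# Constructed sample: a 300-block "root image" and a fixed all-zero salt.
SALT = bytes(32)
IMAGE = b"".join(i.to_bytes(2, "big") * (BLOCK // 2) for i in range(300))
LEVELS = build_tree(IMAGE, SALT)
ROOT = LEVELS[-1][0]       # the only value that needs a signature

def block(image, i):
    return image[i * BLOCK:(i + 1) * BLOCK]
```

A mirror that alters a block and rebuilds the whole tree to match still fails the check, because the recomputed root no longer equals the authenticated one.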

