[ipxe-devel] True security? Re: Problem "Invalid Magic Signature"

Michael Brown mbrown at fensystems.co.uk
Tue Aug 7 19:23:11 UTC 2012


On Tuesday 07 Aug 2012 19:31:25 Oliver Rath wrote:
> If I load ipxe via undionly.kpxe (per tftp), the certificate could
> be read by anyone who is able to sniff the network, so imho https is only
> sensible if I burn ipxe into nic-rom. Do I see this right?

Sort of.  Being able to read the certificate isn't a problem; certificates are 
by definition public information anyway.  The problem is that the initial TFTP 
transfer isn't secured in any way, so an attacker with access to your LAN 
could inject a malicious image.

If you use undionly.kpxe then you are effectively declaring that the local 
network is trusted.  You can still sensibly exploit the security offered by 
HTTPS to download over a WAN.  For example, you may trust your local network 
but want to boot over the (untrusted) Internet: in this scenario it is still 
useful to utilise undionly.kpxe with HTTPS.

If you have iPXE in ROM, then all of these issues go away, and you don't need 
to trust anything on your local network.

> So, for true security - if I don't burn ipxe into nic-rom - the
> certificate should be stored in the computer that uses pxe. Is there a
> possibility for this? I.e. CMOS, BIOS or a kind of TPM chip?

That wouldn't help.  The initial TFTP download would still be untrusted.

Michael


