[ipxe-devel] True security? Re: Problem "Invalid Magic Signature"
Michael Brown
mbrown at fensystems.co.uk
Tue Aug 7 19:23:11 UTC 2012

On Tuesday 07 Aug 2012 19:31:25 Oliver Rath wrote:
> If I load ipxe via undionly.kpxe (per tftp), the certificate could
> be read by anyone who is able to sniff the network, so imho https is only
> sensible if I burn ipxe into nic-rom. Do I see this right?

Sort of. Being able to read the certificate isn't a problem; certificates are
by definition public information anyway. The problem is that the initial TFTP
transfer isn't secured in any way, so an attacker with access to your LAN
could inject a malicious image.

If you use undionly.kpxe then you are effectively declaring that the local
network is trusted. You can still sensibly exploit the security offered by
HTTPS to download over a WAN. For example, you may trust your local network
but want to boot over the (untrusted) Internet: in this scenario it is still
useful to utilise undionly.kpxe with HTTPS.

If you have iPXE in ROM, then all of these issues go away, and you don't need
to trust anything on your local network.

> So, for true security - if I don't burn ipxe into nic-rom - the
> certificate should be stored in the computer that uses pxe. Is there a
> possibility for this? I.e. CMOS, BIOS or a kind of TPM chip?

That wouldn't help. The initial TFTP download would still be untrusted.

Michael