[ipxe-devel] [gPXE] Server verification
Floris Bos / Maxnet
bos at je-eigen-domein.nl
Tue Mar 20 11:02:13 UTC 2012
On Monday 19 Mar 2012 19:46:36 Paul Kuntke wrote:
>> I would like to use PXE-Booting in our PC-pool to choose remotely which OS
>> should be booted. Since it would be quite easy to set up an own DHCP-Server
>> and thus to bring in an own OS illegally, I would like to know if it is
>> possible to verify if the TFTP (or something else) Server is the right one.
>>
>> I've seen in the mailinglist that there's been an patch by David Michael on
>> Jul, 9th 2010. This patch seems to be just what I want, but I don't know
>> how to embed an Signature to the lkrn-Image.
Be aware that only makes sense if you are booting iPXE directly (e.g.
from USB stick, or flashed to the bios/nic)
If you plan to let the computer PXE boot from the network using its own
native bootloader, and then chainload iPXE, that will not offer you
protection, as its own bootloader doesn't know anything about signatures.
Might be easier to just get a more sophisticated managed Ethernet switch
that can protect against rogue DHCP servers by filtering the DHCP
traffic for you.
DHCP snooping:
http://cdn.procurve.com/training/Manuals/3500-5400-6200-6600-8200-ASG-Mar10-11-Protection.pdf
--
Yours sincerely,
Floris Bos
More information about the ipxe-devel
mailing list