[ipxe-devel] [gPXE] Server verification

Floris Bos / Maxnet bos at je-eigen-domein.nl
Tue Mar 20 11:02:13 UTC 2012


On Monday 19 Mar 2012 19:46:36 Paul Kuntke wrote:
>> I would like to use PXE-Booting in our PC-pool to choose remotely which OS
>> should be booted. Since it would be quite easy to set up an own DHCP-Server
>> and thus to bring in an own OS illegally, I would like to know if it is
>> possible to verify if the TFTP (or something else) Server is the right one.
>>
>> I've seen in the mailinglist that there's been an patch by David Michael on
>> Jul, 9th 2010. This patch seems to be just what I want, but I don't know
>> how to embed an Signature to the lkrn-Image.

Be aware that only makes sense if you are booting iPXE directly (e.g. 
from USB stick, or flashed to the bios/nic)
If you plan to let the computer PXE boot from the network using its own 
native bootloader, and then chainload iPXE, that will not offer you 
protection, as its own bootloader doesn't know anything about signatures.


Might be easier to just get a more sophisticated managed Ethernet switch 
that can protect against rogue DHCP servers by filtering the DHCP 
traffic for you.
DHCP snooping: 
http://cdn.procurve.com/training/Manuals/3500-5400-6200-6600-8200-ASG-Mar10-11-Protection.pdf

-- 
Yours sincerely,

Floris Bos





More information about the ipxe-devel mailing list