Hi,

Assume you are in a hostile environment, as in you can't trust the DHCP
servers nor the TFTP/HTTP server. So you would want a checksum on the kernel
and initrd.

Which checksum algorithm is available in pxelinux.0?
Which checksum algorithm could be integrated into pxelinux.0?

In other words: please advise what could be done to verify what pxelinux.0
did download.

Cheers
Geert Stappers
--
live and let live
> Assume you are in a hostile environment,
> as in you can't trust the DHCP servers nor the TFTP/HTTP server.
> So you would want a checksum on the kernel and initrd.
>
> Which checksum algorithm is available in pxelinux.0?
> Which checksum algorithm could be integrated into pxelinux.0?
>
> In other words: please advise what could be done
> to verify what pxelinux.0 did download.

Chicken and egg squared. How do you trust the pxelinux.0 that came from the
same source?

EFI does provide a solution. Take a lot of coffee and google for Secure Boot.
On Aug 18, 2015 4:42 AM, "Oscar Roozen via Syslinux" <syslinux at zytor.com> wrote:
>
> > Assume you are in a hostile environment,
> > as in you can't trust the DHCP servers nor the TFTP/HTTP server.
> > So you would want a checksum on the kernel and initrd.
> >
> > Which checksum algorithm is available in pxelinux.0?
> > Which checksum algorithm could be integrated into pxelinux.0?
> >
> > In other words: please advise what could be done
> > to verify what pxelinux.0 did download.
>
> Chicken and egg squared. How do you trust the pxelinux.0 that came
> from the same source?

There are tools with MD5 and I think SHA1, but what's stopping me, the
malicious boot environment operator, from having the tools report the known
and trusted hash but modifying the files at some point? If the scenario was
that everyone is trustworthy but there was occasionally an error in
transmission, such tools could help, though the compression algorithms can
also pick up the error; but that'd result in a reboot rather than allowing an
attempt to redownload.

> EFI does provide a solution. Take a lot of coffee and google for Secure
> Boot.

The basics are the firmware has public keys and verifies the payload before
execution.

--Gene
<<<
Hi,

Assume you are in a hostile environment, as in you can't trust the DHCP
servers nor the TFTP/HTTP server. So you would want a checksum on the kernel
and initrd.

Which checksum algorithm is available in pxelinux.0?
Which checksum algorithm could be integrated into pxelinux.0?

In other words: please advise what could be done to verify what pxelinux.0
did download.

Cheers
Geert Stappers
-->>>

For preventing the actions of a security-compromised PXE server you have the
PXE companion protocol BIS (Boot Integrity Services),
ftp://download.intel.com/design/archives/wfm/downloads/bisspec.pdf (BIOS), or
the newer EFI_BIS_PROTOCOL (EFI). In both cases the corresponding APIs are
located within the PC's FW (considered secure).

In the EFI world you also have Secure Boot. While Secure Boot requires the NBP
signature embedded within the NBP, the BIS protocol relies on additional
DHCP/MTFTP transactions for net retrieving the NBP credentials.

The topic is not simple and FW APIs are a must; checksum/hash/signature
handling within syslinux binaries is not secure because you would have the
source available to make a malicious pxelinux.0 validating whatever you
want...

Best,
Patrick
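A model of the chicken-and-egg argument made by Gene and Patrick above, as an added example that is not from the thread and not syslinux code: a sums file fetched from the same TFTP server as the kernel is simply regenerated by a hostile operator and still matches, while a signature checked against a key pinned in firmware does not. The toy textbook RSA with fixed Mersenne primes stands in for the firmware key store, and `scenario`, `tftp`-style dict and the file contents are constructed assumptions.

```python
import hashlib

# Constructed signer key: p and q are the known Mersenne primes M127 and M521,
# so no key generation is needed. Toy textbook RSA, not a real implementation.
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, stays with the vendor
FIRMWARE_PINNED_PUBKEY = (N, E)            # what trusted firmware would carry

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> int:
    """Vendor side: sign SHA-256(data) with the private exponent."""
    return pow(digest_int(data), D, N)

def verify_signature(data: bytes, sig: int, pubkey=FIRMWARE_PINNED_PUBKEY) -> bool:
    """Firmware side: the public key comes from firmware, not from the network."""
    n, e = pubkey
    return pow(sig, e, n) == digest_int(data)

def verify_checksum(data: bytes, sums_file: bytes) -> bool:
    """pxelinux-style check: compare against a sums file fetched via TFTP."""
    return hashlib.sha256(data).hexdigest() == sums_file.decode().split()[0]

def scenario(hostile: bool) -> dict:
    """Model one boot: the client fetches kernel, sums file and signature
    from the same TFTP server (a constructed dict), then runs both checks."""
    kernel = b"constructed vmlinuz image"
    server = {"vmlinuz": kernel,
              "vmlinuz.sha256": hashlib.sha256(kernel).hexdigest().encode(),
              "vmlinuz.sig": str(sign(kernel)).encode()}
    if hostile:
        # Operator swaps the kernel and regenerates the sums file to match;
        # the signature cannot be regenerated without D.
        swapped = b"constructed modified vmlinuz image"
        server["vmlinuz"] = swapped
        server["vmlinuz.sha256"] = hashlib.sha256(swapped).hexdigest().encode()
    got = server["vmlinuz"]
    return {"checksum_ok": verify_checksum(got, server["vmlinuz.sha256"]),
            "signature_ok": verify_signature(got, int(server["vmlinuz.sig"]))}

if __name__ == "__main__":
    print("trusted server:", scenario(False))   # both True
    print("hostile server:", scenario(True))    # checksum True, signature False
```

The same reasoning is why a hash check compiled into pxelinux.0 itself adds nothing when pxelinux.0 arrives over the same channel: only a verifier that lives in the firmware, with its key material, breaks the loop.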