-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I haven't looked through the archives, yet, but wanted to throw an idea
out to see what everyone thinks.

An idea struck me today as I was thinking about a way to more securely
verify that the client that is booting via Etherboot is actually
downloading the kernel/code that you really want it to. Use a preshared
key built into the Etherboot code that is flashed onto the bootrom to
validate the kernel image/code. So, in order for the client to
successfully boot, the image it downloads has to be digitally signed and
that signature has to match when signed by the client's Etherboot key.
Otherwise the client refuses to boot. There could be a number of ways
to go about this, from having a default "Etherboot" maintained key and
signature to a site-by-site basis where the administrator/deployer would
build their own version of Etherboot to embed their own key for their
own thin client workstations.

Another possibility that this presents is to not only authenticate the
connection but also be able to create an encrypted tunnel using
Diffie-Hellman key exchange. This may be a rather involved process just
to get a secure boot layer, but it may open up the doors to a larger
audience and wider acceptance of Etherboot.

What do you all think?
- --
Jason A. Pattie
pat...@xp...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE+g3MguYsUrHkpYtARApPUAJ4zPzMp8WrBK/g5hwdXwX454D5I/wCeNq08
XtAWPTZcZltj0u4Z4/h7GIw=
=8QF4
-----END PGP SIGNATURE-----
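
A Python model of the ROM-side check proposed in the message above, added here as an illustration and not taken from Etherboot or from the poster. The post names no algorithm or image layout, so HMAC-SHA256, the `EBIM` container (header, payload, tag) and the sample key are all assumptions.

```python
import hashlib
import hmac
import struct

MAGIC = b"EBIM"                    # hypothetical container magic, not an Etherboot format
HEADER = struct.Struct(">4sI")     # magic, payload length (big-endian)
TAG_LEN = hashlib.sha256().digest_size
# Constructed sample key; in the proposed scheme it would be compiled into the ROM image.
ROM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def sign_image(key: bytes, payload: bytes) -> bytes:
    """Build side: emit header || payload || HMAC(header || payload)."""
    header = HEADER.pack(MAGIC, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def verify_image(key: bytes, blob: bytes) -> bytes:
    """ROM side: return the payload only if the tag verifies, else raise."""
    if len(blob) < HEADER.size + TAG_LEN:
        raise ValueError("image too short")
    magic, length = HEADER.unpack_from(blob)
    if magic != MAGIC or len(blob) != HEADER.size + length + TAG_LEN:
        raise ValueError("malformed image")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication failed")
    return body[HEADER.size:]

def try_boot(key: bytes, blob: bytes) -> str:
    """Boot decision: hand over control only after verification succeeds."""
    try:
        payload = verify_image(key, blob)
    except ValueError as exc:
        return f"halt: {exc}"
    return f"boot: {len(payload)} bytes verified"

def demo() -> dict:
    good = sign_image(ROM_KEY, b"constructed kernel bytes")
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01                # flip one payload bit in transit
    return {
        "good": try_boot(ROM_KEY, good),
        "tampered": try_boot(ROM_KEY, bytes(tampered)),
        "truncated": try_boot(ROM_KEY, good[:-1]),
        "other_site_key": try_boot(b"\x42" * 32, good),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} {result}")
```

With a preshared key the same secret both creates and checks the tag, so anyone who reads it out of one ROM can produce images that every client built with that key accepts; a public-key signature keeps the signing key off the clients.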