Thread: Re: [Etherboot-developers] Securing bootup
From: <ke...@us...> - 2003-03-27 23:05:48
>An idea struck me today as I was thinking about a way to more securely

Hope it wasn't too painful. :-)

>verify that the client that is booting via Etherboot is actually
>downloading the kernel/code that you really want it to. Use a preshared
>key built into the Etherboot code that is flashed onto the bootrom to
>validate the kernel image/code. So, in order for the client to
>successfully boot, the image it downloads has to be digitally signed and
>that signature has to match when signed by the client's Etherboot key.
>Otherwise the client refuses to boot. There could be a number of ways
>to go about this, from having a default "Etherboot" maintained key and
>signature to a site-by-site basis where the administrator/deployer would
>build their own version of Etherboot to embed their own key for their
>own thin client workstations.

Or a key in a USB dongle.

There is/was a uni project working on secure booting in general, don't
have the URL handy, Eric has it.

Eric's got a hook in 5.1 that verifies download integrity using a
checksum over the image. Verifying a signature is an obvious extension.

>Another possibility that this presents is to not only authenticate the
>connection but also be able to create an encrypted tunnel using
>Diffie-Hellman key exchange. This may be a rather involved process just
>to get a secure boot layer, but it may open up the doors to a larger
>audience and wider acceptance of Etherboot.

Tunnels are much harder. Etherboot only implements UDP.

>What do you all think?

Great idea, looking forward to seeing your code soon. :-)

But seriously, it's a good idea worth developing further, but as always
implementation depends on someone keen enough to contribute some time to
do it.

From: <ke...@us...> - 2003-03-27 23:24:31
>Does Etherboot initialize USB and read this key?

No, that would be another project on the wishlist. :-)

>Perfect! IPSec implements key exchanges on UDP port 500.

Don't you need TCP for data transfers?

From: Jason A. P. <pat...@pc...> - 2003-03-28 00:11:21
Ken Yap wrote:
>>Does Etherboot initialize USB and read this key?
>
> No, that would be another project on the wishlist. :-)
>
>>Perfect! IPSec implements key exchanges on UDP port 500.
>
> Don't you need TCP for data transfers?

Hmm. I think so. However, the encrypted tunnel would be using packets
on protocols 50 and 51 (ESP/AH), which then get converted to TCP or UDP
packets inside the kernel.

--
Jason A. Pattie
pat...@xp...

From: <ebi...@ln...> - 2003-03-28 02:31:00
"Jason A. Pattie" <pat...@pc...> writes:
> Ken Yap wrote:
>>>Does Etherboot initialize USB and read this key?
>>
>> No, that would be another project on the wishlist. :-)
>>
>>>Perfect! IPSec implements key exchanges on UDP port 500.
>>
>> Don't you need TCP for data transfers?
>
> Hmm. I think so. However, the encrypted tunnel would be using packets
> on protocols 50 and 51 (ESP/AH), which then get converted to TCP or UDP
> packets inside the kernel.

As I understand encryption most encryption techniques fail to be effective
at disguising a message if you send the same message over and over again.
With network booting this is the case. Loading an image that was
authenticated at some point in time is a reasonable problem. Beyond that
the code is complicated and it really does not help.

Eric

From: Jason A. P. <pat...@pc...> - 2003-03-28 15:21:30
Eric W. Biederman wrote:
> As I understand encryption most encryption techniques fail to
> be effective about disguising a message if you send the same
> message over and over again. With network booting this is the
> case. Loading an image that was authenticated at some point
> in time is a reasonable problem. Beyond that the code is complicated
> and it really does not help.

So, you would see signing a kernel+initial ramdisk package 'a good
thing' so that the client will always boot authenticated code. So even
if a hacker were to send it anything, they would have to send the client
the exact same code, which would hopefully help to prevent them from
succeeding in their attempt or making it much more difficult.

--
Jason A. Pattie
pat...@xp...

From: <ebi...@ln...> - 2003-03-31 20:11:33
"Jason A. Pattie" <pat...@pc...> writes:
> Eric W. Biederman wrote:
>> As I understand encryption most encryption techniques fail to
>> be effective about disguising a message if you send the same
>> message over and over again. With network booting this is the
>> case. Loading an image that was authenticated at some point
>> in time is a reasonable problem. Beyond that the code is complicated
>> and it really does not help.
>
> So, you would see signing a kernel+initial ramdisk package 'a good
> thing' so that the client will always boot authenticated code. So even
> if a hacker were to send it anything, they would have to send the client
> the exact same code, which would hopefully help to prevent them from
> succeeding in their attempt or making it much more difficult.

Correct. If you want to proceed down that direction feel free.

Eric

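The check the thread converges on (a key baked into the boot ROM, the downloaded image refused unless its tag verifies), as an added example that is not Etherboot code and not from any of the posters: a Python model of a post-download verify hook that puts Eric's unkeyed "checksum over the image" hook beside a keyed tag. The trailer layout (magic `EBSG`, payload length, 32-byte tag), the ROM key, the sample image and the attacker's image are all constructed for the example. It stays symmetric, which is what a "preshared key" literally gives you; the last case shows that whoever dumps the ROM key can forge tags, which is why a deployment would rather embed a public key and check a signature, so that the ROM contents only let you verify, never sign.

```python
"""Added example (not Etherboot code): model of a post-download verify hook.

The boot ROM carries a key; the server appends a trailer to the image;
the client refuses to boot unless the trailer's tag verifies.
Trailer layout, key and image bytes are all constructed for this example.
"""
import hashlib
import hmac
import struct

MAGIC = b"EBSG"                          # hypothetical trailer magic
TRAILER = ">4sI32s"                      # magic, payload length, 32-byte tag
TRAILER_LEN = struct.calcsize(TRAILER)   # 40 bytes

# Constructed sample data. In a deployment ROM_KEY would be compiled into
# the site-specific ROM build; SAMPLE_IMAGE stands in for kernel+initrd.
ROM_KEY = hashlib.sha256(b"constructed site build key").digest()
SAMPLE_IMAGE = b"\x7fELF" + b"vmlinuz+initrd bytes (constructed) " * 64
EVIL_IMAGE = b"\x7fELF" + b"attacker-supplied image (constructed) " * 64


def checksum_tag(payload, key=None):
    """Unkeyed integrity tag: what a plain checksum-over-the-image hook gives.
    Anyone can recompute it, so it catches corruption, not substitution."""
    return hashlib.sha256(payload).digest()


def keyed_tag(payload, key):
    """Keyed tag (HMAC-SHA256): producing it requires the ROM key."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def wrap_image(payload, tag_fn, key=None):
    """Server side: append trailer = magic || len || tag(payload)."""
    return payload + struct.pack(TRAILER, MAGIC, len(payload), tag_fn(payload, key))


def verify_image(blob, tag_fn, key=None):
    """Client side: return the payload if the trailer verifies, else None
    (the client refuses to boot). Length and magic are checked before the
    tag so a truncated or padded download fails closed."""
    if len(blob) < TRAILER_LEN:
        return None
    magic, plen, tag = struct.unpack(TRAILER, blob[-TRAILER_LEN:])
    if magic != MAGIC or plen != len(blob) - TRAILER_LEN:
        return None
    payload = blob[:plen]
    # Constant-time compare so the check does not leak how many bytes matched.
    if not hmac.compare_digest(tag_fn(payload, key), tag):
        return None
    return payload


def substitute(new_payload, tag_fn, attacker_key=b""):
    """Attacker on the boot LAN serves their own image and rebuilds the
    trailer with whatever key they hold (an empty guess if none)."""
    return wrap_image(new_payload, tag_fn, attacker_key)


def run_cases():
    """Each case: does the client boot (True) or refuse (False)?"""
    honest_ck = wrap_image(SAMPLE_IMAGE, checksum_tag)
    honest_kt = wrap_image(SAMPLE_IMAGE, keyed_tag, ROM_KEY)
    return {
        # Unkeyed checksum: the honest image boots, but so does a substituted
        # one, since the attacker just recomputes SHA-256 over their payload.
        "checksum/honest": verify_image(honest_ck, checksum_tag) == SAMPLE_IMAGE,
        "checksum/substituted": verify_image(substitute(EVIL_IMAGE, checksum_tag),
                                             checksum_tag) == EVIL_IMAGE,
        # Keyed tag: substitution without the ROM key is refused ...
        "keyed/honest": verify_image(honest_kt, keyed_tag, ROM_KEY) == SAMPLE_IMAGE,
        "keyed/substituted": verify_image(substitute(EVIL_IMAGE, keyed_tag),
                                          keyed_tag, ROM_KEY) is not None,
        # ... a download cut one byte short is refused too ...
        "keyed/truncated": verify_image(honest_kt[:-1], keyed_tag, ROM_KEY) is not None,
        # ... but whoever dumps the ROM key forges freely: the limit of a
        # symmetric preshared key, and why a public key plus signature is better.
        "keyed/rom-key-dumped": verify_image(substitute(EVIL_IMAGE, keyed_tag, ROM_KEY),
                                             keyed_tag, ROM_KEY) == EVIL_IMAGE,
    }


if __name__ == "__main__":
    for case, boots in run_cases().items():
        print(f"{case:24s} boots={boots}")
```

Swapping in a signature changes only `keyed_tag` and `verify_image`: the server signs with a private key that never leaves the build machine, the ROM holds the matching public key, and the `rom-key-dumped` case then fails, because extracting the ROM yields nothing that can sign. What the example does not address is the point Eric makes above: a correctly signed but old image still verifies, so a signed image list or some form of versioning is needed if rollback matters.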
From: Jason A. P. <pat...@pc...> - 2003-03-27 23:19:04
Ken Yap wrote:
>>An idea struck me today as I was thinking about a way to more securely
>
> Hope it wasn't too painful. :-)

Just fried a few brain cells... :D

>>verify that the client that is booting via Etherboot is actually
>>downloading the kernel/code that you really want it to. Use a preshared
>>key built into the Etherboot code that is flashed onto the bootrom to
>>validate the kernel image/code. So, in order for the client to
>>successfully boot, the image it downloads has to be digitally signed and
>>that signature has to match when signed by the client's Etherboot key.
>>Otherwise the client refuses to boot. There could be a number of ways
>>to go about this, from having a default "Etherboot" maintained key and
>>signature to a site-by-site basis where the administrator/deployer would
>>build their own version of Etherboot to embed their own key for their
>>own thin client workstations.
>
> Or a key in a USB dongle.

Does Etherboot initialize USB and read this key?

> There is/was a uni project working on secure booting in general, don't
> have the URL handy, Eric has it.
>
> Eric's got a hook in 5.1 that verifies download integrity using a
> checksum over the image. Verifying a signature is an obvious extension.
>
>>Another possibility that this presents is to not only authenticate the
>>connection but also be able to create an encrypted tunnel using
>>Diffie-Hellman key exchange. This may be a rather involved process just
>>to get a secure boot layer, but it may open up the doors to a larger
>>audience and wider acceptance of Etherboot.
>
> Tunnels are much harder. Etherboot only implements UDP.

Perfect! IPSec implements key exchanges on UDP port 500.

>>What do you all think?
>
> Great idea, looking forward to seeing your code soon. :-)
>
> But seriously, it's a good idea worth developing further, but as always
> implementation depends on someone keen enough to contribute some time to
> do it.

Heh. I haven't even looked at the source code in any serious way for
Etherboot. And definitely not any of the later versions. I usually go to
Rom-o-Matic.net to download one whenever I need an image.

--
Jason A. Pattie
pat...@xp...

From: Sam L. <sa...@er...> - 2003-03-28 23:16:46
> There is/was a uni project working on secure booting in general, don't
> have the URL handy, Eric has it.
google "secure bootstrap" leads you quickly to the answer(s). I suspect
you're thinking of Bill Arbaugh's work but there's also been stuff going on
at CITI to use smartcards.
Sam
From: <ebi...@ln...> - 2003-03-31 20:10:30
"Sam Leffler" <sa...@er...> writes:
> > There is/was a uni project working on secure booting in general, don't
> > have the URL handy, Eric has it.
>
> google "secure bootstrap" leads you quickly to the answer(s). I suspect
> you're thinking of Bill Arbaugh's work but there's also been stuff going on
> at CITI to use smartcards.

Right, as Bill and the people working with him have already expressed some
interest in LinuxBIOS and etherboot.

Eric