[Etherboot-developers] Securing bootup
From: Jason A. P. <pat...@pc...> - 2003-03-27 21:54:58
I haven't looked through the archives, yet, but wanted to throw an idea out to see what everyone thinks.

An idea struck me today as I was thinking about a way to more securely verify that the client that is booting via Etherboot is actually downloading the kernel/code that you really want it to. Use a preshared key built into the Etherboot code that is flashed onto the bootrom to validate the kernel image/code. So, in order for the client to successfully boot, the image it downloads has to be digitally signed and that signature has to match when signed by the client's Etherboot key. Otherwise the client refuses to boot.

There could be a number of ways to go about this, from having a default "Etherboot" maintained key and signature to a site-by-site basis where the administrator/deployer would build their own version of Etherboot to embed their own key for their own thin client workstations.

Another possibility that this presents is to not only authenticate the connection but also be able to create an encrypted tunnel using Diffie-Hellman key exchange. This may be a rather involved process just to get a secure boot layer, but it may open up the doors to a larger audience and wider acceptance of Etherboot.

What do you all think?

--
Jason A. Pattie
pat...@xp...
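As an added illustration of the scheme proposed above (this is not code from the thread or from Etherboot), here is a Python sketch in which the server appends an HMAC-SHA256 tag computed with the preshared key and the client verifies that tag before it will boot the image; the container layout, the field names and the choice of SHA-256 are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed container layout (not an Etherboot format):
#   MAGIC (4 bytes) | image length (4 bytes, big-endian) | image | 32-byte HMAC-SHA256 tag
MAGIC = b"EBSI"
HEADER_LEN = 8
TAG_LEN = 32


def sign_image(image: bytes, key: bytes) -> bytes:
    """Server side: wrap the kernel image and append a tag keyed with the preshared key.

    The tag covers the header too, so the length field cannot be altered undetected."""
    header = MAGIC + struct.pack(">I", len(image))
    tag = hmac.new(key, header + image, hashlib.sha256).digest()
    return header + image + tag


def verify_image(blob: bytes, key: bytes):
    """Client side (the role the bootrom would play): return the image only if the
    tag verifies under the embedded key; return None for anything else so the caller
    refuses to boot (fail closed)."""
    if len(blob) < HEADER_LEN + TAG_LEN or blob[:4] != MAGIC:
        return None
    (length,) = struct.unpack(">I", blob[4:HEADER_LEN])
    if len(blob) != HEADER_LEN + length + TAG_LEN:
        return None  # truncated or padded download
    body, tag = blob[:HEADER_LEN + length], blob[HEADER_LEN + length:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so the check cannot be probed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return blob[HEADER_LEN:HEADER_LEN + length]


def boot_decision(blob: bytes, key: bytes) -> str:
    """What the bootrom would do with a downloaded blob."""
    return "boot" if verify_image(blob, key) is not None else "refuse"


if __name__ == "__main__":
    KEY = b"constructed-preshared-key"        # constructed; would be flashed with the ROM
    IMAGE = b"\x7fELF constructed kernel bytes"  # constructed stand-in for a kernel
    signed = sign_image(IMAGE, KEY)
    print("genuine image:", boot_decision(signed, KEY))
    tampered = bytearray(signed)
    tampered[HEADER_LEN + 2] ^= 0x01          # flip one bit inside the image
    print("tampered image:", boot_decision(bytes(tampered), KEY))
```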