[syslinux] problem with PXElinux and security of local LAN

Jason Keltz jas at cs.yorku.ca
Tue Dec 20 06:24:14 PST 2005


I have two new thoughts on solving this problem, but I'm not sure 
whether either is doable with PXELinux/syslinux..

1) I've been doing some web searching.  It seems like Intel has a BIS 
(Boot Integrity Service) spec that is included in the PXE 2.0 spec.  The 
code, I believe, is open source - http://sourceforge.net/projects/bis.
I don't see anything in the PXELinux code about handling BIS.  If 
PXELinux could handle BIS, it seems like this would completely solve my 
problem.  I could authenticate the code that the PXE server receives! 
(On the other hand, it's not clear if I could authenticate the 
configuration file, but I guess that would only make sense).  If 
PXELinux could handle BIS, it seems like it would work in a lot of situations 
(like mine) where people have recommended not using PXE.  Maybe Peter 
can comment on the feasibility of adding this functionality to a future 
PXElinux?

2) It is "possible" that I could do what I want to do now with syslinux 
in a different way.  The question is, is it possible for syslinux to 
probe a DHCP server for a value and then to act based on that value?  I 
don't see anything about DHCP in the syslinux page, and the network code 
may not even be available to syslinux.  This is a bit like the idea that 
Murali had.  Our machines are supposed to boot either directly into 
linux, directly into Windows, or present a boot menu.  Before, I was 
handling the configuration file change on the server and using PXELinux. 
  By changing the symlink to the configuration file, I could change the 
options available to the users.  Basically, my idea is this -- syslinux 
probes the DHCP server for an option that determines how it proceeds. 
It might be something like:
value of 1 indicates boot directly to linux
value of 2 indicates boot directly to windows
value of 3 indicates to present a boot menu.
syslinux would then either boot directly to linux/windows/present a 
menu.  There are a couple of problems with this:
   1) (again) I'm not sure I can probe a DHCP server in syslinux,
   2) I'm not sure a syslinux configuration file could act based on the 
condition received in 1.
   3) In order to install syslinux on the hard disk, it needs to be 
installed into a FAT16 partition.  However, by doing this, as far as I 
understand it, there would be no security on the FAT16 partition when 
users boot Windows XP, and hence users could mess with or disable the 
syslinux configuration.

If someone might be able to help me with 2, that would be great.
If option 1 is magically available and hiding from my sight, it would be 
great if someone could help me figure out how to use it..

Thanks a bunch..

Jas.



