[syslinux] problem with PXElinux and security of local LAN - readonly double boot idea
H. Peter Anvin
hpa at zytor.com
Tue Dec 20 11:29:59 PST 2005
Richard L. James wrote:
> Hi,
>
> Firstly rather than a harddisk why not boot from a
> read-only USB key or even read-only CD-ROM drive?
> Some USB keys come with a hardware write protect
> switch. You could locate the USB key inside the PC
> itself. If being truely paranoid superglue works
> wonders to ensure things stay write protected or in
> place, e.g. when 100% happy with the boot just glue
> the USB protect tab to lock or in the case of a
> CD-drive glue over the eject button etc.
>
Ultimately, to be able to do secure boot you need a key that's stored
somewhere on each computer. Once that's done, one could use something
like a custom Etherboot or BIS to control what's there.
There is another way to do this, which is in the network: program your
switches to eat DHCP packets that don't come from the authorized DHCP
server.
-hpa
More information about the Syslinux
mailing list