[syslinux] problem with PXElinux and security of local LAN

Murali Krishnan Ganapathy gmurali at cs.uchicago.edu
Tue Dec 20 07:48:51 PST 2005


Yet another approach. This does not use PXELINUX! Install the Windows 
and Linux images on two partitions of your hard disk (so with this 
solution changing the boot image will not be very easy). But it requires 
two boots every time instead of one.

The boot cycle is as follows

(1) Machine boots locally into COMBOOT code
(2) Code checks local machine for boot instructions.
(3) If instructions not found it boots a small linux image
(4)     small linux goes online and finds out what the state of this 
machine should be (Windows only/Linux Only/Boot Menu)
(5)     Stores this information somewhere on the hard disk and reboots 
so that COMBOOT code can find this info during next boot
(6) If instructions found, it follows instructions and acts accordingly.

This requires the local machine to have a Windows installation and a 
Linux installation which the users can use, and another small linux + 
initrd.
As soon as you boot into the small linux, you go online (in one of the 
init scripts) somewhere you trust (local webserver perhaps) and download 
a small file which says what the next boot image should be 
(LINUX/WINDOWS/MENU). The script then writes this information on sector 
N of the local hard disk (which is not used for any other thing). The 
COMBOOT code checks sector 6 for this information and when found boots 
into the appropriate image directly.

Good Things:
 (a) Uses things which already exist, i.e. linux code to write this info 
to sector N and COMBOOT code to read this info already exist. (see 
http://gui.mahamurali.net and click on Autobooting)
 (b) No PXELINUX. No TFTP server, so bad guy cannot give you a kernel to 
boot from
 (c) A change in your local webserver will affect all clients the next 
time they boot. In fact, if your logic of (Windows/Linux/Boot Menu) is 
simple, this logic can be put as a cgi script on your webserver. So you 
don't need to change anything in the webserver at all!!!

Bad Things:
  (a) You need an extra reboot every time you boot
  (b) If you need to change the boot image, you need to change it on 
every machine
       or set up another image you can boot into on the local machine 
(which requires a password) and use that image to help automate the 
change of boot image.

Good/Bad:
   (a) Machine retains state between reboots, (i.e. local files on machine)

- Murali

Jason Keltz wrote:
> I have two new thoughts on solving this problem, but I'm not sure 
> whether either is doable with PXELinux/syslinux..
>
> 1) I've been doing some web searching.  It seems like Intel has a BIS 
> (Boot Integrity Service) spec that is included in the PXE 2.0 spec.  
> The code, I believe, is open source - 
> http://sourceforge.net/projects/bis.
> I don't see anything in the PXELinux code about handling BIS.  If 
> PXELinux could handle BIS, it seems like this would completely solve 
> my problem.  I could authenticate the code that the PXE server 
> receives! (On the other hand, it's not clear if I could authenticate 
> the configuration file, but I guess that would only make sense).  If 
> PXELinux could handle BIS, it seems like it would work in a lot of 
> situations (like mine) where people have recommended not using PXE.  
> Maybe Peter can comment on the feasibility of adding this 
> functionality to a future PXElinux?
>
> 2) It is "possible" that I could do what I want to do now with 
> syslinux in a different way.  The question is, is it possible for 
> syslinux to probe a DHCP server for a value and then to act based on 
> that value?  I don't see anything about DHCP in the syslinux page, and 
> the network code may not even be available to syslinux.  This is a bit 
> like the idea that Murali had.  Our machines are supposed to boot 
> either directly into linux, directly into Windows, or present a boot 
> menu.  Before, I was handling the configuration file change on the 
> server and using PXELinux.  By changing the symlink to the 
> configuration file, I could change the options available to the 
> users.  Basically, my idea is this -- syslinux probes the DHCP server 
> for an option that determines how it proceeds. It might be something 
> like:
> value of 1 indicates boot directly to linux
> value of 2 indicates boot directly to windows
> value of 3 indicates to present a boot menu.
> syslinux would then either boot directly to linux/windows/present a 
> menu.  There are a couple of problems with this:
>   1) (again) I'm not sure I can probe a DHCP server in syslinux,
>   2) I'm not sure a syslinux configuration file could act based on the 
> condition received in 1.
>   3) In order to install syslinux on the hard disk, it needs to be 
> installed into a FAT16 partition.  However, by doing this, as far as I 
> understand it, there would be no security on the FAT16 partition when 
> users boot Windows XP, and hence users could mess with or disable the 
> syslinux configuration.
>
> If someone might be able to help me with 2, that would be great.
> If option 1 is magically available and hiding from my sight, it would 
> be great if someone could help me figure out how to use it..
>
> Thanks a bunch..
>
> Jas.
>
>
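
Steps (4) and (5) of the boot cycle in the reply above, sketched as an added shell example; it is not code from this thread or from the Autobooting tool, and it does not use that tool's on-disk format. The `BOOTSTATE1` marker, the one-line sector layout, the function names and the use of `wget` are assumptions; whatever the server returns is reduced to one of the three states named in the post before anything is written, and the reader applies the same check.

```shell
#!/bin/sh
# Added example. The sector layout, MAGIC marker and function names are assumptions.
SECTOR_SIZE=512
MAGIC="BOOTSTATE1"  # hypothetical marker: foreign data must not pass as instructions

# Only the three states named in the post are accepted.
valid_state() {
    case "$1" in
        LINUX|WINDOWS|MENU) return 0 ;;
        *) return 1 ;;
    esac
}

# fetch_state URL: download the state file; keep the first line, minus any CR.
fetch_state() {
    wget -q -O - "$1" | head -n 1 | tr -d '\r'
}

# write_state DISK SECTOR STATE: store "MAGIC STATE", NUL-padded to one sector.
write_state() {
    disk=$1; sector=$2; state=$3
    valid_state "$state" || { echo "refusing state: $state" >&2; return 1; }
    printf '%s %s\n' "$MAGIC" "$state" |
        dd of="$disk" bs="$SECTOR_SIZE" seek="$sector" count=1 \
           conv=sync,notrunc 2>/dev/null
}

# read_state DISK SECTOR: print the stored state, or fail if none is valid.
read_state() {
    disk=$1; sector=$2
    line=$(dd if="$disk" bs="$SECTOR_SIZE" skip="$sector" count=1 2>/dev/null |
           tr -d '\000' | head -n 1)
    [ "${line%% *}" = "$MAGIC" ] || return 1
    state=${line#* }
    valid_state "$state" || return 1
    printf '%s\n' "$state"
}

# update_boot_state URL DISK SECTOR: steps (4) and (5) of the boot cycle.
# An empty or unexpected reply is rejected by write_state, so nothing is written.
update_boot_state() {
    new=$(fetch_state "$1")
    write_state "$2" "$3" "$new"
}
```

Try the functions against a scratch image file before pointing `write_state` at a real disk device.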
