[syslinux] problem with PXElinux and security of local LAN - readonly double boot idea

Jason Keltz jas at cs.yorku.ca
Tue Dec 20 12:37:54 PST 2005


H. Peter Anvin wrote:
> There is another way to do this, which is in the network: program your 
> switches to eat DHCP packets that don't come from the authorized DHCP 
> server.

Unfortunately, this won't do it either.  Imagine the case where a 
student unplugs the lab machine and plugs it into a separate network 
port on their laptop.

Is there absolutely no way through comboot to query the DHCP server (or 
some other server like a web server) for a simple value through 
sys/extlinux?  This would just be very ideal.

What I really need is a "middle line" between pxelinux and syslinux 
where I have the menu locally (syslinux with a comboot), but only the 
choice of which menu option to select comes from the network (DHCP 
option).  Murali proposed a two part solution where I first boot to 
syslinux (or extlinux) with a comboot that checks the status of a valid 
on an unused part of the disk along with a timestamp.  If the current 
time has passed the timestamp, I boot into a mini linux distribution, 
and then query a server to determine the required state, write that to 
the machine's hard disk, reboot, and then I would boot into that, but I 
know there just has to be a way to figure out the required O/S on the 
first boot without having the extra steps...

jas.
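
The first-boot check in the two-part scheme described above, as an added example (not code from this thread or from syslinux). The record layout, magic value, checksum and function names are assumptions, and a real comboot module would read the sector and the clock itself instead of taking them as arguments. The checksum only catches a blank or torn record; it does not stop someone with write access to the disk from forging one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR    512
#define REC_MAGIC 0x31545342u   /* constructed marker for this example */
enum boot_action { BOOT_REFRESH, BOOT_CACHED };

/* Record in an unused sector (assumed layout, little-endian):
 * 0: magic, 4: menu entry index, 8: expiry (Unix time), 12: checksum */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
/* Adler-32 over the first 12 bytes: detects corruption, not tampering. */
static uint32_t rec_sum(const uint8_t *sec)
{
    uint32_t a = 1, b = 0;
    for (int i = 0; i < 12; i++) { a = (a + sec[i]) % 65521; b = (b + a) % 65521; }
    return (b << 16) | a;
}
/* Refresh step (mini Linux): store the state the server returned. */
void rec_write(uint8_t *sec, uint32_t os_index, uint32_t expires)
{
    memset(sec, 0, SECTOR);
    put_le32(sec, REC_MAGIC);
    put_le32(sec + 4, os_index);
    put_le32(sec + 8, expires);
    put_le32(sec + 12, rec_sum(sec));
}
/* First stage: boot the cached choice only if the record is intact,
 * not past its timestamp, and names an entry in the local menu. */
enum boot_action rec_decide(const uint8_t *sec, uint32_t now,
                            uint32_t menu_entries, uint32_t *os_index)
{
    if (le32(sec) != REC_MAGIC || le32(sec + 12) != rec_sum(sec)) return BOOT_REFRESH;
    if (now > le32(sec + 8)) return BOOT_REFRESH;       /* timestamp has passed */
    if (le32(sec + 4) >= menu_entries) return BOOT_REFRESH;
    *os_index = le32(sec + 4);
    return BOOT_CACHED;
}
int main(void)
{
    uint8_t sec[SECTOR]; uint32_t os = 0;
    rec_write(sec, 2, 1135200000u);                     /* constructed values */
    printf("action=%d entry=%u\n", rec_decide(sec, 1135100000u, 4, &os), (unsigned)os);
    return 0;
}
```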