[syslinux] checksum on what was downloaded

Gene Cumm gene.cumm at gmail.com
Tue Aug 18 03:25:06 PDT 2015


On Aug 18, 2015 4:42 AM, "Oscar Roozen via Syslinux" <syslinux at zytor.com>
wrote:
>
> > Assume you are in a hostile environment,
>
> > as in you can't trust the DHCP servers nor the TFTP/HTTP server.
> > So you would want a checksum on kernel and initrd.
> >
> > Which checksum algorithm is available in pxelinux.0?
> > Which checksum algorithm could be integrated into pxelinux.0?
> >
> > In other words: Please advise what could be done
> > to verify what pxelinux.0 did download.
>
> Chicken and Egg squared. How do you trust the pxelinux.0 that came
> from the same source?

There are tools with MD5 and I think SHA1 but what's stopping me, the
malicious boot environment operator, from having the tools report the known
and trusted hash but modifying the files at some point?

If the scenario was that everyone is trustworthy but there was occasionally
an error in transmission, such tools could help though the compression
algorithms can also pick up the error but that'd result in a reboot rather
than allowing an attempt to redownload.

> EFI does provide a solution. Take a lot of coffee and google for Secure
> Boot.

The basics are the firmware has public keys and verifies the payload before
execution.

--Gene
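
Added example (not part of the original message and not Syslinux code): a sketch of the two checks discussed in this thread, a checksum whose reference value comes from the same server as the file, and a signature checked against a public key the client already holds. The toy RSA key, the `serve` boot-server model and all other names are constructed assumptions for illustration.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes: illustration only,
# unpadded and far too weak for real use.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q                                # public modulus, pinned in the client
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, kept off the boot server

def digest_int(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")

def sign(payload: bytes) -> int:
    """Performed offline by the image owner."""
    return pow(digest_int(payload), D, N)

def checksum_ok(payload: bytes, served_hex: str) -> bool:
    """Reference hash arrives over the same channel as the payload."""
    return hashlib.sha256(payload).hexdigest() == served_hex

def signature_ok(payload: bytes, signature: int) -> bool:
    """Reference key (N, E) was in the client before any download."""
    return pow(signature, E, N) == digest_int(payload)

def serve(kernel: bytes, signature: int, hostile: bool):
    """Hypothetical boot server: returns (kernel, checksum, signature)."""
    if hostile:
        kernel += b" [altered in transit]"
    # Whoever controls the server computes the checksum over what it sends.
    return kernel, hashlib.sha256(kernel).hexdigest(), signature

def evaluate(hostile: bool):
    """Return (checksum verdict, signature verdict) for one download."""
    original = b"constructed sample kernel image"
    kernel, served_hex, sig = serve(original, sign(original), hostile)
    return checksum_ok(kernel, served_hex), signature_ok(kernel, sig)

if __name__ == "__main__":
    print("honest server :", evaluate(False))
    print("hostile server:", evaluate(True))
```

The checksum verdict is the same for both servers; only the check anchored in a key that did not arrive with the download distinguishes them.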

