[syslinux] checksum on what was downloaded

Patrick Masotta masottaus at yahoo.com
Tue Aug 18 06:04:41 PDT 2015


 <<<
 Hi,
 
 Assume you are in a hostile environment,
 as in you can't trust the DHCP servers nor the TFTP/HTTP
 server.
 So you would want a checksum on kernel and initrd.
 
 Which checksum algorithm is available in pxelinux.0?
 Which checksum algorithm could be integrated into
 pxelinux.0?
 
 In other words: Please advise what could be done
 to verify what pxelinux.0 did download.
 
 
 Cheers
 Geert Stappers
 -- 
>>> 

For preventing the actions of a security-compromised PXE server you have
the PXE companion protocol BIS (Boot Integrity Services)
ftp://download.intel.com/design/archives/wfm/downloads/bisspec.pdf (BIOS)
or the newer EFI_BIS_PROTOCOL (EFI).
In both cases the corresponding APIs are located within the PC's FW (considered secure).

In the EFI world you also have Secure Boot.

While Secure Boot requires the NBP signature embedded within the NBP, the BIS
protocol relies on additional DHCP/MTFTP transactions for retrieving the NBP
credentials over the network.

The topic is not simple and FW APIs are a must; checksum/hash/signature handling within
syslinux binaries is not secure because you would have the source available to make
a malicious pxelinux.0 validating whatever you want...

Best,
Patrick 




