Introduction to UEFI HTTP(s) Boot with QEMU/OVMF
29 points
3 hours ago
| 2 comments
| blog.yadutaf.fr
| HN
nijave
50 minutes ago
[-]
Having http as an alternative to tftp is a nice win. The range of things that can run an http server is much bigger than tftp

>Additionally, adding the TLS layer brings back the missing integrity and confidentiality guarantees and thus paves the way to move critical boot components out of the trusted network, possibly even to a remote location/Cloud.

Doesn't secure boot already provide this or am I misunderstanding something? I suppose secure boot only provides integrity but not confidentiality although I'm not sure how much confidentiality matters given we're just talking about the kernel here

reply
LooseMarmoset
54 seconds ago
[-]
Secure boot is designed to verify software signatures. The UEFI bios might support loading software over https, but it isn't part of secure boot.
reply
noodlesUK
32 minutes ago
[-]
To what extent is this possible for actual metal hardware? I'm sure lots of us are running PXE/TFTP systems and HTTP would be a heck of a lot simpler.
reply
nijave
22 minutes ago
[-]
There's still the tftp->ipxe->http->??? path. TFTP only needs to serve a 300kb file which can then switch to more robust transport like http for the kernel/OS

You could bypass that by shipping iPXE on USB tho

On metal you also commonly have a BMC so generally that lets you attach an ISO or other storage you can boot from to bypass UEFI primitive PXE. This is probably the biggest one--use BMC functionality instead of UEFI PXE

At home, I use JetKVM or GL.iNet Comet network KVM to bootstrap commodity hardware without BMC (by attaching an ISO). Probably could make a cheap commodity device with Raspberry Pi Zero that does that same thing at lower cost although at that point you're back to "just use USB storage"

reply
wmf
9 minutes ago
[-]
All recent servers support HTTP boot.
reply
zcw100
26 minutes ago
[-]
You can use iPXE https://ipxe.org/
reply