Having http as an alternative to tftp is a nice win. The range of things that can run an http server is much bigger than tftp
reply>Additionally, adding the TLS layer brings back the missing integrity and confidentiality guarantees and thus paves the way to move critical boot components out of the trusted network, possibly even to a remote location/Cloud.
Doesn't secure boot already provide this or am I misunderstanding something? I suppose secure boot only provides integrity but not confidentiality although I'm not sure how much confidentiality matters given we're just talking about the kernel here
To what extent is this possible for actual metal hardware? I'm sure lots of us are running PXE/TFTP systems and HTTP would be a heck of a lot simpler.
replyThere's still the tftp->ipxe->http->??? path. TFTP only needs to serve a 300kb file which can then switch to more robust transport like http for the kernel/OS
replyYou could bypass that by shipping iPXE on USB tho
On metal you also commonly have a BMC so generally that lets you attach an ISO or other storage you can boot from to bypass UEFI primitive PXE. This is probably the biggest one--use BMC functionality instead of UEFI PXE
You can use iPXE https://ipxe.org/
reply