UEFI supports a new kind of booting workflow via HTTP instead of the traditional (slow and clunky) TFTP. Implementing this in Foreman is possible with a relatively small number of changes.
Motivation
Foreman already supports iPXE HTTP booting, which is used for booting virtual machines with iPXE firmware built in, and the UEFI HTTP Boot feature will be essentially the same. The feature can enable both UEFI HTTP and iPXE HTTP booting, as the implementation requires only two main steps described below.
Detailed design
- I propose to implement a simple HTTP/HTTPS service as a foreman-proxy plugin serving all files from the TFTP directory. Only regular files are supported; listing of directories will be disabled.
- A new feature called “HTTPBOOT” and a smart proxy association must be created, which will help to determine the smart proxy hostname to use for the HTTP URL.
- A new set of PXELoader options will be available: PXELinux EFI HTTP, PXEGrub EFI HTTP, PXEGrub2 EFI HTTP. They will provide DHCP filename options in the form of http://proxy_hostname/path/to/tftp/file/grub2.efi
- For unknown hosts and discovery support, we need to modify our dhcpd.conf file deployed by our puppet installer:

    option arch code 93 = unsigned integer 16; # RFC4578

    # support for UEFI HTTP Boot on Intel architectures
    class "httpclients" {
      match if substring (option vendor-class-identifier, 0, 9) = "HTTPClient";
      if option arch = 00:0F {
        filename "https://foreman.proxy.example.com:8443/grub2/bootia32.efi";
      } else if option arch = 00:10 {
        filename "https://foreman.proxy.example.com:8443/grub2/bootx64.efi";
      }
    }

    class "pxeclients" {
      match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
      next-server 10.0.0.1;
      if exists user-class and option user-class = "iPXE" {
        filename "https://foreman.example.com:443/unattended/iPXE";
      } else if option arch = 00:06 {
        filename "grub2/bootia32.efi";
      } else if option arch = 00:07 {
        filename "grub2/bootx64.efi";
      } else {
        filename "pxelinux.0";
      }
    }
Drawbacks
First, this is all theory; I haven’t tried it, and it can happen that the grub2 bootloader will not be able to search files on HTTP. It is also possible that the upstream version implemented this but the version from RHEL7 won’t support this for now.
Exposing PXE configurations via HTTP/HTTPS adds a new attack vector, but since the files are already readable by TFTP and we won’t provide directory listings, the attacker’s chances of reading existing loader configuration are the same. We need to make sure we only read regular files (not symlinks) and only read from the root directory.
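One way to enforce the "regular files only, no symlinks, stay under the root" rule when mapping a request path to a file, as an added Ruby example (not Foreman or smart-proxy code). `resolve_boot_file`, `demo_results` and the temporary directory layout are hypothetical names constructed for illustration.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Hypothetical helper: map a request path to a file under the TFTP root.
# Returns the file path, or nil when the request must be refused (404).
def resolve_boot_file(tftp_root, request_path)
  return nil if request_path.include?("\0")
  current = Pathname.new(tftp_root).realpath
  # Walk one component at a time so a symlink anywhere in the path is refused,
  # not only a symlink in the final component.
  request_path.split('/').each do |part|
    next if part.empty? || part == '.'
    return nil if part == '..'          # never step above the root
    current = current.join(part)
    stat = begin
      current.lstat                     # lstat does not follow symlinks
    rescue SystemCallError
      return nil                        # missing or unreadable component
    end
    return nil if stat.symlink?
  end
  # Directories are refused here, which also rules out directory listings.
  return nil unless current.lstat.file?
  # Assumption: a real service would also open with File::NOFOLLOW and fstat
  # the handle, since this check and a later open are not atomic.
  current.to_s
end

# Constructed sample tree: one loader, plus a symlink that points outside the root.
def demo_results
  Dir.mktmpdir do |dir|
    root = File.join(dir, 'tftpboot')
    FileUtils.mkdir_p(File.join(root, 'grub2'))
    File.write(File.join(root, 'grub2', 'bootx64.efi'), 'constructed loader')
    File.write(File.join(dir, 'secret'), 'outside the root')
    File.symlink(File.join(dir, 'secret'), File.join(root, 'grub2', 'link.efi'))
    requests = %w[/grub2/bootx64.efi /grub2/link.efi /grub2 /../secret /grub2/missing]
    requests.to_h { |req| [req, !resolve_boot_file(root, req).nil?] }
  end
end

p demo_results if $PROGRAM_NAME == __FILE__
```
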
Links