On 02/02/2021 12:48, Peter Robinson wrote:
On Mon, Feb 1, 2021 at 8:28 PM Heinrich Schuchardt <[email protected]> wrote:

On 2/1/21 8:56 PM, Grant Likely wrote:
[...]
On 29/01/2021 20:17, Heinrich Schuchardt wrote:
On 1/29/21 8:21 PM, Grant Likely wrote:

* - EFI_PXE_BASE_CODE_PROTOCOL
    - Booting via the Preboot Execution Environment (PXE) is insecure.
      Loading via PXE is typically executed before launching the first
      UEFI application.

I don't think PXE should be a requirement, as Heinrich mentions it's
insecure. We should be requiring a secure protocol for a new spec, not
an old one that's being EOLed. I believe vendors are moving to remove
it in favour of HTTPS boot which also has the advantage it's more
flexible, and it much better places for IoT/Edge deployments which use
CDNs and the life extensively and it will generally work with
firewalls etc. If we're going to require something for network
installs, if the device has a capable network interface, it should be
HTTPS Boot.

Peter

Unfortunately we've got a functionality gap. U-Boot doesn't yet support TCP, HTTP, or TLS. All that functionality needs to be written or ported from somewhere.

I would really like to require a secure network boot mechanism, but I think it needs to be left out until U-Boot can do TCP and TLS.

g.

_______________________________________________
boot-architecture mailing list
[email protected]
https://lists.linaro.org/mailman/listinfo/boot-architecture

Reply via email to