On 26.01.18 20:52, Heinrich Schuchardt wrote: > The appended README explains how U-Boot and iPXE can be used > to boot a diskless system from an iSCSI SAN. > > The maintainer for README.efi and README.iscsi is set. > > Signed-off-by: Heinrich Schuchardt <xypron.g...@gmx.de> > --- > v2 > mention work on TCP and wget > remove VLAN drawing > fix reference of EFI service used by Grub > --- > MAINTAINERS | 2 + > doc/README.iscsi | 159 > ++++++++++++++++++++++++++++++++++++++++++++++ > lib/efi_loader/efi_file.c | 9 +++
I'm quite sure you did not mean to send those changes along as well ;). > 3 files changed, 170 insertions(+) > create mode 100644 doc/README.iscsi > > diff --git a/MAINTAINERS b/MAINTAINERS > index d459153503..6e94cee5d3 100644 > --- a/MAINTAINERS > +++ b/MAINTAINERS > @@ -286,6 +286,8 @@ EFI PAYLOAD > M: Alexander Graf <ag...@suse.de> > S: Maintained > T: git git://github.com/agraf/u-boot.git > +F: doc/README.efi Not sure I want to maintain README.efi in its current state. How about we just leave this part to your other patch? > +F: doc/README.iscsi > F: include/efi* > F: lib/efi*/ > F: test/py/tests/test_efi* > diff --git a/doc/README.iscsi b/doc/README.iscsi > new file mode 100644 > index 0000000000..a731c06feb > --- /dev/null > +++ b/doc/README.iscsi > @@ -0,0 +1,159 @@ > +# iSCSI booting with U-Boot and iPXE > + > +## Motivation > + > +U-Boot has only a reduced set of supported network protocols. The focus for > +network booting has been on UDP based protocols. A TCP stack and HTTP support > +are expected to be integrated in 2018 together with a wget command. > + > +For booting a diskless computer this leaves us with BOOTP or DHCP to get the > +address of a boot script. TFTP or NFS can be used to load the boot script, > the > +operating system kernel and the initial file system (initrd). > + > +These protocols are insecure. The client cannot validate the authenticity > +of the contacted servers. And the server cannot verify the identity of the > +client. > + > +Furthermore the services providing the operating system loader or kernel are > +not the ones that the operating system typically will use. Especially in a > SAN > +environment this makes updating the operating system a hassle. After > installing > +a new kernel version the boot files have to be copied to the TFTP server > +directory. > + > +The HTTPS protocol provides certificate based validation of servers. > Sensitive > +data like passwords can be securely transmitted. > + > +The iSCSI protocol is used for connecting storage attached networks. It > +provides mutual authentication using the CHAP protocol. It typically runs on > +a TCP transport. > + > +Thus a better solution than DHCP/TFTP/NFS boot would be to load a boot script > +via HTTPS and to download any other files needed for booting via iSCSI from > the > +same target where the operating system is installed. > + > +An alternative to implementing these protocols in U-Boot is to use an > existing > +software that can run on top of U-Boot. iPXE is the "swiss army knife" of > +network booting. It supports both HTTPS and iSCSI. It has a scripting engine > for > +fine grained control of the boot process and can provide a command shell. > + > +iPXE can be built as an EFI application (named snp.efi) which can be loaded > and > +run by U-Boot. > + > +## Boot sequence > + > +U-Boot loads the EFI application iPXE snp.efi using the bootefi command. This > +application has network access via the simple network protocol offered by > +U-Boot. > + > +iPXE executes its internal script. This script may optionally chain load a > +secondary boot script via HTTPS or open a shell. > + > +For the further boot process iPXE connects to the iSCSI server. This includes > +the mutual authentication using the CHAP protocol. After the authentication > iPXE > +has access to the iSCSI targets. > + > +For a selected iSCSI target iPXE sets up a handle with the block IO > protocol. It > +uses the ConnectController boot service of U-Boot to request U-Boot to > connect a > +file system driver. U-Boot reads from the iSCSI drive via the block IO > protocol > +offered by iPXE. It creates the partition handles and installs the simple > file > +protocol. Now iPXE can call the simple file protocol to load Grub. U-Boot > uses > +the block IO protocol offered by iPXE to fulfill the request. > + > +Once Grub is started it uses the same block IO protocol to load Linux. Via > +the EFI stub Linux is called as an EFI application. > + > +``` > + +--------+ +--------+ > + | | Runs | | > + | U-Boot |=========>| iPXE | > + | EFI | | snp.efi| > ++--------+ | | DHCP | | > +| |<====|********|<=========| | > +| DHCP | | | Get IP | | > +| Server | | | Adress | | > +| |====>|********|=========>| | > ++--------+ | | Response | | > + | | | | > + | | | | > ++--------+ | | HTTPS | | > +| |<====|********|<=========| | > +| HTTPS | | | Load | | > +| Server | | | Script | | > +| |====>|********|=========>| | > ++--------+ | | | | > + | | | | > + | | | | > ++--------+ | | iSCSI | | > +| |<====|********|<=========| | > +| iSCSI | | | Auth | | > +| Server |====>|********|=========>| | > +| | | | | | > +| | | | Loads | | > +| |<====|********|<=========| | +--------+ > +| | | | Grub | | Runs | | > +| |====>|********|=========>| |=======>| Grub | > +| | | | | | | | > +| | | | | | | | > +| | | | | | Loads | | > +| |<====|********|<=========|********|<=======| | > +--------+ > +| | | | | | Linux | | Runs | > | > +| |====>|********|=========>|********|=======>| |=====>| Linux > | > +| | | | | | | | | > | > ++--------+ +--------+ +--------+ +--------+ | > | > + | > | > + | > | > + | ~ ~ ~ > ~| > +``` > + > +## Security > + > +The iSCSI protocol is not encrypted. The traffic could be secured using IPsec > +but neither U-Boot nor iPXE does not support this. So we should at least neither ... nor ... <positive expression> So in your case "... but neither U-Boot nor iPXE support this". Otherwise LGTM. Alex _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
