
UEFI HTTP/HTTPS Boot


Presentation delivered at LinuxCon China 2016

UEFI HTTP/HTTPS Boot is a new feature of UEFI 2.5+. At present, this feature is not yet implemented in any Linux bootloader. This Birds of a Feather session will give an introduction to UEFI HTTP/HTTPS Boot and share a proof-of-concept implementation based on grub2 that works on both the emulator (QEMU/OVMF) and HPE ProLiant Gen10 servers.

For HTTPS, experience with the purely software-based and the UEFI-based implementations will be shared and compared in terms of ease of implementation, security strength, and limitations.


UEFI HTTP/HTTPS Boot

  1. UEFI HTTP/HTTPS Boot
     LinuxCon China 2017
     Keng-Yu Lin <kengyu@hpe.com>
     June 20, 2017
  2. Agenda
     • UEFI HTTP(s) Boot introduction
     • HPE UEFI HTTP Boot PoC based on GRUB2
     • Share obstacles
     • Open discussion
  3. UEFI HTTP(s) Boot Modes
     • Corporate environment: DHCP server with HTTPBoot extension. Analogous to PXE with TFTP replaced by HTTP(s).
     • Home environment: standard DHCP server. The user inputs a URL of a UEFI bootloader and the system then boots from there.
  4. Comparison: UEFI HTTP(s) Boot vs. PXE
     • Address family: UEFI HTTP(s) Boot supports IPv4 & IPv6; PXE is IPv4 only.
     • Requirements: UEFI 2.5 plus + DHCP extension + HTTP server; PXE needs UEFI or legacy BIOS + DHCP extension + TFTP server.
     • DNS: standard DNS setup; PXE uses dnsmasq as the DNS forwarder.
     • Access control: an HTTP server has a variety of access controls; TFTP has no access control.
     • Transport: both the UEFI firmware and the bootloader use HTTP. With PXE, many bootloaders already support HTTP, so TFTP looks redundant: (1) the PXE-enabled BIOS loads the bootloader (aka Network Bootstrap Program, NBP), (2) the HTTP-enabled bootloader loads kernel+initrd via HTTP.
     • SSL/TLS support (HTTPS): available; PXE: N/A.
  5. Example (screenshot from EDK2/OVMF)
     Sequence between the UEFI HTTP(s) client, the DHCP server and the HTTP(s) server:
     1. DHCPDISCOVER from the client to the DHCP server
     2. DHCPOFFER with NBP location info
     3. Request for the NBP over HTTP(s); the HTTP(s) server returns the NBP
     4. Request for loading the Linux kernel and initrd over HTTP(s); the server returns the kernel and initrd
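Slides 3 and 5 describe the corporate mode as "PXE with TFTP replaced by HTTP(s)": the firmware announces itself to the DHCP server, and the DHCPOFFER carries the NBP location. The following is an added example, not code from the slides or from HPE's PoC, of the DHCP-server-side decision that makes this work: it parses the options area of a DHCPDISCOVER, cross-checks the client's self-declared vendor class against the binary architecture code, and builds the offer options. Option numbers (60, 67, 93) and the "HTTPClient:Arch:xxxxx:UNDI:yyyxxx" vendor class format come from the UEFI HTTP Boot specification and RFC 4578; the architecture codes are assumed from the IANA "Processor Architecture Types" registry; the host name, file names and sample requests are constructed.

```python
"""Added example (not from the slides): the DHCP-server-side logic that
tells a UEFI HTTP Boot client apart from a PXE client and builds the matching
offer.  Option numbers and the "HTTPClient:Arch:xxxxx:UNDI:yyyxxx" vendor
class format follow the UEFI HTTP Boot section of the spec and RFC 4578;
the host name, paths and sample requests below are constructed."""
import struct

OPT_VENDOR_CLASS = 60   # vendor class identifier
OPT_BOOTFILE = 67       # boot file name: TFTP file (PXE) or URI (HTTP Boot)
OPT_CLIENT_ARCH = 93    # client system architecture, 16-bit big endian
OPT_END = 255

# Architecture codes for UEFI HTTP Boot clients (IANA "Processor Architecture
# Types" registry; assumed from the registry, not stated on the slides).
HTTP_BOOT_ARCHES = {0x0F: "x86 UEFI HTTP", 0x10: "x64 UEFI HTTP",
                    0x12: "ARM32 UEFI HTTP", 0x13: "ARM64 UEFI HTTP"}


def encode_options(options):
    """Serialize {code: bytes} into a DHCP options area (code, length, value ... 255)."""
    out = bytearray()
    for code, value in options.items():
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(raw):
    """Parse a DHCP options area; stops at END (255) and skips PAD (0) bytes."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == 0:
            i += 1
            continue
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def classify_client(opts):
    """Return ("http", arch) for a UEFI HTTP Boot client, ("pxe", arch) for anything else.

    The client's self-declared vendor class is cross-checked against option 93:
    the Arch field inside "HTTPClient:Arch:00016:..." must match the binary
    architecture code, otherwise the request is handled as an ordinary PXE request.
    """
    vendor = opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    arch = struct.unpack("!H", opts[OPT_CLIENT_ARCH])[0] if OPT_CLIENT_ARCH in opts else -1
    fields = vendor.split(":")
    if len(fields) >= 3 and fields[0] == "HTTPClient" and fields[1] == "Arch" and fields[2].isdigit():
        if int(fields[2]) == arch and arch in HTTP_BOOT_ARCHES:
            return "http", arch
    return "pxe", arch


def build_offer_options(opts, http_base="https://boot.example.internal/efi/",
                        tftp_file=b"bootx64.efi"):
    """Options the server puts in its DHCPOFFER; the NBP is then served over HTTP(S) or TFTP."""
    kind, _ = classify_client(opts)
    if kind == "http":
        # The reply must carry option 60 = "HTTPClient" and a URI as the boot file,
        # which is how the firmware knows to fetch the NBP with its HTTP driver.
        return {OPT_VENDOR_CLASS: b"HTTPClient",
                OPT_BOOTFILE: (http_base + "grubx64.efi").encode("ascii")}
    return {OPT_BOOTFILE: tftp_file}


# Constructed sample requests: an x64 UEFI HTTP Boot client and a UEFI PXE client.
SAMPLE_HTTP_DISCOVER = encode_options({OPT_VENDOR_CLASS: b"HTTPClient:Arch:00016:UNDI:003000",
                                       OPT_CLIENT_ARCH: struct.pack("!H", 0x10)})
SAMPLE_PXE_DISCOVER = encode_options({OPT_VENDOR_CLASS: b"PXEClient:Arch:00007:UNDI:003016",
                                      OPT_CLIENT_ARCH: struct.pack("!H", 0x07)})
# Vendor class claims HTTP Boot but option 93 says PXE: handled as PXE.
SAMPLE_MISMATCH_DISCOVER = encode_options({OPT_VENDOR_CLASS: b"HTTPClient:Arch:00016:UNDI:003000",
                                           OPT_CLIENT_ARCH: struct.pack("!H", 0x07)})

if __name__ == "__main__":
    for name, raw in [("http", SAMPLE_HTTP_DISCOVER), ("pxe", SAMPLE_PXE_DISCOVER)]:
        opts = parse_options(raw)
        print(name, classify_client(opts), build_offer_options(opts))
```

The offer uses an https:// base by default so that the firmware's own TLS stack authenticates the server before the NBP is executed; a plain http:// base works for HTTP Boot as well but leaves the NBP download unauthenticated.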
  6. UEFI HTTP Protocol Usage
     • Application-level API
     • No socket/TCP/UDP
     • Standard HTTP usage
     • Standard UEFI usage
  7. GRUB2 Modular Architecture
     Diagram: kernel.img loads the modules efihttp.mod, net.mod, efinet.mod, crypto.mod, http.mod, normal.mod, terminal.mod, extcmd.mod, mmap.mod and echo.mod on demand (arrows labelled "load" and "execute").
     GRUB2 is not a single binary. It contains a lot of separate modules and they are only loaded when needed.
  8. Software-Based Implementation
     - Patches* from HPE & SuSE
     - Only use http.mod from GRUB2
     - Obstacles of HTTPS:
       - No https.mod in GRUB2
       - GRUB2 using OpenSSL or GnuTLS is error-prone
       - Saving the certificates in software is dangerous
       - UEFI already provides good and simple APIs to use
     - Disadvantages: only works on UEFI-enabled machines
     (screenshot from EDK2/OVMF: SSL certificate in X.509 or PEM format)
     * https://lists.gnu.org/archive/html/grub-devel/2016-08/msg00000.html
       https://lists.gnu.org/archive/html/grub-devel/2016-12/msg00088.html
  9. UEFI-Based HTTP Implementation
     - HPE PoC works on OVMF/QEMU
     - Preliminary test works on HPE ProLiant Gen10 servers
     - RFC patchset* sent to the GRUB2 upstream
     - GRUB2 maintainers' comments:
       • Prefer the software-based solution with the GnuTLS library
       • Works on non-UEFI arches
       • Need an MNP NIC driver rather than SNP for the UEFI HTTP(s) protocols
     * http://lists.gnu.org/archive/html/grub-devel/2017-01/msg00016.html
  10. Obstacle of NIC Driver in GRUB2 – SNP & MNP
     – Simple Network Protocol, SNP (UEFI 2.6 spec. 23.1): "This protocol can be used as a building block in a full UDP and TCP/IP implementation that can produce a variety of application level network interface"
     – Managed Network Protocol, MNP (UEFI 2.6 spec. 24.1): "MNP provides raw (unformatted) asynchronous network packet I/O services. The services make it possible for multiple-event-driven drivers and applications to access and use the system network interfaces at the same time."
     – In short:
       – GRUB2 only implements an SNP network driver
       – SNP has no "multiplex access" ability
       – HTTP(s) are application-level protocols
       – If GRUB2 and the UEFI firmware issue HTTP requests at the same time, there could be race conditions
     Diagram: NBP (GRUB2) software vs. firmware; MNP driver in GRUB2: N/A.
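The slide's point is that SNP gives one consumer an exclusive receive path while MNP lets several drivers and applications share the interface. The following is an added example, not code from the slides and not UEFI's real API, that models the two designs in a few dozen lines: an SNP-like NIC hands each frame to whichever stack polls first, and an MNP-like dispatcher offers every frame to each registered consumer whose filter accepts it. Run over the same constructed traffic, the first model loses segments belonging to both GRUB2's http.mod and the firmware's HTTP driver, which is the race the slide warns about; the second delivers everything. Class names, port numbers and frames are all constructed.

```python
"""Added example (not from the slides, and not UEFI's real API): a small model of
why GRUB2's SNP-only network driver cannot share the NIC with the firmware's
HTTP(S) stack, and what an MNP-style dispatcher changes.  Frames, ports and
names are constructed."""
from collections import deque, namedtuple

Frame = namedtuple("Frame", "dst_port payload")

# Two independent TCP/HTTP stacks in one image, each with its own local port
# (values constructed): GRUB2's http.mod and the firmware's EFI HTTP driver.
GRUB_PORT = 49152
FIRMWARE_PORT = 49153


class SnpLikeNic:
    """Exclusive receive path: receive() consumes the next frame, whoever asks."""

    def __init__(self, frames):
        self.queue = deque(frames)

    def receive(self):
        return self.queue.popleft() if self.queue else None


def run_with_snp(nic, stacks):
    """stacks: {name: local_port}.  Each stack polls the NIC in round-robin order,
    the way two drivers that each believe they own the interface would.  A frame
    pulled by the wrong stack does not belong to it and is dropped."""
    delivered = {name: [] for name in stacks}
    dropped = []
    order = list(stacks)
    turn = 0
    while True:
        frame = nic.receive()
        if frame is None:
            break
        name = order[turn % len(order)]
        turn += 1
        if frame.dst_port == stacks[name]:
            delivered[name].append(frame.payload)
        else:
            dropped.append(frame.payload)  # lost for the stack that was waiting for it
    return delivered, dropped


class MnpLikeDispatcher:
    """Shared receive path: each consumer registers a filter; every frame is
    offered to all consumers and kept by the ones whose filter accepts it."""

    def __init__(self, nic):
        self.nic = nic
        self.consumers = []

    def configure(self, name, local_port):
        self.consumers.append((name, local_port))

    def run(self):
        delivered = {name: [] for name, _ in self.consumers}
        dropped = []
        while True:
            frame = self.nic.receive()
            if frame is None:
                break
            takers = [name for name, port in self.consumers if port == frame.dst_port]
            for name in takers:
                delivered[name].append(frame.payload)
            if not takers:
                dropped.append(frame.payload)
        return delivered, dropped


# Constructed arrival order: two HTTP response segments for GRUB2 arrive back to
# back, then two for the firmware, while both stacks are polling.
SAMPLE_FRAMES = [
    Frame(GRUB_PORT, "grub:seg1"), Frame(GRUB_PORT, "grub:seg2"),
    Frame(FIRMWARE_PORT, "fw:seg1"), Frame(FIRMWARE_PORT, "fw:seg2"),
]
STACKS = {"grub2-http.mod": GRUB_PORT, "firmware-http": FIRMWARE_PORT}


def compare():
    """Run the same traffic through both models; returns (snp_result, mnp_result),
    each a (delivered, dropped) pair."""
    snp = run_with_snp(SnpLikeNic(SAMPLE_FRAMES), STACKS)
    dispatcher = MnpLikeDispatcher(SnpLikeNic(SAMPLE_FRAMES))
    for name, port in STACKS.items():
        dispatcher.configure(name, port)
    return snp, dispatcher.run()


if __name__ == "__main__":
    for label, (delivered, dropped) in zip(("SNP-style", "MNP-style"), compare()):
        print(label, "delivered:", delivered, "dropped:", dropped)
```

The model deliberately ignores retransmission: in a real stack the dropped segments would eventually be resent, but until then each side sees a stalled or corrupted transfer, and which side loses depends purely on polling timing, which is what makes the problem a race rather than a deterministic failure.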
  11. Interactive Source Level GRUB2 / OVMF Co-Debugging
     Diagram: QEMU w/ gdbserver loads and executes an OVMF debug build*, which loads and executes a GRUB2 debug build**. The GDB client then: (1) connects to the gdbserver, (2) loads the OVMF symbol address, (3) loads the GRUB2 symbol address, (4) runs a source level debug session.
     * http://feishare.com/efimail/messages/20140619-0534-_edk2__source_level_debugging_of_OVMF_with_gdb-Laszlo_Ersek.html
     ** http://wjhowto.googlepages.com/grub2-r2300-2340-elfgdb.patch
     ** http://svnweb.mageia.org/packages/cauldron/grub2/current/SOURCES/10005-Make-a-gdb-dprintf-that-tells-us-load-addresses.patch
  12. Summary
     – Works on HPE ProLiant Gen10 servers & EDK2/OVMF + QEMU
     – HPE is the major contributor of UEFI HTTP(s) Boot in EDK2
     – HPE is driving the support in Linux bootloaders
  13. Open Discussion
