Downloaded 122 times
More Related Content
![[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...](https://cdn.slidesharecdn.com/ss_thumbnails/ai-aifortheunderdogsinnovationforsmallbusinesses-251124030839-72a599a4-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels](https://cdn.slidesharecdn.com/ss_thumbnails/md-exploringappleson-devicefoundationmodels-251124030840-d690542c-thumbnail.jpg?width=640&height=640&fit=bounds)
UEFI HTTP/HTTPS Boot
- 1. UEFI HTTP/HTTPS Boot LinuxConChina 2017 Keng-Yu Lin <kengyu@hpe.com> June 20, 2017
- 2. Agenda • UEFI HTTP(s)Boot introduction • HPE UEFI HTTP Boot PoC based on GRUB2 • Share obstacles • Open discussion 2
- 3. UEFI HTTP(s) BootModes Corporate Environment Home Environment 3 DHCP Server with HTTPBoot Extension * Analogous to PXE with TFTP replaced by HTTP(s) Standard DHCP Server * User inputs a URL of a UEFI bootloader and then the system boot from there.
- 4. Comparison 4 UEFI HTTP(s) BootPXE IPv4 & IPv6 IPv4 only UEFI 2.5 plus + DHCP extension + HTTP server UEFI or legacy BIOS + DHCP extension + TFTP server Standard DNS setup dnsmasq as the DNS forwarder HTTP server has a variety of access control TFTP has no access control Both UEFI firmware & the bootloader use HTTP Many bootloaders have supported HTTP. TFTP looks redundant 1. PXE-enabled BIOS to load the bootloader (aka Network Bootstrap Program, NBP) 2. HTTP-enabled bootloader loads kernel+initrd via HTTP SSL/TLS support (HTTPS) N/A
- 5. Example 5 Linux HTTP(s) client server kernel NBP DHCPOFFER with NBPlocation info Request for the NBP HTTP(s) NBPUEFI HTTPserver Request for loading the Linux kernel and initrd initrd HTTP(s) DHCPDISCOVERY DHCPserver (screenshot from EDK2/OVMF)
- 6. UEFI HTTP ProtocolUsage 6 • Application-level API • No socket/TCP/UDP • Standard HTTP usage • Standard UEFI usage
- 7. GRUB2 Modular Architecture 7 efihttp.mod kernel.img net.mod efinet.mod crypto.mod http.mod normal.mod terminal.mod extcmd.mod execute load mmap.mod echo.mod load loadload load load load load load load load load GRUB2 is not a single binary. It contains a lot of separate modules and they are only loaded when needed.
- 8. Software-Based Implementation - Patches*from HPE & SuSE - Only use http.mod from GRUB2 - Obstacles of HTTPS - No https.mod in GRUB2 - GRUB2 to use openssl or GnuTLS is error-prone - Saving the certificates in software is dangerous - UEFI already provides good and simple APIs to use. - Disadvantages: only works on UEFI-enabled machines 8 * https://lists.gnu.org/archive/html/grub-devel/2016-08/msg00000.html https://lists.gnu.org/archive/html/grub-devel/2016-12/msg00088.html (screenshot from EDK2/OVMF) SSL certificate in x.509 or PEM format
- 9. UEFI-Based HTTP Implementation -HPE PoC works on OVMF/QEMU - Preliminary test works on HPE ProLiant Gen10 servers - RFC patchset sent to the GRUB2 upstream - GRUB2 maintainers’ comments: • Prefers the software-based solution with GnuTLS library • Works on non-UEFI arches • Need MNP NIC driver rather than SNP for UEFI HTTP(s) protocols 9 * http://lists.gnu.org/archive/html/grub-devel/2017-01/msg00016.html
- 10. Obstacle of NICDriver in GRUB2 – SNP & MNP – Simple Network Protocol, SNP (UEFI 2.6 spec. 23.1) – “This protocol can be used to as a building block in a full UDP and TCP/IP implementation that can produce a variety of application level network interface” – Managed Network Protocol, MNP (UEFI 2.6 spec. 24.1) – “MNP provides raw (unformatted) asynchronous network packet I/O services. The services make it possible for multiple-event-driven drivers and applications to access and use the system network interfaces at the same time.” – In short – GRUB2 only implements SNP network driver – SNP has no “multiplex access” ability – HTTP(s) are an application-level protocols – If GRUB2 and UEFI firmware issue HTTP requests at the same time, there could be race conditions 10 NBP (GRUB2) Software Firmware MNP driver N/A
- 11. Interactive Source LevelGRUB2 / OVMF Co-Debugging 11 QEMU w/ gdbserver OVMF Debug Build * GRUB2 Debug Build ** Load / Execute Load / Execute * http://feishare.com/efimail/messages/20140619-0534-_edk2__source_level_debugging_of_OVMF_with_gdb-Laszlo_Ersek.html ** http://wjhowto.googlepages.com/grub2-r2300-2340-elfgdb.patch ** http://svnweb.mageia.org/packages/cauldron/grub2/current/SOURCES/10005-Make-a-gdb-dprintf-that-tells-us-load-addresses.patch GDB Client Connect 1 Load Symbol Address2 Load Symbol Address3 Source Level Debug Session4
- 12. Summary – Works onHPE ProLiant Gen10 servers & EDK2/OVMF + QEMU – HPE is the major contributor of UEFI HTTP(s) Boot in EDK2 – HPE is driving the support in Linux bootloaders 12
- 13.