Netbooting Idea

One issue with netbooting computers is that the standard processes --- get a network address, get a bootloader somehow, load a kernel, pull down an image --- are all pretty much unauthenticated. You are trusting that the thing answering your dhcp query or the thing supplying you with an image is the thing you want to be talking to. For client machines this is bad enough, but what if you want to deploy simple services? You want some greater degree of assurance.

What if you had some local store into which you could put some sort of credentials, say, a pgp key, or a certificate? It could be simple --- a compact flash plugged into the ide chain, or a usb keydrive plugged into an internal usb port. It could either contain your bootloader, or your firmware bootloader could use that credential to authenticate and encrypt bits of data. So, do a dhcp request, get a network address. Ask for a kernel with an embedded disk image. Take a couple of hashes of what you get handed, and use the certificate to securely query a service to verify that the hashes match. Start loading stuff. After the kernel boots, it could use that certificate to get other sensitive data: pull down kerberos keytabs, ssh keys, etc., from which more conventional methods of getting sensitive data can be bootstrapped.
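The hash-and-verify exchange sketched above, written out as an added example (not code from the original post). It assumes the credential from the local store is modelled as a shared HMAC key rather than a pgp key or certificate, that the service holds a manifest of known-good hashes, and that a per-boot nonce is added so an old "ok" answer cannot be replayed for a different image; `check_boot` runs both sides in one process where a real deployment would put the service on the network.

```python
import hashlib
import hmac
import json
import secrets

def hash_image(image: bytes) -> dict:
    """Take a couple of hashes of the kernel+image blob handed to us over the network."""
    return {"sha256": hashlib.sha256(image).hexdigest(),
            "sha512": hashlib.sha512(image).hexdigest()}

def _mac(key: bytes, obj: dict) -> str:
    # Canonical JSON so client and service MAC exactly the same bytes.
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), "sha256").hexdigest()

def build_query(key: bytes, name: str, hashes: dict) -> dict:
    """Client: query authenticated with the credential from the local store; the fresh
    nonce stops anyone replaying an old 'ok' answer for a different image."""
    body = {"image": name, "hashes": hashes, "nonce": secrets.token_hex(16)}
    return {"body": body, "mac": _mac(key, body)}

def answer_query(key: bytes, manifest: dict, query: dict) -> dict:
    """Service: check the client's MAC, compare with the known-good hashes, and MAC
    the verdict together with the client's nonce and hashes."""
    body = query["body"]
    if not hmac.compare_digest(_mac(key, body), query["mac"]):
        ok = False  # not one of our machines, or a query altered in transit
    else:
        ok = manifest.get(body["image"]) == body["hashes"]
    verdict = {"ok": ok, "nonce": body["nonce"], "hashes": body["hashes"]}
    return {"body": verdict, "mac": _mac(key, verdict)}

def image_is_trusted(key: bytes, query: dict, reply: dict) -> bool:
    """Client: accept only a reply that is correctly MACed, echoes our nonce and our
    hashes (so it answers this query about this image), and says ok."""
    body = reply["body"]
    return (hmac.compare_digest(_mac(key, body), reply["mac"])
            and body["nonce"] == query["body"]["nonce"]
            and body["hashes"] == query["body"]["hashes"]
            and body["ok"] is True)

def check_boot(key: bytes, manifest: dict, name: str, image: bytes) -> bool:
    """Whole exchange for one boot: hash, ask, verify; only then 'start loading stuff'."""
    query = build_query(key, name, hash_image(image))
    reply = answer_query(key, manifest, query)  # in reality this goes over the network
    return image_is_trusted(key, query, reply)

if __name__ == "__main__":  # constructed sample data: credential, one good image, manifest
    key, good = b"constructed-credential-from-cf-card", b"kernel+embedded image (constructed)"
    manifest = {"router-1": hash_image(good)}
    print(check_boot(key, manifest, "router-1", good), check_boot(key, manifest, "router-1", good + b"x"))
```

The second call in the demo shows a tampered image being refused; the same path also refuses a reply signed with a different credential or one replayed from another query.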

This seems to solve a few problems with the conventional method of doing netbooting:

  • How do I know I'm not getting trojaned binaries?

    All you are trusting is dhcp. After that, you are verifying what you are getting through secure channels, and even if you use something like, say, nfs for the rest of your stuff, you can use this secure channel to set up ipsec or an ssl tunnel to the file service.

  • How do I even know I'm talking to the correct service to set up that initial channel, get the proper kernel, etc?

    As long as you take reasonable steps to physically lock the machine (padlock the case shut, lock the machine to something, use a sane bios that prevents booting from any other device), there's no place where you could insert anything that would allow you to compromise the credentials. There is a slim chance that, if you could power up the machine but prevent it from doing anything else, you might be able to plug in an external usb device, use the computer as little more than an expensive usb hub, and steal the credentials. If you limit yourself to the cf-ide solution, or make sure that you are plugged into a usb bus that does not leave the inside of the case, you should be able to limit that.

Ideas? Potential flaws?