RE: Security Use Requirements (and security issue with iSCSI bootdeployment)

["Prasenjit Sarkar" <psarkar@almaden.ibm.com>]

One should note that iSCSI-boot does not use PXE during the actual boot
process - PXE may
be used to load the minimum iSCSI initiator software necessary for the boot
process.

The iSCSI booting process, given its raw block access to a disk as opposed
to a specified
image in BOOTP variants, may involved the sequential loading of multiple
images whose
identities are known only at run time. For example, in a PC boot you dont
know whether
the first image you are loading is lilo or ntldr until you examine the boot
disk.

Short of digitally signing every block, a practical way out is to for each
loaded image
to verify the integrity of the subsequent image to be loaded (if any).
Another way may
be Julian's solution but I am unware of the details.

Comments appreciated,

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

>At the least it should be noted in Security Considerations that vendors
>should consider providing a mechanism for vendor-to-booter verification
>of a boot image.

Such a thing already exists. It's part of the PXE specification and
involves storing on the PC a public key that is used to sign the boot
image.

>It would be really nice if iSCSI-boot suggested a mechanism, so that
>it could be built into ROMs by manufacturers that are implementing
>iSCSI-boot and so that the hardware manufacturer could not use the
>mechanism to lock out alternative operating systems.

This capability is already built into PXE-compliant
boot ROMs. In fact, you may already have purchased a NIC that
implements PXE!

I should note that there are some interesting issues that arise when
using PXE to do secure iSCSI boot, but I'll leave that issue to another
discussion.