WADS - HTTPS support - self-signed certificate

Published: September 21, 2023 - 2:07 PM
by David Masson
Hello everyone, I hope you are all doing well.

I'd like to revisit the following topic: viewtopic.php?t=3038.

After some research, I was able to set up the network boot kernels "ipxe.efi" (UEFI) and "undionly.kpxe" (LEGACY) using a self-signed certificate over HTTPS.

Several settings were required in the header files located in ../src/config/*.h before compiling the boot kernels. I'm currently using the ones provided with the FOGProject solution.

Could you tell me about the initial configuration provided by Tranquil-IT for these header files? At a minimum, I imagine it includes language support and HTTPS protocol support...

I found a Python script for compiling the kernels available in /opt/wapt/waptserver/scripts, but it doesn't seem to provide all the necessary details...

Thank you very much. Have a good day.

Re: WADS - HTTPS support - self-signed certificate

Published: September 21, 2023 - 3:16 PM
by sfonteneau
david.masson wrote: Sep 21, 2023 - 2:07 PM
A number of adjustments were necessary to the header files available in ../src/config/*.h before compiling the boot kernels. I am currently using those provided with the FOGProject solution.

Hello, no changes except for the language.

You can see the compilation recipe here:

https://wapt.tranquil.it/store/fr/detai ... PROD.wapt/ (in the update_package.py file)

Out of curiosity, how did you resolve the issue of insecure distribution of the IPXE file via TFTP?

Simon

Re: WADS - HTTPS support - self-signed certificate

Published: September 21, 2023 - 9:30 PM
by David Masson
Good evening,

thank you for your quick reply.

I'm not sure I fully understand your question; could you elaborate a little (I'm new to the WAPT solution)?

Have a good evening.

Best regards.

Re: WADS - HTTPS support - self-signed certificate

Published: September 21, 2023 - 10:28 PM
by sfonteneau
Actually, the question isn't specific to Wapt.

The IPXE binary is distributed to the BIOS using the TFTP protocol (which isn't secure).

Verifying the HTTPS certificate with IPXE therefore amounts to putting the certificate directly into the IPXE binary during compilation.

But this means trusting the IPXE binary distributed via TFTP.

Since I don't really have a way to secure this protocol, I was wondering if you had found a solution to this problem.

Re: WADS - HTTPS support - self-signed certificate

Published: September 22, 2023 - 7:57 AM
by David Masson
Hello,

Not at all, I simply added the certificate to the "ipxe.efi" and "undionly.kpxe" binaries during compilation.
I used the arguments "TRUST=cert.pem" and "DEBUG=tls,x509:3" (just to observe the process). The certificate in question wasn't generated automatically but manually because it also includes an alias and is valid for 10 years.

I'm also open to suggestions for securing this exchange because, indeed, the binaries need to be trusted.

I would have preferred a public certificate issued by a recognized certificate authority, but the validity period is too short for the organizations I work with (1 year).

Best regards.
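Two points in the thread above can be turned into a routine check: the binaries are built with the trust anchor embedded (TRUST=cert.pem), and, as sfonteneau notes, whatever the TFTP server hands out is then trusted without any verification by the client. The following is an added example (editor's illustration, not code from the thread, from WAPT or from iPXE): it records a SHA-256 fingerprint of the embedded certificate and SHA-256 hashes of ipxe.efi and undionly.kpxe right after the build, and later compares the files actually served from the TFTP root against that manifest. The directory layout, the file names in the demo and the PEM body are constructed assumptions; only the binary names and TRUST=cert.pem come from the thread.

```python
import base64
import hashlib
import tempfile
from pathlib import Path

# Boot binaries named in the thread; the build/tftp directory layout is an assumption.
BOOT_BINARIES = ("ipxe.efi", "undionly.kpxe")


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def cert_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint (colon-separated, upper-case) of the first
    certificate in a PEM file, i.e. the hash of its DER encoding.
    Recording this next to the build ties the binaries to the exact
    trust anchor that was embedded with TRUST=cert.pem."""
    inside = False
    b64_lines = []
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
            continue
        if line == "-----END CERTIFICATE-----":
            break
        if inside:
            b64_lines.append(line)
    if not b64_lines:
        raise ValueError("no CERTIFICATE block found in PEM input")
    der = base64.b64decode("".join(b64_lines), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_manifest(build_dir: Path, cert_pem: Path) -> dict:
    """Snapshot taken right after `make ... TRUST=cert.pem` finishes."""
    return {
        "trust_anchor_sha256": cert_fingerprint(cert_pem.read_text()),
        "binaries": {name: sha256_file(build_dir / name) for name in BOOT_BINARIES},
    }


def verify_served(manifest: dict, tftp_root: Path) -> dict:
    """Compare what the TFTP server currently hands out with the manifest.
    Returns 'ok', 'mismatch' or 'missing' per binary; anything other than
    'ok' means the unauthenticated TFTP step is no longer serving the build
    that carries the embedded trust anchor."""
    results = {}
    for name, expected in manifest["binaries"].items():
        served = tftp_root / name
        if not served.is_file():
            results[name] = "missing"
        elif sha256_file(served) != expected:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results


# Constructed stand-in for cert.pem; the base64 body is NOT a real certificate.
FAKE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def demo() -> dict:
    """Self-contained run on constructed files: builds a manifest, copies the
    binaries into a fake TFTP root, alters one of them, and also checks an
    empty root so all three outcomes are visible."""
    with tempfile.TemporaryDirectory() as tmp:
        build, tftp, empty = Path(tmp) / "build", Path(tmp) / "tftp", Path(tmp) / "empty"
        for d in (build, tftp, empty):
            d.mkdir()
        cert = build / "cert.pem"
        cert.write_text(FAKE_CERT_PEM)
        for name in BOOT_BINARIES:
            (build / name).write_bytes(b"constructed contents of " + name.encode())
        manifest = build_manifest(build, cert)

        # ipxe.efi is copied faithfully; undionly.kpxe is altered by one byte.
        (tftp / "ipxe.efi").write_bytes((build / "ipxe.efi").read_bytes())
        (tftp / "undionly.kpxe").write_bytes((build / "undionly.kpxe").read_bytes() + b"\x00")
        return {
            "fingerprint": manifest["trust_anchor_sha256"],
            "tampered": verify_served(manifest, tftp),
            "empty": verify_served(manifest, empty),
        }


if __name__ == "__main__":
    print(demo())
```

This does not make TFTP itself secure; it only gives the administrator a way to notice when the served kernels diverge from the ones built with the intended certificate, which is the residual risk both posters describe. The manifest should be kept somewhere the TFTP server cannot write to, and the check run from a host other than the TFTP server.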