Open marmarek opened 1 year ago
@marmarek thanks for reporting.
@miczyg1 I guess this is trivial to enable. The question is whether we plan it for v1.1.1 or v1.2.0 (I'm thinking about setting up such milestones and starting to gather interest)?
Yes, it should be trivial...
This has been integrated, right? @miczyg1
When point 3 is done, then we can close
But there is still no verification here: https://boot.dasharo.com/dts/dts.ipxe (need to utilize imgverify: https://ipxe.org/cmd/imgverify)
Isn't the remaining scope from this issue a duplicate of https://github.com/Dasharo/dasharo-issues/issues/54? Could you confirm @artur-rs , @TomaszAIR ?
I started investigating it here: https://github.com/Dasharo/meta-dts/blob/main/scripts/generate-ipxe-menu.sh#L18 some time ago
@BeataZdunczyk it is not a duplicate. The issue you linked should be closed (I already have closed it).
@marmarek We have the HTTPS enabled, but still looking into this feature.
Do you suggest that we enable the imgtrust --permanent in the embedded script in firmware?
I think only this way we can ensure that this is always enabled, as if we consider MITM, we cannot hope for an adversary to enable this imgtrust trust option in their ipxe menu.
Doesn't it limit other use-cases, though, such as booting stuff via netboot.xyz, or others, if they do not provide signatures and imgverify commands in their menus?
First of all, you can enable it only for DTS boot entry, no?
But also, IIUC imgtrust applies to chain too, so even if you use just imgtrust (without --permanent), only a signed script will be able to disable it again.
We could add imgtrust --permanent here https://github.com/Dasharo/dasharo-blobs/blob/3f879073f4567590977eec477034e50dbd458545/dasharo/dasharo.ipxe#L21
Or, if we can verify the ipxe script, then use imgtrust before dhcp and imgtrust --allow before goto MENU, so we aren't stuck with imgtrust in case booting fails.
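A worked version of the second variant described in the comment above (imgtrust before dhcp, detached-signature verification of the DTS script, imgtrust --allow on the failure path before returning to the menu), added here as an illustration. It is not Dasharo's dasharo.ipxe or any file from the dasharo-blobs repository. The signature URL dts.ipxe.sig, the MENU label, and the presence of a trusted signing certificate in the firmware's iPXE build are assumptions, not details from the thread:

```ipxe
#!ipxe
# Added example of a hardened DTS boot entry; not Dasharo's dasharo.ipxe.
# Assumptions (not from the thread):
#  - a detached CMS signature is published as dts.ipxe.sig next to dts.ipxe
#  - the signing certificate chains to a root that this iPXE build trusts
#  - MENU is the label of the firmware's existing iPXE menu

# From here on iPXE refuses to execute (chain) any image that has not passed
# imgverify. It sits before dhcp so nothing fetched from the network can run
# unverified. "imgtrust --permanent" would make this impossible to undo,
# even by a signed script, at the cost of the fallback at the bottom.
imgtrust

dhcp || goto dts_failed

# Fetch the script and its detached signature over HTTPS, then verify the
# signature. HTTPS protects the transport; the signature proves origin and
# integrity independently of whatever TLS trust the firmware carries.
imgfetch --name dts.ipxe https://boot.dasharo.com/dts/dts.ipxe || goto dts_failed
imgfetch --name dts.ipxe.sig https://boot.dasharo.com/dts/dts.ipxe.sig || goto dts_failed
imgverify dts.ipxe dts.ipxe.sig || goto dts_failed

# Reached only when the signature checked out against a trusted certificate;
# with imgtrust active, chain on an unverified image would fail anyway.
chain dts.ipxe || goto dts_failed

:dts_failed
echo DTS boot failed: download or signature verification error
imgfree
# Re-allow unverified images so the other menu entries keep working.
# Not possible after imgtrust --permanent, which is the trade-off discussed above.
imgtrust --allow
goto MENU
```

Two points a practitioner should check before relying on this: imgverify only succeeds if the signer certificate validates against a certificate iPXE already trusts (one compiled in at build time or reachable through its cross-signing mechanism), so the build configuration is part of the security boundary; and the detached signature must be in the DER-encoded CMS form iPXE expects, which the iPXE documentation produces with openssl cms -sign -binary -noattr ... -outform DER. Without both, every boot attempt will land on the failure path and the entry is effectively disabled rather than protected.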
The problem you're addressing (if any)
Downloading over plain HTTP is prone to relatively simple MitM attacks.
Describe the solution you'd like
Use either HTTPS or (better) detached signatures (https://www.ipxe.net/cmd/imgverify)
Where is the value to a user, and who might that user be?
Better boot security when booting Dasharo Tools Suite
Describe alternatives you've considered
Additional context