To enable support for the HTTPS protocol, you must enable the DOWNLOAD_PROTO_HTTPS build configuration option. PXE also supports code signing, which allows you to verify the authenticity and integrity of files downloaded crypto signature iPXE. The exact list of supported cipher suites is RSA_WITH_AES_256_CBC_SHA256, RSA_WITH_AES_128_CBC_SHA256, RSA_WITH_AES_256_CBC_SHA, and RSA_WITH_AES_128_CBC_SHA.
If you want more control over the chain of trust, then you can generate your own private root certificate ca. For example, to trust your private root certificate ca. This will create a custom version of the iPXE binary ipxe. You can specify multiple root certificates to trust. Certificates must be in PEM format. The full root certificates are generally too large to be embedded into the iPXE binary, and so only the SHA-256 fingerprints will be included by default.
You must also create a minimal CA configuration file ca. This will create a cross-signed certificate startcom-cross. This allows you to extend the trust from your private root certificate to include certificates signed by startcom. You can generate a new code-signing certificate codesign. You can now use this certificate to sign a binary that will then be trusted by iPXE.
This will create the signature file vmlinuz. This embedded script would refuse to boot unless the downloaded version of vmlinuz could be successfully verified using the signature file vmlinuz. The certificate and key must both be in PEM format. Note that the private key is stored unencrypted within the iPXE binary.
You should therefore treat the iPXE binary as being confidential information. References to “iPXE” may not be altered or removed. NET book to highlight many challenges, misperceptions, and false assumptions of producing secure, implementationally correct . However, while recognizing the pitfalls of .