
Secure Remote Installation with openSUSE


Gary Lin's talk in COSCUP 2019


  1. Gary Lin, Software Engineer, SUSE Labs, glin@suse.com. Secure Remote Installation with openSUSE
  2. Remote Installation
  3. Network Booting
  4. PXE?
  5. UEFI PXE [diagram labels: UEFI, DHCP]
  6. UEFI PXE – Get Network Settings [diagram labels: UEFI, DHCP]
  7. UEFI PXE – Download Bootloaders [diagram labels: UEFI, DHCP, shim, grub2, tftp, tftp]
  8. UEFI PXE – Download OS Images [diagram labels: UEFI, DHCP, shim, grub2, linux, initrd, tftp]
  9. UEFI PXE – Fetch/Install Packages [diagram labels: UEFI, DHCP, shim, grub2, linux, initrd, HTTP]
  10. What’s Wrong? [diagram labels: UEFI, DHCP, shim, grub2, linux, initrd, tftp, tftp, tftp, HTTP]
  11. What’s Wrong? [diagram labels: UEFI, DHCP, shim, grub2, linux, initrd, tftp, tftp, tftp, HTTP; annotations: Insecure, Unscalable, Insecure]
  12. How to fix it?
  13. TFTP/HTTP => HTTPS!!!
  14. UEFI HTTPS Boot [diagram labels: UEFI, DHCP, shim, grub2, linux, initrd, HTTPS, HTTPS, HTTPS, HTTPS]. Icon made by Smashicons from www.flaticon.com
  15. Photo by Kats Weil on Unsplash https://unsplash.com/photos/CLD1i8hp008
  16. But how?
  17. HTTPS Support ● ☐ UEFI ● ☐ shim ● ☐ grub2 ● ☐ Yast2 Installation
  18. HTTPS Support
      ● ☐ UEFI – UEFI 2.5+ defines UEFI HTTP/TLS protocols
  19. HTTPS Support ● ☑ UEFI ● ☐ shim ● ☐ grub2 ● ☐ Yast2 Installation
  20. HTTPS Support
      ● ☑ UEFI
      ● ☐ shim – Shim uses the UEFI network stack directly – Shim supports HTTPS since openSUSE Leap 15.0
  21. HTTPS Support ● ☑ UEFI ● ☑ shim ● ☐ grub2 ● ☐ Yast2 Installation
  22. HTTPS Support
      ● ☑ UEFI
      ● ☑ shim
      ● ☐ grub2 – Grub2 implements its own network stack including HTTP
  23. But...
  24. Grub2 doesn’t implement TLS
  25. HTTPS Support
      ● ☑ UEFI
      ● ☑ shim
      ● ☐ grub2 – Grub2 implements its own network stack – openSUSE grub2 uses UEFI HTTP/TLS protocols when fetching HTTPS files
  26. HTTPS Support ● ☑ UEFI ● ☑ shim ● ☑ grub2 ● ☐ Yast2 Installation
  27. HTTPS Support
      ● ☑ UEFI
      ● ☑ shim
      ● ☑ grub2
      ● ☐ Yast2 Installation – It’s already in the Linux environment!
  28. HTTPS Support ● ☑ UEFI ● ☑ shim ● ☑ grub2 ● ☑ Yast2 Installation
  29. HTTPS Boot for openSUSE [diagram labels: UEFI, shim, grub2, Yast2 Installation; UEFI Network Stack, Linux Network Stack, grub2 Network Stack]
  30. Are we there yet?
  31. Server Certificate
  32. Enrolling Certificates – UEFI
      ● Manually enrolling the certificate through the firmware menu
      ● Using BMC tools/interfaces, e.g. Redfish
  33. Enrolling Certificates – Yast2 Installation
      ● Using the well-known certificates in the default rootfs
      ● Appending a supplementary initrd containing the certificate
  34. HTTPS Servers [diagram labels: UEFI, shim, grub2, Yast2 Installation; shim.efi, grub.efi, Linux Kernel, initrd; Bootloader Server, Package Server, RPM Packages]
  35. Server Certificates [diagram labels: UEFI, shim, grub2, Yast2 Installation; UEFI Network Stack, Linux Network Stack, grub2 Network Stack; Bootloader Server Certificate, UEFI Variable, Package Server Certificate, initrd]
  36. Photo by Wil Stewart on Unsplash https://unsplash.com/photos/UErWoQEoMrc
  37. Photo by Evan Dennis on Unsplash https://unsplash.com/photos/i--IN3cvEjg
  38. Reference
      ● UEFI HTTPBoot Server Setup https://en.opensuse.org/UEFI_HTTPBoot_Server_Setup
      ● UEFI HTTPS Boot https://github.com/tianocore/tianocore.github.io/wiki/HTTPS-Boot
      ● UEFI HTTP/HTTPS Boot https://www.slideshare.net/LCChina/uefi-httphttps-boot
  39. Join Us at www.opensuse.org
  40. License
      This slide deck is licensed under the Creative Commons Attribution-ShareAlike 4.0 International license. It can be shared and adapted for any purpose (even commercially) as long as Attribution is given and any derivative work is distributed under the same license. Details can be found at https://creativecommons.org/licenses/by-sa/4.0/
      General Disclaimer
      This document is not to be construed as a promise by any participating organisation to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. openSUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for openSUSE products remains at the sole discretion of openSUSE. Further, openSUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All openSUSE marks referenced in this presentation are trademarks or registered trademarks of SUSE LLC, in the United States and other countries. All third-party trademarks are the property of their respective owners.
      Credits
      Template: Richard Brown rbrown@opensuse.org
      Design & Inspiration: openSUSE Design Team http://opensuse.github.io/branding-guidelines/
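Slide 33's second option, appending a supplementary initrd that carries the package server's certificate, as an added example that is not part of the talk or of any openSUSE tool: it builds an uncompressed newc cpio archive in Python with a constructed placeholder PEM under an assumed trust-anchor path, and parses the archive back to check the result.

```python
# Added example (not from the talk): build the supplementary initrd of slide 33,
# an uncompressed newc cpio archive carrying the package server's CA certificate
# for the installer's trust store. The in-initrd path is an assumption.
NEWC_MAGIC = b"070701"                                  # newc (SVR4) cpio magic
CERT_PATH = "etc/pki/trust/anchors/package-server.pem"  # assumed trust-anchor path

# Constructed placeholder; a real deployment embeds the actual CA certificate.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              b"MIIB...constructed placeholder, not a real certificate...\n"
              b"-----END CERTIFICATE-----\n")

def _pad4(buf):
    """newc aligns both header+name and file data to 4-byte boundaries."""
    return buf + b"\0" * (-len(buf) % 4)

def _entry(name, data, mode, ino):
    """One newc record: magic, 13 eight-digit hex fields, NUL-terminated name, data."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize (incl. NUL), check
    fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0)
    header = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
    return _pad4(header + name_b) + _pad4(data)

def build_supplementary_initrd(pem, cert_path=CERT_PATH):
    """Return a cpio archive holding cert_path plus its parent directories; the
    kernel unpacks concatenated cpio archives, so append this to the installer initrd."""
    out, ino = b"", 1
    parts = cert_path.split("/")
    for depth in range(1, len(parts)):                   # etc, etc/pki, ...
        out += _entry("/".join(parts[:depth]), b"", 0o040755, ino)
        ino += 1
    out += _entry(cert_path, pem, 0o100644, ino)         # regular file, mode 0644
    return out + _entry("TRAILER!!!", b"", 0, 0)         # end-of-archive marker

def list_entries(archive):
    """Parse a newc archive back into {name: data}, to verify what was built."""
    pos, entries = 0, {}
    while True:
        if archive[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("not a newc cpio archive at offset %d" % pos)
        f = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = archive[pos + 110:pos + 110 + namesize - 1].decode()
        data_start = pos + ((110 + namesize + 3) & ~3)  # header+name padded
        pos = (data_start + filesize + 3) & ~3           # data padded
        if name == "TRAILER!!!":
            return entries
        entries[name] = archive[data_start:data_start + filesize]
```

Writing the returned bytes to a file and listing it with `cpio -t` on any Linux host is a quick cross-check that the archive is well formed.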
