[Info-vax] grey screen of death

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Sun May 24 15:34:32 EDT 2015


On 2015-05-24 18:36:25 +0000, John Reagan said:

> On Sunday, May 24, 2015 at 11:19:43 AM UTC-4, Stephen Hoffman wrote:
> 
>> Whether VSI and Nemonix decide to implement Internet-remote InfoServer 
>> boot via EFI as an option on their x86-64 servers?  Probably not.
>> (Nice value-add if they did, though.)
> 
> One, you'd certainly want something like Secure Boot to protect against 
> some man-in-the-middle attack to slip something into the boot path.

Y'all are in a position to decide whether you want to get your 
bootstraps signed by the folks at Microsoft or to get your own hardware 
keys loaded into the target servers, for use with systems where Secure 
Boot is enabled.   Once the bootstrap is signed, it and the pieces 
downstream may or may not be coded to check subsequent signatures.

IIRC, some of the signed Linux bootstraps do not check subsequent signatures.

Related: Old shim boot discussion: 
<http://mjg59.dreamwidth.org/20303.html>  Old Secure Boot write-up: 
<https://www.linuxfoundation.org/sites/main/files/lf_uefi_secure_boot_open_platforms.pdf>.


The remote connection would certainly best involve using certificate 
authentication of the binaries acquired, and what certificate-related 
support is presently implemented within OpenVMS is rather old and not 
particularly widely integrated — but there are checks in OpenVMS that 
do attempt to check for signed binaries as part of PCSI, and have been 
for a while.

> Two, the protocol used by InfoServer today isn't IP routable.  I 
> suspect PXE or iPXE support would have to be added.

Interesting.  I'd thought at least some parts of PXE were already 
implemented and working?   That was part of supporting Itanium 
bootstraps with InfoServer?   Now the DHCP request or some other 
request would obviously have to be routed remotely, and not simply 
broadcast to the local segment.   Now whether that request first goes 
to some VSI "InfoServer", or first tries some central "InfoServer" at 
the customer site?

It is clearly possible to implement Internet boot, as working examples 
do exist.

> Seems like a perfect DOS attack just waiting to happen.

Denial of Service?   That's possible, certainly.  Interceptions and 
attempted spoofing, maybe.   Checking binaries for signatures is a 
problem that's been solved before, and even OpenVMS has some support 
for that with CDSA and PCSI and VMSINSTAL.   Given the MOP path and NI 
SCS are wide open and unencrypted on the local networks and given some 
of the HP OpenVMS documentation in this area is now referencing 
encrypting links as typical — I'd also wonder whether the current IP 
SCS support is vulnerable to ARP-level routing attacks, given there do 
not appear to be any certificate keys registered, but I digress — 
there's certainly room to upgrade the connection-related security of 
OpenVMS here, too.   IPSec is what would be used on various platforms 
to protect the transports.



-- 
Pure Personal Opinion | HoffmanLabs LLC



