[Info-vax] grey screen of death
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Sun May 24 15:34:32 EDT 2015
On 2015-05-24 18:36:25 +0000, John Reagan said:
> On Sunday, May 24, 2015 at 11:19:43 AM UTC-4, Stephen Hoffman wrote:
>
>> Whether VSI and Nemonix decide to implement Internet-remote InfoServer
>> boot via EFI as an option on their x86-64 servers? Probably not.
>> (Nice value-add if they did, though.)
>
> One, you'd certainly want something like Secure Boot to protect against
> some man-in-the-middle attack to slip something into the boot path.

Y'all are in a position to decide whether you want to get your
bootstraps signed by the folks at Microsoft or to get your own hardware
keys loaded into the target servers, for use with systems where Secure
Boot is enabled. Once the bootstrap is signed, it and the pieces
downstream may or may not be coded to check subsequent signatures.
IIRC, some of the signed Linux bootstraps do not check subsequent signatures.
(Related: Old shim boot discussion:
<http://mjg59.dreamwidth.org/20303.html> Old Secure Boot write-up:
<https://www.linuxfoundation.org/sites/main/files/lf_uefi_secure_boot_open_platforms.pdf>.)

The remote connection would certainly best involve using certificate
authentication of the binaries acquired, and what certificate-related
support is presently implemented within OpenVMS is rather old and not
particularly widely integrated — but there are checks in OpenVMS that
do attempt to check for signed binaries as part of PCSI, and have been
for a while.

> Two, the protocol used by InfoServer today isn't IP routable. I
> suspect PXE or iPXE support would have to be added.

Interesting. I'd thought at least some parts of PXE were already
implemented and working? That was part of supporting Itanium
bootstraps with InfoServer? Now the DHCP request or some other
request would obviously have to be routed remotely, and not simply
broadcast to the local segment. Now whether that request first goes
to some VSI "InfoServer", or first tries some central "InfoServer" at
the customer site?
It is clearly possible to implement Internet boot, as working examples
do exist.

> Seems like a perfect DOS attack just waiting to happen.

Denial of Service? That's possible, certainly. Interceptions and
attempted spoofing, maybe. Checking binaries for signatures is a
problem that's been solved before, and even OpenVMS has some support
for that with CDSA and PCSI and VMSINSTAL. Given the MOP path and NI
SCS are wide open and unencrypted on the local networks and given some
of the HP OpenVMS documentation in this area is now referencing
encrypting links as typical — I'd also wonder whether the current IP
SCS support is vulnerable to ARP-level routing attacks, given there do
not appear to be any certificate keys registered, but I digress —
there's certainly room to upgrade the connection-related security of
OpenVMS here, too. IPSec is what would be used on various platforms
to protect the transports.

--
Pure Personal Opinion | HoffmanLabs LLC