This is a really cool project!
However, it became unusable when more networks started being enabled with dual-stack (IPv4 and IPv6) out of the box. I ran into this long-standing issue: https://github.com/netbootxyz/netboot.xyz/issues/283 due to IPv6. I hope it gets fixed at some point.
https://github.com/ventoy/Ventoy ended up being what I use today
Ventoy seems to create bootable USB media and not a netboot solution. Or am I missing something?
Correct, there's no netbooting, only "sneakernet". But it fits the need of being able to dump numerous ISOs and images and load them from a menu.
I have an iPXE script burned onto most of the Intel NICs in my house that boots directly to netboot.xyz, and have for the last two or three years. I use it off and on when I'm too lazy to find my Ventoy-based thumb drive. It's great in a pinch. This is the very basic script I have running on my cards.
This script loads code over plaintext HTTP and then uses that untrusted code to boot. That seems… very sketchy.
Why not at least use HTTPS? (Is this an iPXE limitation?)
Which CAs would you trust in that case? A local, or ALL of the public CAs?
Look, PKI/the CA cabal clearly isn't perfect. In fact, it's extremely flawed, especially if you aren't enforcing Certificate Transparency, which presumably iPXE isn't. But I think it's really silly to imply that HTTPS doesn't raise the bar for the attacker. At minimum they now have to actually compromise a CA instead of being able to just set up an ordinary HTTP proxy and serve malicious images.
PKI is scary enough that nobody dares to even touch it, but there is one person at each department/company/whatever who Is The PKI Guy, who everybody expects to know everything and fix everything remotely related to PKI. (At least from my experience.)
I think many, many other security measures will fail before lack of TLS will be an issue. But it is still very cool that it's even possible!
Yes, HTTPS is supported
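For reference, here is what an HTTPS-only version of the kind of embedded script discussed above can look like. This is an added example, not the commenter's script and not netboot.xyz's own code. It assumes the iPXE binary was built with `DOWNLOAD_PROTO_HTTPS` enabled in `config/general.h`, that `https://boot.netboot.xyz` is the endpoint being chainloaded, and that the build used `TRUST=your-ca.crt` (for example `make bin/undionly.kpxe EMBED=boot.ipxe TRUST=your-ca.crt`) so that only the root(s) you name are trusted. Without `TRUST=`, a stock iPXE build trusts only the iPXE project's own root CA and relies on cross-signed certificates fetched from ca.ipxe.org, which is the practical answer to "which CAs would you trust": you choose them at build time, and the choice is baked into the ROM.

```ipxe
#!ipxe
# Added example embedded script (not the commenter's own): boot netboot.xyz
# over HTTPS only, dropping to a local iPXE shell instead of ever falling back
# to a plaintext HTTP download.
#
# Assumptions (see lead-in): DOWNLOAD_PROTO_HTTPS enabled at build time, and
# TRUST=your-ca.crt so only that root is accepted for the TLS handshake.

# Bring up the first NIC, retrying a few times before giving up.
set attempts:int32 0
:retry_dhcp
dhcp && goto net_ok ||
inc attempts
iseq ${attempts} 3 && goto dhcp_failed ||
echo DHCP failed, retrying (${attempts}/3)...
sleep 2
goto retry_dhcp

:net_ok
echo Booting from ${net0/mac} with address ${net0/ip}
# Chainload over TLS. A server certificate that does not chain to the root
# embedded at build time makes this command fail; nothing is executed.
chain --autofree https://boot.netboot.xyz || goto chain_failed
# Only reached if the chainloaded script itself returns.
exit

:chain_failed
echo HTTPS chainload failed (error ${errno}); not falling back to HTTP.
shell

:dhcp_failed
echo No DHCP lease after 3 attempts.
shell
```

The `|| goto chain_failed` is the important line: the default iPXE behaviour on a failed command is to abort the script, and the explicit branch makes sure the failure path is a shell for the operator rather than any retry over HTTP. Swapping the URL to `http://` would silently reintroduce the "untrusted code over plaintext" problem raised above, so keep the scheme in the embedded script and not in a DHCP-supplied option an on-path attacker could rewrite.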
I'm surprised how the quick-start and getting-started sections don't really cover what shell or config file is currently being discussed. I am vaguely interested in setting up an iPXE environment, but I have no clue where to start.