iPXE & HTTP(s) Secure Booting
Introduction
I thought I’d write my first blog post on how PXE and HTTP(s) Booting work, since research online has been a bit hit-and-miss. Let’s get started!
What is PXE?
PXE stands for Preboot Execution Environment; it allows you to boot a computer over the network.
How does PXE work?
- Computer boots up and sends a DHCP request (With the Vendor Class Identifier set to PXEClient)
- DHCP server responds with an IP address and a TFTP server address (Option 66) and a boot file (Option 67)
- Computer downloads the boot file from the TFTP server and boots up
What is UEFI HTTP(s) Booting?
Similar to PXE booting, but instead of downloading the boot file from a TFTP server, it downloads the boot file from an HTTP(s) server.
How does UEFI HTTP(s) Booting work?
- Computer boots up and sends a DHCP request (With the Vendor Class Identifier set to HTTPClient)
- DHCP server responds with an IP address and an HTTP(s) boot file address (Option 67)
- Computer downloads the boot file from the HTTP(s) server and boots up
Note: Dell’s implementation of HTTP(s) booting requires Option 60 to return HTTPClient
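To make the two flows above concrete, here is an added example (not from the original post) of the decision a DHCP server makes: parse the client’s options, look at the Vendor Class Identifier (Option 60), and hand back Option 66/67 for a PXEClient or an HTTP URL in Option 67 (with Option 60 echoed as HTTPClient) for an HTTPClient. The server address, file names and the sample Vendor Class strings are constructed for the example.

```python
# Added example: choose network-boot DHCP options from the client's
# Vendor Class Identifier (Option 60). Addresses and names are constructed.
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the option field


def parse_options(field: bytes) -> dict:
    """Parse the DHCP option field (TLVs, magic cookie optional) into {code: value}."""
    opts = field[len(MAGIC):] if field.startswith(MAGIC) else field
    out, i = {}, 0
    while i < len(opts):
        code = opts[i]
        if code == 255:  # End option
            break
        if code == 0:  # Pad option has no length byte
            i += 1
            continue
        length = opts[i + 1]
        out[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out


def encode_options(opts: dict) -> bytes:
    """Serialise {code: value} back into a DHCP option field with cookie and End."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in opts.items())
    return MAGIC + body + b"\xff"


def boot_options(client_opts: dict, tftp_server: str, http_url: str) -> dict:
    """Return the options to add to the reply for a network-boot client.

    Ordinary clients (no PXEClient/HTTPClient class) get an empty dict, so the
    server never advertises a boot file to hosts that did not ask for one.
    """
    vci = client_opts.get(60, b"").decode("ascii", "replace")
    if vci.startswith("PXEClient"):
        # Classic PXE: Option 66 names the TFTP server, Option 67 the boot file.
        return {66: tftp_server.encode(), 67: b"ipxe.efi"}
    if vci.startswith("HTTPClient"):
        # UEFI HTTP boot: Option 67 carries the full URL, and Option 60 is
        # echoed back as "HTTPClient" (the firmware requirement noted above).
        return {60: b"HTTPClient", 67: http_url.encode()}
    return {}


def build_reply_options(request_field: bytes, tftp_server: str, http_url: str) -> bytes:
    """Parse a request's option field and serialise the boot options for the reply."""
    return encode_options(boot_options(parse_options(request_field), tftp_server, http_url))
```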
What is iPXE?
iPXE is an open-source PXE implementation with a boot menu; it allows you to boot from a variety of sources such as HTTP, HTTPS, iSCSI, etc. As TFTP is slow, especially over Layer 3 with an MTU of 1500 bytes, iPXE allows you to boot from HTTP(s), which is much faster.
iPXE UEFI Secure Boot
iPXE can be signed with a certificate that the firmware trusts to allow UEFI Secure Boot; this lets you boot iPXE with Secure Boot enabled. Signed builds are available commercially, for example:
Broadcom’s ipxe.efi file, which is signed with a Microsoft certificate: https://knowledge.broadcom.com/external/article/280113/updated-64bit-ipxeefi-ipxe-v1211-binarie.html
This file can be used to boot iPXE with Secure Boot enabled, but it expects an iPXE menu file at:
http://[Boot-Server-IP]:4433/Altiris/iPXE/GetPxeScript.aspx
What is Wimboot?
Wimboot is a bootloader for Windows Imaging Format (WIM) files; it allows you to boot Windows PE over the network using HTTP(s) instead of TFTP, and it is signed by Microsoft.
Conclusion
PXE and HTTP(s) Booting are a great way to boot computers over the network, especially for imaging or in a home lab environment, using prebuilt iPXE solutions such as Netboot.xyz, where you can boot a variety of Linux distros or Windows PE over the network.
And Secure Boot isn’t as impossible as it seems: with a signed copy of iPXE you can boot Wimboot or other signed EFI files without adjusting firmware settings to disable Secure Boot.
I’ll be writing a follow-up post on DHCP Configuration for PXE on both Windows Server DHCP & DNSMasq so stay tuned!
Contact me on Twitter or email in the footer of the left sidebar if you have any questions or feedback.