commit | 09b4f4a24f02fc85827a49ecfbc8e4403c0e4a89 |
---|---|
author | Zack Williams <zdw@opennetworking.org> | Wed May 18 11:11:21 2022 -0700 |
committer | Zack Williams <zack.williams@intel.com> | Wed May 18 11:53:59 2022 -0700 |
tree | aa0b9ab44af887e8fef21b44bf11e91e6368085e |
parent | 4a695fedf08194bc29b00a402667ce24cf123a8a |
Add SNP targets for EFI network boot

Change to github git repo, as git.ipxe.org is no more

Configurable TMP_DIR for copying output, to avoid permission issues

Change-Id: Icf5eecbc81822c359c3c31562ab8e4b821c5d467
This repo builds an iPXE payload that can be used for USB or network booting of systems.

Docker is used to build iPXE, wrapping all build dependencies in the Dockerfile. An embedded script (chain.ipxe) is added which chainloads another iPXE script from a remote HTTP(S) server and continues the boot process from there.

The chainloaded iPXE script, which holds the boot menu, the OS files and the Debian preseed config, lives in the pxeboot ansible role.
Run `make image`; the artifacts will be created in `out`. By default it will build:

- undionly.kpxe - can be served via DHCP/TFTP and chainloads using the NIC's built-in PXE UNDI network driver implementation
- ipxe.usb - write to a USB stick with `dd if=out/ipxe.usb of=/dev/<rawdevice>`. There are also 32 and 64 bit EFI versions of this payload.
- ipxe.pdsk - padded to floppy size, useful for some LOM implementations
- ipxe.iso - ISO image for writing to optical discs, and for some other tools
- EFI32/EFI64 USB and snponly images

See also build targets.
Chainloading can be accomplished by modifying the chain.ipxe file with the URL of the target webserver, then embedding that script when building the images:

```
make COPY_FILES="chain.ipxe" OPTIONS="EMBED=chain.ipxe" image
```
Mutual TLS can be used to secure the connection between the iPXE payload and the server that hosts the chainloaded script and OS images.

Using mTLS requires cryptography support to be added to the generated binaries. A patch is included that enables HTTPS support.

To use this support, the CA certificate and the client certificate and private key must be copied and built into the iPXE artifacts. Because the client private key is embedded, the resulting artifacts must be handled as secrets: anyone who obtains a copy of the image can extract the key and authenticate to the boot server as that client. Note also that TRUST= replaces iPXE's default trusted roots, so the boot server's certificate must chain to the CA you pass in.

Steps:

1. Modify the chain.ipxe file to use the mTLS HTTPS URL.
2. Put the CA certificate (onfca.pem), the client certificate (client.pem) and the client private key (client.key) in the same directory.
3. Build the artifacts incorporating all these files using the Makefile options:

```
make COPY_FILES="chain.ipxe onfca.pem client.pem client.key" \
     OPTIONS="EMBED=chain.ipxe CERT=onfca.pem,client.pem TRUST=onfca.pem PRIVKEY=client.key" \
     image
```
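The following is an added example and not code from the pxeboot repo: a POSIX shell script that prepares the inputs for both procedures above, the embedded chain.ipxe for the chainloading build and the CA/client files for the mTLS build, then checks that the client certificate actually chains to the CA that will be baked in with TRUST= before printing the make invocation. The boot URL https://boot.example.com/boot.ipxe, the certificate subjects, the MTLS_WORKDIR variable and the function names are assumptions; it needs openssl on the PATH and does not run make itself, since the build requires Docker.

```shell
#!/bin/sh
# Added example, not part of the pxeboot repo. Prepares the files for the
# mTLS iPXE build described in the README and checks them before they are
# baked into an image. Assumes openssl is installed; the boot URL, subject
# names and MTLS_WORKDIR are placeholders.
set -eu

# Write the script that gets embedded with EMBED=chain.ipxe. The URL is a
# placeholder for the real boot server; on failure drop to the iPXE shell.
write_chain_script() {
    dir="$1"
    cat > "$dir/chain.ipxe" <<'EOF'
#!ipxe
dhcp
chain https://boot.example.com/boot.ipxe || shell
EOF
}

# Create a private CA (onfca.pem) and a client certificate (client.pem)
# with its key (client.key): the three files the Makefile options
# CERT=, TRUST= and PRIVKEY= expect. The CA key itself stays out of the image.
gen_mtls_files() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=example boot CA" \
        -keyout "$dir/onfca.key" -out "$dir/onfca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ipxe-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/onfca.pem" -CAkey "$dir/onfca.key" -CAcreateserial \
        -out "$dir/client.pem" 2>/dev/null
    rm -f "$dir/client.csr"
    # The client key is about to be embedded in a bootable image; keep the
    # on-disk copies readable by the build user only.
    chmod 600 "$dir/client.key" "$dir/onfca.key"
}

# Check that client.pem chains to onfca.pem. With TRUST=onfca.pem the image
# trusts only this CA, and a client cert issued elsewhere would be rejected
# by a boot server that trusts the same CA.
verify_client_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/onfca.pem" "$dir/client.pem" >/dev/null 2>&1
}

# Print the build command from the README; run it from the repo root once
# the files above sit next to the Makefile. Needs Docker, so not run here.
build_command() {
    printf '%s\n' \
        'make COPY_FILES="chain.ipxe onfca.pem client.pem client.key" \' \
        '     OPTIONS="EMBED=chain.ipxe CERT=onfca.pem,client.pem TRUST=onfca.pem PRIVKEY=client.key" \' \
        '     image'
}

# Usage: MTLS_WORKDIR=/path/to/pxeboot sh prepare_mtls.sh
if [ -n "${MTLS_WORKDIR:-}" ]; then
    write_chain_script "$MTLS_WORKDIR"
    gen_mtls_files "$MTLS_WORKDIR"
    if verify_client_cert "$MTLS_WORKDIR"; then
        echo "client.pem chains to onfca.pem"
    else
        echo "client.pem does not chain to onfca.pem; refusing to continue" >&2
        exit 1
    fi
    build_command
fi
```

Run it with MTLS_WORKDIR pointing at the checkout so the generated files land beside the Makefile, then execute the printed make line. The CA key (onfca.key) is deliberately not among the COPY_FILES: only the CA certificate is needed for TRUST=, and the signing key should never travel with the image.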