Clean up README, move licensing to dep5 file

Change-Id: Ibb71bd6d86604a7bf300832f30e75935d95ffa9e
3 files changed
tree: ad6fc24d1f11a1c909693f775d831b5fb5e92c6b
  1. .gitignore
  2. .reuse/
  3. Dockerfile
  4. LICENSES/
  5. Makefile
  6. README.md
  7. VERSION
  8. chain.ipxe
  9. patches/
README.md

iPXE Build

This repo builds an iPXE payload that can be used for USB or network booting of systems.

Docker is used to build iPXE, wrapping all build dependencies in the Dockerfile. An embedded script (chain.ipxe) is added, which chainloads another iPXE script from a remote HTTP(S) server and continues the boot process.

The chainloaded iPXE script, which has the menu, OS files, and Debian preseed config, is in the pxeboot Ansible role.

Requirements

  • git
  • make
  • Docker

Usage

Run make image; artifacts will be created in out. By default it will build:

  • undionly.kpxe - Can be served by a DHCP server and chainloads with the NIC's built-in PXE UNDI network driver implementation

  • ipxe.usb - write to a USB stick with dd if=bin/ipxe.usb of=/dev/<rawdevice>. There are also 32 and 64 bit EFI versions of this payload.

  • ipxe.pdisk - padded to floppy size, useful for some LOM implementations

  • ipxe.iso - ISO image for writing to optical discs, and some other tools.

See also build targets.

Mutual TLS

Mutual TLS can be used to secure the connection between the iPXE payload and images.

Using mTLS requires cryptography support to be added to the generated binaries. A patch is included that enables HTTPS support.

To use this support, the CA public key and the public/private client certificates must be copied and built into the iPXE artifacts. As the private client certs are embedded, care must be taken with the resulting artifacts, as they contain those client certs: anyone who can read an artifact can recover the client private key.

Steps:

  1. Modify the chain.ipxe file to use the mTLS HTTPS URL

  2. Put the CA public key (ca.pem), client public key (client.pem) and private key (client.key) in the same directory

  3. Build the artifacts incorporating all these files using Makefile options (the example command names the CA file onfca.pem):

    make COPY_FILES="chain.ipxe onfca.pem client.pem client.key" \
      OPTIONS="EMBED=chain.ipxe CERT=onfca.pem,client.pem TRUST=onfca.pem PRIVKEY=client.key" \
      image
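
A pre-flight check for the mTLS steps above, as an added example that is not part of this repo. The function name preflight, the sample URL, and the rule that every file named in OPTIONS must also appear in COPY_FILES are assumptions; the key and option names come from the command above.

```sh
#!/bin/sh
# Added example (not part of this repo): pre-flight check for the mTLS build.
# preflight DIR COPY_FILES OPTIONS -> prints each problem, returns 1 if any.
# Assumption: every file named in OPTIONS must also be listed in COPY_FILES.
preflight() {
    dir=$1; copy_files=$2; options=$3; rc=0
    for opt in $options; do
        key=${opt%%=*}; val=${opt#*=}
        case $key in
            EMBED|CERT|TRUST|PRIVKEY) ;;
            *) continue ;;
        esac
        # CERT and TRUST may carry comma-separated lists of files.
        for f in $(printf '%s' "$val" | tr ',' ' '); do
            case " $copy_files " in
                *" $f "*) ;;
                *) echo "$key file '$f' is not listed in COPY_FILES"; rc=1 ;;
            esac
            if [ ! -f "$dir/$f" ]; then
                echo "$key file '$f' not found in $dir"; rc=1
                continue
            fi
            if [ "$key" = PRIVKEY ]; then
                # Characters 5-10 of the ls mode string are the group/other bits.
                perms=$(ls -ld "$dir/$f" | cut -c5-10)
                if [ "$perms" != "------" ]; then
                    echo "PRIVKEY file '$f' is accessible to group/other ($perms)"; rc=1
                fi
            fi
            if [ "$key" = EMBED ] && grep -q 'http://' "$dir/$f"; then
                echo "EMBED script '$f' still contains a plain http:// URL"; rc=1
            fi
        done
    done
    return $rc
}

# Demo on constructed placeholder files (empty, not real key material).
demo=$(mktemp -d)
printf '#!ipxe\nchain http://boot.example.invalid/menu.ipxe\n' > "$demo/chain.ipxe"
: > "$demo/onfca.pem"; : > "$demo/client.pem"; : > "$demo/client.key"
chmod 644 "$demo/client.key"
preflight "$demo" "chain.ipxe onfca.pem client.pem" \
    "EMBED=chain.ipxe CERT=onfca.pem,client.pem TRUST=onfca.pem PRIVKEY=client.key" \
    || echo "fix the problems above before running make image"
rm -rf "$demo"
```

The check only covers the inputs to the build; the files produced in out still embed the client private key and need the same access restrictions as client.key itself.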