Chained iPXE and ISO via http
2014-07-18, 13:59
Post: #1
Chained iPXE and ISO via http
Hi All,

Just started using/experimenting with iPXE. I have it up and running thanks to the great documentation.

Here is what I used to do. I used to boot via my NIC's (Intel E1000) PXE ROM my ISO containing my custom operating system (a hobby of mine).

My ISO contains an MBR, bootloader and kernel. All in one. So far, I used MEMDISK PXELinux to transfer my ISO into memory and kick it off.

Now, I'd like to do the same via iPXE and HTTP. I followed which is an absolutely great breakdown of all the configurations you can use with iPXE.

I customized my entry in /var/www/menu.ipxe to contain:

item --key c custom Boot from HTTP

echo Booting Bear from HTTPS for ${initiator-iqn}
sanboot --no-describe || goto failed
goto start

With wireshark, I have observed the network traffic and it seems that the binary is being requested ("GET custom_hdd") and transferred successfully. However, it does not seem to be kicked off as none of my MBR, Bootloader stuff seems to be executed.

Additionally, I tried:
item --key p pxelinux Boot PXELINUX

set 210:string tftp://${next-server}/
chain ${210:string}pxelinux.0 || goto failed
goto start

Which seems to work just fine. I guess I am not understanding as to why the binary/image would not have been kicked off? Could somebody clarify this?

I am trying to get away from MEMDISK as I am particularly interested in iPXE's code signing ability.

Thanks for any help!
2014-07-21, 10:17
Post: #2
RE: Chained iPXE and ISO via http
Most likely you're dealing with a web server that isn't configured to allow Range-Requests, which is required for sanboot from HTTP to work. Both apache and nginx allow this in the default configuration, but you haven't shared which web server you're using. You can verify that your web-server is actually allowing range-requests using wget or curl. If you specify a range of say 1024 bytes and it actually downloads the entire file, then your web server is not supporting that request properly. If so, figure out how to configure it for it or switch to another web server software.

Also, be aware that sanboot only loads tiny chunks of the file into memory as it is requested, unlike memdisk that reads it all in before the MBR is executed. It shouldn't really make a difference in the end. The only thing that is different is that memdisk mounts your image read-write, while sanboot mounts it read-only. I've noticed this difference using floppy images, but for ISO images it shouldn't really make any difference.

Also, sidenote - any reason why you aren't just loading the kernel directly from iPXE instead of wrapping it in an ISO with an MBR and a bootloader?

Also, if this is a custom Linux "distro", I'm very curious as to how you build it, as I've been thinking about doing this myself for a custom utility I'd like to boot up into a bunch of machines, but I haven't really found a build-tool I like yet. What are you using?

The absolutely last thing I want to mention is that you can use memdisk from iPXE as well. Load memdisk as a kernel and specify the ISO you want to load as the initrd. I believe there is already an example of that in my example script (which you mentioned you have looked at).
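The range-request check described in post #2, as an added example that is not part of the thread: `check_range` asks for the first 1024 bytes with curl and reports whether the server returned a partial response or the whole file. The function names are made up for this example, and the sample inputs at the end are constructed.

```shell
#!/bin/sh
# Added example: did the web server honour a 1024-byte Range request?

# classify_range STATUS CONTENT_RANGE BYTES_RECEIVED
# Prints "ok" for a genuine partial response, otherwise the reason it is not.
classify_range() {
    status=$1 content_range=$2 received=$3
    if [ "$status" = "200" ]; then
        echo "ignored: server sent the whole file ($received bytes)"
    elif [ "$status" != "206" ]; then
        echo "error: unexpected HTTP status $status"
    elif [ -z "$content_range" ]; then
        echo "suspect: 206 without a Content-Range header"
    elif [ "$received" -gt 1024 ]; then
        echo "suspect: asked for 1024 bytes, got $received"
    else
        echo "ok"
    fi
}

# check_range URL: request bytes 0-1023 and classify the reply.
# Example: check_range http://my.server.tld/custom_os.iso
check_range() {
    hdrs=$(mktemp) || return 1
    out=$(curl -s -r 0-1023 -D "$hdrs" -o /dev/null \
          -w '%{http_code} %{size_download}' "$1")
    # Keep the last Content-Range seen, in case redirects add header sets.
    cr=$(tr -d '\r' < "$hdrs" |
         awk 'tolower($1)=="content-range:" {v=$2" "$3} END {print v}')
    rm -f "$hdrs"
    classify_range "${out% *}" "$cr" "${out#* }"
}

# Constructed sample replies (not captured from a real server):
classify_range 206 "bytes 0-1023/20971520" 1024   # range honoured
classify_range 200 "" 20971520                    # range ignored
```
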
2014-07-21, 17:48
Post: #3
RE: Chained iPXE and ISO via http
I should have specified. I am using apache2. That being said, apache2 handles range requests out of the box for static content. So that should not be the problem, right?

You mentioned that the image will be read only. That might make a difference. It should be marked also with an x for execute, right? I mean, my bootloader is in memory and I need to actually execute it, not just reading it.

Now, the one part I am not 100% sure of is the ISO part. I am using Linux's loopdevice/fdisk to write my own imagefile containing my kernel.

I can use the file command to see details about my image:
>file hdd_image
>hdd_image: x86 boot sector; partition 1: ID=0xa5, active, starthead 32, startsector 2048, 38912 sectors, code offset 0x31

I am fairly certain that this satisfies ISO requirements.

Now, on to your question why am I not loading my kernel directly. As far as I know at the end of the iPXE routine, the processor is still in 16 bit real mode. My kernel is solely 64 bit. I don't think iPXE jumps to long mode for me, hence I need the bootloader that does the jumping for me.

I have been using memdisk with iPXE but what I really want is the code signing ability from iPXE. As far as I understand, I CANNOT verify either the memdisk image or the ISO image that way since I have to use TFTP instead of HTTP! Am I right here?

And lastly, about my toolchain. I have a custom OS, from scratch. No Linux distro or code at all. I am using GCC, LD, loopdevices and fdisk. Nothing fancy or blackmagic. Maybe I can help you with your problem, just need to know some more info.

2014-07-21, 21:11
Post: #4
RE: Chained iPXE and ISO via http
Trusting code should have nothing to do with whether you're using TFTP or HTTP. You can use memdisk with your content located on an HTTP server. Doing something like this:

kernel http://my.server.tld/memdisk iso raw
initrd http://my.server.tld/custom_os.iso

I'm not sure if you need to use the iso and raw options to memdisk for your ISO. You seem more knowledgeable about it, so check the memdisk docs for the specific details regarding those two options.

I'm not a core developer, so I'm uncertain what ipxe does and does not do before starting the actual kernel. If you use the bzImage format, then I'd recommend looking over the code for that executable format and see what it does.

My problem is not really related then. I'm just trying to decide how to build my custom linux distro that runs purely from initrd/ramdisk for a special utility I want to run in a dedicated environment (with all storage on the network). I've read about two tools, one is using make, which means you'll need to customize makefiles to improve it, and the other one is a bunch of shell scripts. Can't recall the names of either of them, to be honest.
2014-07-21, 21:43
Post: #5
RE: Chained iPXE and ISO via http
So I can still use MEMDISK (which I have up and running already) and still trust/sign code? That's great. Is the procedure the same as in the Documentation Guide?
2014-07-22, 11:52
Post: #6
RE: Chained iPXE and ISO via http
I believe so. If you aren't able to get it working, try to show us the iPXE script you're trying to get working, and we might be able to tell you where you're doing it wrong.
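Added example, not part of the thread or of the iPXE documentation: signing memdisk and the ISO with `openssl cms`, and the iPXE script that verifies both over HTTP before booting, built on the memdisk lines from post #4. It assumes an iPXE build with the image-trust commands enabled and the issuing CA embedded at build time (`TRUST=ca.crt`); the certificate and key file names, the `.sig` naming and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumed files: codesign.crt / codesign.key (code-signing
# certificate and key) and ca.crt (its issuer). None come from the thread.

# sign_image FILE: write a detached DER signature to FILE.sig.
# Example: sign_image memdisk; sign_image custom_os.iso
sign_image() {
    openssl cms -sign -binary -noattr -in "$1" \
        -signer codesign.crt -inkey codesign.key -certfile ca.crt \
        -outform DER -out "$1.sig"
}

# emit_boot_script BASE_URL: print an iPXE script that boots the ISO through
# memdisk only if both downloads match their signatures.
emit_boot_script() {
    cat <<EOF
#!ipxe
imgtrust --permanent
kernel $1/memdisk iso raw || goto failed
imgverify memdisk $1/memdisk.sig || goto failed
initrd $1/custom_os.iso || goto failed
imgverify custom_os.iso $1/custom_os.iso.sig || goto failed
boot || goto failed

:failed
echo Download or signature check failed, not booting
exit
EOF
}

# imgtrust governs which images iPXE will execute. The ISO is handed to
# memdisk as an initrd, so its imgverify result is checked explicitly.
emit_boot_script http://my.server.tld
```
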