Changes in Tianocore’s UEFI HTTP[S] Boot

January 12, 2017 ~ hucktech ~ Leave a comment

After UEFI HTTP Boot was added to spec, HTTP support was added to the public Tianocore EDK2 tree. But initially there was no HTTPS support. Fast forward through a bunch of other branches and work, and now it looks like there’s nearly ready to have HTTPS in the EDK2 tree, given below patch. If you are using UEFI HTTP Boot withOUT httpS support, ask your vendor for an update!

Subject: [edk2] [Patch 0/2] Enable the HTTP switch
If the value of PcdHttpEnable is TRUE, HTTP is enabled. Both the “http://” and “https://” schemes are acceptable. Otherwise, HTTP is disabled. The “http://” scheme will be denied.

More info:
https://lists.01.org/mailman/listinfo/edk2-devel

More Info on UEFI 2.5 HTTP Boot Implementations

June 10, 2015June 11, 2015 ~ hucktech ~ 1 Comment

Earlier, I made this blog post on UEFI 2.5’s new HTTP Boot feature. At that time, I was unaware of some details, like if this feature will be implemented in TianoCore, or only in commercial products. HP gave a talk at the Spring UEFI Forum on UEFI 2.5 HTTP Boot (to replace PXE) and DMTF Redfish (to replace IPMI), so I presume some new HP products will have these new features soon, if not already. On the EFI development list, I asked a question about Tianocore and vendor support of UEFI HTTP boot, as well as DMTF Redfish, and got 2 replies, one from Intel and one from HP.

Ye Ting of Intel replied and said:

“Intel is working on implementation of UEFI 2.5 HTTP boot support.”

Samer El-Haj-Mahmoud of HP also replied, and said:

“Both HTTP Boot and Redfish are very new standards. HTTP Boot got standardized as part of UEFI 2.5 in March. Redfish is still not even 1.0 (last published spec is 0.96.0a, with a target 1.0 spec sometime this month according to DMTF). It is expected that implementation will take some time to catch up to the spec. At the same time, PXE and IPMI have been there for quite some time, are implemented across the board on servers (and many clients), and are already in wide use. I do not expect them to go away anytime soon. But the goal is to switch over to HTTP and Redfish/REST over time, especially as they enable new use cases and capabilities that were not possible (or easy to do) before. The first step though is to get the specs implemented. As Ting explained, Intel is working on UEFI 2.5 HTTP Boot implementation (that I expect will show up in EDK2. I see the header files submitted already). DMTF is also working on a Redfish mockup/simulator that can be used to exercise clients. HP ProLiant Gen9 servers already support proprietary flavors of both HTTP Boot (or “Boot from URL”) and Redfish (or the “HP RESTful API”). I do not know of any other servers that implement such technologies at this time.”

So, it sounds like HP is the only vendor that supports UEFI HTTP Boot at the moment, and Intel is working on an implementation. If Intel’s implementation is part of TianoCore, other vendors may use it.

I’m looking forward to a TianoCore implementation, as well as DMTF’s Redfish simulator.

Thanks to Ye Ting and Samer El-Haj-Mahmoud for the answers!

New UEFI HTTP Boot support in UEFI 2.5

May 9, 2015 ~ hucktech ~ 1 Comment

One of the new features in UEFI 2.5 is the use of the HTTP protocol for network booting. Previously, UEFI booted remotely, using IPv4 or IPv6, starting with DHCP, then finishing using TFTP, “PXE-based”. This new UEFI 2.5 change defines new DHCP options to specify URI-based pointers to the “Network Boot Program (NBP)”, the binary image to download and run, which can be used using HTTP instead of TFTP. DHCP Servers will need to support this new HTTPBoot extension, if the DHCP type code for x86 is 0x0F and 0x10 for x64. For example, inside a corporate enterprise, with an URL like:
http://examplebootserver/boot/boot.efi

HTTP aside, the new spec hints of future URI-based network protocol support, such as FTP or NFS, in the future.

AFAICT, this presumes HTTP, not HTTPS. Most of the spec says HTTP. Only in one place did I see a reference to TLS and HTTPS, see Figure 72. But TLS and the S in HTTPS were in red, unlike all else, unclear what this means, if it is not public feature only in commercial UEFI products, etc. Speak up if you know.

The spec mentions both enterprise and home use of this protocol, and they mention usage of this protocol across across networks (via the public Internet), not just internal home/corporate network use.

Refer to section 23.7 of the UEFI v2.5 specification for more details.
http://www.uefi.org/specsandtesttools

I’ve yet to locate this code in the public TianoCore EDK-II trunk; either I’ve missed it, it hasn’t yet been checked in, or the code is part of a non-open source codebase. It would answer the HTTPS/TLS question, as well. Speak up if you know the answer!

UEFI systems’s updates can incorporate new features, so this feature may show up in your system the next time your vendor issues an update. So, DNS, DHCP, and HTTP are all network attack vectors for network UEFI booting. Is your firewall/router ready for UEFI HTTP Booting?