Securing Network-Booting Linux Systems at the Example of bwLehrpool and bwForCluster NEMO

TL;DR

This paper explores security enhancements for network-booted Linux systems in university environments, focusing on trust, integrity, and confidentiality using Secure Boot, iPXE signing, and TPM, with minimal impact on boot performance.

Contribution

It demonstrates how to implement trust and security in network-boot Linux systems using Secure Boot, iPXE signing, and TPM, with practical setup procedures and performance analysis.

Findings

Secure Boot and iPXE signing guarantee boot process integrity.

TPM can ensure client identity and confidentiality.

Minimal delay introduced in the boot process by security measures.

Abstract

The universities of Baden-W\"urttemberg are using stateless system remote boot for services such as computer labs and data centers. It involves loading a host system over the network and allowing users to start various virtual machines. The filesystem is provided over a distributed network block device (dnbd3) mounted read-only. The process raises security concerns due to potentially untrusted networks. The aim of this work is to establish trust within this network, focusing on server-client identity, confidentiality and image authenticity. Using Secure Boot and iPXE signing, the integrity can be guaranteed for the complete boot process. The necessary effort to implement it is mainly one time at the set-up of the server, while the changes necessary once to the client could be done over the network. Afterwards, no significant delay was measured in the boot process for the main technologies, while the technique of integrating the kernel with other files resulted in a small delay measured. TPM can be used to ensure the client's identity and confidentiality. Provisioning TPM is a bigger challenge because as a trade-off has to be made between the inconvenience of using a secure medium and the ease of using an insecure channel once. Additionally, in the data center use case, hardware with TPM might have higher costs, while the additional security gained by changing from the current key storage is only little. After the provisioning is completed, the TPM can then be used to decrypt information with a securely stored key.