Rollback protection for network bootingNetwork booting a Mac OS install imagePXE booting standard...

How to use of "the" before known matrices

Can I use USB data pins as power source

How to make healing in an exploration game interesting

How to terminate ping <dest> &

Have researchers managed to "reverse time"? If so, what does that mean for physics?

If curse and magic is two sides of the same coin, why the former is forbidden?

Why do passenger jet manufacturers design their planes with stall prevention systems?

My Graph Theory Students

An inequality of matrix norm

A sequence that has integer values for prime indexes only:

Should we release the security issues we found in our product as CVE or we can just update those on weekly release notes?

Interplanetary conflict, some disease destroys the ability to understand or appreciate music

Why is the President allowed to veto a cancellation of emergency powers?

Are all passive ability checks floors for active ability checks?

The difference between「N分で」and「後N分で」

Do the common programs (for example: "ls", "cat") in Linux and BSD come from the same source code?

Happy pi day, everyone!

PTIJ: Who should I vote for? (21st Knesset Edition)

Use of undefined constant bloginfo

How to use deus ex machina safely?

Why Choose Less Effective Armour Types?

How difficult is it to simply disable/disengage the MCAS on Boeing 737 Max 8 & 9 Aircraft?

Do I need life insurance if I can cover my own funeral costs?

Professor being mistaken for a grad student



Rollback protection for network booting


Network booting a Mac OS install imagePXE booting standard images?Booting off windows image through networkMulti-booting a secure-boot enabled Windows 8 laptopDRBL hangs after bootingWhen LAN booting is engaging?Booting an ISO over network with linuxPreLoader.efi: What's wrong with my Secure Boot settings?Network/PXE booting a split filesystemPXELINUX network booting an ISO file













0















I am interested in secure network booting. UEFI Secure Boot, combined with a signing key I control, ensures that no unauthorized code can run. However, it doesn’t provide rollback protection: an attacker can cause an earlier version of the OS to run.



Is there a way to prevent this? The first one that comes to mind is:




  • The initramfs compares the running kernel version (uname -r) and its own version with values stored in EFI variables.

  • If the values in EFI are newer, boot is aborted.

  • Otherwise, the values are written to the EFI variables.









share



























    0















    I am interested in secure network booting. UEFI Secure Boot, combined with a signing key I control, ensures that no unauthorized code can run. However, it doesn’t provide rollback protection: an attacker can cause an earlier version of the OS to run.



    Is there a way to prevent this? The first one that comes to mind is:




    • The initramfs compares the running kernel version (uname -r) and its own version with values stored in EFI variables.

    • If the values in EFI are newer, boot is aborted.

    • Otherwise, the values are written to the EFI variables.









    share

























      0












      0








      0








      I am interested in secure network booting. UEFI Secure Boot, combined with a signing key I control, ensures that no unauthorized code can run. However, it doesn’t provide rollback protection: an attacker can cause an earlier version of the OS to run.



      Is there a way to prevent this? The first one that comes to mind is:




      • The initramfs compares the running kernel version (uname -r) and its own version with values stored in EFI variables.

      • If the values in EFI are newer, boot is aborted.

      • Otherwise, the values are written to the EFI variables.









      share














      I am interested in secure network booting. UEFI Secure Boot, combined with a signing key I control, ensures that no unauthorized code can run. However, it doesn’t provide rollback protection: an attacker can cause an earlier version of the OS to run.



      Is there a way to prevent this? The first one that comes to mind is:




      • The initramfs compares the running kernel version (uname -r) and its own version with values stored in EFI variables.

      • If the values in EFI are newer, boot is aborted.

      • Otherwise, the values are written to the EFI variables.







      pxe secure-boot





      share












      share










      share



      share










      asked 2 mins ago









      DemiDemi

      4181718




      4181718






















          0






          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1414473%2frollback-protection-for-network-booting%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1414473%2frollback-protection-for-network-booting%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Why not use the yoke to control yaw, as well as pitch and roll? Announcing the arrival of...

          Couldn't open a raw socket. Error: Permission denied (13) (nmap)Is it possible to run networking commands...

          VNC viewer RFB protocol error: bad desktop size 0x0I Cannot Type the Key 'd' (lowercase) in VNC Viewer...