Heinrich Schuchardt | af9a8c8 | 2018-12-01 10:07:10 +0100 | [diff] [blame] | 1 | # iSCSI booting with U-Boot and iPXE |
Heinrich Schuchardt | 123b90b | 2018-01-28 15:26:02 +0100 | [diff] [blame] | 2 | |
Heinrich Schuchardt | af9a8c8 | 2018-12-01 10:07:10 +0100 | [diff] [blame] | 3 | ## Motivation |
Heinrich Schuchardt | 123b90b | 2018-01-28 15:26:02 +0100 | [diff] [blame] | 4 | |
| 5 | U-Boot has only a reduced set of supported network protocols. The focus for |
| 6 | network booting has been on UDP based protocols. A TCP stack and HTTP support |
| 7 | are expected to be integrated in 2018 together with a wget command. |
| 8 | |
| 9 | For booting a diskless computer this leaves us with BOOTP or DHCP to get the |
| 10 | address of a boot script. TFTP or NFS can be used to load the boot script, the |
| 11 | operating system kernel and the initial file system (initrd). |
| 12 | |
| 13 | These protocols are insecure. The client cannot validate the authenticity |
| 14 | of the contacted servers. And the server cannot verify the identity of the |
| 15 | client. |
| 16 | |
| 17 | Furthermore the services providing the operating system loader or kernel are |
| 18 | not the ones that the operating system typically will use. Especially in a SAN |
| 19 | environment this makes updating the operating system a hassle. After installing |
| 20 | a new kernel version the boot files have to be copied to the TFTP server |
| 21 | directory. |
| 22 | |
| 23 | The HTTPS protocol provides certificate based validation of servers. Sensitive |
| 24 | data like passwords can be securely transmitted. |
| 25 | |
| 26 | The iSCSI protocol is used for connecting storage attached networks. It |
| 27 | provides mutual authentication using the CHAP protocol. It typically runs on |
| 28 | a TCP transport. |
| 29 | |
| 30 | Thus a better solution than DHCP/TFTP/NFS boot would be to load a boot script |
| 31 | via HTTPS and to download any other files needed for booting via iSCSI from the |
| 32 | same target where the operating system is installed. |
| 33 | |
| 34 | An alternative to implementing these protocols in U-Boot is to use an existing |
Heinrich Schuchardt | bafe162 | 2018-07-29 13:50:50 +0200 | [diff] [blame] | 35 | software that can run on top of U-Boot. iPXE[1] is the "swiss army knife" of |
Heinrich Schuchardt | 123b90b | 2018-01-28 15:26:02 +0100 | [diff] [blame] | 36 | network booting. It supports both HTTPS and iSCSI. It has a scripting engine for |
| 37 | fine grained control of the boot process and can provide a command shell. |
| 38 | |
| 39 | iPXE can be built as an EFI application (named snp.efi) which can be loaded and |
| 40 | run by U-Boot. |
| 41 | |
Heinrich Schuchardt | af9a8c8 | 2018-12-01 10:07:10 +0100 | [diff] [blame] | 42 | ## Boot sequence |
Heinrich Schuchardt | 123b90b | 2018-01-28 15:26:02 +0100 | [diff] [blame] | 43 | |
| 44 | U-Boot loads the EFI application iPXE snp.efi using the bootefi command. This |
| 45 | application has network access via the simple network protocol offered by |
| 46 | U-Boot. |
| 47 | |
| 48 | iPXE executes its internal script. This script may optionally chain load a |
| 49 | secondary boot script via HTTPS or open a shell. |
| 50 | |
| 51 | For the further boot process iPXE connects to the iSCSI server. This includes |
| 52 | the mutual authentication using the CHAP protocol. After the authentication iPXE |
| 53 | has access to the iSCSI targets. |
| 54 | |
| 55 | For a selected iSCSI target iPXE sets up a handle with the block IO protocol. It |
| 56 | uses the ConnectController boot service of U-Boot to request U-Boot to connect a |
| 57 | file system driver. U-Boot reads from the iSCSI drive via the block IO protocol |
| 58 | offered by iPXE. It creates the partition handles and installs the simple file |
Heinrich Schuchardt | bafe162 | 2018-07-29 13:50:50 +0200 | [diff] [blame] | 59 | protocol. Now iPXE can call the simple file protocol to load GRUB[2]. U-Boot |
| 60 | uses the block IO protocol offered by iPXE to fulfill the request. |
Heinrich Schuchardt | 123b90b | 2018-01-28 15:26:02 +0100 | [diff] [blame] | 61 | |
Heinrich Schuchardt | bafe162 | 2018-07-29 13:50:50 +0200 | [diff] [blame] | 62 | Once GRUB is started it uses the same block IO protocol to load Linux. Via |
| 63 | the EFI stub Linux is called as an EFI application:: |
Heinrich Schuchardt | 123b90b | 2018-01-28 15:26:02 +0100 | [diff] [blame] | 64 | |
Heinrich Schuchardt | bafe162 | 2018-07-29 13:50:50 +0200 | [diff] [blame] | 65 | +--------+ +--------+ |
| 66 | | | Runs | | |
| 67 | | U-Boot |========>| iPXE | |
| 68 | | EFI | | snp.efi| |
| 69 | +--------+ | | DHCP | | |
| 70 | | |<===|********|<========| | |
| 71 | | DHCP | | | Get IP | | |
| 72 | | Server | | | Address | | |
| 73 | | |===>|********|========>| | |
| 74 | +--------+ | | Response| | |
| 75 | | | | | |
| 76 | | | | | |
| 77 | +--------+ | | HTTPS | | |
| 78 | | |<===|********|<========| | |
| 79 | | HTTPS | | | Load | | |
| 80 | | Server | | | Script | | |
| 81 | | |===>|********|========>| | |
| 82 | +--------+ | | | | |
| 83 | | | | | |
| 84 | | | | | |
| 85 | +--------+ | | iSCSI | | |
| 86 | | |<===|********|<========| | |
| 87 | | iSCSI | | | Auth | | |
| 88 | | Server |===>|********|========>| | |
| 89 | | | | | | | |
| 90 | | | | | Loads | | |
| 91 | | |<===|********|<========| | +--------+ |
| 92 | | | | | GRUB | | Runs | | |
| 93 | | |===>|********|========>| |======>| GRUB | |
| 94 | | | | | | | | | |
| 95 | | | | | | | | | |
| 96 | | | | | | | Loads | | |
| 97 | | |<===|********|<========|********|<======| | +--------+ |
| 98 | | | | | | | Linux | | Runs | | |
| 99 | | |===>|********|========>|********|======>| |=====>| Linux | |
| 100 | | | | | | | | | | | |
| 101 | +--------+ +--------+ +--------+ +--------+ | | |
| 102 | | | |
| 103 | | | |
| 104 | | ~ ~ ~ ~| |
Heinrich Schuchardt | 123b90b | 2018-01-28 15:26:02 +0100 | [diff] [blame] | 105 | |
Heinrich Schuchardt | af9a8c8 | 2018-12-01 10:07:10 +0100 | [diff] [blame] | 106 | ## Security |
Heinrich Schuchardt | 123b90b | 2018-01-28 15:26:02 +0100 | [diff] [blame] | 107 | |
| 108 | The iSCSI protocol is not encrypted. The traffic could be secured using IPsec |
| 109 | but neither U-Boot nor iPXE does support this. So we should at least separate |
| 110 | the iSCSI traffic from all other network traffic. This can be achieved using a |
| 111 | virtual local area network (VLAN). |
| 112 | |
Heinrich Schuchardt | af9a8c8 | 2018-12-01 10:07:10 +0100 | [diff] [blame] | 113 | ## Configuration |
Heinrich Schuchardt | 123b90b | 2018-01-28 15:26:02 +0100 | [diff] [blame] | 114 | |
Heinrich Schuchardt | af9a8c8 | 2018-12-01 10:07:10 +0100 | [diff] [blame] | 115 | ### iPXE |
Heinrich Schuchardt | 123b90b | 2018-01-28 15:26:02 +0100 | [diff] [blame] | 116 | |
Heinrich Schuchardt | bafe162 | 2018-07-29 13:50:50 +0200 | [diff] [blame] | 117 | For running iPXE on arm64 the bin-arm64-efi/snp.efi build target is needed:: |
Heinrich Schuchardt | 123b90b | 2018-01-28 15:26:02 +0100 | [diff] [blame] | 118 | |
| 119 | git clone http://git.ipxe.org/ipxe.git |
| 120 | cd ipxe/src |
| 121 | make bin-arm64-efi/snp.efi -j6 EMBED=myscript.ipxe |
| 122 | |
| 123 | The available commands for the boot script are documented at: |
| 124 | |
| 125 | http://ipxe.org/cmd |
| 126 | |
| 127 | Credentials are managed as environment variables. These are described here: |
| 128 | |
| 129 | http://ipxe.org/cfg |
| 130 | |
| 131 | iPXE by default will put the CPU to rest when waiting for input. U-Boot does |
| 132 | not wake it up due to missing interrupt support. To avoid this behavior create |
Heinrich Schuchardt | bafe162 | 2018-07-29 13:50:50 +0200 | [diff] [blame] | 133 | file src/config/local/nap.h:: |
Heinrich Schuchardt | 123b90b | 2018-01-28 15:26:02 +0100 | [diff] [blame] | 134 | |
| 135 | /* nap.h */ |
| 136 | #undef NAP_EFIX86 |
| 137 | #undef NAP_EFIARM |
| 138 | #define NAP_NULL |
| 139 | |
| 140 | The supported commands in iPXE are controlled by an include, too. Putting the |
Heinrich Schuchardt | bafe162 | 2018-07-29 13:50:50 +0200 | [diff] [blame] | 141 | following into src/config/local/general.h is sufficient for most use cases:: |
Heinrich Schuchardt | 123b90b | 2018-01-28 15:26:02 +0100 | [diff] [blame] | 142 | |
| 143 | /* general.h */ |
| 144 | #define NSLOOKUP_CMD /* Name resolution command */ |
| 145 | #define PING_CMD /* Ping command */ |
| 146 | #define NTP_CMD /* NTP commands */ |
| 147 | #define VLAN_CMD /* VLAN commands */ |
| 148 | #define IMAGE_EFI /* EFI image support */ |
| 149 | #define DOWNLOAD_PROTO_HTTPS /* Secure Hypertext Transfer Protocol */ |
| 150 | #define DOWNLOAD_PROTO_FTP /* File Transfer Protocol */ |
| 151 | #define DOWNLOAD_PROTO_NFS /* Network File System Protocol */ |
| 152 | #define DOWNLOAD_PROTO_FILE /* Local file system access */ |
| 153 | |
Heinrich Schuchardt | af9a8c8 | 2018-12-01 10:07:10 +0100 | [diff] [blame] | 154 | ### Open-iSCSI |
| 155 | |
| 156 | When the root file system is on an iSCSI drive you should disable pings and set |
| 157 | the replacement timer to a high value [3]: |
| 158 | |
| 159 | node.conn[0].timeo.noop_out_interval = 0 |
| 160 | node.conn[0].timeo.noop_out_timeout = 0 |
| 161 | node.session.timeo.replacement_timeout = 86400 |
| 162 | |
| 163 | ## Links |
Heinrich Schuchardt | 123b90b | 2018-01-28 15:26:02 +0100 | [diff] [blame] | 164 | |
Heinrich Schuchardt | bafe162 | 2018-07-29 13:50:50 +0200 | [diff] [blame] | 165 | * [1](https://ipxe.org) https://ipxe.org - iPXE open source boot firmware |
| 166 | * [2](https://www.gnu.org/software/grub/) https://www.gnu.org/software/grub/ - |
Heinrich Schuchardt | af9a8c8 | 2018-12-01 10:07:10 +0100 | [diff] [blame] | 167 | GNU GRUB (Grand Unified Bootloader) |
| 168 | * [3](https://github.com/open-iscsi/open-iscsi/blob/master/README) |
| 169 | https://github.com/open-iscsi/open-iscsi/blob/master/README - |
| 170 | Open-iSCSI README |