iSCSI booting with U-Boot and iPXE

U-Boot has only a reduced set of supported network protocols. A major gap is the lack of a TCP stack.

For booting a diskless computer, this leaves us with BOOTP or DHCP to get the address of a boot script. TFTP can then be used to load the boot script, the operating system kernel and the initial file system (initrd).

These protocols are insecure: the client cannot validate the authenticity of the contacted servers, and the server cannot verify the identity of the client.

Furthermore, the services providing the operating system loader or kernel are not the ones that the operating system will use. Especially in a SAN environment, this makes updating the operating system a hassle: after installing a new kernel version, the boot files have to be copied to the TFTP server directory.

The HTTPS protocol provides certificate-based validation of servers. Sensitive data like passwords can be securely transmitted.

The iSCSI protocol is used for connecting storage attached networks. It provides mutual authentication using the CHAP protocol. It typically runs on a TCP transport.

Thus, a better solution than DHCP/TFTP boot would be to load a boot script via HTTPS and to download any other files needed for booting via iSCSI.

An alternative to implementing these protocols in U-Boot is to use existing software that can run on top of U-Boot. iPXE is the "Swiss army knife" of network booting. It supports both HTTPS and iSCSI. It has a script engine for fine-grained control of the boot process and can provide a command shell.

iPXE can be built as an EFI application (named snp.efi) which can be loaded and run by U-Boot.
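A boot script of the kind described above, as an added example that is not from the original page or from the U-Boot or iPXE projects: it is meant to be fetched over HTTPS and then attaches the boot disk over iSCSI with CHAP in both directions. The host name, IP address, IQNs and credentials are constructed placeholders, and it assumes an iPXE build with HTTPS enabled that trusts the certificate authority of the script server.

```ipxe
#!ipxe
# Added example. Assumed to be served as https://boot.example.com/boot.ipxe
# and reached with "chain https://boot.example.com/boot.ipxe", so the CHAP
# secrets below only travel inside the certificate-validated TLS session.
# All names, addresses and secrets are constructed placeholders.

# Initiator name that the iSCSI target's access list expects
set initiator-iqn iqn.2018-01.com.example:initiator

# CHAP: credentials this client presents to the target
set username boot-client
set password CHANGE-ME-initiator-secret

# Reverse CHAP: credentials the target must present back to the client,
# which gives the mutual authentication that DHCP/TFTP cannot provide
set reverse-username boot-target
set reverse-password CHANGE-ME-target-secret

# Attach the LUN and boot from it. URI fields are
# iscsi:<server>:<protocol>:<port>:<LUN>:<target IQN>; empty fields use defaults.
sanboot iscsi:192.0.2.10::::iqn.2018-01.com.example:target || goto failed

:failed
echo iSCSI boot failed
# Drop the secrets before leaving the script so they are not left in settings
clear password
clear reverse-password
exit 1
```

CHAP authenticates both ends of the iSCSI session but does not encrypt the block traffic, so the storage network still needs its own isolation or transport protection.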