This repo builds an iPXE payload that can be used for USB or network booting of systems. Docker is used to build iPXE, wrapping all build dependencies in the Dockerfile. An embedded script (chain.ipxe) is added which chainloads another iPXE script from a remote HTTP(S) server and continues the boot process. The chainloaded iPXE script, which has the menu, OS files, and Debian preseed config, is in the pxeboot ansible role.
Requirements:
- git
- make
- Docker
Run `make image`; artifacts will be created in `out`. By default it will build:
- undionly.kpxe - can be served by a DHCP server and chainloads using the NIC's built-in PXE UNDI network driver implementation
- ipxe.usb - write to a USB stick with `dd if=bin/ipxe.usb of=/dev/<rawdevice>`. There are also 32 and 64 bit EFI versions of this payload.
- ipxe.pdisk - padded to floppy size, useful for some LOM implementations
- ipxe.iso - ISO image for writing to optical discs, and some other tools
- EFI32/EFI64 USB and snponly images

See also build targets.
Chainloading can be accomplished by modifying the chain.ipxe file with the URL of the target webserver, then embedding the script when building images:

`make COPY_FILES="chain.ipxe" OPTIONS="EMBED=chain.ipxe" image`
Mutual TLS can be used to secure the connection between the iPXE payload and the server that hosts the chainloaded scripts and images. Using mTLS requires cryptography support to be added to the generated binaries; a patch is included that enables HTTPS support.

To use this support, the CA certificate and the client certificate and private key must be copied and built into the iPXE artifacts. As the client private key is embedded, care must be taken with the resulting artifacts: anyone who can read them holds the client credential.
Steps:
- Modify the chain.ipxe file to use the mTLS HTTPS URL
- Put the CA certificate (ca.pem), client certificate (client.pem) and client private key (client.key) in the same directory
- Build the artifacts incorporating all these files using Makefile options (the example below names the CA file onfca.pem; the name given to COPY_FILES, CERT and TRUST must all refer to the same file):

`make COPY_FILES="chain.ipxe onfca.pem client.pem client.key" OPTIONS="EMBED=chain.ipxe CERT=onfca.pem,client.pem TRUST=onfca.pem PRIVKEY=client.key" image`
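A pre-build check for the mTLS step above, added here as an example and not part of this repo. It assumes the README's file names (onfca.pem, client.pem, client.key), needs only POSIX sh and grep for the structural checks, and uses openssl for the key/certificate cross-checks when it is installed.

```shell
#!/bin/sh
# Added example: sanity-check the PEM inputs before `make ... PRIVKEY=client.key image`
# embeds them into every bootable artifact. File names follow the README.

# count_blocks FILE MARKER : number of "-----BEGIN MARKER-----" lines in FILE
count_blocks() {
    grep -c -- "^-----BEGIN $2-----" "$1" || true
}

# check_pem_layout CA CLIENT_CERT CLIENT_KEY : structural checks only, no openssl needed
check_pem_layout() {
    for f in "$1" "$2" "$3"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # TRUST= takes the CA *certificate*. A CA private key in this file would be
    # copied into every artifact, a far worse leak than the client key.
    [ "$(count_blocks "$1" 'CERTIFICATE')" -ge 1 ] || { echo "$1: no CERTIFICATE block" >&2; return 1; }
    [ "$(count_blocks "$1" '.*PRIVATE KEY')" -eq 0 ] || { echo "$1: carries a private key, refusing to embed" >&2; return 1; }
    [ "$(count_blocks "$2" 'CERTIFICATE')" -ge 1 ] || { echo "$2: no CERTIFICATE block" >&2; return 1; }
    [ "$(count_blocks "$3" '.*PRIVATE KEY')" -eq 1 ] || { echo "$3: expected exactly one private key" >&2; return 1; }
    # Refuse passphrase-protected keys so neither this check nor the build stops at a prompt.
    [ "$(count_blocks "$3" 'ENCRYPTED PRIVATE KEY')" -eq 0 ] || { echo "$3: key is encrypted" >&2; return 1; }
}

# preflight_mtls_files CA CLIENT_CERT CLIENT_KEY : layout checks plus openssl cross-checks
preflight_mtls_files() {
    check_pem_layout "$1" "$2" "$3" || return 1
    if command -v openssl >/dev/null 2>&1; then
        # The embedded key must belong to the embedded client certificate ...
        [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ] \
            || { echo "$3 does not match $2" >&2; return 1; }
        # ... and the client certificate must chain to the CA the payload will trust.
        openssl verify -CAfile "$1" "$2" >/dev/null || { echo "$2 does not verify against $1" >&2; return 1; }
    fi
}

# build_mtls_image CA CLIENT_CERT CLIENT_KEY : run the checks, then the README's make invocation
build_mtls_image() {
    preflight_mtls_files "$1" "$2" "$3" || return 1
    make COPY_FILES="chain.ipxe $1 $2 $3" \
         OPTIONS="EMBED=chain.ipxe CERT=$1,$2 TRUST=$1 PRIVKEY=$3" image
}

# Usage: build_mtls_image onfca.pem client.pem client.key
```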