Diskless NFS over TLS
Date: Sat, 24 Jun 2023 09:23:47 UTC

I have a number of aarch64 SBCs that run "diskless": U-Boot loads
boot.scr.uimg, loader.efi and the DTB via TFTP, EFI loads the loader
config and kernel via NFS and passes the NFS root details to the kernel.

I am contemplating whether it's possible to use secure NFS for at least
the root mount[*]. The problem is that NFS-over-TLS relies on
rpc.tlsclntd to perform the STARTTLS and that needs a functional
userland to run it.

Does anyone have any idea how to proceed? Maybe something like mfsroot
with the real root then overlaid over it (though I haven't thought this
through). (And I realise that protecting the keys is problematic).

[*] It would be nice to secure TFTP and the kernel load but that's less
feasible.

--
Peter Jeremy