{"id":2718,"date":"2022-01-29T22:17:34","date_gmt":"2022-01-29T20:17:34","guid":{"rendered":"https:\/\/possiblelossofprecision.net\/?p=2718"},"modified":"2022-01-30T01:08:35","modified_gmt":"2022-01-29T23:08:35","slug":"chainloading-patched-ipxe-firmware-with-ipxe","status":"publish","type":"post","link":"https:\/\/possiblelossofprecision.net\/?p=2718","title":{"rendered":"Chainloading (patched) iPXE firmware with iPXE"},"content":{"rendered":"

These days, quite a few devices already come with built-in iPXE support: Some hypervisors (qemu, Proxmox, VMWare, VirtulBox, etc.) support iPXE right out of the gate but there’s also an increasing number of network equipment vendors<\/a> that sell network interface cards with bundled iPXE support.<\/p>\n

But what if the bundled iPXE firmware is out of date and\/or lacking a relevant feature? Recompiling iPXE<\/a> is not particularly difficult but changing the iPXE rom file on a hypervisor might be. Or it might be inadvisable due to a support contract. And flashing new rom files onto network interface cards is usually cumbersome and very time consuming.<\/p>\n

So how about using iPXE chainloading<\/a> to load a patched or otherwise customised iPXE rom?<\/p>\n

<\/p>\n

Chainloading iPXE via ISC DHCP<\/h2>\n

iPXE chaingloading<\/a> is quite a common technique to dynamically load an iPXE rom onto a device that otherwise would not support iPXE. It’s usually used to load iPXE from a PXE environment. To break the resulting infinite loop<\/a> the DHCP server needs to be configured to hand out an iPXE rom to PXE clients but a “real” boot configuration to iPXE clients:<\/p>\n

\r\nnext-server your-tftp-server;\r\n\r\nif exists user-class and option user-class = "iPXE" {\r\n    filename "http:\/\/your-http-server\/ipxe\/boot.ipxe";\r\n} elsif option arch = 00:07 {\r\n    # EFI x86-64 (Intel x86 64-bit EFI mode)\r\n    # - most commonly used on newer hardware\r\n    filename "ipxe-x86_64.efi";\r\n} elsif option arch = 00:06 {\r\n    # EFI IA32 (Intel x86 32-bit EFI mode)\r\n    # - almost never seen in the wild\r\n    filename "ipxe-i386.efi";\r\n}  else {\r\n    # Intel x86PC (Intel x86 32-bit legacy BIOS mode)\r\n    # - technically option arch = 00:00, but we use it as fallback\r\n    filename "undionly.kpxe";\r\n}\r\n<\/pre>\n
Assuming we’ve successfully recompiled our iPXE roms with the desired patches or enhancements we can expand on this to hand out a newer iPXE rom even to iPXE client. Making use use of some iPXE specific dhcp options<\/a>:<\/p>\n
\r\nnext-server your-tftp-server;\r\n\r\n# http:\/\/www.ietf.org\/assignments\/dhcpv6-parameters\/dhcpv6-parameters.txt\r\noption arch code 93 = unsigned integer 16;\r\n\r\noption space ipxe;\r\noption ipxe.version code 235 = string;\r\n\r\nif exists ipxe.version and binary-to-ascii(10, 8, ".", option ipxe.version) = "1.21.1" {\r\n    filename "http:\/\/your-http-server\/ipxe\/boot.ipxe";\r\n} elsif option arch = 00:07 {\r\n    # EFI x86-64 (Intel x86 64-bit EFI mode)\r\n    # - most commonly used on newer hardware\r\n    filename "ipxe-x86_64-fixed.efi";\r\n} elsif option arch = 00:06 {\r\n    # EFI IA32 (Intel x86 32-bit EFI mode)\r\n    # - almost never seen in the wild\r\n    filename "ipxe-i386-fixed.efi";\r\n}  else {\r\n    # Intel x86PC (Intel x86 32-bit legacy BIOS mode)\r\n    # - technically option arch = 00:00, but we use it as fallback\r\n    filename "undionly-fixed.kpxe";\r\n}\r\n<\/pre>\n
Documentation on ISC DHCP conditional evaluation can be found here: https:\/\/linux.die.net\/man\/5\/dhcpd-eval<\/a><\/p>\n
To bump the version number when compiling a new rom:<\/p>\n
\r\n$ git clone https:\/\/github.com\/ipxe\/ipxe\r\n$ cd ipxe\/src\r\n$ make VERSION_PATCH=2\r\n<\/pre>\n
On could, of course, also bump VERSION_MAJOR<\/code> or VERSION_MINOR<\/code> or use EXTRAVERSION<\/code><\/p>\n
\"\"<\/a>
iPXE chainloading an updated version via dhcp<\/center><\/p>\n
Chainloading iPXE via iPXE script<\/h2>\n
Sometimes modifying the dhcp server configuration might not be possible or practical in a real world application, e.g. because you don’t have control over the dhcp server or because it’s a Microsoft Windows DHCP server<\/a>. But we can use iPXE to determine its current version and then potentially handing out an updated iPXE rom.<\/p>\n
Let’s assume the dhcp server is handing out http:\/\/your-http-server\/ipxe\/boot.ipxe<\/em> through the filename<\/code> option and that particular file reads:<\/p>\n
\r\n#!ipxe\r\n\r\necho Booting Linux...\r\nkernel your-kernel-image.img\r\ninitrd your-initramfs.img\r\n\r\nboot\r\n<\/pre>\n
We can modify this to include an iPXE version check:<\/p>\n
\r\n#!ipxe\r\n\r\nchain --autofree version_check.ipxe ||\r\n\r\necho Booting Linux...\r\nkernel your-kernel-image.img\r\ninitrd your-initramfs.img\r\n\r\nboot\r\n<\/pre>\n
The version check might look like something similar to this (source<\/a>):<\/p>\n
\r\n#!ipxe\r\n\r\n# Figure out if client is 64-bit capable\r\ncpuid --ext 29 && set arch x64 || set arch x86\r\ncpuid --ext 29 && set archl amd64 || set archl i386\r\n\r\nset latest_version 1.21.1+ (g6ba67)\r\necho ${cls}\r\niseq ${version} ${latest_version} && exit ||\r\necho\r\necho Updated version of iPXE is available:\r\necho\r\necho Running version.....${version}\r\necho Updated version.....${latest_version}\r\necho\r\necho Attempting to chain to latest version...\r\n\r\niseq ${platform} efi && goto is_efi || goto not_efi\r\n\r\n:is_efi\r\niseq ${archl} amd64 && chain --autofree ${boot-url}ipxe-x86_64-fixed.efi || chain --autofree ${boot-url}ipxe-i386-fixed.efi\r\n\r\n:not_efi\r\nchain --autofree ${boot-url}undionly-fixed.kpxe ||\r\n<\/pre>\n
Of course, one needs to ensure that the server at boot-url<\/code> hands out the fixed versions of the iPXE roms.<\/p>\n
\"\"<\/a>
iPXE chainloading an updated version via iPXE script<\/center><\/p>\n","protected":false},"excerpt":{"rendered":"
These days, quite a few devices already come with built-in iPXE support: Some hypervisors (qemu, Proxmox, VMWare, VirtulBox, etc.) support iPXE right out of the gate but there’s also an increasing number of network equipment vendors that sell network interface cards with bundled iPXE support. But what if the bundled iPXE firmware is out of date and\/or lacking a relevant… Read more »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[58,85],"class_list":["post-2718","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-hardware","tag-pxe"],"_links":{"self":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/2718","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2718"}],"version-history":[{"count":23,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/2718\/revisions"}],"predecessor-version":[{"id":2743,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/2718\/revisions\/2743"}],"wp:attachment":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2718"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2718"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}