Re: boot parameters, init= and security issues

Systemkennung Linux (linux@mailhost.uni-koblenz.de)
Wed, 5 Jun 1996 23:54:16 +0200 (MET DST)


Hi,

> >> Generally, though I am in favor of your proposal. Providing as many
> >> boot-time security measures as possible sounds like a *very* good idea
> >> --- but maybe I am just a little bit paranoid :-)

this reminds me of root NFS which tries to fallback to a floppy boot when
it doesn't get a RARP/BOOTP answer after a certain time. I think this
feature is a bad idea in terms of security:

- let a diskless machine boot its kernel
- unplug the network cable before the kernel tries to get RARP/BOOTP answers
- wait until the kernel gives up waiting for a RARP/BOOTP answer
- insert your favourite bootdisk

You may say that, given physical access to a machine, this class of attacks is
always easy. Well, you're right. It's just that the NFS root stuff makes it
*too* easy. There is a big difference between just removing and reattaching a
network cable (no tools required) and other, more conspicuous, manipulations.

Aside from this, the fallback action when no RARP/BOOTP answer is received is
in my experience never a helpful action; in the case of a large network like my
university's it's even the wrong thing after a complete power failure. (The
right thing would be to wait for the servers to come back online. Given the
problems with our larger servers this might mean waiting for hours.)

Ralf