Slashdot Mirror


Remote Booting Using a Wireless Network Card?

Eboneye asks: "I have been assigned to a project to figure out how to make a diskless portable workstation (laptop) boot through a wireless connection. The idea is to have a stateless client that stores no local data (for security purposes). The only totally network boot stuff I have found uses PXE extensions. I have seen nothing like this in a PCMCIA card, much less a -wireless- PCMCIA card. For the proof of concept, we'll boot from a read-only device, but of course during the setup phase use media to create a boot image on a boot server. I am currently looking at a couple different products that will provide a booting service. Ultimately, the goal is to have a wireless tablet that can use different PCMCIA wireless adapters to connect to different LANs. Because of the specialized concerns of tablet PCs the solution has to be Windows compatible (sorry, Linux). Has anyone seen or worked on remote boot through wireless? Any experiences, gotchas, or suggestions for ways to solve this are welcome."

2 of 28 comments

  1. Why make it bootable? by sQuEeDeN · Score: 3, Interesting

    It seems like it would be waaaaay easier to do thin clients, like our friends in Largo, Florida. Remote booting brings a host of problems:

    First: security. Any authentication to get the boot image would, naturally, have to happen before the image was downloaded, so the client would have to be able to handle any encryption protocols before anything useful even happened. Unless you have a powerful system operating pre-boot, that is gonna be really insecure, especially over wireless, comprende? Imagine if the boot image was intercepted? I can't think of how that would be good.


    Also, the simple fact that consolidation is typically more economic. One Big Server (could be running linux with crossover[whoring]) is typically easier to maintain than a remote, full-fledged laptop. So, read the story on Largo (about the thin clients, rather than the Linux bit) and think about it--decide if you really, really have to make it bootable--be sure you can't or are unwilling to go thin.

    --

    Recursive (adj.): see 'Recursive'
  2. Re:Serious security issues with 802.11b by addaon · Score: 5, Interesting

    Precisely. You need some physical media for the encryption key, unless you're doing this entirely unencrypted, a decidedly bad idea. The way I would do this is to stick an 802.11 card, permanently, in each tablet, and issue people a usbkey storage device (www.usbkeydrive.com, for instance... pricier ones available). You could either give this to each employee, or have them check them out the same way they would have checked out a pc card under your plan. These keys are bootable in most machines (the advantage over using a pc card hard drive, which may or may not be bootable depending on your hardware); what you want to do is put on each a small bootable OS, the information necessary to form your VPN or however you're dealing with security, and nothing else. (At this point, you'll wish you could use linux, as it will require a smaller key, and be cheaper. But you'll survive with windows). Of course, there are still problems with this; you're not truly remote booting, just using a read-only boot disk. But it may be sufficient.

    The next step up in complexity, as well as power, is to again use a usbkey to boot, but boot into linux. Have it boot from the read-only keychain, use the (unique) information on each key to establish the connection, etc, and then start X-Windows and rdesktop (linux remote desktop client), connecting to a remote windows server. It would be quite easy to secure the tablet so that the linux distribution is secure, and again you have a unique key to secure the connection. From the user's point of view, they're working on a local windows machine, although from your point of view they're remotely logged on to another box.

    These are just the first two ideas that came to mind. As the parent said, though, you need some kind of local storage for encrypted booting. I highly recommend a usbkey from one brand or another, as they're relatively cheap, absurdly robust, and quite convenient. And once you're allowing even a bit of storage, make it a useful amount, and boot locally off a secured disk, rather than trying to get the hardware to do something it's not supposed to do. Remote booting, keep in mind, just uses some ROM code to boot the computer and then moves control elsewhere. I'm pretty sure you won't find a system ROM or an 802.11 ROM that does what you need; instead, you're going to have to attach a boot ROM of some kind, and a usb key is about as good as it gets.

    Oh, one final point, to make this make sense. Most of the usb keys have a read-only switch that can be latched, which makes them appear as read-only mass storage devices to the OS. Once you write the key, you can physically remove the switch (I've done this to several usb keys) to make it quite inconvenient to write to them again. It is possible to write to them either by opening them up and reconnecting the switch, or by writing a custom driver which ignores that the device is read-only (it turns out that, even in read-only mode, the keys I've worked with do honor writes), but neither of these methods is very convenient. It depends just how much security you need.

    --

    I've had this sig for three days.
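
The requirement both comments raise (the client must authenticate before the image is sent, and the key has to live on local media such as the USB key) sketched as an added example, not code from either poster: an HMAC challenge-response followed by a tagged image, using a constructed per-device key. The device id, key and function names are hypothetical, and this authenticates the image only; keeping it confidential on the air is left to the VPN or link encryption.

```python
import hashlib
import hmac
import secrets

# Constructed per-device secret; in the scheme discussed it would sit on the
# read-only USB key issued to one user. Device id and key are hypothetical.
DEVICE_KEYS = {"tablet-07": bytes.fromhex("00112233445566778899aabbccddeeff" * 2)}


def _mac(key: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def client_response(key: bytes, server_nonce: bytes, client_nonce: bytes) -> bytes:
    """Client proves it holds the key before the server sends any image."""
    return _mac(key, b"auth|", server_nonce, client_nonce)


def server_release_image(device_id, server_nonce, client_nonce, response, image):
    """Return (image, tag) only if the challenge was answered with the device key."""
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return None
    expected = _mac(key, b"auth|", server_nonce, client_nonce)
    if not hmac.compare_digest(expected, response):
        return None
    # Tag covers the client's nonce, so a recorded image+tag fails in a later session.
    return image, _mac(key, b"image|", client_nonce, image)


def client_accept_image(key, client_nonce, image, tag) -> bool:
    """Client checks the image before handing control to it."""
    return hmac.compare_digest(_mac(key, b"image|", client_nonce, image), tag)


def demo() -> dict:
    key = DEVICE_KEYS["tablet-07"]
    image = b"CONSTRUCTED-BOOT-IMAGE" * 4  # stand-in for a real boot image
    s_nonce, c_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    resp = client_response(key, s_nonce, c_nonce)
    img, tag = server_release_image("tablet-07", s_nonce, c_nonce, resp, image)
    bad_resp = client_response(secrets.token_bytes(32), s_nonce, c_nonce)
    return {
        "genuine": client_accept_image(key, c_nonce, img, tag),
        "tampered": client_accept_image(key, c_nonce, img[:-1] + b"X", tag),
        "replayed": client_accept_image(key, secrets.token_bytes(16), img, tag),
        "no_key": server_release_image("tablet-07", s_nonce, c_nonce, bad_resp, image),
    }
```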