It's possible to require that any images used be signed using a specific key that is configured in the hardware ahead of time. Even if you don't do that, the same setup can be helpful for provisioning a bunch of machines without accessing any external network. You can configure a small box to act just as a DHCP server and to serve a machine image for network boot. Then you can have all the machines on this subnet automatically load that image as it is updated without the need for any further configuration on each device.
I've seen organizations do something similar to this for trade shows when they want a bunch of machines that visitors can interact with and don't want to have to keep them updated individually. Just update the image once and reboot each machine.
I dunno, I actually think a public key is better than a hash, because it lets you sign updated images without having to update things on the client. Obviously it should be user-controlled, but this feels like a legitimate use.
I don't really see it being that much more complicated. Signing the image is just one extra step when you publish, but it also means that you never need to update client machines unless the key is compromised.
Well, it kind of does. Normally, the PXE network booting will use DHCP (or bootp or whatever) to fetch the boot image location, then it will fetch that boot image. Historically, that has worked this way:
1. bootp says boot image is at <ip address>/path/to/img
2. PXE network stack fetches that image via TFTP (which is awful)
3. PXE network stack boots that image
In most cases, the boot image would be a chainloader like pxelinux, and that would fetch a config file which told it the kernel path, the initrd path, and the command line, and then the user could choose to boot that image, and then pxelinux would fetch the files via TFTP (which is still awful) and boot them.
In this new, HTTP-based case, we replace each instance of "TFTP" with "HTTP", which we can authenticate (ish), which we can easily firewall, which doesn't have weird compatibility issues, and so on.
Note that, before now, you could replace pxelinux with iPXE, and iPXE could fetch files via HTTP (which is awesome), but you still had to fetch iPXE and its config file via TFTP.
Note that TFTP is an unauthenticated, UDP-based, extremely limited protocol which has almost no support for anything but the most basic "get this file" or "take this file" functionality. Being able to replace it is a joy and a wonder.
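An added example, not part of the original thread: a small Python parser that reads a DHCP/BOOTP reply and reports whether it points the client at a TFTP path (next-server address plus file name) or at an HTTP URL, which is the difference the comment above describes. The two packets are constructed samples using documentation addresses, and the function names are hypothetical.

```python
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2131)

def parse_options(raw):
    """Walk the code/length/value option list that follows the magic cookie."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:              # end-of-options marker
            break
        if code == 0:                # pad byte, has no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def boot_source(packet):
    """Return (transport, location) for the boot image; option 52 overload is not handled."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    siaddr = socket.inet_ntoa(packet[20:24])                  # BOOTP next-server field
    legacy_file = packet[108:236].split(b"\0", 1)[0].decode("ascii", "replace")
    opts = parse_options(packet[240:])
    name = opts.get(67, b"").rstrip(b"\0").decode("ascii", "replace") or legacy_file
    if name.lower().startswith(("http://", "https://")):      # boot file given as a URL
        return name.split(":", 1)[0].lower(), name
    server = opts.get(66, b"").rstrip(b"\0").decode("ascii", "replace") or siaddr
    return "tftp", f"{server}/{name.lstrip('/')}"

def build_reply(siaddr, file=b"", options=b""):
    """Constructed sample reply: only the fields read above are filled in."""
    fixed = bytearray(236)
    fixed[20:24] = socket.inet_aton(siaddr)
    fixed[108:108 + len(file)] = file
    return bytes(fixed) + MAGIC_COOKIE + options + b"\xff"

def opt(code, value):
    return bytes([code, len(value)]) + value

LEGACY = build_reply("192.0.2.10", file=b"pxelinux.0")        # classic PXE offer
HTTP = build_reply("0.0.0.0", options=opt(60, b"HTTPClient")
                   + opt(67, b"http://192.0.2.10/boot/ipxe.efi"))
```

Run over captured offers on a provisioning subnet, `boot_source` shows which machines are still being sent down the TFTP path.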