Introduction to UEFI HTTP(s) Boot with QEMU/OVMF

The historic go-to solution for network booting is PXE. PXE is based on DHCP and TFTP. It is tricky to configure correctly, even trickier to make highly available, and good luck securing a clear-text, unsigned protocol.

The modern web has long standardized on HTTPS with TLS certificates for server authentication, integrity and confidentiality. Moreover, highly available setups are a solved problem when it comes to HTTPS. Even better, the encryption layer makes it practical to boot over the Internet without immediately facing the threat of a man-in-the-middle attack that would be trivial with TFTP (remember, the leading t stands for “trivial”, not “secure”).

The good news is, most modern UEFI-based systems support booting over HTTP(S).

In this post, we’ll boot the snponly variant of netboot.xyz directly from the official website. Be prepared for some fun with HTTPS.

All these tests were performed on Ubuntu 26.04 with the provided 1:10.2.1+ds-1ubuntu3 Qemu and 2025.11-3ubuntu7 OVMF packages, unless otherwise stated. Note that, for reasons that will become clear later in this post, older versions might actually work better 🙃.

Starting with the simple case: HTTP boot discovered over DHCP

(Rightly) suspecting that the HTTPS variant would be a tough beast to beat, I started this journey with a first test that side-steps certificate trust and the other quirks for now.

The URL for the boot firmware is: http://boot.netboot.xyz/ipxe/netboot.xyz-snponly.efi.

The aim here is to demonstrate a minimal setup, to make it easier to integrate into your own environment. We’ll use a non-root Qemu machine with userland SLIRP networking and no additional devices (no storage, for instance). The whole system will run in memory.