HN Debrief

Introduction to UEFI HTTP(s) Boot with QEMU/OVMF

  • Infrastructure
  • Security
  • Hardware
  • Open Source

The post is a hands-on introduction to booting a machine over UEFI HTTP or HTTPS, using QEMU with OVMF so you can test the flow in a virtual machine before touching hardware. The appeal is straightforward. Instead of the classic PXE plus TFTP setup, you can serve boot files over ordinary web infrastructure, and in theory layer TLS on top.

If you run bare metal provisioning, HTTP boot is worth testing now because it can simplify serving boot artifacts and often works on current hardware. Treat HTTPS support and vendor firmware as reliability risks until you have validated your exact platform and debugging path in a VM and on real machines.

Discussion mood

Interested but wary. People like HTTP boot as a cleaner replacement for TFTP and say it is broadly usable on modern servers, but they are deeply skeptical of UEFI firmware quality, especially around HTTPS, debugging, and vendor-specific quirks.

Key insights

  1. 01

    Firmware HTTP clients behave like brittle parsers

    UEFI HTTP boot support often fails on tiny implementation details that normal web clients would ignore. One example was EDK2 requiring URLs ending in ".efi" instead of trusting HTTP metadata. Another reported newer AMI Aptio firmware completing DHCP and then failing to fetch the boot file at all. That shifts this from a standards feature to a compatibility exercise with each firmware stack.

    Build your boot service around the lowest-common-denominator client, not around what the spec allows. Keep URLs simple, test against the exact firmware families you own, and expect regressions across BIOS updates.

      Attribution:
    • pzmarzly #1
    • pdmccormick #1
  2. 02

    Debugging is the real operational cost

    The hard part is not standing up an HTTP server. It is figuring out why firmware says almost nothing when boot fails. DHCP option formatting, relay behavior, IPv4 versus IPv6 differences, router advertisements, and boot file discovery can all break the flow while exposing only a vague error like failure to get the network boot program size. Running the setup first in OVMF makes packet capture and iteration fast enough to be tolerable.

    Treat a VM-based repro as part of your boot pipeline, not just a lab convenience. If you cannot observe the packets and reproduce failures outside the target hardware, support will become guesswork.

      Attribution:
    • andrewjf #1
    • wmf #1
  3. 03

    Real hardware support exists but the entry points vary

    Current servers usually support HTTP boot, but the path into it is messy. Some firmware can use DHCP option 67 for an HTTP URL. Some need a specific boot entry that is awkward to create because Linux tooling like efibootmgr has incomplete support. Many operators still route around vendor firmware entirely with iPXE, BMC virtual media, or USB bootstrap methods because those are easier to control.

    Check support at two layers before committing. Confirm both that the firmware can speak HTTP boot and that you have a workable way to provision or select that boot path at scale.

      Attribution:
    • ValdikSS #1
    • wmf #1
    • zcw100 #1
    • nijave #1
  4. 04

    On-demand network block devices would change the tradeoff

    Using NBD over TLS instead of fetching a full boot image up front would let firmware or early boot environments pull only the blocks they actually touch. That would make large rescue or installer images more practical and would move HTTP boot from file download toward streaming storage.

    If your provisioning images are large or highly customized, watch for boot paths that support demand-paged remote storage. They can cut startup time and reduce the need to pre-bake many separate netboot artifacts.

      Attribution:
    • rwmj #1

Against the grain

  1. 01

    Apple solved the experience by owning the stack

    Internet Recovery shows that network boot can feel polished, but that result comes from Apple controlling firmware, hardware, and driver support end to end. Outside that world, firmware has to cope with a huge spread of Ethernet and Wi-Fi chipsets, plus large opaque firmware blobs, which makes a clean universal implementation much harder than the protocol choice suggests.

    Do not use Apple’s recovery flow as your baseline expectation for commodity hardware. Plan for a narrower supported device matrix or an alternate bootstrap path when you need predictable UX.

      Attribution:
    • naturalmovement #1
    • my-boot #1
    • mschuster91 #1
  2. 02

    HTTPS may add more bugs than protection

    Several comments rejected the idea that TLS meaningfully solves boot security when Secure Boot already validates signed software. In that view, firmware TLS mostly adds a fragile parser and certificate stack to one of the least trustworthy parts of the system. The one concrete security gap it can help with is serving an older signed image with known flaws, but only if your overall design lacks stronger anti-rollback controls.

    Before enabling HTTPS boot, write down the exact attack you expect it to stop. If the answer is just "integrity," spend the effort on signature policy, version control, and rollback prevention instead.

      Attribution:
    • naturalmovement #1 #2 #3
    • robertlagrant #1

In plain english

AMI Aptio
A widely used commercial UEFI firmware product from American Megatrends.
BMC
Baseboard Management Controller, a separate management processor on servers that can provide remote console access and virtual media.
DHCP
Dynamic Host Configuration Protocol, the network protocol that gives machines IP addresses and can also tell them where to boot from.
EDK2
An open source UEFI firmware development project from Tianocore that many vendors use as a base.
efibootmgr
A Linux command-line tool for creating and managing UEFI boot entries stored in firmware.
HTTP
Hypertext Transfer Protocol, the standard protocol used by web servers and browsers to transfer files and data.
HTTPS
Hypertext Transfer Protocol Secure, HTTP carried over Transport Layer Security so traffic is encrypted and the server can be authenticated.
IPv4
Internet Protocol version 4, the older and still common version of the Internet addressing system.
IPv6
Internet Protocol version 6, the newer version of Internet addressing with different configuration and boot-time networking behavior.
iPXE
An enhanced open source network boot firmware that supports more protocols and scripting than standard PXE firmware.
NBD
Network Block Device, a protocol that exposes remote storage blocks to a client as if they were a local disk.
OVMF
Open Virtual Machine Firmware, a UEFI firmware implementation commonly used with QEMU virtual machines.
PXE
Preboot Execution Environment, a standard way for a machine to boot from the network before an operating system is installed.
qemu
An open source machine emulator and virtualizer used to run virtual machines.
Secure Boot
A UEFI feature that allows firmware to verify digital signatures on boot software so only trusted components are loaded.
TFTP
Trivial File Transfer Protocol, a very simple file transfer protocol often used by PXE because firmware can implement it easily.
TLS
Transport Layer Security, the standard cryptographic protocol used to encrypt data while it moves across a network.
UEFI
Unified Extensible Firmware Interface, the modern firmware standard that replaces the legacy PC BIOS and can load operating systems and boot programs.

Reference links

Standards and implementation references

  • Tianocore EDK2 HttpBootSupport.c
    Referenced as evidence that the URL handling quirk in EDK2 may have been fixed.
  • Tianocore HTTP Boot wiki
    Documentation for configuring UEFI HTTP Boot, cited as a way to use DHCP option 67 without a custom boot entry.
  • SUSE UEFI HTTP Boot documentation
    Practical vendor documentation for setting up UEFI HTTP Boot on real systems.
  • iPXE
    Suggested as an alternative or fallback when native firmware HTTP boot is awkward or unreliable.

Talks and demos

Firmware blob examples