Secure boot is designed to verify software signatures. The UEFI BIOS might support loading software over HTTPS, but it isn't part of secure boot. Secure boot would verify any kernels/etc loaded from HTTPS.
That was the point as I read it. Payload signature verification is a good and sometimes desirable alternative to transport encryption when the payload itself isn't secret.
Highly-cacheable resources like game and OS updates are often intentionally delivered over HTTP as signed payloads to facilitate middlebox caching.
> Secure boot is designed to verify software signatures
aka integrity.
HTTPS is a useless gesture here, adding complexity to critical software that needs to be as simple and auditable as possible. Confidentiality is essentially unimportant to anyone but the most autistic of by-the-book nerds. It buys you nothing in a practical sense. Most netbooting happens over closed networks anyway.
I agree that integrity can be done by secure boot, but HTTPS does mean that someone can't intercept your request and serve you valid, signed, older software that has a known security flaw in it.
An LLM pointed this out to me as well, which I think is a fair point.
However, in practice it doesn't matter for any machine that has persistence since it only needs to netboot once to transfer an image to local storage. Besides that, you can also invert and bootstrap with BMC or even a flash drive and skip the whole network anyway.
Finally, you can reduce risk if you only bootstrap a minimal executable which itself has a robust bootstrapping mechanism. In the post, they're jumping to iPXE from UEFI so the concern would be loading an old iPXE version.
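The rollback concern raised in the thread (a validly signed but older image being served) can be handled on the client with a version floor checked after the signature. The sketch below is an added example, not code from any commenter or from iPXE/UEFI; the key, the versions, the manifest layout and the function names are constructed, and HMAC-SHA256 stands in for a real asymmetric signature.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 is a stand-in for the vendor's asymmetric
# signature so the example runs with the standard library only.
SIGNING_KEY = b"constructed-demo-key"


def _mac(manifest):
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def sign_image(version, payload):
    """Vendor side: the version is inside the signed manifest."""
    manifest = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    return {"manifest": manifest, "sig": _mac(manifest)}


def verify_image(signed, payload, min_version):
    """Client side: signature, payload digest, then the local version floor."""
    manifest = signed["manifest"]
    if not hmac.compare_digest(_mac(manifest), signed["sig"]):
        return "reject: bad signature"
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        return "reject: payload mismatch"
    if tuple(manifest["version"]) < tuple(min_version):
        return "reject: rollback"
    return "accept"


# Constructed sample images and versions.
OLD = sign_image([1, 20, 0], b"older signed image")
NEW = sign_image([1, 21, 1], b"current signed image")
FLOOR = [1, 21, 0]  # hypothetical minimum version stored on the client

if __name__ == "__main__":
    print(verify_image(NEW, b"current signed image", FLOOR))
    print(verify_image(OLD, b"older signed image", FLOOR))
    print(verify_image(OLD, b"older signed image", [0, 0, 0]))
```

With a floor of `[0, 0, 0]` the older image is accepted, which is the signature-only behaviour the thread is debating; the floor only helps if the client stores it somewhere an on-path attacker cannot reset.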