iPXE

Definition

iPXE (ipxe.org) is open-source network boot firmware that supports modern protocols (HTTP, HTTPS, iSCSI, AoE), going beyond the legacy PXE/TFTP-only path. It lets a machine boot operating systems directly from web servers, cloud storage, or enterprise storage networks, with much higher throughput and reliability than TFTP.

Architecturally, iPXE acts as a chainloaded replacement (or complement) to the firmware's built-in PXE stack, running early in the pre-boot stage to fetch and execute the OS kernel.

Why it matters operationally

iPXE turns network boot into a programmable workflow:

"iPXE turns the boot process into a programmable workflow. It offers advanced scripting capabilities that allow IT teams to automate complex deployments, such as provisioning servers based on specific hardware configurations or managing secure, diskless workstations."

(Source: Cloudflare 2026-06-01)

Cloudflare uses iPXE for "various automation reasons" in their core-server reboot process. Some of their hardware also supports UEFI HTTPS boot natively (firmware downloads the OS over HTTPS without going through iPXE), so the production fleet runs both substrates depending on the platform.

Seen in

2026-06-01 — Cloudflare Gen12 fleet boot-time regression

Source: sources/2026-06-01-cloudflare-how-we-reduced-core-unit-boot-time-from-hours-to-minutes.

iPXE is the substrate Cloudflare's Gen12 core-server boot automation runs on. Two iPXE-specific engineering details were disclosed:

  1. iPXE reads UEFI variables as HEX, which broke direct string-equality comparisons against expected configuration values. Cloudflare added a boolean flag, uefi-same-hex, that lets an iPXE script run a single set command instead of a show-then-conditional-set sequence (the hex-comparison flag pattern). The disclosed iPXE script shape:

       # construct path to read the update variable
       set buffer-var-guid 91468514-75bc-4bb5-8f33-91efff9e9b1f
       set var-upd-path efivar/CfHIIVarUpd-${buffer-var-guid}

       # Run the config change command
       imgexec <signed CF UEFI configuration App> set ${uefi-setting}=${uefi-value}

       # Compare the update variable with the expected value if it has changed.
       # If it has changed, set the local variable to reboot the system
       iseq ${uefi-same-hex} ${${var-upd-path}} || set has-changed ${uefi-diff-hex}

  2. iPXE is the integration point for Cloudflare's CfHIIConfig_App tool, which was extended with a wildcard matching feature (.*HTTP.*IPv4.*P1) to handle vendor string drift across NIC vendors (patterns/wildcard-config-match-for-vendor-string-drift).

The headline end state is "the entire workflow operates from iPXE": configuration changes deploy at scale through Cloudflare's existing release pipeline rather than via per-server BIOS GUI interaction.
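
An added example, not Cloudflare's code and not part of CfHIIConfig_App: one way a release pipeline could resolve a wildcard such as .*HTTP.*IPv4.*P1 against a host's setting names and refuse to act unless it selects exactly one setting. The setting names, values and function names are constructed for illustration, and treating the pattern as a full-match Python regular expression is an assumption.

```python
import re

# Constructed sample data: names two hypothetical NIC vendors might give the
# same boot interfaces. These strings are not taken from real firmware.
VENDOR_A = [
    "UEFI HTTP IPv4 VendorA 25GbE Adapter P1",
    "UEFI HTTP IPv4 VendorA 25GbE Adapter P10",
    "UEFI HTTP IPv6 VendorA 25GbE Adapter P1",
    "UEFI PXE IPv4 VendorA 25GbE Adapter P1",
]
VENDOR_B = [
    "VendorB NIC - HTTP Boot (IPv4) - P1",
    "VendorB NIC - HTTP Boot (IPv6) - P1",
    "VendorB NIC - PXE (IPv4) - P1",
]


class AmbiguousMatch(Exception):
    """A pattern selected zero settings, several settings, or a reused one."""


def resolve_setting(pattern, names):
    """Return the one name matched by pattern, or raise AmbiguousMatch.

    Assumption: the pattern is a Python regex that must match the whole name,
    so a trailing "P1" cannot also select "P10". The real tool's matching
    rules are not given on this page.
    """
    rx = re.compile(pattern)
    hits = [n for n in names if rx.fullmatch(n)]
    if len(hits) != 1:
        raise AmbiguousMatch(f"{pattern!r} matched {len(hits)} settings: {hits}")
    return hits[0]


def plan_changes(desired, names):
    """Resolve every pattern before anything is applied, so one bad pattern
    aborts the whole change instead of leaving a host half-configured."""
    plan = {}
    for pattern, value in desired.items():
        name = resolve_setting(pattern, names)
        if name in plan:
            raise AmbiguousMatch(f"{name!r} is targeted by more than one pattern")
        plan[name] = value
    return plan
```

Failing closed on zero or multiple matches matters here because a firmware setting changed on the wrong interface is only discovered at the next reboot.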

Composition with UEFI

iPXE and UEFI HTTPS boot are alternative network-boot interfaces on modern hardware. A typical Cloudflare Gen12 server has multiple interfaces in its boot list (IPv4 HTTPS, IPv4 iPXE, IPv6 HTTPS, IPv6 iPXE); the firmware probes them in order until one succeeds. The 2026-06-01 post's headline bug was that the declared probe order was the wrong order for this fleet, so the firmware burned ~5 min × 4 = ~20 min per boot probing dead interfaces before reaching the IPv6 HTTPS interface that actually worked. The fix was to declare the boot interface order upfront in the pre-boot PXE stage (patterns/declare-boot-interface-order-upfront).

Trade-offs vs vanilla PXE

| Property | Vanilla PXE | iPXE |
|---|---|---|
| Transport | TFTP | TFTP / HTTP / HTTPS / iSCSI / AoE |
| Throughput | Limited by TFTP | Wire-speed |
| Programmability | None | Scripting, conditional logic |
| Authentication | None | TLS / chain-of-trust possible |
| Open source | No (firmware-blob) | Yes (GPL) |
| Operational composition | One-shot boot | Programmable workflow |