qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ipxe-devel] https booting

From: Michael Brown
Subject: Re: [ipxe-devel] https booting
Date: Wed, 22 Jul 2020 14:21:57 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 
On 22/07/2020 13:08, Gerd Hoffmann wrote:

With the world moving to use https by default people start to ask for
https being enabled by default for the qemu boot roms.

We could simply flip the DOWNLOAD_PROTO_HTTPS switch in
src/config/qemu/general.h (ipxe git repo).  Note that this would only
affect booting in bios mode, for uefi qemu uses the efidrv builds which
implies https support is in the hands of the uefi firmware (edk2/ovmf).
The .efidrv builds can be used for booting via either the UEFI PXE flow (using iPXE as just a NIC driver) or via the iPXE flow (using iPXE as an application invoked via the NIC driver's EFI_LOAD_FILE_PROTOCOL entry point), so it might still be relevant to UEFI as well as BIOS. 


After looking at https://ipxe.org/cfg/crosscert I'm not convinced this
is a good idea though.  This would likely put quite some load to
ca.ipxe.org.  Also that machine becomes a single point of failure for
worldwide ipxe https boot, and looking through the mailing list I've
seen we already had (at least) two outages this year.
The crosscert fetches are static files (with iPXE including a query string only for debugging purposes), and it should be fairly straightforward for me to switch to hosting them in AWS S3 or equivalent. The ca.ipxe.org domain is not used for anything else so could be pointed at a new hosting infrastructure with no disruption or code changes.
I would worry more about the OCSP service for the cross-signed certificates, since OCSP does not just serve static responses. This service is currently implemented using openca-ocspd running on a VM in AWS. I'm very open to suggestions on more scalable ways to host this. 


What happens if you sent crosscert to the empty string?
An empty string is equivalent to a deleted setting, so it will fall back to using the compiled-in default. 


Will ipxe fail or will it boot without cert verification?
iPXE does need to be able to construct a full certificate chain leading back to its trusted root certificate. If the crosscert source is unavailable then otherwise valid certs will be treated as invalid since the information required to validate them is not avaiable. 


What does it take to mirror http://ca.ipxe.org/auto/?
Just "wget -r" everything and serve it?


For the crosscert files, yes.  There's still OCSP to think about; see above.


How does edk2 handle the root ca problem?


I'm also curious to know!

Thanks,

Michael
reply via email to
[Prev in Thread] Current Thread [Next in Thread]