qemu-devel

Re: https booting


From: Daniel P. Berrangé
Subject: Re: https booting
Date: Wed, 22 Jul 2020 15:13:18 +0100
User-agent: Mutt/1.14.5 (2020-06-23)

On Wed, Jul 22, 2020 at 03:55:38PM +0200, Gerd Hoffmann wrote:
> > > How does edk2 handle the root ca problem?
> > 
> > There are two fw_cfg paths
> > 
> >   - etc/edk2/https/ciphers
> >   - etc/edk2/https/cacerts
> > 
> > The first sets the cipher algorithms that are permitted and their
> > priority, the second sets the CA certificate bundle.
> 
> Ok, ipxe should be able to fetch them.  Would be roughly the same as
> compiling in the certificates, except that they don't take up space in
> the rom and are much easier to update.
> 
> What is in cacerts?
> Basically /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem of the host
> machine?

Not that file exactly. Instead

   /etc/pki/ca-trust/extracted/edk2/cacerts.bin

which is the same certs, but in a different format:

[quote man update-ca-trust]
       The directory /etc/pki/ca-trust/extracted/edk2/ contains a
       CA certificate bundle ("cacerts.bin") in the "sequence of
       EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7
       specification, sections "31.4.1 Signature Database" and
       "EFI_CERT_X509_GUID". Distrust information cannot be
       represented in this file format, and distrusted certificates
       are missing from these files. File "cacerts.bin" contains CA
       certificates trusted for TLS server authentication.
[/quote]

On Fedora/RHEL the "update-ca-trust" tool creates the file in this
format automatically now.

I don't know if that's a useful format for iPXE or not.

We could easily define etc/ipxe/https/{ciphers,cacerts} paths in a
different format if better suited for iPXE. Libvirt can set the right
path depending on whether it's booting a VM with EDK2 vs legacy BIOS.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
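The cacerts.bin layout quoted above ("sequence of EFI_SIGNATURE_LISTs", one EFI_CERT_X509_GUID list per DER certificate), as an added example that is not part of this thread and is not code from QEMU, edk2, iPXE or p11-kit: a small Python encoder and decoder for the format, so a custom PEM bundle can be turned into the blob that goes behind etc/edk2/https/cacerts, and an existing cacerts.bin can be inspected. The EFI_CERT_X509_GUID value and the header layout are from the UEFI spec; the nil SignatureOwner GUID, the function names and the sample bundle (placeholder DER bytes, not real certificates) are assumptions made for this example.

```python
"""Encode/decode the "sequence of EFI_SIGNATURE_LISTs" layout of cacerts.bin.
Added example for this thread; not QEMU, edk2, iPXE or p11-kit code."""
import base64
import re
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI spec, "Signature Database"): each EFI_SIGNATURE_DATA
# entry in such a list carries one DER-encoded X.509 certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner is informational; using the nil GUID is an assumption here.
NIL_GUID = uuid.UUID(int=0)

# EFI_SIGNATURE_LIST header: SignatureType GUID, then SignatureListSize,
# SignatureHeaderSize and SignatureSize as little-endian UINT32 (no padding).
SIGLIST_HDR = struct.Struct("<16sIII")
GUID_LEN = 16

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem: bytes) -> list:
    """Return the DER blobs of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode(m.group(1)) for m in _PEM_RE.finditer(pem)]


def encode_siglists(ders, owner=NIL_GUID) -> bytes:
    """Emit one EFI_SIGNATURE_LIST per certificate: every EFI_SIGNATURE_DATA in
    a list must share one SignatureSize, and DER lengths differ per cert."""
    out = bytearray()
    for der in ders:
        sig_size = GUID_LEN + len(der)               # owner GUID + DER bytes
        list_size = SIGLIST_HDR.size + 0 + sig_size  # SignatureHeaderSize == 0
        out += SIGLIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
        out += owner.bytes_le + der
    return bytes(out)


def decode_siglists(blob: bytes) -> list:
    """Walk the sequence and return the DER certs from X509 lists.

    Sizes are validated at every step so a truncated or tampered file raises
    ValueError instead of silently yielding a partial trust store; lists of
    other signature types (e.g. SHA-256 hashes) are skipped, not rejected."""
    ders = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        body = off + SIGLIST_HDR.size + hdr_size
        end = off + list_size
        if list_size < SIGLIST_HDR.size + hdr_size or end > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= GUID_LEN or (end - body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        if sig_type == EFI_CERT_X509_GUID.bytes_le:
            for p in range(body, end, sig_size):
                ders.append(blob[p + GUID_LEN:p + sig_size])
        off = end
    return ders


def is_well_formed(blob: bytes) -> bool:
    """True if the blob parses as a complete sequence of EFI_SIGNATURE_LISTs."""
    try:
        decode_siglists(blob)
        return True
    except ValueError:
        return False


# Constructed sample input: two placeholder DER blobs (NOT real certificates),
# wrapped as PEM so the round trip runs offline.
_FAKE_DERS = [b"\x30\x03\x02\x01\x01", b"\x30\x06\x02\x01\x02\x02\x01\x03"]
SAMPLE_BUNDLE = b"".join(
    b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(d)
    + b"-----END CERTIFICATE-----\n" for d in _FAKE_DERS)


def roundtrip(pem: bytes = SAMPLE_BUNDLE) -> bool:
    """PEM bundle -> cacerts.bin layout -> DER list; must match the input."""
    ders = pem_to_ders(pem)
    return decode_siglists(encode_siglists(ders)) == ders


if __name__ == "__main__":
    import sys
    # Usage: python3 siglist.py bundle.pem > cacerts.bin
    with open(sys.argv[1], "rb") as f:
        sys.stdout.buffer.write(encode_siglists(pem_to_ders(f.read())))
```

The resulting blob is handed to the guest with QEMU's `-fw_cfg name=etc/edk2/https/cacerts,file=cacerts.bin`; on Fedora/RHEL the ready-made file is the /etc/pki/ca-trust/extracted/edk2/cacerts.bin Daniel names, so the encoder is only needed for a custom bundle, for instance a single private CA for an internal boot server rather than the whole host trust store. As the quoted man page says, the format carries no distrust information, so anything you want excluded has to be left out of the input bundle.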



