Re: [ipxe-devel] https booting

[Gerd Hoffmann]

On Fri, Jul 24, 2020 at 05:19:38PM +0100, Michael Brown wrote:
> On 22/07/2020 15:13, Daniel P. Berrangé wrote:
> > We could easily define etc/ipxe/https/{ciphers,cacerts} paths in a
> > different format if better suited for iPXE. Libvirt can set the right
> > path depending on whether its booting a VM with EDK2 vs legacy BIOS
> 
> The most useful for iPXE would probably be to expose the fw_cfg mechanism as
> a URI scheme.  This would give a general mechanism allowing for use cases
> such as running a script provided by the host via e.g.
> 
>   chain fw_cfg:///opt/org.example/script.ipxe

Looks useful.
(coreboot folks might want add cbfs: support).

> The ${crosscert} setting could then be pointed at a base URL within the
> fw_cfg space, e.g.
> 
>   #define CROSSCERT "fw_cfg:///etc/ipxe/crosscert/auto"
> 
> This would then work in the same way under either BIOS or UEFI (or other
> custom firmware), would provide a feature with applicability broader than
> just obtaining certificates, and would avoid any potential problems from
> allocating enough RAM to parse every root certificate from iPXE's fixed
> 512kB internal heap.

Well, it isn't that easy.

fw_cfg isn't designed for a large number of files, and right now there
is a hard limit of (IIRC) 32 entries.  While adding an entry or two
isn't that much of a problem, adding all *.der files (228 right now)
hosted @ http://ca.ipxe.org/auto/ individually certainly is.

So, we'll have to pass a certificate bundle as single file and have ipxe
pick the certificate it needs from it.

take care,
  Gerd