On 07/22/20 16:13, Daniel P. Berrangé wrote:
> On Wed, Jul 22, 2020 at 03:55:38PM +0200, Gerd Hoffmann wrote:
>>>> How does edk2 handle the root ca problem?
>>>
>>> There are two fw_cfg paths
>>>
>>> - etc/edk2/https/ciphers
>>> - etc/edk2/https/cacerts
>>>
>>> The first sets the cipher algorithms that are permitted and their
>>> priority, the second sets the CA certificate bundle.
>>
>> Ok, ipxe should be able to fetch them. Would be roughly the same as
>> compiling in the certificates, except that they don't take up space in
>> the rom and are much easier to update.
>
>> What is in cacerts?
>> Basically /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem of the host
>> machine?
>
> Not that file exactly. Instead
>
> /etc/pki/ca-trust/extracted/edk2/cacerts.bin
>
> which is the same certs, but in a different format:
>
> [quote man update-ca-trust]
> The directory /etc/pki/ca-trust/extracted/edk2/ contains a
> CA certificate bundle ("cacerts.bin") in the "sequence of
> EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7
> specification, sections "31.4.1 Signature Database" and
> "EFI_CERT_X509_GUID". Distrust information cannot be
> represented in this file format, and distrusted certificates
> are missing from these files. File "cacerts.bin" contains CA
> certificates trusted for TLS server authentication.
> [/quote]
>
> On Fedora/RHEL the "update-ca-trust" tool creates the file in this
> format automatically now.
>
> I don't know if that's a useful format for iPXE or not.
>
> We could easily define etc/ipxe/https/{ciphers,cacerts} paths in a
> different format if better suited for iPXE.
I agree. The p11-kit extractor for edk2 was implemented in p11-kit commit
range ba6ebb05fc0c..de963b96929b:

https://github.com/p11-glue/p11-kit/commit/59054e4f9fe3
https://github.com/p11-glue/p11-kit/commit/ee27f9153a14
https://github.com/p11-glue/p11-kit/commit/de963b96929b
https://github.com/p11-glue/p11-kit/pull/137
https://github.com/p11-glue/p11-kit/pull/139

The dependent "update-ca-trust" changes are here:

https://src.fedoraproject.org/rpms/ca-certificates/c/6220683f7640?branch=master
https://src.fedoraproject.org/rpms/ca-certificates/c/34c0da9058d6?branch=master

I think these commits could be used as a model for an "iPXE extractor" if
necessary.

Thanks,
Laszlo

> Libvirt can set the right
> path depending on whether it's booting a VM with EDK2 vs legacy BIOS
>
> Regards,
> Daniel
>
_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel
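The thread describes the "sequence of EFI_SIGNATURE_LISTs" layout of cacerts.bin but never shows how a consumer such as iPXE would walk it. The C below is an added example, not code from this thread, iPXE, edk2 or p11-kit: a bounds-checked walker that extracts the DER certificates from every EFI_CERT_X509_GUID list and skips lists of other types, plus a constructed sample bundle (not a real cacerts.bin; the "certificate" is a 5-byte DER placeholder) used to exercise both the happy path and a truncated blob. Function names, the 256-byte buffer size and the sample contents are assumptions; the structure offsets and the two GUID values are from the UEFI specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* EFI_SIGNATURE_LIST (UEFI 2.7, 31.4.1), little-endian: SignatureType GUID
 * (16 bytes), SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32
 * each), then the SignatureHeader, then N entries of SignatureSize bytes, each
 * an EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) + SignatureData. */
#define SIGLIST_HDR_LEN   28u
#define SIGDATA_OWNER_LEN 16u

/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072 in on-disk byte
 * order (first three fields little-endian); its SignatureData is a DER cert. */
static const uint8_t EFI_CERT_X509_GUID[16] = {
    0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
    0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };
/* EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328; the sample uses
 * it only as a list type the walker must skip over. */
static const uint8_t EFI_CERT_SHA256_GUID[16] = {
    0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
    0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };

static uint32_t rd32le(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32le(uint8_t *p, uint32_t v)
{ for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

typedef void (*cert_cb)(const uint8_t *der, size_t der_len, void *ctx);

/* Walk a "sequence of EFI_SIGNATURE_LISTs" buffer, handing every DER cert in
 * an EFI_CERT_X509_GUID list to cb. Returns the cert count, or -1 when a size
 * field points outside the buffer or its own list: a corrupted or malformed
 * blob must fail cleanly rather than make the firmware read past the buffer. */
int walk_siglists(const uint8_t *buf, size_t len, cert_cb cb, void *ctx)
{
    size_t off = 0;
    int ncerts = 0;
    while (off < len) {
        if (len - off < SIGLIST_HDR_LEN)
            return -1;
        const uint8_t *hdr = buf + off;
        uint32_t list_size = rd32le(hdr + 16);
        uint32_t hdr_size  = rd32le(hdr + 20);
        uint32_t sig_size  = rd32le(hdr + 24);
        if (list_size < SIGLIST_HDR_LEN || list_size > len - off ||
            hdr_size > list_size - SIGLIST_HDR_LEN)
            return -1;
        size_t body = list_size - SIGLIST_HDR_LEN - hdr_size;
        /* every entry must carry its owner GUID plus at least one data byte */
        if (body > 0 && (sig_size <= SIGDATA_OWNER_LEN || body % sig_size != 0))
            return -1;
        if (body > 0 && memcmp(hdr, EFI_CERT_X509_GUID, 16) == 0) {
            const uint8_t *sig = hdr + SIGLIST_HDR_LEN + hdr_size;
            for (size_t i = 0; i < body / sig_size; i++, sig += sig_size) {
                if (cb) cb(sig + SIGDATA_OWNER_LEN, sig_size - SIGDATA_OWNER_LEN, ctx);
                ncerts++;
            }
        }
        off += list_size;
    }
    return ncerts;
}

/* Emit one EFI_SIGNATURE_LIST holding a single entry; returns bytes written. */
static size_t put_list(uint8_t *out, const uint8_t type[16],
                       const uint8_t *data, size_t data_len)
{
    uint32_t sig_size = SIGDATA_OWNER_LEN + (uint32_t)data_len;
    memcpy(out, type, 16);
    wr32le(out + 16, SIGLIST_HDR_LEN + sig_size);
    wr32le(out + 20, 0);                                 /* no SignatureHeader */
    wr32le(out + 24, sig_size);
    memset(out + SIGLIST_HDR_LEN, 0, SIGDATA_OWNER_LEN); /* SignatureOwner: nil */
    memcpy(out + SIGLIST_HDR_LEN + SIGDATA_OWNER_LEN, data, data_len);
    return SIGLIST_HDR_LEN + sig_size;
}

/* Constructed sample, not a real cacerts.bin: a SHA-256 list (32 zero bytes),
 * then an X.509 list whose "certificate" is a 5-byte DER placeholder. */
static size_t sample_bundle(uint8_t *out)
{
    static const uint8_t fake_der[5] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
    size_t n = put_list(out, EFI_CERT_SHA256_GUID, (const uint8_t[32]){ 0 }, 32);
    return n + put_list(out + n, EFI_CERT_X509_GUID, fake_der, sizeof fake_der);
}

static void sum_der(const uint8_t *der, size_t len, void *ctx)
{ (void)der; *(size_t *)ctx += len; }

/* Parse the sample with its last `cut` bytes removed. Returns the cert count
 * (1 when intact, -1 once a byte is missing); *der_total gets DER bytes seen. */
int demo_parse(size_t cut, size_t *der_total)
{
    uint8_t buf[256];
    size_t n = sample_bundle(buf), total = 0;
    int rc = walk_siglists(buf, n - cut, sum_der, &total);
    if (der_total) *der_total = total;
    return rc;
}
size_t demo_der_bytes(void) { size_t t = 0; demo_parse(0, &t); return t; }
```

Because SignatureSize is fixed per list while X.509 certificates differ in length, a real cacerts.bin holds one certificate per EFI_SIGNATURE_LIST; the walker above still handles multi-entry lists, and the truncated case shows why every size field is checked against both the remaining buffer and the enclosing list before any byte behind it is touched.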