[ipxe-devel] [RESEND PATCH 0/5] [crypto] Relax root certificate restrictions

Ladi Prosek lprosek at redhat.com
Fri Mar 3 12:37:02 UTC 2017


Resending the series from last year. Still wanting to do it, still
looking for feedback.


The goal of this series is to make it possible to use iPXE with security
features, such as HTTPS, in enterprise environments where rebuilding
from sources is not an option and connecting to external services is not
desired. An ideal iPXE binary for this environment:

1) Does not use any cross-cert server by default. It can be configured
at runtime but is not required at build time (PATCH 1).

2) Does not contain any trusted certificate fingerprints. They can be
configured at runtime but the binary may have nothing embedded in it
(PATCH 5).

3) Allows trusted root certificate fingerprints to be changed by trusted
images (PATCH 3, 4).

4) Assumes initrd, kernel command line, and images embedded in iPXE to
be trusted (PATCH 2).

The particular scenario I am interested in is ipxe.lkrn booted locally
from ISOLINUX and passed a script as initrd. The script is trusted and
should be able to configure crypto as needed before chaining into an
HTTPS-downloaded image. Thanks!


[RESEND PATCH 1/5] [crypto] Fail fast if cross-certificate source is empty
[RESEND PATCH 2/5] [image] Make initrd, cmdline, and embedded images trusted
[RESEND PATCH 3/5] [settings] Make settings applicators aware of the setting
[RESEND PATCH 4/5] [crypto] Allow trusted certificates to be set by trusted
[RESEND PATCH 5/5] [crypto] Allow ALLOW_TRUST_OVERRIDE to be overriden by

 src/arch/x86/core/runtime.c |  4 ++++
 src/core/settings.c         | 10 +++++-----
 src/crypto/certstore.c      |  2 +-
 src/crypto/privkey.c        |  2 +-
 src/crypto/rootcert.c       | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++------------------
 src/image/embedded.c        |  1 +
 src/include/ipxe/settings.h |  3 ++-
 src/net/80211/net80211.c    |  4 ++--
 src/net/ipv4.c              |  2 +-
 src/net/tcp/syslogs.c       |  2 +-
 src/net/udp/dns.c           |  2 +-
 src/net/udp/syslog.c        |  2 +-
 src/net/udp/tftp.c          |  2 +-
 src/net/validator.c         |  6 ++++++
 14 files changed, 78 insertions(+), 33 deletions(-)



