[ipxe-devel] Using a modern TLS library

Christian Nilsson nikize at gmail.com
Mon Jul 1 19:39:33 UTC 2019


On Mon, 1 Jul 2019 at 21:24, Demi Obenour <demiobenour at gmail.com> wrote:
>
> Has there been any interest in using a modern TLS library, such as mbedTLS or BearSSL, to replace the internal crypto in iPXE?  I have zero trust in iPXE’s internal crypto and TLS/ASN.1 stacks.
>
> Demi

Awesome start on that email, really love the "zero trust" part.

Now feel free to send patches; remember that the code should be
compatible with the UBDL license:
https://git.ipxe.org/ipxe.git/blob_plain/HEAD:/COPYING.UBDL

Now, since iPXE runs in a limited environment, do measure the footprint
it takes up.
The most constraining environment is pcbios mode,
and we are still struggling with .rom builds that must fit in 64KiB flash chips.
So make sure to test those scenarios properly.

There are both pros and cons to using external code.
It's great if it has more features without being much larger than the existing code.
But I can imagine that it would cause an even larger headache in terms
of having, for example, MS accept iPXE for EFI cross-signing.
