[ipxe-devel] https booting

Gerd Hoffmann kraxel at redhat.com
Wed Jul 22 12:08:27 UTC 2020


  Hi,

With the world moving to use https by default, people start to ask for
https being enabled by default for the qemu boot roms.

We could simply flip the DOWNLOAD_PROTO_HTTPS switch in
src/config/qemu/general.h (ipxe git repo).  Note that this would only
affect booting in bios mode, for uefi qemu uses the efidrv builds which
implies https support is in the hands of the uefi firmware (edk2/ovmf).

After looking at https://ipxe.org/cfg/crosscert I'm not convinced this
is a good idea though.  This would likely put quite some load on
ca.ipxe.org.  Also that machine becomes a single point of failure for
worldwide ipxe https boot, and looking through the mailing list I've
seen we already had (at least) two outages this year.

What happens if you set crosscert to the empty string?
Will ipxe fail or will it boot without cert verification?

What does it take to mirror http://ca.ipxe.org/auto/?
Just "wget -r" everything and serve it?

How does edk2 handle the root ca problem?
Other comments?

take care,
  Gerd


