[ipxe-devel] https booting

Gerd Hoffmann kraxel at redhat.com
Wed Jul 22 13:55:38 UTC 2020


> > How does edk2 handle the root ca problem?
> 
> There are two fw_cfg paths
> 
>   - etc/edk2/https/ciphers
>   - etc/edk2/https/cacerts
> 
> The first sets the cipher algorithms that are permitted and their
> priority, the second sets the CA certificate bundle.

Ok, ipxe should be able to fetch them.  Would be roughly the same as
compiling in the certificates, except that they don't take up space in
the rom and are much easier to update.

What is in cacerts?
Basically /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem of the host
machine?

thanks,
  Gerd


