[ipxe-devel] https booting

Laszlo Ersek lersek at redhat.com
Wed Jul 22 18:47:19 UTC 2020

On 07/22/20 16:13, Daniel P. Berrangé wrote:
> On Wed, Jul 22, 2020 at 03:55:38PM +0200, Gerd Hoffmann wrote:
>>>> How does edk2 handle the root ca problem?
>>> There are two fw_cfg paths
>>>   - etc/edk2/https/ciphers
>>>   - etc/edk2/https/cacerts
>>> The first sets the cipher algorithms that are permitted and their
>>> priority, the second sets the CA certificate bundle.
>> Ok, ipxe should be able to fetch them.  Would be roughly the same as
>> compiling in the certificates, except that they don't take up space in
>> the rom and are much easier to update.
>> What is in cacerts?
>> Basically /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem of the host
>> machine?
> Not that file exactly. Instead
>    /etc/pki/ca-trust/extracted/edk2/cacerts.bin
> which is the same certs, but in a different format:
> [quote man update-ca-trust]
>        The directory /etc/pki/ca-trust/extracted/edk2/ contains a
>        CA certificate bundle ("cacerts.bin") in the "sequence of
>        EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7
>        specification, sections "31.4.1 Signature Database" and
>        "EFI_CERT_X509_GUID". Distrust information cannot be
>        represented in this file format, and distrusted certificates
>        are missing from these files. File "cacerts.bin" contains CA
>        certificates trusted for TLS server authentication.
> [/quote]
> On Fedora/RHEL the "update-ca-trust" tool creates the file in this
> format automatically now.
> I don't know if that's a useful format for iPXE or not.
> We could easily define etc/ipxe/https/{ciphers,cacerts} paths in a
> different format if better suited for iPXE.

I agree.

The p11-kit extractor for edk2 was implemented in p11-kit commit range ba6ebb05fc0c..de963b96929b:



The dependent "update-ca-trust" changes are here:


I think these commits could be used as model for an "iPXE extractor" if necessary.


> Libvirt can set the right
> path depending on whether it's booting a VM with EDK2 vs legacy BIOS
> Regards,
> Daniel
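The "sequence of EFI_SIGNATURE_LISTs" format that the quoted man page describes for cacerts.bin is simple enough to handle in a few dozen lines, which matters if a consumer such as iPXE wants to validate a bundle before trusting anything in it. The following parser and builder are an added example written for this thread; they are not code from iPXE, edk2, p11-kit or update-ca-trust. It assumes the EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout from the UEFI specification (a 16-byte type GUID, three little-endian UINT32 sizes, an optional header, then fixed-size signature entries each led by a 16-byte owner GUID), emits one list per certificate because every entry in a list must share the same SignatureSize, and uses constructed placeholder byte strings in place of real DER certificates.

```python
import struct
import uuid
from dataclasses import dataclass

# EFI_CERT_X509_GUID from the UEFI specification: the SignatureType that marks
# each entry as a DER-encoded X.509 certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
_LIST_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16  # EFI_SIGNATURE_DATA.SignatureOwner


@dataclass
class CertEntry:
    owner: uuid.UUID   # SignatureOwner GUID
    der: bytes         # SignatureData (the DER certificate)


def build_signature_lists(certs, owner=uuid.UUID(int=0)):
    """Serialize DER certificates as a sequence of EFI_SIGNATURE_LISTs.

    One list is emitted per certificate: X.509 certificates differ in length,
    and all signatures inside one list must have the same SignatureSize.
    """
    out = bytearray()
    for der in certs:
        sig_size = _OWNER_LEN + len(der)
        list_size = _LIST_HDR.size + sig_size  # SignatureHeaderSize is 0
        out += _LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
        out += owner.bytes_le + der
    return bytes(out)


def parse_signature_lists(blob):
    """Walk a cacerts.bin-style blob and return its X.509 entries.

    Every size field is checked against the buffer before use, so a truncated
    or malformed bundle raises ValueError instead of being partially trusted.
    Lists with a SignatureType other than EFI_CERT_X509_GUID are skipped.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        # list_size >= header size also guarantees forward progress (no zero-size loop)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = blob[off + _LIST_HDR.size + hdr_size: off + list_size]
        if sig_size < _OWNER_LEN or len(body) % sig_size != 0:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        if uuid.UUID(bytes_le=sig_type) == EFI_CERT_X509_GUID:
            for i in range(0, len(body), sig_size):
                sig = body[i:i + sig_size]
                entries.append(CertEntry(uuid.UUID(bytes_le=sig[:_OWNER_LEN]),
                                         bytes(sig[_OWNER_LEN:])))
        off += list_size
    return entries


# Constructed placeholder "certificates": short ASN.1 SEQUENCE-looking blobs,
# not real X.509 data, used only to exercise the round trip.
SAMPLE_CERTS = [b"\x30\x03\x02\x01\x01", b"\x30\x05\x02\x03\x01\x02\x03"]


def roundtrip_count():
    """Build a bundle from SAMPLE_CERTS and report how many entries parse back."""
    return len(parse_signature_lists(build_signature_lists(SAMPLE_CERTS)))


if __name__ == "__main__":
    bundle = build_signature_lists(SAMPLE_CERTS)
    for entry in parse_signature_lists(bundle):
        print(f"owner={entry.owner} der_len={len(entry.der)}")
```

The parser deliberately rejects rather than skips a list whose size runs past the end of the buffer, since a truncated download of a CA bundle should fail closed; on a real system you would feed it the contents of /etc/pki/ca-trust/extracted/edk2/cacerts.bin and hand each `der` field to an X.509 library.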
