[ipxe-devel] HTTPS notes
Geert Stappers
stappers at stappers.nl
Fri Jan 5 18:50:25 UTC 2024
Hi,
Some HTTPS notes came along on the iPXE IRC channel.
To prevent them from being lost after the pastebin's expiry date,
I am posting them here. The mailing list archive will preserve them.
Enjoy
[...]
Prepare Source
--------------
Requirements:
```sh
sudo apt-get install build-essential liblzma-dev git
```
Clone repository:
```sh
git clone https://github.com/ipxe/ipxe.git
cd ipxe/src/
# NOTE: ^ Remaining commands are executed from this directory
```
Basic configuration:
```sh
cat >config/local/general.h <<EOF
#define DOWNLOAD_PROTO_HTTPS
EOF
cat >provision.ipxe <<EOF
#!ipxe
echo Attempting DHCP ...
:retry
dhcp || goto retry
echo Contacting Server ...
:chain
chain --autofree http://boot.netboot.xyz/ipxe/netboot.xyz.efi || goto failed
exit
:failed
echo Provisioning Failed
sleep 9000000
goto chain
EOF
```
Certificates
------------
The default build may require updated certificates in order to continue trusting
most valid certificates. Depending on final deployment, this may not be needed.
```sh
curl -s http://ca.ipxe.org/ca.crt > ca.pem
curl -s https://letsencrypt.org/certs/isrgrootx1.pem > isrgrootx1.pem
curl -s https://letsencrypt.org/certs/lets-encrypt-r3.pem > lets-encrypt-r3.pem
# Make options: embed (CERT=) and trust (TRUST=) the downloaded certificates,
# and enable TLS, HTTP, X.509 and certificate-store debug output (DEBUG=)
make bin-x86_64-efi/ipxe.efi \
    CERT=ca.pem,isrgrootx1.pem,lets-encrypt-r3.pem \
    TRUST=ca.pem,isrgrootx1.pem,lets-encrypt-r3.pem \
    DEBUG=tls,httpcore,x509,certstore
```
The current deployment solution sits alongside the package update service. The
certificate (.crt) for this server can be copied to the ``ipxe/src/`` directory
and then included using ``CERT=server.crt TRUST=server.crt``.
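A preflight check for the files named in CERT= and TRUST=, added here as an example and not part of the notes above: it refuses anything that is not a PEM certificate, which catches a download that silently saved an HTML error page (the curl calls above run without --fail), and builds the make arguments only from files that pass. The function names are my own; the iPXE CA above is fetched over plain HTTP, so comparing that file against a fingerprint obtained out of band is a separate step this check does not replace.

```shell
#!/bin/sh
# Preflight for the iPXE CERT=/TRUST= build step (example code, not from the notes).

# Return 0 if FILE looks like a PEM-encoded X.509 certificate: it must carry
# BEGIN/END CERTIFICATE markers and the first block must base64-decode to DER,
# which for a certificate always starts with a SEQUENCE tag (0x30).
is_pem_cert() {
    file="$1"
    [ -s "$file" ] || return 1
    grep -q '^-----BEGIN CERTIFICATE-----' "$file" || return 1
    grep -q '^-----END CERTIFICATE-----' "$file" || return 1
    first=$(sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$file" \
        | sed '1d;$d' | tr -d '\r\n' | base64 -d 2>/dev/null \
        | head -c1 | od -An -tx1 | tr -d ' ')
    [ "$first" = "30" ]
}

# Print "CERT=a,b TRUST=a,b" for the given files (the notes use the same list
# for both), or fail on the first file that is not a PEM certificate so that
# nothing unexpected gets embedded into the image.
make_cert_args() {
    list=""
    for f in "$@"; do
        if ! is_pem_cert "$f"; then
            echo "not a PEM certificate: $f" >&2
            return 1
        fi
        list="${list:+$list,}$f"
    done
    printf 'CERT=%s TRUST=%s\n' "$list" "$list"
}

# Typical use, after the curl downloads above:
#   make bin-x86_64-efi/ipxe.efi $(make_cert_args ca.pem isrgrootx1.pem lets-encrypt-r3.pem)
```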
Create Image
------------
Build:
```sh
make -j8 bin-x86_64-efi/ipxe.efi EMBED=provision.ipxe \
CERT=server.crt TRUST=server.crt
```
Publish:
```sh
mv bin-x86_64-efi/ipxe.efi [...]/salt/states/ipxe/provision.efi
```
Actual commands used for current image:
```sh
git pull
cat >provision.ipxe [...]
cat >config/local/general.h [...]
cp /.../deb.crt server.crt
make -j8 bin-x86_64-efi/ipxe.efi EMBED=provision.ipxe CERT=server.crt TRUST=server.crt
cp bin-x86_64-efi/ipxe.efi [...]/salt/states/wipe/provision.efi
```