On Wed, Jul 22, 2020 at 03:55:38PM +0200, Gerd Hoffmann wrote:
> > > How does edk2 handle the root ca problem?
> >
> > There are two fw_cfg paths
> >
> > - etc/edk2/https/ciphers
> > - etc/edk2/https/cacerts
> >
> > The first sets the cipher algorithms that are permitted and their
> > priority, the second sets the CA certificate bundle.
>
> Ok, ipxe should be able to fetch them. Would be roughly the same as
> compiling in the certificates, except that they don't take up space in
> the rom and are much easier to update.
> > What is in cacerts?
> Basically /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem of the host
> machine?

Not that file exactly. Instead /etc/pki/ca-trust/extracted/edk2/cacerts.bin
which is the same certs, but in a different format:

[quote man update-ca-trust]
The directory /etc/pki/ca-trust/extracted/edk2/ contains a CA certificate
bundle ("cacerts.bin") in the "sequence of EFI_SIGNATURE_LISTs" format,
defined in the UEFI-2.7 specification, sections "31.4.1 Signature Database"
and "EFI_CERT_X509_GUID". Distrust information cannot be represented in
this file format, and distrusted certificates are missing from these
files. File "cacerts.bin" contains CA certificates trusted for TLS server
authentication.
[/quote]

On Fedora/RHEL the "update-ca-trust" tool creates the file in this format
automatically now.

I don't know if that's a useful format for iPXE or not. We could easily
define etc/ipxe/https/{ciphers,cacerts} paths in a different format if
better suited for iPXE. Libvirt can set the right path depending on
whether it's booting a VM with EDK2 vs legacy BIOS.

Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
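As an added example that is not part of this thread and not code from iPXE, EDK2, libvirt or update-ca-trust, the following Python walks a "sequence of EFI_SIGNATURE_LISTs" blob of the kind the quoted man page describes and pulls out the DER certificates. The layout follows the UEFI specification: each EFI_SIGNATURE_LIST starts with a type GUID, the total list size, a signature header size and the per-entry size, and each EFI_SIGNATURE_DATA entry is an owner GUID followed by the payload; for X.509 entries the payload is the DER certificate. The GUID constants are the specification's values; the certificate bytes and the SHA-256 hash entry are constructed stand-ins, not real certificates, and the builder function exists only to produce a sample blob offline. Every size field is bounds-checked before use so that a truncated or inconsistent bundle fails loudly instead of being misparsed.

```python
import struct
import uuid

# GUID values from the UEFI specification (Signature Database section).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: SignatureType (GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize; the integers are little-endian UINT32.
SIG_LIST_HDR = struct.Struct("<16sIII")
GUID_SIZE = 16  # every EFI_SIGNATURE_DATA starts with the SignatureOwner GUID


def parse_signature_lists(blob):
    """Walk a 'sequence of EFI_SIGNATURE_LISTs' and return one
    (signature_type, owner, data) tuple per EFI_SIGNATURE_DATA entry.
    Each size field is checked against the buffer before it is used, so a
    truncated file, an oversized list or a zero-length list (which would
    otherwise never advance the offset) raises ValueError."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off)
        if list_size < SIG_LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size <= GUID_SIZE:
            raise ValueError("SignatureSize %d leaves no room for data" % sig_size)
        body_off = off + SIG_LIST_HDR.size + hdr_size
        body_len = list_size - SIG_LIST_HDR.size - hdr_size
        if body_len % sig_size != 0:
            raise ValueError("list at offset %d is not a whole number of entries" % off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(body_len // sig_size):
            e = body_off + i * sig_size
            owner = uuid.UUID(bytes_le=bytes(blob[e:e + GUID_SIZE]))
            entries.append((sig_type, owner, bytes(blob[e + GUID_SIZE:e + sig_size])))
        off += list_size
    return entries


def x509_certs(blob):
    """DER certificates from the bundle. Entries of any other type are
    skipped, which is what a TLS client should do with a mixed database."""
    return [data for sig_type, _owner, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_X509_GUID]


def build_list(sig_type, entries, owner=uuid.UUID(int=0)):
    """Encode one EFI_SIGNATURE_LIST with no signature header. All entries in
    a list share one SignatureSize, which is why a certificate bundle ends up
    as one list per certificate."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must be the same size")
    sig_size = GUID_SIZE + sizes.pop()
    list_size = SIG_LIST_HDR.size + sig_size * len(entries)
    out = SIG_LIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for e in entries:
        out += owner.bytes_le + e
    return out


# Constructed stand-ins for DER certificates (each is a tiny DER SEQUENCE).
# They are NOT real certificates, only fixed byte strings for the parser.
FAKE_CERT_A = b"\x30\x03\x02\x01\x01"
FAKE_CERT_B = b"\x30\x05\x02\x03\x01\x02\x03"
FAKE_SHA256 = bytes(range(32))  # constructed hash entry of another type


def sample_bundle():
    """A constructed cacerts.bin-like blob: two X.509 lists with a SHA-256
    hash list between them that a certificate consumer must ignore."""
    return (build_list(EFI_CERT_X509_GUID, [FAKE_CERT_A])
            + build_list(EFI_CERT_SHA256_GUID, [FAKE_SHA256])
            + build_list(EFI_CERT_X509_GUID, [FAKE_CERT_B]))


if __name__ == "__main__":
    blob = sample_bundle()
    for sig_type, owner, data in parse_signature_lists(blob):
        print(sig_type, owner, len(data), "bytes")
    print("x509 certs:", len(x509_certs(blob)))
```

To read a real bundle, pass the contents of /etc/pki/ca-trust/extracted/edk2/cacerts.bin to `x509_certs()`; each returned byte string is one DER certificate that can be handed to whatever X.509 parser the consumer already has.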