On 07/22/20 14:08, Gerd Hoffmann wrote:
> How does edk2 handle the root ca problem?

It has no built-in CA certificate. HTTPS boot will not work until at least one trusted CA cert is imported.

The setup TUI offers an option to import CA cert(s) from local files (which must be on such filesystems that edk2 can read).

The platform may set up CA certs without (guest-)user interaction, too. That's what OVMF and ArmVirtQemu do. On the host side, the command

  p11-kit extract --format=edk2-cacerts --filter=ca-anchors \
    --overwrite --purpose=server-auth <certdb>

translates the host-side trusted CA cert list into a format that edk2 can consume. This p11-kit command is usually invoked as part of the higher-level command

  update-ca-trust extract

When "p11-kit extract" is invoked like that, then the <certdb> pathname is (for example)

  /etc/pki/ca-trust/extracted/edk2/cacerts.bin

Then QEMU is launched with the following option:

  -fw_cfg name=etc/edk2/https/cacerts,file=<certdb>

OVMF and ArmVirtQemu then fetch the CA cert list from fw_cfg, and make the generic TLS code use it:

- 9c7d0d499296 ("OvmfPkg/TlsAuthConfigLib: configure trusted CA certs for HTTPS boot", 2018-03-30)
- ffe048a0807b ("ArmVirtPkg: handle NETWORK_TLS_ENABLE in ArmVirtQemu*", 2019-06-28)

Thanks
Laszlo
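An added example, not part of Laszlo's mail and not edk2 or p11-kit code: a small inspector for the cacerts blob that the flow above hands to QEMU via fw_cfg. The `edk2-cacerts` output of p11-kit, like the UEFI TLS CA certificate variable it ends up in, is a concatenation of UEFI `EFI_SIGNATURE_LIST` structures whose X.509 entries carry one DER certificate each; the layout and the `EFI_CERT_X509_GUID` / `EFI_CERT_SHA256_GUID` values below are from the UEFI specification. Before booting a guest, an operator can run this over `/etc/pki/ca-trust/extracted/edk2/cacerts.bin` to see exactly which anchors the firmware will trust, and it rejects a truncated or inconsistent blob rather than guessing. The sample input is constructed here: two tiny DER sequences stand in for real certificates, plus a SHA-256 list to show that non-certificate entries are skipped.

```python
"""List the CA certs inside an edk2-cacerts blob (the file passed to QEMU
with -fw_cfg name=etc/edk2/https/cacerts). Added example; not edk2 or
p11-kit code."""
import hashlib
import struct
import uuid

# UEFI EFI_SIGNATURE_LIST header: SignatureType (EFI_GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize (all UINT32, little-endian).
SIGLIST_HDR = struct.Struct("<16sIII")
GUID_LEN = 16
# Signature-type GUIDs from the UEFI spec: X.509 entries hold one DER cert,
# SHA-256 entries hold a hash and are not CA anchors.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def build_signature_list(payload, sig_type=EFI_CERT_X509_GUID, owner=uuid.UUID(int=0)):
    """Wrap one payload in an EFI_SIGNATURE_LIST holding a single
    EFI_SIGNATURE_DATA (SignatureOwner GUID + SignatureData), with an empty
    signature header. Used here only to construct sample input."""
    sig_size = GUID_LEN + len(payload)
    list_size = SIGLIST_HDR.size + sig_size          # SignatureHeaderSize is 0
    return (SIGLIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
            + owner.bytes_le + payload)


def parse_cacerts(blob):
    """Walk a concatenation of EFI_SIGNATURE_LISTs and return the DER certs
    found in X.509 lists as (owner_guid, der_bytes) tuples.
    Raises ValueError instead of trusting a truncated or inconsistent blob."""
    certs = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"SignatureListSize {list_size} overruns blob at offset {off}")
        body_off = off + SIGLIST_HDR.size + hdr_size
        body_len = list_size - SIGLIST_HDR.size - hdr_size
        if sig_size < GUID_LEN or body_len % sig_size != 0:
            raise ValueError(f"SignatureSize {sig_size} does not tile list at offset {off}")
        if uuid.UUID(bytes_le=sig_type) == EFI_CERT_X509_GUID:
            for i in range(body_len // sig_size):
                entry = blob[body_off + i * sig_size: body_off + (i + 1) * sig_size]
                certs.append((uuid.UUID(bytes_le=entry[:GUID_LEN]), entry[GUID_LEN:]))
        # Any other signature type (hash lists etc.) is not a CA cert: skip it.
        off += list_size
    return certs


def cert_fingerprints(blob):
    """SHA-256 hex fingerprints of each DER cert, for comparison against the
    host trust store (e.g. the output of `openssl x509 -fingerprint -sha256`)."""
    return [hashlib.sha256(der).hexdigest() for _, der in parse_cacerts(blob)]


# Constructed sample input: two tiny DER SEQUENCEs stand in for certificates
# (a real cacerts.bin carries the full X.509 DER of each CA anchor), with a
# SHA-256 hash list in between that a correct parser must ignore.
FAKE_CERT_A = bytes.fromhex("3003020105")
FAKE_CERT_B = bytes.fromhex("30050201070101ff")
SAMPLE_BLOB = (build_signature_list(FAKE_CERT_A)
               + build_signature_list(bytes(32), sig_type=EFI_CERT_SHA256_GUID)
               + build_signature_list(FAKE_CERT_B))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for owner, der in parse_cacerts(data):
        print(f"owner={owner} len={len(der)} sha256={hashlib.sha256(der).hexdigest()}")
```

Run it with the path to `cacerts.bin` as its only argument (or with no argument to walk the constructed sample). Comparing the printed fingerprints against the host's `ca-anchors` set is the quick way to confirm that `update-ca-trust extract` produced what the guest will actually trust, and an unexpected extra anchor in that file is worth investigating before HTTPS boot is enabled.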