On Fri, Jul 24, 2020 at 05:19:38PM +0100, Michael Brown wrote:
> On 22/07/2020 15:13, Daniel P. Berrangé wrote:
> > We could easily define etc/ipxe/https/{ciphers,cacerts} paths in a
> > different format if better suited for iPXE. Libvirt can set the right
> > path depending on whether it's booting a VM with EDK2 vs legacy BIOS
>
> The most useful for iPXE would probably be to expose the fw_cfg mechanism as
> a URI scheme. This would give a general mechanism allowing for use cases
> such as running a script provided by the host via e.g.
>
> chain fw_cfg:///opt/org.example/script.ipxe

Looks useful. (coreboot folks might want to add cbfs: support).

> The ${crosscert} setting could then be pointed at a base URL within the
> fw_cfg space, e.g.
>
> #define CROSSCERT "fw_cfg:///etc/ipxe/crosscert/auto"
>
> This would then work in the same way under either BIOS or UEFI (or other
> custom firmware), would provide a feature with applicability broader than
> just obtaining certificates, and would avoid any potential problems from
> allocating enough RAM to parse every root certificate from iPXE's fixed
> 512kB internal heap.

Well, it isn't that easy. fw_cfg isn't designed for a large number of files, and right now there is a hard limit of (IIRC) 32 entries. While adding an entry or two isn't that much of a problem, adding all *.der files (228 right now) hosted @ http://ca.ipxe.org/auto/ individually certainly is.

So, we'll have to pass a certificate bundle as a single file and have iPXE pick the certificate it needs from it.

take care,
  Gerd