All of lore.kernel.org
 help / color / mirror / Atom feed
From: Laszlo Ersek <lersek@redhat.com>
To: Gerd Hoffmann <kraxel@redhat.com>,
	ipxe-devel@lists.ipxe.org, qemu-devel@nongnu.org
Cc: crobinso@redhat.com
Subject: Re: https booting
Date: Wed, 22 Jul 2020 20:34:10 +0200	[thread overview]
Message-ID: <3ae745cb-487e-c380-7899-5fa274cc3e4c@redhat.com> (raw)
In-Reply-To: <20200722120827.dq72uabrk26nllra@sirius.home.kraxel.org>

On 07/22/20 14:08, Gerd Hoffmann wrote:

> How does edk2 handle the root ca problem?

It has no builtin CA certificate. HTTPS boot will not work until at
least one trusted CA cert is imported.

The setup TUI offers an option to import CA cert(s) from local files
(which must be on such filesystems that edk2 can read).

The platform may set up CA certs without (guest-)user interaction, too.
That's what OVMF and ArmVirtQemu do. On the host side, the command

  p11-kit extract --format=edk2-cacerts --filter=ca-anchors \
    --overwrite --purpose=server-auth <certdb>

translates the host-side trusted CA cert list into a format that edk2
can consume.

This p11-kit command is usually invoked as part of the higher-level command

  update-ca-trust extract

When "p11-kit extract" is invoked like that, then the <certdb> pathname
is (for example)

  /etc/pki/ca-trust/extracted/edk2/cacerts.bin

Then QEMU is launched with the following option:

  -fw_cfg name=etc/edk2/https/cacerts,file=<certdb>

OVMF and ArmVirtQemu then fetch the CA cert list from fw_cfg, and make
the generic TLS code use it:

- 9c7d0d499296 ("OvmfPkg/TlsAuthConfigLib: configure trusted CA certs
for HTTPS boot", 2018-03-30)

- ffe048a0807b ("ArmVirtPkg: handle NETWORK_TLS_ENABLE in ArmVirtQemu*",
2019-06-28)

Thanks
Laszlo



      parent reply	other threads:[~2020-07-22 18:35 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-22 12:08 https booting Gerd Hoffmann
2020-07-22 12:23 ` Daniel P. Berrangé
2020-07-22 13:55   ` Gerd Hoffmann
2020-07-22 14:13     ` Daniel P. Berrangé
2020-07-22 18:47       ` Laszlo Ersek
2020-07-24 16:19       ` [ipxe-devel] " Michael Brown
2020-08-03  7:37         ` Gerd Hoffmann
2020-07-22 13:21 ` Michael Brown
2020-07-22 13:45   ` Michael Brown
2020-08-03  8:04   ` Gerd Hoffmann
2020-07-22 18:34 ` Laszlo Ersek [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3ae745cb-487e-c380-7899-5fa274cc3e4c@redhat.com \
    --to=lersek@redhat.com \
    --cc=crobinso@redhat.com \
    --cc=ipxe-devel@lists.ipxe.org \
    --cc=kraxel@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.