Re: [ipxe-devel] https booting

From: Michael Brown <mcb30@ipxe.org>
To: Gerd Hoffmann <kraxel@redhat.com>,
	ipxe-devel@lists.ipxe.org, qemu-devel@nongnu.org
Cc: "László Érsek" <lersek@redhat.com>
Subject: Re: [ipxe-devel] https booting
Date: Wed, 22 Jul 2020 14:21:57 +0100	[thread overview]
Message-ID: <73923bb0-0a75-d8f1-fa49-87994e5354db@ipxe.org> (raw)
In-Reply-To: <20200722120827.dq72uabrk26nllra@sirius.home.kraxel.org>

On 22/07/2020 13:08, Gerd Hoffmann wrote:
> With the world moving to use https by default people start to ask for
> https being enabled by default for the qemu boot roms.
> 
> We could simply flip the DOWNLOAD_PROTO_HTTPS switch in
> src/config/qemu/general.h (ipxe git repo).  Note that this would only
> affect booting in bios mode, for uefi qemu uses the efidrv builds which
> implies https support is in the hands of the uefi firmware (edk2/ovmf).

The .efidrv builds can be used for booting via either the UEFI PXE flow 
(using iPXE as just a NIC driver) or via the iPXE flow (using iPXE as an 
application invoked via the NIC driver's EFI_LOAD_FILE_PROTOCOL entry 
point), so it might still be relevant to UEFI as well as BIOS.

> After looking at https://ipxe.org/cfg/crosscert I'm not convinced this
> is a good idea though.  This would likely put quite some load to
> ca.ipxe.org.  Also that machine becomes a single point of failure for
> worldwide ipxe https boot, and looking through the mailing list I've
> seen we already had (at least) two outages this year.

The crosscert fetches are static files (with iPXE including a query 
string only for debugging purposes), and it should be fairly 
straightforward for me to switch to hosting them in AWS S3 or 
equivalent.  The ca.ipxe.org domain is not used for anything else so 
could be pointed at a new hosting infrastructure with no disruption or 
code changes.

I would worry more about the OCSP service for the cross-signed 
certificates, since OCSP does not just serve static responses.  This 
service is currently implemented using openca-ocspd running on a VM in 
AWS.  I'm very open to suggestions on more scalable ways to host this.

> What happens if you sent crosscert to the empty string?

An empty string is equivalent to a deleted setting, so it will fall back 
to using the compiled-in default.

> Will ipxe fail or will it boot without cert verification?

iPXE does need to be able to construct a full certificate chain leading 
back to its trusted root certificate.  If the crosscert source is 
unavailable then otherwise valid certs will be treated as invalid since 
the information required to validate them is not avaiable.

> What does it take to mirror http://ca.ipxe.org/auto/?
> Just "wget -r" everything and serve it?

For the crosscert files, yes.  There's still OCSP to think about; see above.

> How does edk2 handle the root ca problem?

I'm also curious to know!

Thanks,

Michael