Re: https booting

["Daniel P. Berrangé" <berrange@redhat.com>]

On Wed, Jul 22, 2020 at 02:08:27PM +0200, Gerd Hoffmann wrote:
>   Hi,
> 
> With the world moving to use https by default people start to ask for
> https being enabled by default for the qemu boot roms.
> 
> We could simply flip the DOWNLOAD_PROTO_HTTPS switch in
> src/config/qemu/general.h (ipxe git repo).  Note that this would only
> affect booting in bios mode, for uefi qemu uses the efidrv builds which
> implies https support is in the hands of the uefi firmware (edk2/ovmf).
> 
> After looking at https://ipxe.org/cfg/crosscert I'm not convinced this
> is a good idea though.  This would likely put quite some load to
> ca.ipxe.org.  Also that machine becomes a single point of failure for
> worldwide ipxe https boot, and looking through the mailing list I've
> seen we already had (at least) two outages this year.
> 
> What happens if you sent crosscert to the empty string?
> Will ipxe fail or will it boot without cert verification?
> 
> What does it take to mirror http://ca.ipxe.org/auto/?
> Just "wget -r" everything and serve it?
> 
> How does edk2 handle the root ca problem?

There are two fw_cfg paths

  - etc/edk2/https/ciphers
  - etc/edk2/https/cacerts

The first sets the cipher algorithms that are permitted and their
priority, the second sets the CA certificate bundle.

There's some recently merged code in QEMU to simplify the setup
of the ciphers data via the "tls-cipher-suites" object, but
ultimately libvirt is responsible for passing suitable -fw_cfg
args to QEMU to populate both.

I'd suggest that iPXE needs to support the equivalent kind of
concept, both CA certs, and the cipher priority.

The rationale is that the OS vendor defines CA certs and cipher
priority for the host OS, with optional local administrator
override. Any firmware QEMU runs needs to honour the host OS
settings in this area, so we should have a mechanism for pass
in the relevant data from the host for iPXE IMHO.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|