Hi,
> > After looking at https://ipxe.org/cfg/crosscert I'm not convinced this
> > is a good idea though. This would likely put quite some load to
> > ca.ipxe.org. Also that machine becomes a single point of failure for
> > worldwide ipxe https boot, and looking through the mailing list I've
On Fri, Jul 24, 2020 at 05:19:38PM +0100, Michael Brown wrote:
> On 22/07/2020 15:13, Daniel P. Berrangé wrote:
> > We could easily define etc/ipxe/https/{ciphers,cacerts} paths in a
> > different format if better suited for iPXE. Libvirt can set the right
> > path depending on whether it's
On 22/07/2020 15:13, Daniel P. Berrangé wrote:
We could easily define etc/ipxe/https/{ciphers,cacerts} paths in a
different format if better suited for iPXE. Libvirt can set the right
path depending on whether it's booting a VM with EDK2 vs legacy BIOS
The most useful for iPXE would probably be
On Wed, Jul 22, 2020 at 03:55:38PM +0200, Gerd Hoffmann wrote:
> > > How does edk2 handle the root ca problem?
> >
> > There are two fw_cfg paths
> >
> > - etc/edk2/https/ciphers
> > - etc/edk2/https/cacerts
> >
> > The first sets the cipher algorithms that are permitted and their
> >
On Wed, Jul 22, 2020 at 02:08:27PM +0200, Gerd Hoffmann wrote:
> Hi,
>
> With the world moving to use https by default people start to ask for
> https being enabled by default for the qemu boot roms.
>
> We could simply flip the DOWNLOAD_PROTO_HTTPS switch in
> src/config/qemu/general.h (ipxe
On 07/22/20 16:13, Daniel P. Berrangé wrote:
> On Wed, Jul 22, 2020 at 03:55:38PM +0200, Gerd Hoffmann wrote:
>>>> How does edk2 handle the root ca problem?
>>>
>>> There are two fw_cfg paths
>>>
>>> - etc/edk2/https/ciphers
>>> - etc/edk2/https/cacerts
>>>
>>> The first sets the cipher
On 07/22/20 14:08, Gerd Hoffmann wrote:
> How does edk2 handle the root ca problem?
It has no builtin CA certificate. HTTPS boot will not work until at
least one trusted CA cert is imported.
The setup TUI offers an option to import CA cert(s) from local files
(which must be on such filesystems
> > How does edk2 handle the root ca problem?
>
> There are two fw_cfg paths
>
> - etc/edk2/https/ciphers
> - etc/edk2/https/cacerts
>
> The first sets the cipher algorithms that are permitted and their
> priority, the second sets the CA certificate bundle.
Ok, ipxe should be able to fetch
On 22/07/2020 14:21, Michael Brown wrote:
After looking at https://ipxe.org/cfg/crosscert I'm not convinced this
is a good idea though. This would likely put quite some load to
ca.ipxe.org. Also that machine becomes a single point of failure for
worldwide ipxe https boot, and looking through
On 22/07/2020 13:08, Gerd Hoffmann wrote:
With the world moving to use https by default people start to ask for
https being enabled by default for the qemu boot roms.
We could simply flip the DOWNLOAD_PROTO_HTTPS switch in
src/config/qemu/general.h (ipxe git repo). Note that this would only
Hi,
With the world moving to use https by default people start to ask for
https being enabled by default for the qemu boot roms.
We could simply flip the DOWNLOAD_PROTO_HTTPS switch in
src/config/qemu/general.h (ipxe git repo). Note that this would only
affect booting in bios mode, for uefi