[efi] Accept and trust CA certificates in the TlsCaCertificates variable

UEFI's built-in HTTPS boot mechanism requires the trusted CA certificates to be provided via the TlsCaCertificates variable. (There is no equivalent of the iPXE cross-signing mechanism, so it is not possible for UEFI to automatically use public CA certificates.) Users who have configured UEFI HTTPS boot to use a custom root of trust (e.g. a private CA certificate) may find it useful to have iPXE automatically pick up and use this same root of trust, so that iPXE can seamlessly fetch files via HTTPS from the same servers that were trusted by UEFI HTTPS boot, in addition to servers that iPXE can validate through other means such as cross-signed certificates. Parse the TlsCaCertificates variable at startup, add any certificates to the certificate store, and mark these certificates as trusted. There are no access restrictions on modifying the TlsCaCertificates variable: anybody with access to write UEFI variables is permitted to change the root of trust. The UEFI security model assumes that anyone with access to run code prior to ExitBootServices() or with access to modify UEFI variables from within a loaded operating system is supposed to be able to change the system's root of trust for TLS. Any certificates parsed from TlsCaCertificates will show up in the output of "certstat", and may be discarded using "certfree" if unwanted. Support for parsing TlsCaCertificates is enabled by default in EFI builds, but may be disabled in config/general.h if needed. As with the ${trust} setting, the contents of the TlsCaCertificates variable will be ignored if iPXE has been compiled with an explicit root of trust by specifying TRUST=... on the build command line. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-01 23:39:46 +03:00 · 2025-03-13 14:04:26 +00:00
parent aa49ce5b1d
commit ddc2d928d2
10 changed files with 261 additions and 3 deletions
--- a/src/include/ipxe/errfile.h
+++ b/src/include/ipxe/errfile.h
@@ -428,6 +428,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define ERRFILE_usb_cmd		      ( ERRFILE_OTHER | 0x00640000 )
 #define ERRFILE_usb_settings	      ( ERRFILE_OTHER | 0x00650000 )
 #define ERRFILE_weierstrass	      ( ERRFILE_OTHER | 0x00660000 )
+#define ERRFILE_efi_cacert	      ( ERRFILE_OTHER | 0x00670000 )

 /** @} */

--- a/src/include/ipxe/rootcert.h
+++ b/src/include/ipxe/rootcert.h
@@ -11,6 +11,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

 #include <ipxe/x509.h>

+extern const int allow_trust_override;
 extern struct x509_root root_certificates;

 #endif /* _IPXE_ROOTCERT_H */
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -421,6 +421,9 @@ extern int x509_certificate ( const void *data, size_t len,
 			      struct x509_certificate **cert );
 extern int x509_is_valid ( struct x509_certificate *cert,
 			   struct x509_root *root );
+extern void x509_set_valid ( struct x509_certificate *cert,
+			     struct x509_certificate *issuer,
+			     struct x509_root *root );
 extern int x509_validate ( struct x509_certificate *cert,
 			   struct x509_certificate *issuer,
 			   time_t time, struct x509_root *root );