ipxe

 

 

Compiling iPXE with HTTPS support failed

 

 

https://ipxe.org/crypto

 

Cryptography

iPXE supports the HTTPS protocol, which allows you to encrypt all communication with a web server and to verify the server's identity. To enable support for the HTTPS protocol, you must enable the DOWNLOAD_PROTO_HTTPS build configuration option.

iPXE supports code signing, which allows you to verify the authenticity and integrity of files downloaded by iPXE. To enable support for code signing, you must enable the IMAGE_TRUST_CMD build configuration option, and use the imgtrust command within an embedded script.

iPXE supports file decryption, which allows you to decrypt encrypted files downloaded by iPXE. To enable support for file decryption, you must enable the IMAGE_CRYPT_CMD build configuration option.

Supported configurations

Protocol versions: TLSv1.0, TLSv1.1, TLSv1.2
Public-key algorithms: RSA
Key exchange algorithms: RSA, DHE, ECDHE
Block cipher algorithms: AES-128-GCM, AES-256-GCM, AES-128-CBC, AES-256-CBC
Hash algorithms: MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256
Named curves: X25519

 

Trusted root certificates

In the default configuration, iPXE trusts only a single root certificate: the "iPXE root CA" certificate. This root certificate is used to cross-sign the standard Mozilla list of public CA certificates.

In the default configuration, iPXE will therefore automatically trust the same set of certificates as the Firefox web browser.

If you want more control over the chain of trust, then you can generate your own private root certificate ca.crt using:

  openssl req -x509 -newkey rsa:2048 -out ca.crt -keyout ca.key -days 1000

You can change the list of trusted root certificates when you build iPXE using the TRUST=... build parameter. For example, to trust your private root certificate ca.crt:

  make bin/ipxe.iso TRUST=ca.crt

This will create a custom version of the iPXE binary ipxe.iso which trusts your private root certificate ca.crt.

You can specify multiple root certificates to trust. For example:

  make bin/ipxe.iso TRUST=/path/to/ca1.crt,/path/to/ca2.crt

Certificates must be in PEM format.

Warning

The full root certificates are generally too large to be embedded into the iPXE binary, and so only the SHA-256 fingerprints will be included by default. If you are using the default "iPXE root CA" certificate, then iPXE will automatically download the full root certificate as needed from http://ca.ipxe.org/ca.crt (or from a mirror specified using the crosscert setting).

If you are using a private root certificate, then you must make this certificate available to iPXE either by setting up your own crosscert server, or by including the root certificate within all certificate chains presented to iPXE (as documented below), or by explicitly embedding the full root certificate within the iPXE binary.
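
With a private root and no crosscert server or embedded full certificate, the server's chain has to carry the root itself. The script below is an added example, not part of the iPXE documentation or the original post: it checks that a PEM chain file contains the certificate whose SHA-256 fingerprint matches the ca.crt given to TRUST=. The subject names, file names, the -nodes and -subj options, and the assumption that the embedded fingerprint is the digest printed by openssl x509 -fingerprint -sha256 are choices made for this example.

```shell
# Added example. All keys and certificates are constructed throwaway samples.
set -eu

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Split PEM chain $1 into $2/cert-N.pem, one certificate per file.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}

# Return 0 only if chain $2 contains the certificate with root $1's fingerprint.
chain_has_root() {
    want=$(cert_fp "$1")
    parts=$(mktemp -d)
    split_chain "$2" "$parts"
    found=1
    for c in "$parts"/cert-*.pem; do
        [ -f "$c" ] || continue
        if [ "$(cert_fp "$c")" = "$want" ]; then found=0; fi
    done
    rm -rf "$parts"
    return "$found"
}

# Build sample material in directory $1: private root, server cert, two chains.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Private Root" \
        -out "$d/ca.crt" -keyout "$d/ca.key" -days 1000 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=boot.example.test" \
        -out "$d/server.csr" -keyout "$d/server.key" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/server.crt" -days 30 2>/dev/null
    cat "$d/server.crt" "$d/ca.crt" > "$d/chain-with-root.pem"
    cp "$d/server.crt" "$d/chain-leaf-only.pem"
}

work=$(mktemp -d)
make_demo "$work"
echo "fingerprint of TRUST=ca.crt: $(cert_fp "$work/ca.crt")"
chain_has_root "$work/ca.crt" "$work/chain-with-root.pem" && echo "with root: ok"
chain_has_root "$work/ca.crt" "$work/chain-leaf-only.pem" || echo "leaf only: root missing"
```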

 

 

posted @ 2024-12-19 15:59  redrobot