ipxe: compiling with HTTPS support, failed
https://ipxe.org/crypto
Cryptography
iPXE supports the HTTPS protocol, which allows you to encrypt all communication with a web server and to verify the server's identity. To enable support for the HTTPS protocol, you must enable the DOWNLOAD_PROTO_HTTPS build configuration option.
iPXE supports code signing, which allows you to verify the authenticity and integrity of files downloaded by iPXE. To enable support for code signing, you must enable the IMAGE_TRUST_CMD build configuration option, and use the imgtrust command within an embedded script.
iPXE supports file decryption, which allows you to decrypt encrypted files downloaded by iPXE. To enable support for file decryption, you must enable the IMAGE_CRYPT_CMD build configuration option.
Supported configurations
| Feature | Supported |
|---|---|
| Protocol versions | TLSv1.0, TLSv1.1, TLSv1.2 |
| Public-key algorithms | RSA |
| Key exchange algorithms | RSA, DHE, ECDHE |
| Block cipher algorithms | AES-128-GCM, AES-256-GCM, AES-128-CBC, AES-256-CBC |
| Hash algorithms | MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 |
| Named curves | X25519 |
Trusted root certificates
In the default configuration, iPXE trusts only a single root certificate: the "iPXE root CA" certificate. This root certificate is used to cross-sign the standard Mozilla list of public CA certificates.
In the default configuration, iPXE will therefore automatically trust the same set of certificates as the Firefox web browser.
If you want more control over the chain of trust, then you can generate your own private root certificate ca.crt using:
openssl req -x509 -newkey rsa:2048 -out ca.crt -keyout ca.key -days 1000
You can change the list of trusted root certificates when you build iPXE using the TRUST=... build parameter. For example, to trust your private root certificate ca.crt:
make bin/ipxe.iso TRUST=ca.crt
This will create a custom version of the iPXE binary ipxe.iso which trusts your private root certificate ca.crt.
You can specify multiple root certificates to trust. For example:
make bin/ipxe.iso TRUST=/path/to/ca1.crt,/path/to/ca2.crt
Certificates must be in PEM format.
The full root certificates are generally too large to be embedded into the iPXE binary, and so only the SHA-256 fingerprints will be included by default. If you are using the default "iPXE root CA" certificate, then iPXE will automatically download the full root certificate as needed from http://ca.ipxe.org/ca.crt (or from a mirror specified using the crosscert setting).
If you are using a private root certificate, then you must make this certificate available to iPXE either by setting up your own crosscert server, or by including the root certificate within all certificate chains presented to iPXE (as documented below), or by explicitly embedding the full root certificate within the iPXE binary.