Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ipxe: Add options to specify trusted root certificate and enable image trust management #52593

Closed
wants to merge 1 commit into from
Closed

ipxe: Add options to specify trusted root certificate and enable image trust management #52593

wants to merge 1 commit into from

Conversation

ali-abrar
Copy link
Contributor

@ali-abrar ali-abrar commented Dec 20, 2018
edited

Motivation for this change

These changes are necessary for the "Trusted root certificates" and
"Code signing" sections of ipxe's Cryptography configuration guide
(http://ipxe.org/crypto).

"DOWNLOAD_PROTO_HTTPS" is defaulted to true for backward
compatibility (it was hard-coded before).

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@ali-abrar
ipxe: Add options to specify trusted root certificate and enable imag…
37aa57e 
…e trust management

These changes are necessary for the "Trusted root certificates" and
"Code signing" sections of ipxe's Cryptography configuration guide
(http://ipxe.org/crypto).

"DOWNLOAD_PROTO_HTTPS" is defaulted to `true` for backward
compatibility (it was hard-coded before).
@ali-abrar
Copy link
Contributor Author

I tested the resulting ipxe.iso with both a custom trusted root cert and an embedded script that used the imgtrust and imgverify commands from IMAGE_TRUST_CMD by dding it to a usb and booting it. It appeared to work as expected.

grahamc
grahamc reviewed Dec 23, 2018
View reviewed changes
pkgs/tools/misc/ipxe/default.nix


enabledOptions = [ "DOWNLOAD_PROTO_HTTPS" ];
enabledOptions = lib.optional optionDownloadProtoHttps "DOWNLOAD_PROTO_HTTPS"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm why add an option for it?

Copy link
Contributor Author

@ali-abrar ali-abrar Jan 6, 2019
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought rather than arbitrarily hard-coding certain options while exposing others, it might be better to allow each supported option to be set by the user. I defaulted this option to its previous value (enabled), so there should be no difference from the perspective of current users of this module.

cleverca22
cleverca22 reviewed Jun 6, 2019
View reviewed changes
pkgs/tools/misc/ipxe/default.nix
@@ -27,10 +30,12 @@ stdenv.mkDerivation {
[ "ECHO_E_BIN_ECHO=echo" "ECHO_E_BIN_ECHO_E=echo" # No /bin/echo here.
"ISOLINUX_BIN_LIST=${syslinux}/share/syslinux/isolinux.bin"
"LDLINUX_C32=${syslinux}/share/syslinux/ldlinux.c32"
] ++ lib.optional (embedScript != null) "EMBED=${embedScript}";
] ++ lib.optional (trustedRootCert != null) "TRUST=${trustedRootCert}"
++ lib.optional (embedScript != null) "EMBED=${embedScript}";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CERT= is missing from this list, so you cant embed a cert into the binary

cleverca22
cleverca22 reviewed Jun 6, 2019
View reviewed changes
pkgs/tools/misc/ipxe/default.nix


enabledOptions = [ "DOWNLOAD_PROTO_HTTPS" ];
enabledOptions = lib.optional optionDownloadProtoHttps "DOWNLOAD_PROTO_HTTPS"
++ lib.optional optionImageTrustCmd "IMAGE_TRUST_CMD";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could maybe also add CONSOLE_SERIAL and POWEROFF_CMD as optional commands

@stale
Copy link

stale bot commented Jun 2, 2020

Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the
    related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse. 3. Ask on the #nixos channel on
    irc.freenode.net.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 2, 2020
@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Oct 3, 2020
@ali-abrar ali-abrar closed this Apr 30, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@grahamc grahamc grahamc left review comments

@cleverca22 cleverca22 cleverca22 left review comments

Assignees
No one assigned
Labels
2.status: merge conflict 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
Security
Awaiting triage
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@ali-abrar @grahamc @cleverca22 @ryantm @GrahamcOfBorg