iPXE
rootcert.c File Reference

Root certificate store.

#include <stdlib.h>
#include <ipxe/crypto.h>
#include <ipxe/sha256.h>
#include <ipxe/x509.h>
#include <ipxe/settings.h>
#include <ipxe/dhcp.h>
#include <ipxe/init.h>
#include <ipxe/rootcert.h>


Defines

#define FINGERPRINT_LEN   SHA256_DIGEST_SIZE
 Length of a root certificate fingerprint.
#define ALLOW_TRUST_OVERRIDE   1
#define TRUSTED

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
static struct setting trust_setting __setting (SETTING_CRYPTO, trust)
 Root certificate fingerprint setting.
static void rootcert_init (void)
 Initialise root certificate.
struct startup_fn
rootcert_startup_fn 
__startup_fn (STARTUP_LATE)
 Root certificate initialiser.

Variables

static const uint8_t fingerprints [] = { TRUSTED }
 Root certificate fingerprints.
struct x509_root root_certificates
 Root certificates.

Detailed Description

Root certificate store.

Definition in file rootcert.c.


Define Documentation

#define FINGERPRINT_LEN   SHA256_DIGEST_SIZE

Length of a root certificate fingerprint.

Definition at line 42 of file rootcert.c.

Referenced by rootcert_init().

#define ALLOW_TRUST_OVERRIDE   1

Definition at line 48 of file rootcert.c.

Referenced by rootcert_init().

#define TRUSTED
Value:
/* iPXE root CA: one SHA-256 fingerprint (32 bytes) */          \
        0x9f, 0xaf, 0x71, 0x7b, 0x7f, 0x8c, 0xa2, 0xf9, 0x3c, 0x25,     \
        0x6c, 0x79, 0xf8, 0xac, 0x55, 0x91, 0x89, 0x5d, 0x66, 0xd1,     \
        0xff, 0x3b, 0xee, 0x63, 0x97, 0xa7, 0x0d, 0x29, 0xc6, 0x5e,     \
        0xed, 0x1a,

Definition at line 53 of file rootcert.c.


Function Documentation

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )
static struct setting trust_setting __setting ( SETTING_CRYPTO  ,
trust   
) [static, read]

Root certificate fingerprint setting.

static void rootcert_init ( void  ) [static]

Initialise root certificate.

The list of trusted root certificates can be specified at build time using the TRUST= build parameter. If no certificates are specified, then the default iPXE root CA certificate is trusted.

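If no certificates were explicitly specified, then we allow the list of trusted root certificate fingerprints to be overridden using the "trust" setting, but only at the point of iPXE initialisation: the setting is read once, on the first call, and later changes to it are ignored. This prevents untrusted sources of settings (e.g. DHCP) from subverting the chain of trust, while allowing trustworthy sources (e.g. VMware GuestInfo or non-volatile stored options) to specify the trusted root certificate without requiring a rebuild. When present, the setting replaces the built-in list rather than extending it, and is interpreted as a sequence of FINGERPRINT_LEN-byte fingerprints; any trailing partial fingerprint is not counted.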

Definition at line 95 of file rootcert.c.

References ALLOW_TRUST_OVERRIDE, x509_root::count, DBGC, DBGC_HDA, fetch_raw_setting_copy(), FINGERPRINT_LEN, x509_root::fingerprints, len, and NULL.

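                                   {
        /* Set on the first call.  The "trust" setting is consulted
         * only while this is clear, so settings that appear or change
         * later cannot alter the trusted root list.
         */
        static int initialised;
        void *external = NULL;
        int len;

        /* Allow trusted root certificates to be overridden only if
         * not explicitly specified at build time.
         */
        if ( ALLOW_TRUST_OVERRIDE && ( ! initialised ) ) {

                /* Fetch copy of "trust" setting, if it exists.  This
                 * memory will never be freed: root_certificates keeps
                 * pointing at it.
                 */
                if ( ( len = fetch_raw_setting_copy ( NULL, &trust_setting,
                                                      &external ) ) >= 0 ) {

                        /* Only whole fingerprints are counted; report
                         * a malformed setting rather than silently
                         * dropping the trailing bytes.
                         */
                        if ( len % FINGERPRINT_LEN ) {
                                DBGC ( &root_certificates, "ROOTCERT ignoring "
                                       "%d trailing byte(s) of \"trust\" "
                                       "setting\n",
                                       ( ( int ) ( len % FINGERPRINT_LEN ) ) );
                        }

                        /* The setting replaces (does not extend) the
                         * built-in fingerprint list.
                         */
                        root_certificates.fingerprints = external;
                        root_certificates.count = ( len / FINGERPRINT_LEN );
                }

                /* Prevent subsequent modifications */
                initialised = 1;
        }

        /* Report the list actually in use.  The local "external"
         * pointer is NULL on every call after the first, so compare
         * against the built-in array instead to avoid mislabelling an
         * overridden list as "built-in".
         */
        DBGC ( &root_certificates, "ROOTCERT using %d %s certificate(s):\n",
               root_certificates.count,
               ( ( root_certificates.fingerprints != fingerprints ) ?
                 "external" : "built-in" ) );
        DBGC_HDA ( &root_certificates, 0, root_certificates.fingerprints,
                   ( root_certificates.count * FINGERPRINT_LEN ) );
}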
struct startup_fn rootcert_startup_fn __startup_fn ( STARTUP_LATE  ) [read]

Root certificate initialiser.


Variable Documentation

const uint8_t fingerprints[] = { TRUSTED } [static]

Root certificate fingerprints.

Definition at line 62 of file rootcert.c.

struct x509_root root_certificates

Initial value:
 {
        /* Fingerprints are SHA-256 digests (FINGERPRINT_LEN is
         * SHA256_DIGEST_SIZE).
         */
        .digest = &sha256_algorithm,
        /* Number of whole fingerprints in the built-in array */
        .count = ( sizeof ( fingerprints ) / FINGERPRINT_LEN ),
        /* Built-in list; rootcert_init() may repoint this at a copy
         * of the "trust" setting.
         */
        .fingerprints = fingerprints,
}

Root certificates.

Definition at line 73 of file rootcert.c.

Referenced by x509_validate().