Introduction to UEFI HTTP(s) Boot with QEMU/OVMF
- #Network Booting
- #UEFI
- #HTTPS Boot
- PXE is the historic network booting solution based on DHCP and TFTP but is complex to configure, insecure, and lacks high availability.
- Modern UEFI systems support HTTP(S) boot, leveraging HTTPS for security, integrity, and high availability, offering improvements over PXE.
- HTTP boot requires a random number generator device (e.g., virtio-rng-pci) in OVMF to enable the network stack; without it, boot fails silently.
- Speed improvements for HTTP boot can be achieved by disabling IPv4 and IPv6 PXE support via QEMU's fw_cfg options to avoid timeouts.
- HTTPS boot requires providing a trusted CA certificate store to OVMF (e.g., via fw_cfg) and may fail if server certificates do not meet OpenSSL security level 3 requirements.
- Debugging HTTPS boot involves using a DEBUG build of OVMF to access logs, revealing TLS errors like certificate verification failures due to weak keys.
- Patching EDK II to lower the SSL security level from 3 to 2 allowed HTTPS boot to succeed with certificates that would otherwise be rejected.
- Practical methods include DHCP-based HTTP boot, UEFI variable injection for HTTP/HTTPS boot, and using tools like virt-fw-vars and p11-kit for certificate management.