Date: Sat, 24 Jan 2015 19:17:14 -0500
From: mischief@9.offblast.org
To: 9front@9front.org
Subject: boot root filesystem over tls
Message-ID: <42564d90e74d01f64a2518a3c6edf506@sigma.offblast.org>
List-ID: <9front.9front.org>

attached is a diff to boot the root filesystem over tls. a new bootargs argument is added, tcptls. if used, the fingerprint of the remote server is checked against fsthumb=, set in plan9.ini, in thumbprint(6) format.

any comments on this?

diff -r 27d6b9ab8cce sys/src/9/boot/bootfs.proto --- a/sys/src/9/boot/bootfs.proto Fri Jan 23 14:01:56 2015 +0100 +++ b/sys/src/9/boot/bootfs.proto Sat Jan 24 16:12:33 2015 -0800 @@ -35,6 +35,7 @@ sleep srv test + tlsclient unmount nusb usbd diff -r 27d6b9ab8cce sys/src/9/boot/bootrc --- a/sys/src/9/boot/bootrc Fri Jan 23 14:01:56 2015 +0100 +++ b/sys/src/9/boot/bootrc Sat Jan 24 16:12:33 2015 -0800 @@ -66,7 +66,7 @@ if(~ $#nobootprompt 0){ echo showlocaldevs - ask bootargs ' is (tcp, il, local!device)' $"bootargs + ask bootargs ' is (tcp, tcptls, il, local!device)' $"bootargs } if not bootargs=$nobootprompt nobootprompt=() diff -r 27d6b9ab8cce sys/src/9/boot/net.rc --- a/sys/src/9/boot/net.rc Fri Jan 23 14:01:56 2015 +0100 +++ b/sys/src/9/boot/net.rc Sat Jan 24 16:12:33 2015 -0800 
@@ -48,6 +48,12 @@ fs=$fs(1) } +fn connecttcptls{ + while(! ~ $#fs 0 && ! srv -qe 'tlsclient -t <{echo $fsthumb} tcp!'^$fs(1)^!5564 boot) + fs=$fs(2-); + fs=$fs(1) +} + fn connectil{ while(! ~ $#fs 0 && ! srv -q il!$fs(1)^!17008 boot) fs=$fs(2-); @@ -55,5 +61,7 @@ } mtcp=(confignet connecttcp) +mtcptls=(confignet connecttcptls) mil=(confignet connectil) -mt=(mtcp mil $mt) +mt=(mtcp mtcptls mil $mt) + --upas-ibzlwjwrmkdflarhhwzqvtcunq--
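
Review bot: the bootrc hunk adds tcptls to the bootargs prompt, but nothing in the patch documents the new method. As it stands a user has to read net.rc to learn that fsthumb= must be set in plan9.ini and that the file server is dialed on tcp port 5564. Suggest describing both, along with the expected thumbprint(6) format of the value, in plan9.ini(8) as part of this change.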
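
Review bot: in the first net.rc hunk, connecttcptls never checks that $fsthumb is set before running tlsclient -t <{echo $fsthumb}, and any failure of the srv command, a thumbprint mismatch included, is handled exactly like an unreachable server: the loop drops that entry and tries the next one in $fs. Suggest refusing the tcptls method with a clear message when $fsthumb is empty, and reporting a rejected certificate on the console instead of silently moving on, since that is the one failure this method exists to catch. Note also that the single $fsthumb value is applied to every server in $fs, which is worth stating wherever fsthumb= gets documented.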
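
Review bot: the last net.rc hunk ends with a bare + line after mt=(mtcp mtcptls mil $mt), so the file gains a trailing blank line. Drop that final added line so the hunk only adds mtcptls and the updated mt list.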