proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-06-14 12:49:28 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
720 Commits 1 Branch 3 Tags 11 MiB
C 97.8%
Makefile 0.8%
Shell 0.7%
Assembly 0.7%
06e98a10f6
Go to file
Peter Jones 06e98a10f6 Move a bunch of PE-related stuff out of shim.c 
Signed-off-by: Peter Jones <pjones@redhat.com>
2021-02-13 11:02:59 -05:00
.github/workflows github workflows: add the sbat branch to one PR builds run for 2021-02-05 16:30:57 -05:00
Cryptlib Make openssl accept the right set of KU/EKUs 2020-07-23 22:22:04 -04:00
data Add a .sbat section to EFI binaries 2021-02-12 12:51:32 -05:00
include Move a bunch of PE-related stuff out of shim.c 2021-02-13 11:02:59 -05:00
lib Always use lower case for our local include file names. 2021-01-29 18:24:57 -05:00
.clang-format Add a .clang-format file. 2021-01-29 18:24:57 -05:00
.gitignore efi bins: add an easy way for vendors to add .sbat data 2021-02-12 19:27:21 +01:00
buildid.c Fix the license on our buildid extractor. 2020-07-23 20:53:24 -04:00
BUILDING efi bins: add an easy way for vendors to add .sbat data 2021-02-12 19:27:21 +01:00
cert.S Add support for vendor_db built-in shim authorized list. 2020-07-23 22:22:04 -04:00
COPYRIGHT Add copyright file 2012-07-09 11:03:12 -04:00
crypt_blowfish.c Move includes around to clean the source tree up a bit. 2018-03-12 16:21:43 -04:00
elf_aarch64_efi.lds efi bins: add an easy way for vendors to add .sbat data 2021-02-12 19:27:21 +01:00
elf_arm_efi.lds efi bins: add an easy way for vendors to add .sbat data 2021-02-12 19:27:21 +01:00
elf_ia32_efi.lds efi bins: add an easy way for vendors to add .sbat data 2021-02-12 19:27:21 +01:00
elf_ia64_efi.lds efi bins: add an easy way for vendors to add .sbat data 2021-02-12 19:27:21 +01:00
elf_x86_64_efi.lds efi bins: add an easy way for vendors to add .sbat data 2021-02-12 19:27:21 +01:00
errlog.c Improve debug output some 2020-07-25 22:14:08 -04:00
fallback.c Work around some clang-format oddnesses 2021-01-29 18:24:57 -05:00
httpboot.c translate_slashes(): don't write to string literals 2020-07-23 20:53:24 -04:00
make-certs Use portable shebangs: /bin/bash -> /usr/bin/env bash 2020-07-23 20:53:24 -04:00
Make.coverity Add 'make coverity' target. 2018-03-12 16:21:43 -04:00
Make.defaults efi bins: add an easy way for vendors to add .sbat data 2021-02-12 19:27:21 +01:00
Make.rules efi bins: add an easy way for vendors to add .sbat data 2021-02-12 19:27:21 +01:00
Make.scan-build Work around clang bugs for scan-build. 2018-03-15 11:23:26 -04:00
Makefile Move a bunch of PE-related stuff out of shim.c 2021-02-13 11:02:59 -05:00
model.c Add a model file for coverity. 2018-03-12 16:21:43 -04:00
mok.c Work around some clang-format oddnesses 2021-01-29 18:24:57 -05:00
MokManager.c Fix some mokmanager deletion paths 2020-10-15 19:17:35 -04:00
MokVars.txt Add MokListX to MokVars.txt 2017-08-03 11:00:58 -04:00
netboot.c Check PxeReplyReceived as fallback in netboot 2020-07-23 20:53:24 -04:00
PasswordCrypt.c shim: Use EFI_ERROR() instead of comparing to EFI_SUCCESS everywhere. 2018-03-12 16:21:43 -04:00
pe.c Move a bunch of PE-related stuff out of shim.c 2021-02-13 11:02:59 -05:00
README Add install targets. 2017-08-11 15:18:39 -04:00
README.fallback README.fallback: correct the path of BOOT.CSV in layout example 2017-07-24 14:12:31 -04:00
README.tpm Add support for vendor_db built-in shim authorized list. 2020-07-23 22:22:04 -04:00
replacements.c shim: compile time option to bypass the ExitBootServices() check 2021-01-29 15:53:34 -05:00
sbat.c Add a .sbat section to EFI binaries 2021-02-12 12:51:32 -05:00
shim.c Move a bunch of PE-related stuff out of shim.c 2021-02-13 11:02:59 -05:00
shim.h Move a bunch of PE-related stuff out of shim.c 2021-02-13 11:02:59 -05:00
testplan.txt Another testplan error. 2014-10-02 01:01:46 -04:00
TODO Add another TODO for shim-16 2018-04-04 16:49:43 -04:00
tpm.c Fix a broken tpm type 2020-07-23 20:53:24 -04:00
travis-build.sh travis: Fix a typo 2018-03-14 18:41:59 -04:00
version.c.in Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
version.h Add ident-like blobs to shim.efi for version checking. 2013-10-03 11:11:09 -04:00

README 

shim is a trivial EFI application that, when run, attempts to open and
execute another application. It will initially attempt to do this via the
standard EFI LoadImage() and StartImage() calls. If these fail (because secure
boot is enabled and the binary is not signed with an appropriate key, for
instance) it will then validate the binary against a built-in certificate. If
this succeeds and if the binary or signing key are not blacklisted then shim
will relocate and execute the binary.

shim will also install a protocol which permits the second-stage bootloader
to perform similar binary validation. This protocol has a GUID as described
in the shim.h header file and provides a single entry point. On 64-bit systems
this entry point expects to be called with SysV ABI rather than MSABI, and
so calls to it should not be wrapped.

On systems with a TPM chip enabled and supported by the system firmware,
shim will extend various PCRs with the digests of the targets it is
loading.  A full list is in the file README.tpm .

To use shim, simply place a DER-encoded public certificate in a file such as
pub.cer and build with "make VENDOR_CERT_FILE=pub.cer".

There are a couple of build options, and a couple of ways to customize the
build, described in BUILDING.