mirror of
https://git.proxmox.com/git/efi-boot-shim
synced 2025-08-15 02:18:32 +00:00
0cc030c2f2
AMI BIOS (e.g, Intel NUC5i3MYHE) may automatically hide and patch BootXXXX variables with ami_masked_device_path_guid. Initially, the normal boot option created by fallback looks like this: 00000000 01 00 00 00 5e 00 42 00 6f 00 6f 00 74 00 6c 00 |....^.B.o.o.t.l.| 00000010 6f 00 61 00 64 00 65 00 72 00 20 00 54 00 65 00 |o.a.d.e.r. .T.e.| 00000020 73 00 74 00 20 00 28 00 36 00 34 00 2d 00 62 00 |s.t. .(.6.4.-.b.| 00000030 69 00 74 00 29 00 00 00 04 01 2a 00 01 00 00 00 |i.t.).....*.....| 00000040 00 08 00 00 00 00 00 00 00 00 08 00 00 00 00 00 |................| 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000060 01 01 04 04 30 00 5c 00 45 00 46 00 49 00 5c 00 |....0.\.E.F.I.\.| 00000070 42 00 4f 00 4f 00 54 00 5c 00 74 00 65 00 73 00 |B.O.O.T.\.t.e.s.| 00000080 74 00 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 |t.x.6.4...e.f.i.| 00000090 00 00 7f ff 04 00 |......| 00000096 after reboot, fallback has to create a new one due to the previous boot option is hidden and masked by AMI BIOS: 00000000 09 00 00 00 76 00 42 00 6f 00 6f 00 74 00 6c 00 |....v.B.o.o.t.l.| 00000010 6f 00 61 00 64 00 65 00 72 00 20 00 54 00 65 00 |o.a.d.e.r. .T.e.| 00000020 73 00 74 00 20 00 28 00 36 00 34 00 2d 00 62 00 |s.t. .(.6.4.-.b.| 00000030 69 00 74 00 29 00 00 00 01 04 14 00 e7 75 e2 99 |i.t.)........u..| 00000040 a0 75 37 4b a2 e6 c5 38 5e 6c 00 cb 7f ff 04 00 |.u7K...8^l......| 00000050 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 |..*.............| 00000060 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000070 00 00 00 00 00 00 00 00 01 01 04 04 30 00 5c 00 |............0.\.| 00000080 45 00 46 00 49 00 5c 00 42 00 4f 00 4f 00 54 00 |E.F.I.\.B.O.O.T.| 00000090 5c 00 74 00 65 00 73 00 74 00 78 00 36 00 34 00 |\.t.e.s.t.x.6.4.| 000000a0 2e 00 65 00 66 00 69 00 00 00 7f ff 04 00 |..e.f.i.......| 000000ae And after several reboot, fallback will have to create more boot options because AMI BIOS corrupts the previous ones. We can get the valid device path if just skipping the masked device path and its next end path. Signed-off-by: Lans Zhang <jia.zhang@windriver.com> |
||
|---|---|---|
| Cryptlib | ||
| include | ||
| lib | ||
| .gitignore | ||
| cert.S | ||
| COPYRIGHT | ||
| crypt_blowfish.c | ||
| crypt_blowfish.h | ||
| elf_aarch64_efi.lds | ||
| elf_arm_efi.lds | ||
| elf_ia32_efi.lds | ||
| elf_ia64_efi.lds | ||
| elf_x86_64_efi.lds | ||
| fallback.c | ||
| hexdump.h | ||
| httpboot.c | ||
| httpboot.h | ||
| make-certs | ||
| Makefile | ||
| MokManager.c | ||
| MokVars.txt | ||
| netboot.c | ||
| netboot.h | ||
| PasswordCrypt.c | ||
| PasswordCrypt.h | ||
| README | ||
| README.fallback | ||
| README.tpm | ||
| replacements.c | ||
| replacements.h | ||
| shim.c | ||
| shim.h | ||
| testplan.txt | ||
| TODO | ||
| tpm.c | ||
| tpm.h | ||
| ucs2.h | ||
| version.c.in | ||
| version.h | ||
shim is a trivial EFI application that, when run, attempts to open and execute another application. It will initially attempt to do this via the standard EFI LoadImage() and StartImage() calls. If these fail (because secure boot is enabled and the binary is not signed with an appropriate key, for instance) it will then validate the binary against a built-in certificate. If this succeeds and if the binary or signing key are not blacklisted then shim will relocate and execute the binary. shim will also install a protocol which permits the second-stage bootloader to perform similar binary validation. This protocol has a GUID as described in the shim.h header file and provides a single entry point. On 64-bit systems this entry point expects to be called with SysV ABI rather than MSABI, and so calls to it should not be wrapped. On systems with a TPM chip enabled and supported by the system firmware, shim will extend various PCRs with the digests of the targets it is loading. A full list is in the file README.tpm . To use shim, simply place a DER-encoded public certificate in a file such as pub.cer and build with "make VENDOR_CERT_FILE=pub.cer".