proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-08-03 03:05:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
516 Commits 1 Branch 3 Tags 11 MiB
C 97.8%
Makefile 0.8%
Shell 0.7%
Assembly 0.7%
1d39ada8cb
Go to file
Peter Jones 1d39ada8cb Revert lots of Cryptlib updates. 
OpenSSL changes quite a bit of the key validation, and most of the keys
I can find in the wild aren't marked as trusted by the new checker.

Intel noticed this too: https://github.com/vathpela/edk2/commit/f536d7c3ed
but instead of fixing the compatibility error, they switched their test
data to match the bug.

So that's pretty broken.

For now, I'm reverting OpenSSL 1.1.0e, because we need those certs in
the wild to work.

This reverts commit 513cbe2aea.
This reverts commit e9cc33d6f2.
This reverts commit 80d49f758e.
This reverts commit 9bc647e2b2.
This reverts commit ae75df6232.
This reverts commit e883479f35.
This reverts commit 97469449fd.
This reverts commit e39692647f.
This reverts commit 0f3dfc01e2.
This reverts commit 4da6ac8195.
This reverts commit d064bd7eef.
This reverts commit 9bc86cfd6f.
This reverts commit ab9a05a10f.

Signed-off-by: Peter Jones <pjones@redhat.com>
2017-08-31 15:13:58 -04:00
Cryptlib Revert lots of Cryptlib updates. 2017-08-31 15:13:58 -04:00
include Add a mechanism to print openssl errors 2017-08-31 15:13:45 -04:00
lib Add a mechanism to print openssl errors 2017-08-31 15:13:45 -04:00
.gitignore Add install targets. 2017-08-11 15:18:39 -04:00
buildid.c Make better debuginfo and install it reasonably. 2017-08-11 15:18:39 -04:00
BUILDING Add ENABLE_SHIM_CERT to make MokManager/fallback signing optional. 2017-08-11 15:18:39 -04:00
cert.S Add support for 32-bit ARM 2014-08-12 10:54:05 -04:00
COPYRIGHT Add copyright file 2012-07-09 11:03:12 -04:00
crypt_blowfish.c MokManager: support blowfish-based crypt() hash 2013-09-26 11:58:01 -04:00
crypt_blowfish.h MokManager: support blowfish-based crypt() hash 2013-09-26 11:58:01 -04:00
elf_aarch64_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_arm_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_ia32_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_ia64_efi.lds Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
elf_x86_64_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
fallback.c fallback: work around the issue of boot option creation with AMI BIOS 2017-08-11 14:10:43 -04:00
hexdump.h Add a utility hexdump() call we can use when we need it. 2015-11-17 11:39:28 -05:00
httpboot.c httpboot: fix OVMF crash 2017-07-17 13:13:00 -04:00
httpboot.h Fix some type errors gcc7 finds in http boot code. 2017-02-27 15:45:54 -05:00
make-certs Sign MokManager with a locally-generated key 2012-11-26 13:43:50 -05:00
Makefile Add ENABLE_SHIM_HASH and make install-as-data know how to install it. 2017-08-11 15:46:43 -04:00
MokManager.c Revert lots of Cryptlib updates. 2017-08-31 15:13:58 -04:00
MokVars.txt Add MokListX to MokVars.txt 2017-08-03 11:00:58 -04:00
netboot.c Make translate_slashes() public 2016-09-06 14:49:52 -04:00
netboot.h netboot.h: fix build error on 32-bit systems 2013-11-12 10:25:40 -05:00
PasswordCrypt.c Revert lots of Cryptlib updates. 2017-08-31 15:13:58 -04:00
PasswordCrypt.h MokManager: support Tradition DES hash 2013-09-26 11:58:01 -04:00
README Add install targets. 2017-08-11 15:18:39 -04:00
README.fallback README.fallback: correct the path of BOOT.CSV in layout example 2017-07-24 14:12:31 -04:00
README.tpm Add README.tpm to explain which PCRs we extend things to. 2017-08-03 11:24:56 -04:00
replacements.c Make msleep() be a thing 2017-08-31 15:13:34 -04:00
replacements.h Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
shim.c Revert lots of Cryptlib updates. 2017-08-31 15:13:58 -04:00
shim.h Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
testplan.txt Another testplan error. 2014-10-02 01:01:46 -04:00
TODO Update TODO with some stuff 2017-08-11 15:18:39 -04:00
tpm.c Make fallback aware of tpm measurements, and reboot if tpm is used. 2017-08-03 11:00:58 -04:00
tpm.h Make fallback aware of tpm measurements, and reboot if tpm is used. 2017-08-03 11:00:58 -04:00
ucs2.h Don't test for the 0 character on the wrong half of the UCS2-LE char. 2015-11-17 11:41:12 -05:00
version.c.in Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
version.h Add ident-like blobs to shim.efi for version checking. 2013-10-03 11:11:09 -04:00

README 

shim is a trivial EFI application that, when run, attempts to open and
execute another application. It will initially attempt to do this via the
standard EFI LoadImage() and StartImage() calls. If these fail (because secure
boot is enabled and the binary is not signed with an appropriate key, for
instance) it will then validate the binary against a built-in certificate. If
this succeeds and if the binary or signing key are not blacklisted then shim
will relocate and execute the binary.

shim will also install a protocol which permits the second-stage bootloader
to perform similar binary validation. This protocol has a GUID as described
in the shim.h header file and provides a single entry point. On 64-bit systems
this entry point expects to be called with SysV ABI rather than MSABI, and
so calls to it should not be wrapped.

On systems with a TPM chip enabled and supported by the system firmware,
shim will extend various PCRs with the digests of the targets it is
loading.  A full list is in the file README.tpm .

To use shim, simply place a DER-encoded public certificate in a file such as
pub.cer and build with "make VENDOR_CERT_FILE=pub.cer".

There are a couple of build options, and a couple of ways to customize the
build, described in BUILDING.