proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-06-13 13:25:59 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
524 Commits 1 Branch 3 Tags 11 MiB
C 97.8%
Makefile 0.8%
Shell 0.7%
Assembly 0.7%
1dc35a4fe0
Go to file
Peter Jones 1dc35a4fe0 Work around some annoying compiler grievances 
I'm still having some trouble with the offsetof() definition, so just
nerf it to what stddef.h would say anyway.

Signed-off-by: Peter Jones <pjones@redhat.com>
2017-09-08 14:49:31 -04:00
Cryptlib Work around some annoying compiler grievances 2017-09-08 14:49:31 -04:00
include Add a mechanism to print openssl errors 2017-08-31 15:13:45 -04:00
lib Add a mechanism to print openssl errors 2017-08-31 15:13:45 -04:00
.gitignore Add install targets. 2017-08-11 15:18:39 -04:00
buildid.c Make better debuginfo and install it reasonably. 2017-08-11 15:18:39 -04:00
BUILDING Add ENABLE_SHIM_CERT to make MokManager/fallback signing optional. 2017-08-11 15:18:39 -04:00
cert.S Add support for 32-bit ARM 2014-08-12 10:54:05 -04:00
COPYRIGHT Add copyright file 2012-07-09 11:03:12 -04:00
crypt_blowfish.c MokManager: support blowfish-based crypt() hash 2013-09-26 11:58:01 -04:00
crypt_blowfish.h MokManager: support blowfish-based crypt() hash 2013-09-26 11:58:01 -04:00
elf_aarch64_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_arm_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_ia32_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_ia64_efi.lds Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
elf_x86_64_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
fallback.c fallback: work around the issue of boot option creation with AMI BIOS 2017-08-11 14:10:43 -04:00
hexdump.h Add a utility hexdump() call we can use when we need it. 2015-11-17 11:39:28 -05:00
httpboot.c httpboot: fix OVMF crash 2017-07-17 13:13:00 -04:00
httpboot.h Fix some type errors gcc7 finds in http boot code. 2017-02-27 15:45:54 -05:00
make-certs Sign MokManager with a locally-generated key 2012-11-26 13:43:50 -05:00
Makefile Fix build with ENABLE_SHIM_CERT and ENABLE_SBSIGN: shim.key is created by the shim.crt target 2017-08-31 15:28:17 -04:00
MokManager.c Revert lots of Cryptlib updates. 2017-08-31 15:13:58 -04:00
MokVars.txt Add MokListX to MokVars.txt 2017-08-03 11:00:58 -04:00
netboot.c Make translate_slashes() public 2016-09-06 14:49:52 -04:00
netboot.h netboot.h: fix build error on 32-bit systems 2013-11-12 10:25:40 -05:00
PasswordCrypt.c Cryptlib: remove DES 2017-09-08 14:47:09 -04:00
PasswordCrypt.h MokManager: support Tradition DES hash 2013-09-26 11:58:01 -04:00
README Add install targets. 2017-08-11 15:18:39 -04:00
README.fallback README.fallback: correct the path of BOOT.CSV in layout example 2017-07-24 14:12:31 -04:00
README.tpm Add README.tpm to explain which PCRs we extend things to. 2017-08-03 11:24:56 -04:00
replacements.c Make msleep() be a thing 2017-08-31 15:13:34 -04:00
replacements.h Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
shim.c Revert lots of Cryptlib updates. 2017-08-31 15:13:58 -04:00
shim.h Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
testplan.txt Another testplan error. 2014-10-02 01:01:46 -04:00
TODO Update TODO with some stuff 2017-08-11 15:18:39 -04:00
tpm.c Make fallback aware of tpm measurements, and reboot if tpm is used. 2017-08-03 11:00:58 -04:00
tpm.h Make fallback aware of tpm measurements, and reboot if tpm is used. 2017-08-03 11:00:58 -04:00
ucs2.h Don't test for the 0 character on the wrong half of the UCS2-LE char. 2015-11-17 11:41:12 -05:00
version.c.in Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
version.h Add ident-like blobs to shim.efi for version checking. 2013-10-03 11:11:09 -04:00

README 

shim is a trivial EFI application that, when run, attempts to open and
execute another application. It will initially attempt to do this via the
standard EFI LoadImage() and StartImage() calls. If these fail (because secure
boot is enabled and the binary is not signed with an appropriate key, for
instance) it will then validate the binary against a built-in certificate. If
this succeeds and if the binary or signing key are not blacklisted then shim
will relocate and execute the binary.

shim will also install a protocol which permits the second-stage bootloader
to perform similar binary validation. This protocol has a GUID as described
in the shim.h header file and provides a single entry point. On 64-bit systems
this entry point expects to be called with SysV ABI rather than MSABI, and
so calls to it should not be wrapped.

On systems with a TPM chip enabled and supported by the system firmware,
shim will extend various PCRs with the digests of the targets it is
loading.  A full list is in the file README.tpm .

To use shim, simply place a DER-encoded public certificate in a file such as
pub.cer and build with "make VENDOR_CERT_FILE=pub.cer".

There are a couple of build options, and a couple of ways to customize the
build, described in BUILDING.