proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-08-03 17:27:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
674 Commits 1 Branch 3 Tags 11 MiB
C 97.8%
Makefile 0.8%
Shell 0.7%
Assembly 0.7%
6fd8db6bb3
Go to file
Chris Coulson 6fd8db6bb3 tpm: Fix off-by-one error when calculating event size 
tpm_log_event_raw() allocates a buffer for the EFI_TCG2_EVENT structure
that is one byte larger than necessary, and sets event->Size accordingly.
The result of this is that the event data recorded in the log differs
from the data that is measured to the TPM (it has an extra zero byte
at the end).

Upstream-commit-id: 8a27a4809a6
2020-07-23 20:53:24 -04:00
Cryptlib Use portable shebangs: /bin/bash -> /usr/bin/env bash 2020-07-23 20:53:24 -04:00
include shim: Rework pause functions and add read_counter() 2020-07-23 20:52:12 -04:00
lib Fix get_variable() usage in setup_verbosity() 2018-04-05 14:49:17 -04:00
.gitignore Add "make scan-build" target. 2018-03-12 16:21:43 -04:00
.syntastic_c_config Fix syntastic config for include/ 2018-03-12 18:00:41 -04:00
.travis.yml .travis.yml: update travis to get newer gnu-efi. 2018-03-23 15:06:32 -04:00
buildid.c buildid: Check the return values of write() calls 2017-09-29 11:10:32 -04:00
BUILDING Document REQUIRE_TPM 2018-03-12 16:21:43 -04:00
cert.S Add support for 32-bit ARM 2014-08-12 10:54:05 -04:00
COPYRIGHT Add copyright file 2012-07-09 11:03:12 -04:00
crypt_blowfish.c Move includes around to clean the source tree up a bit. 2018-03-12 16:21:43 -04:00
elf_aarch64_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_arm_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_ia32_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_ia64_efi.lds Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
elf_x86_64_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
errlog.c VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls 2020-07-23 20:52:12 -04:00
fallback.c Audit get_variable() calls for correct FreePool() use. 2018-04-05 14:49:17 -04:00
httpboot.c httpboot: show the error message for the ChildHandle 2020-07-23 20:51:18 -04:00
make-certs Use portable shebangs: /bin/bash -> /usr/bin/env bash 2020-07-23 20:53:24 -04:00
Make.coverity Add 'make coverity' target. 2018-03-12 16:21:43 -04:00
Make.defaults Once again, try even harder to get binaries without timestamps in them. 2020-07-23 20:52:12 -04:00
Make.rules Add 'make coverity' target. 2018-03-12 16:21:43 -04:00
Make.scan-build Work around clang bugs for scan-build. 2018-03-15 11:23:26 -04:00
Makefile Once again, try even harder to get binaries without timestamps in them. 2020-07-23 20:52:12 -04:00
model.c Add a model file for coverity. 2018-03-12 16:21:43 -04:00
mok.c mok: minor cleanups 2020-07-23 20:52:12 -04:00
MokManager.c MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid 2020-07-23 20:53:24 -04:00
MokVars.txt Add MokListX to MokVars.txt 2017-08-03 11:00:58 -04:00
netboot.c console: Add console_print and console_print_at helpers 2018-03-12 18:00:41 -04:00
PasswordCrypt.c shim: Use EFI_ERROR() instead of comparing to EFI_SUCCESS everywhere. 2018-03-12 16:21:43 -04:00
README Add install targets. 2017-08-11 15:18:39 -04:00
README.fallback README.fallback: correct the path of BOOT.CSV in layout example 2017-07-24 14:12:31 -04:00
README.tpm Add GRUB's PCR Usage to README.tpm 2020-07-23 20:51:49 -04:00
replacements.c console: Add console_print and console_print_at helpers 2018-03-12 18:00:41 -04:00
shim.c OpenSSL: always provide OBJ_create() with name strings. 2020-07-23 20:53:24 -04:00
shim.h shim: Rework pause functions and add read_counter() 2020-07-23 20:52:12 -04:00
testplan.txt Another testplan error. 2014-10-02 01:01:46 -04:00
TODO Add another TODO for shim-16 2018-04-04 16:49:43 -04:00
tpm.c tpm: Fix off-by-one error when calculating event size 2020-07-23 20:53:24 -04:00
travis-build.sh travis: Fix a typo 2018-03-14 18:41:59 -04:00
version.c.in Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
version.h Add ident-like blobs to shim.efi for version checking. 2013-10-03 11:11:09 -04:00

README 

shim is a trivial EFI application that, when run, attempts to open and
execute another application. It will initially attempt to do this via the
standard EFI LoadImage() and StartImage() calls. If these fail (because secure
boot is enabled and the binary is not signed with an appropriate key, for
instance) it will then validate the binary against a built-in certificate. If
this succeeds and if the binary or signing key are not blacklisted then shim
will relocate and execute the binary.

shim will also install a protocol which permits the second-stage bootloader
to perform similar binary validation. This protocol has a GUID as described
in the shim.h header file and provides a single entry point. On 64-bit systems
this entry point expects to be called with SysV ABI rather than MSABI, and
so calls to it should not be wrapped.

On systems with a TPM chip enabled and supported by the system firmware,
shim will extend various PCRs with the digests of the targets it is
loading.  A full list is in the file README.tpm .

To use shim, simply place a DER-encoded public certificate in a file such as
pub.cer and build with "make VENDOR_CERT_FILE=pub.cer".

There are a couple of build options, and a couple of ways to customize the
build, described in BUILDING.