proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-06-14 21:59:40 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
372 Commits 1 Branch 3 Tags 11 MiB
C 97.8%
Makefile 0.8%
Shell 0.7%
Assembly 0.7%
7db9f7c71c
Go to file
Gary Ching-Pang Lin 7db9f7c71c MokManager: Add more key list safe checks 
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
2015-06-16 11:46:14 -04:00
Cryptlib Update Cryptlib and openssl 2015-05-12 13:51:02 -04:00
include Fix console_print_box*() parameters. 2015-06-16 11:41:32 -04:00
lib Fix console_print_box*() parameters. 2015-06-16 11:41:32 -04:00
.gitignore Add ident-like blobs to shim.efi for version checking. 2013-10-03 11:11:09 -04:00
cert.S Add support for 32-bit ARM 2014-08-12 10:54:05 -04:00
COPYRIGHT Add copyright file 2012-07-09 11:03:12 -04:00
crypt_blowfish.c MokManager: support blowfish-based crypt() hash 2013-09-26 11:58:01 -04:00
crypt_blowfish.h MokManager: support blowfish-based crypt() hash 2013-09-26 11:58:01 -04:00
elf_aarch64_efi.lds Add support for 64-bit ARM (AArch64) 2014-08-12 10:54:05 -04:00
elf_arm_efi.lds Fix typo from Ard's old tree 32-bit ARM patch. 2014-08-27 11:49:39 -04:00
elf_ia32_efi.lds Revert header changes 2014-09-30 22:49:21 -04:00
elf_ia64_efi.lds Move embedded certificates to their own section. 2013-06-10 17:35:33 -04:00
elf_x86_64_efi.lds Revert header changes 2014-09-30 22:49:21 -04:00
fallback.c Fix length of allocated buffer for boot option comparison. 2015-04-13 19:55:25 -04:00
make-certs Sign MokManager with a locally-generated key 2012-11-26 13:43:50 -05:00
Makefile Make the build failed with objcopy < 2.24 2015-05-12 13:52:22 -04:00
MokManager.c MokManager: Add more key list safe checks 2015-06-16 11:46:14 -04:00
MokVars.txt Add support for disabling db for verification 2013-10-02 11:29:34 -04:00
netboot.c Correctly reject bad tftp addresses earlier, rather than later. 2014-10-02 01:01:54 -04:00
netboot.h netboot.h: fix build error on 32-bit systems 2013-11-12 10:25:40 -05:00
PasswordCrypt.c additional bounds-checking on section sizes 2014-04-11 14:41:22 -04:00
PasswordCrypt.h MokManager: support Tradition DES hash 2013-09-26 11:58:01 -04:00
README Replace build instructions in README with something not completely wrong. 2014-07-21 16:15:07 -04:00
replacements.c Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
replacements.h Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
shim.c Make shim to check MokXAuth for MOKX reset 2015-06-16 11:41:32 -04:00
shim.h Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
testplan.txt Another testplan error. 2014-10-02 01:01:46 -04:00
TODO Update for Josh's changes. 2013-10-02 13:33:52 -04:00
ucs2.h Add StrCSpn() 2013-04-30 09:46:22 -04:00
version.c.in Add ident-like blobs to shim.efi for version checking. 2013-10-03 11:11:09 -04:00
version.h Add ident-like blobs to shim.efi for version checking. 2013-10-03 11:11:09 -04:00

README 

shim is a trivial EFI application that, when run, attempts to open and
execute another application. It will initially attempt to do this via the
standard EFI LoadImage() and StartImage() calls. If these fail (because secure
boot is enabled and the binary is not signed with an appropriate key, for
instance) it will then validate the binary against a built-in certificate. If
this succeeds and if the binary or signing key are not blacklisted then shim
will relocate and execute the binary.

shim will also install a protocol which permits the second-stage bootloader
to perform similar binary validation. This protocol has a GUID as described
in the shim.h header file and provides a single entry point. On 64-bit systems
this entry point expects to be called with SysV ABI rather than MSABI, and
so calls to it should not be wrapped.

To use shim, simply place a DER-encoded public certificate in a file such as
pub.cer and build with "make VENDOR_CERT_FILE=pub.cer".