proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-06-13 13:06:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
449 Commits 1 Branch 3 Tags 11 MiB
C 97.8%
Makefile 0.8%
Shell 0.7%
Assembly 0.7%
97022acd36
Go to file
Ard Biesheuvel 97022acd36 Use EfiLoaderCode memory for loading PE/COFF executables 
Under a strict memory protection policy, UEFI may give out EfiLoaderData
memory with the XN attribute set. So use EfiLoaderCode explicitly.

At the same time, use a page based allocation rather than a pool
allocation, which is more appropriate when loading PE/COFF images.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2017-02-28 13:37:23 -05:00
Cryptlib Update the CryptLib 2016-11-30 12:57:35 -05:00
include Add HTTP and IpConfig headers 2016-09-06 14:49:52 -04:00
lib More incorrect unsigned vs signed fixups from yours truly. 2015-06-29 14:41:21 -04:00
.gitignore Add ident-like blobs to shim.efi for version checking. 2013-10-03 11:11:09 -04:00
cert.S Add support for 32-bit ARM 2014-08-12 10:54:05 -04:00
COPYRIGHT Add copyright file 2012-07-09 11:03:12 -04:00
crypt_blowfish.c MokManager: support blowfish-based crypt() hash 2013-09-26 11:58:01 -04:00
crypt_blowfish.h MokManager: support blowfish-based crypt() hash 2013-09-26 11:58:01 -04:00
elf_aarch64_efi.lds Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
elf_arm_efi.lds Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
elf_ia32_efi.lds Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
elf_ia64_efi.lds Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
elf_x86_64_efi.lds Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
fallback.c Improve BOOT${ARCH}.CSV support. 2016-09-06 14:39:15 -04:00
hexdump.h Add a utility hexdump() call we can use when we need it. 2015-11-17 11:39:28 -05:00
httpboot.c Fix some type errors gcc7 finds in http boot code. 2017-02-27 15:45:54 -05:00
httpboot.h Fix some type errors gcc7 finds in http boot code. 2017-02-27 15:45:54 -05:00
make-certs Sign MokManager with a locally-generated key 2012-11-26 13:43:50 -05:00
Makefile Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
MokManager.c MokManager: list Extended Key Usage OIDs 2016-09-21 13:32:53 -04:00
MokVars.txt Add support for disabling db for verification 2013-10-02 11:29:34 -04:00
netboot.c Make translate_slashes() public 2016-09-06 14:49:52 -04:00
netboot.h netboot.h: fix build error on 32-bit systems 2013-11-12 10:25:40 -05:00
PasswordCrypt.c additional bounds-checking on section sizes 2014-04-11 14:41:22 -04:00
PasswordCrypt.h MokManager: support Tradition DES hash 2013-09-26 11:58:01 -04:00
README Replace build instructions in README with something not completely wrong. 2014-07-21 16:15:07 -04:00
README.fallback Improve BOOT${ARCH}.CSV support. 2016-09-06 14:39:15 -04:00
replacements.c Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
replacements.h Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
shim.c Use EfiLoaderCode memory for loading PE/COFF executables 2017-02-28 13:37:23 -05:00
shim.h Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
testplan.txt Another testplan error. 2014-10-02 01:01:46 -04:00
TODO Update for Josh's changes. 2013-10-02 13:33:52 -04:00
tpm.c shim/tpm: correct the definition of the capability structure version 1.0 2017-02-06 11:18:07 -05:00
tpm.h shim/tpm: the EFI_TCG2_BOOT_SERVICE_CAPABILITY structure shouldn't be packed 2017-02-06 11:18:07 -05:00
ucs2.h Don't test for the 0 character on the wrong half of the UCS2-LE char. 2015-11-17 11:41:12 -05:00
version.c.in Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
version.h Add ident-like blobs to shim.efi for version checking. 2013-10-03 11:11:09 -04:00

README 

shim is a trivial EFI application that, when run, attempts to open and
execute another application. It will initially attempt to do this via the
standard EFI LoadImage() and StartImage() calls. If these fail (because secure
boot is enabled and the binary is not signed with an appropriate key, for
instance) it will then validate the binary against a built-in certificate. If
this succeeds and if the binary or signing key are not blacklisted then shim
will relocate and execute the binary.

shim will also install a protocol which permits the second-stage bootloader
to perform similar binary validation. This protocol has a GUID as described
in the shim.h header file and provides a single entry point. On 64-bit systems
this entry point expects to be called with SysV ABI rather than MSABI, and
so calls to it should not be wrapped.

To use shim, simply place a DER-encoded public certificate in a file such as
pub.cer and build with "make VENDOR_CERT_FILE=pub.cer".