Go to file
Peter Jones a8f3dc82be fallback.c: be more correct with device path code.
Rob Clark noticed while, implementing a UEFI like backend on u-boot,
that if a File Handle actually returns a meaningful device path from
DevicePathFromHandle(), we wind up with a horribly wrong device path in
the boot variable.  He's right, normal UEFI doesn't return that, which
means FileDevicePath() in our code currently does nothing at all.

Instead of all that, pass in the device's handle, and it'll do what
we're doing after the fact there.

Here's the log from a current run:

FS0:\> \efi\BOOT\BOOTX64.EFI
System BootOrder not found.  Initializing defaults.
find_boot_options:778:Found directory named "fedora"
try_boot_csv:532:Found file "\EFI\fedora\BOOT.CSV"
try_boot_csv:544:File looks like:
?shim.efi,Fedora,,This is the boot entry for Fedora

populate_stanza:495:CSV data: "shim.efi,Fedora,,This is the boot entry for Fedora"
populate_stanza:501:filename: "shim.efi"
populate_stanza:508:label: "Fedora"
populate_stanza:514:arguments: ""
add_to_boot_list:430:file DP: PciRoot(0)/Pci(0x1F,0x2)/Sata(0x0,0x0,0x0)/HD(Part1,Sig6584272A-D7B9-442A-B8A4-19B5EC4566F4)/\EFI\fedora\shim.efi
FindSubDevicePath:78:input device path: "PciRoot(0)/Pci(0x1F,0x2)/Sata(0x0,0x0,0x0)/HD(Part1,Sig6584272A-D7B9-442A-B8A4-19B5EC4566F4)/\EFI\fedora\shim.efi"
FindSubDevicePath:86:sub-path (4,1): "HD(Part1,Sig6584272A-D7B9-442A-B8A4-19B5EC4566F4)/\EFI\fedora\shim.efi"
add_to_boot_list:452:04 01 2A 00 01 00 00 00 00 08 00 00 00 00 00 00
add_to_boot_list:452:00 40 06 00 00 00 00 00 2A 27 84 65 B9 D7 2A 44
add_to_boot_list:452:B8 A4 19 B5 EC 45 66 F4 02 02 04 04 2E 00 5C 00
add_to_boot_list:452:45 00 46 00 49 00 5C 00 66 00 65 00 64 00 6F 00
add_to_boot_list:452:72 00 61 00 5C 00 73 00 68 00 69 00 6D 00 2E 00
add_to_boot_list:452:65 00 66 00 69 00 00 00 7F FF 04 00
add_to_boot_list:459:device path: "HD(Part1,Sig6584272A-D7B9-442A-B8A4-19B5EC4566F4)/\EFI\fedora\shim.efi"
Creating boot entry "Boot0000" with label "Fedora" for file "\EFI\fedora\shim.efi"
AddOption - Boot0000, then CurrentCount = 0x00000008
update_boot_order:390:nbootorder: 7
BootOrder: 0000 0002 0001 0003 0005 0006 0004

Signed-off-by: Peter Jones <pjones@redhat.com>
2017-08-01 10:17:07 -04:00
Cryptlib Make it possible to build in a subdirectory. 2017-07-24 20:11:28 -04:00
include Add HTTP and IpConfig headers 2016-09-06 14:49:52 -04:00
lib Make it possible to build in a subdirectory. 2017-07-24 20:11:28 -04:00
.gitignore Add ident-like blobs to shim.efi for version checking. 2013-10-03 11:11:09 -04:00
cert.S Add support for 32-bit ARM 2014-08-12 10:54:05 -04:00
COPYRIGHT Add copyright file 2012-07-09 11:03:12 -04:00
crypt_blowfish.c MokManager: support blowfish-based crypt() hash 2013-09-26 11:58:01 -04:00
crypt_blowfish.h MokManager: support blowfish-based crypt() hash 2013-09-26 11:58:01 -04:00
elf_aarch64_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_arm_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_ia32_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
elf_ia64_efi.lds Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
elf_x86_64_efi.lds Don't allow anything with a small alignment in our PE files. 2017-04-26 21:52:23 -04:00
fallback.c fallback.c: be more correct with device path code. 2017-08-01 10:17:07 -04:00
hexdump.h Add a utility hexdump() call we can use when we need it. 2015-11-17 11:39:28 -05:00
httpboot.c httpboot: fix OVMF crash 2017-07-17 13:13:00 -04:00
httpboot.h Fix some type errors gcc7 finds in http boot code. 2017-02-27 15:45:54 -05:00
make-certs Sign MokManager with a locally-generated key 2012-11-26 13:43:50 -05:00
Makefile Make it possible to build in a subdirectory. 2017-07-24 20:11:28 -04:00
MokManager.c MokManager: Update to new openssl API 2017-04-11 10:42:19 -04:00
MokVars.txt Add support for disabling db for verification 2013-10-02 11:29:34 -04:00
netboot.c Make translate_slashes() public 2016-09-06 14:49:52 -04:00
netboot.h netboot.h: fix build error on 32-bit systems 2013-11-12 10:25:40 -05:00
PasswordCrypt.c Cryptlib: remove DES 2017-04-11 10:42:19 -04:00
PasswordCrypt.h MokManager: support Tradition DES hash 2013-09-26 11:58:01 -04:00
README Replace build instructions in README with something not completely wrong. 2014-07-21 16:15:07 -04:00
README.fallback README.fallback: correct the path of BOOT.CSV in layout example 2017-07-24 14:12:31 -04:00
replacements.c Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
replacements.h Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
shim.c update verification_method if the loaded image is signed by shim/vendor cert 2017-06-15 11:30:11 -04:00
shim.h Ensure that apps launched by shim get correct BS->Exit() behavior 2015-06-11 13:25:56 -04:00
testplan.txt Another testplan error. 2014-10-02 01:01:46 -04:00
TODO Update for Josh's changes. 2013-10-02 13:33:52 -04:00
tpm.c tpm2_present(): remove unused tpm2 protocol argument. 2017-06-20 16:41:44 -04:00
tpm.h shim/tpm: Avoid passing an usupported event log format to GetEventLogs() 2017-06-15 11:30:22 -04:00
ucs2.h Don't test for the 0 character on the wrong half of the UCS2-LE char. 2015-11-17 11:41:12 -05:00
version.c.in Make shim_version live in a special aligned section. 2017-02-23 16:08:42 -05:00
version.h Add ident-like blobs to shim.efi for version checking. 2013-10-03 11:11:09 -04:00

shim is a trivial EFI application that, when run, attempts to open and
execute another application. It will initially attempt to do this via the
standard EFI LoadImage() and StartImage() calls. If these fail (because secure
boot is enabled and the binary is not signed with an appropriate key, for
instance) it will then validate the binary against a built-in certificate. If
this succeeds and if the binary or signing key are not blacklisted then shim
will relocate and execute the binary.

shim will also install a protocol which permits the second-stage bootloader
to perform similar binary validation. This protocol has a GUID as described
in the shim.h header file and provides a single entry point. On 64-bit systems
this entry point expects to be called with SysV ABI rather than MSABI, and
so calls to it should not be wrapped.

To use shim, simply place a DER-encoded public certificate in a file such as
pub.cer and build with "make VENDOR_CERT_FILE=pub.cer".