UEFI shim loader
vathpela Undo part of our old openssl version rollback.
When OpenSSL 1.1.0e didn't work so well, we added a macro for abort() to
pacify the build.  Now that we've got 1.1.0e in again, that macro
messes up building SysCall/CrtWrapper.c.  This patch gets rid of the
macro.

Signed-off-by: Peter Jones <pjones@redhat.com>
Latest commit 3beb971 Aug 1, 2018
Cryptlib Undo part of our old openssl version rollback. Aug 1, 2018
include Fix get_variable() usage in setup_verbosity() Apr 5, 2018
lib Fix get_variable() usage in setup_verbosity() Apr 5, 2018
.gitignore Add "make scan-build" target. Mar 12, 2018
.syntastic_c_config Fix syntastic config for include/ Mar 12, 2018
.travis.yml Update travis to use some better build scripts Apr 11, 2018
BUILDING Fix typo Jul 18, 2018
COPYRIGHT Add copyright file Jul 9, 2012
Make.coverity Add 'make coverity' target. Mar 12, 2018
Make.defaults Makefiles: ensure -m32 gets propagated to our gcc parameter queries Apr 12, 2018
Make.rules Add 'make coverity' target. Mar 12, 2018
Make.scan-build Work around clang bugs for scan-build. Mar 15, 2018
Makefile Bump version to 15 Apr 5, 2018
MokManager.c MokManager: Update to new openssl API Aug 1, 2018
MokVars.txt Add MokListX to MokVars.txt Aug 3, 2017
PasswordCrypt.c shim: Use EFI_ERROR() instead of comparing to EFI_SUCCESS everywhere. Mar 12, 2018
README README: Remove superfluous *and* Jul 18, 2018
README.fallback README.fallback: correct the path of BOOT.CSV in layout example Jul 24, 2017
README.tpm Add GRUB's PCR Usage to README.tpm Aug 1, 2018
TODO Add fallback boot loop detection to TODO Aug 1, 2018
buildid.c buildid: Check the return values of write() calls Sep 29, 2017
cert.S Add support for 32-bit ARM Aug 12, 2014
crypt_blowfish.c Move includes around to clean the source tree up a bit. Mar 12, 2018
elf_aarch64_efi.lds Don't allow anything with a small alignment in our PE files. Apr 27, 2017
elf_arm_efi.lds Don't allow anything with a small alignment in our PE files. Apr 27, 2017
elf_ia32_efi.lds Don't allow anything with a small alignment in our PE files. Apr 27, 2017
elf_ia64_efi.lds Make shim_version live in a special aligned section. Feb 23, 2017
elf_x86_64_efi.lds Don't allow anything with a small alignment in our PE files. Apr 27, 2017
errlog.c console: Add console_print and console_print_at helpers Mar 12, 2018
fallback.c Audit get_variable() calls for correct FreePool() use. Apr 5, 2018
httpboot.c httpboot: show the error message for the ChildHandle Jul 18, 2018
make-certs Sign MokManager with a locally-generated key Nov 26, 2012
model.c Add a model file for coverity. Mar 12, 2018
mok.c shim: Make our variable validation and mirroring table driven. Mar 12, 2018
netboot.c console: Add console_print and console_print_at helpers Mar 12, 2018
replacements.c console: Add console_print and console_print_at helpers Mar 12, 2018
shim.c shim: Show the warning for the CA check result Aug 1, 2018
shim.h Fix typo in debug path in shim.h Jul 18, 2018
testplan.txt Another testplan error. Oct 2, 2014
tpm.c tpm_log_event_raw(): be more careful about EFI_NOT_FOUND Apr 4, 2018
version.c.in Make shim_version live in a special aligned section. Feb 23, 2017
version.h Add ident-like blobs to shim.efi for version checking. Oct 3, 2013

README

shim is a trivial EFI application that, when run, attempts to open and
execute another application. It will initially attempt to do this via the
standard EFI LoadImage() and StartImage() calls. If these fail (because secure
boot is enabled and the binary is not signed with an appropriate key, for
instance), it will then validate the binary against a built-in certificate. If
this succeeds, and if neither the binary nor its signing key is blacklisted, shim
will relocate and execute the binary.

shim will also install a protocol which permits the second-stage bootloader
to perform similar binary validation. This protocol has a GUID as described
in the shim.h header file and provides a single entry point. On 64-bit systems
this entry point expects to be called with SysV ABI rather than MSABI, so calls
to it should not be wrapped.

On systems with a TPM chip enabled and supported by the system firmware,
shim will extend various PCRs with the digests of the targets it is
loading.  A full list is in the file README.tpm.
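Because shim extends PCRs with the digests of what it loads, a verifier that receives a TPM quote can replay the measurement log and recompute the PCR values it expects. The following is an added example (not shim's own code or anything from README.tpm): the PCR indices, the sample images and the event list are constructed for illustration, and the real PCR assignments must be taken from README.tpm.

```python
"""Replay a measurement log the way a TPM does and compare with a quote.

Added example, not part of shim.  PCR indices and measured data below are
constructed; consult README.tpm for what shim really measures where.
"""
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank


def pcr_extend(current: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new_value = SHA-256(current || digest)."""
    if len(current) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("SHA-256 bank values must be 32 bytes")
    return hashlib.sha256(current + digest).digest()


def replay_log(events):
    """Replay (pcr_index, measured_bytes) events starting from an all-zero bank.

    Each event is hashed (as shim hashes the target it loads) and the digest
    is extended into the named PCR, in log order; order matters.
    """
    pcrs = {}
    for index, data in events:
        digest = hashlib.sha256(data).digest()
        pcrs[index] = pcr_extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs


def check_quote(events, reported):
    """Return the PCR indices whose replayed value differs from the quote.

    Indices present on only one side are reported too, so an event that was
    dropped from the log (or a PCR the log never explains) is not hidden.
    """
    expected = replay_log(events)
    return {i for i in expected.keys() | reported.keys()
            if reported.get(i) != expected.get(i)}


# Constructed stand-ins for objects shim measures: a second-stage loader
# image and the vendor certificate it was verified against.  The PCR
# numbers here are assumptions for the example, not taken from README.tpm.
SECOND_STAGE = b"MZ" + b"\x00" * 62 + b"constructed second stage image"
VENDOR_CERT = b"\x30\x82" + b"constructed DER certificate"
LOG = [(4, SECOND_STAGE), (7, VENDOR_CERT)]

if __name__ == "__main__":
    for index, value in sorted(replay_log(LOG).items()):
        print(f"PCR[{index}] = {value.hex()}")
```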

To use shim, simply place a DER-encoded public certificate in a file such as
pub.cer and build with "make VENDOR_CERT_FILE=pub.cer".

There are a couple of build options, and a couple of ways to customize the
build, described in BUILDING.