GitHub - mjg59/shim: UEFI shim loader

This branch is 861 commits behind rhboot/shim:main.

Name	Name	Last commit message	Last commit date
Latest commit Linn Crosetto and vathpela Fix recursive reference for RELEASE Sep 18, 2015 e22a7b5 · Sep 18, 2015 History 388 Commits
Cryptlib	Cryptlib	Specify the gnu89 standard	Jul 28, 2015
include	include	Fix console_print_box*() parameters.	Jun 16, 2015
lib	lib	More incorrect unsigned vs signed fixups from yours truly.	Jun 29, 2015
.gitignore	.gitignore	Add ident-like blobs to shim.efi for version checking.	Oct 3, 2013
COPYRIGHT	COPYRIGHT	Add copyright file	Jul 9, 2012
Makefile	Makefile	Fix recursive reference for RELEASE	Sep 18, 2015
MokManager.c	MokManager.c	MokManager: Nerf SHA-1 again for actual hashes and signatures.	Jun 16, 2015
MokVars.txt	MokVars.txt	Add support for disabling db for verification	Oct 2, 2013
PasswordCrypt.c	PasswordCrypt.c	additional bounds-checking on section sizes	Apr 11, 2014
PasswordCrypt.h	PasswordCrypt.h	MokManager: support Tradition DES hash	Sep 26, 2013
README	README	Replace build instructions in README with something not completely wr…	Jul 21, 2014
TODO	TODO	Update for Josh's changes.	Oct 2, 2013
cert.S	cert.S	Add support for 32-bit ARM	Aug 12, 2014
crypt_blowfish.c	crypt_blowfish.c	MokManager: support blowfish-based crypt() hash	Sep 26, 2013
crypt_blowfish.h	crypt_blowfish.h	MokManager: support blowfish-based crypt() hash	Sep 26, 2013
elf_aarch64_efi.lds	elf_aarch64_efi.lds	Make sure our build-id notes wind up at a reasonable place.	Jun 30, 2015
elf_arm_efi.lds	elf_arm_efi.lds	Make sure our build-id notes wind up at a reasonable place.	Jun 30, 2015
elf_ia32_efi.lds	elf_ia32_efi.lds	Make sure our build-id notes wind up at a reasonable place.	Jun 30, 2015
elf_ia64_efi.lds	elf_ia64_efi.lds	Make sure our build-id notes wind up at a reasonable place.	Jun 30, 2015
elf_x86_64_efi.lds	elf_x86_64_efi.lds	Make sure our build-id notes wind up at a reasonable place.	Jun 30, 2015
fallback.c	fallback.c	Improve our debuginfo path print	Jun 30, 2015
make-certs	make-certs	Sign MokManager with a locally-generated key	Nov 26, 2012
netboot.c	netboot.c	Correctly reject bad tftp addresses earlier, rather than later.	Oct 2, 2014
netboot.h	netboot.h	netboot.h: fix build error on 32-bit systems	Nov 12, 2013
replacements.c	replacements.c	Ensure that apps launched by shim get correct BS->Exit() behavior	Jun 11, 2015
replacements.h	replacements.h	Ensure that apps launched by shim get correct BS->Exit() behavior	Jun 11, 2015
shim.c	shim.c	Improve our debuginfo path print	Jun 30, 2015
shim.h	shim.h	Ensure that apps launched by shim get correct BS->Exit() behavior	Jun 11, 2015
testplan.txt	testplan.txt	Another testplan error.	Oct 2, 2014
ucs2.h	ucs2.h	Add StrCSpn()	Apr 30, 2013
version.c.in	version.c.in	Add ident-like blobs to shim.efi for version checking.	Oct 3, 2013
version.h	version.h	Add ident-like blobs to shim.efi for version checking.	Oct 3, 2013

Repository files navigation

shim is a trivial EFI application that, when run, attempts to open and
execute another application. It will initially attempt to do this via the
standard EFI LoadImage() and StartImage() calls. If these fail (because secure
boot is enabled and the binary is not signed with an appropriate key, for
instance) it will then validate the binary against a built-in certificate. If
this succeeds and if the binary or signing key are not blacklisted then shim
will relocate and execute the binary.

shim will also install a protocol which permits the second-stage bootloader
to perform similar binary validation. This protocol has a GUID as described
in the shim.h header file and provides a single entry point. On 64-bit systems
this entry point expects to be called with SysV ABI rather than MSABI, and
so calls to it should not be wrapped.

To use shim, simply place a DER-encoded public certificate in a file such as
pub.cer and build with "make VENDOR_CERT_FILE=pub.cer".