GitHub - andrewboie/shim: UEFI shim loader

This branch is 11 commits ahead of, 984 commits behind rhboot/shim:main.

Name	Name	Last commit message	Last commit date
Latest commit Andrew Boie shim: load_image(): use relative and absolute paths Nov 12, 2013 aab72bb · Nov 12, 2013 History 280 Commits
Cryptlib	Cryptlib	allow 32-bit compilation with 64-bit compiler	Nov 12, 2013
include	include	Try to actually make debug printing look reasonable.	Oct 4, 2013
lib	lib	allow 32-bit compilation with 64-bit compiler	Nov 12, 2013
.gitignore	.gitignore	Add ident-like blobs to shim.efi for version checking.	Oct 3, 2013
COPYRIGHT	COPYRIGHT	Add copyright file	Jul 9, 2012
Makefile	Makefile	allow 32-bit compilation with 64-bit compiler	Nov 12, 2013
MokManager.c	MokManager.c	Revert "additional bounds-checking on section sizes"	Oct 23, 2013
MokVars.txt	MokVars.txt	Add support for disabling db for verification	Oct 2, 2013
PasswordCrypt.c	PasswordCrypt.c	Revert "additional bounds-checking on section sizes"	Oct 23, 2013
PasswordCrypt.h	PasswordCrypt.h	MokManager: support Tradition DES hash	Sep 26, 2013
README	README	Add basic documentation	Jul 28, 2012
TODO	TODO	Update for Josh's changes.	Oct 2, 2013
cert.S	cert.S	Make vendor_cert/vendor_dbx actually replaceable by an external tool.	Oct 1, 2013
crypt_blowfish.c	crypt_blowfish.c	MokManager: support blowfish-based crypt() hash	Sep 26, 2013
crypt_blowfish.h	crypt_blowfish.h	MokManager: support blowfish-based crypt() hash	Sep 26, 2013
elf_ia32_efi.lds	elf_ia32_efi.lds	Move embedded certificates to their own section.	Jun 10, 2013
elf_ia64_efi.lds	elf_ia64_efi.lds	Move embedded certificates to their own section.	Jun 10, 2013
elf_x86_64_efi.lds	elf_x86_64_efi.lds	Move embedded certificates to their own section.	Jun 10, 2013
fallback.c	fallback.c	fallback.c: fix 32-bit compilation	Nov 12, 2013
make-certs	make-certs	Sign MokManager with a locally-generated key	Nov 26, 2012
netboot.c	netboot.c	Use CHAR8 not UINT8 for character work.	Oct 2, 2013
netboot.h	netboot.h	netboot.h: fix build error on 32-bit systems	Nov 12, 2013
replacements.c	replacements.c	Unhook system services as we exit.	Oct 4, 2013
replacements.h	replacements.h	Unhook system services as we exit.	Oct 4, 2013
shim.c	shim.c	shim: load_image(): use relative and absolute paths	Nov 12, 2013
shim.h	shim.h	add VerifyBlob to shim_lock protocol	Nov 12, 2013
ucs2.h	ucs2.h	Add StrCSpn()	Apr 30, 2013
version.c.in	version.c.in	Add ident-like blobs to shim.efi for version checking.	Oct 3, 2013
version.h	version.h	Add ident-like blobs to shim.efi for version checking.	Oct 3, 2013

Repository files navigation

shim is a trivial EFI application that, when run, attempts to open and
execute another application. It will initially attempt to do this via the
standard EFI LoadImage() and StartImage() calls. If these fail (because secure
boot is enabled and the binary is not signed with an appropriate key, for
instance) it will then validate the binary against a built-in certificate. If
this succeeds and if the binary or signing key are not blacklisted then shim
will relocate and execute the binary.

shim will also install a protocol which permits the second-stage bootloader
to perform similar binary validation. This protocol has a GUID as described
in the shim.h header file and provides a single entry point. On 64-bit systems
this entry point expects to be called with SysV ABI rather than MSABI, and
so calls to it should not be wrapped.

To use shim, simply place a hex dump of the public certificate in cert.h
and build it with make.