efi-boot-shim.git/BUILDING, branch vyos/current

Implement the rest of the loader protocol functions

2025-02-11T15:43:37+00:00

This adds an implementation of Exit() and UnloadImage(), removes the whole "loader_is_participating" mechanism and its supporting code, and removes DISABLE_EBS_PROTECTION. Signed-off-by: Peter Jones

Add docs for ENABLE_CODESIGN_EKU

2025-02-05T14:18:45+00:00

This adds documentation for the ENABLE_CODESIGN_EKU build option. Signed-off-by: Peter Jones

Enable the NX compatibility flag by default.

2023-01-27T18:03:31+00:00

Currently by default, when we build shim we do not set the PE NX-compatibility DLL Characteristic flag. This signifies to the firmware that shim (including the components it loads) is not prepared for several related firmware changes: - non-executable stack - non-executable pages from AllocatePages()/AllocatePool()/etc. - non-writable 0 page (not strictly related but some firmware will be transitioning at the same time) - the need to use the UEFI 2.10 Memory Attribute Protocol to set page permissions. This patch changes that default to be enabled by default. Distributors of shim will need to ensure that either their builds disable this bit (using "post-process-pe -N"), or that the bootloaders and kernels you support loading are all compliant with this change. A new make variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so. Signed-off-by: Peter Jones

shim: use SHIM_DEVEL_VERBOSE when built in devel mode

2022-05-17T22:16:07+00:00

This makes SHIM_VERBOSE / SHIM_DEVEL_VERBOSE work the same way as SHIM_DEBUG / SHIM_DEVEL_DEBUG when shim is built with ENABLE_SHIM_DEVEL set. Signed-off-by: Peter Jones

shim: Don't parse load options if invoked from removable media path

2021-10-12T14:50:44+00:00

We see various reports of boot failures because the generated boot entries contain garbage/tagging that we do not expect, and that we then parse as a second stage boot loader.

Add ENABLE_SHIM_DEVEL config to change what our debug variable name is

2021-02-16T08:12:48+00:00

Currently, if you have two boot entries, say one for \EFI\fedora\shimx64.efi and one for \EFI\devel\shimx64.efi, and you set the efi variable SHIM_DEBUG=1, both of these will trigger, and you need to write your debugging scripts to allow each of the builds to continue. This is a pain. This patch makes it so on your development build, it will instead check SHIM_DEVEL_DEBUG, thus meaning you can have it pause for a debugger only on the development branch and not the OS you need to boot to scp in a new development build. Signed-off-by: Peter Jones

Make httpboot.c always get built.

2021-02-16T08:12:48+00:00

This is a backport from devel of: commit 634fd72ac6a6c6c9010c32506d524586826a8637 Author: Peter Jones Date: Fri Nov 22 15:14:22 2019 -0500 Make httpboot.c always get built. Signed-off-by: Peter Jones

BUILDING: Fix a typo

2021-02-15T22:20:05+00:00

This is a backport from devel for: commit 852091d63f73011742c61c976e40f35edd74d598 Author: Nicholas Bishop Date: Thu May 17 19:28:53 2018 -0400 Fix typo Signed-off-by: Peter Jones

BUILDING: fix missing DISABLE_EBS_PROTECTION section

2021-02-15T22:20:05+00:00

Signed-off-by: Peter Jones

efi bins: add an easy way for vendors to add .sbat data

2021-02-12T18:27:21+00:00

In cases where we accept vendor shim binaries with additional patches, it may become necessary to identify those builds with additional SBAT data. When we consider such patches, we should be proactive in asking vendors to include that data in the .sbat sections of their trusted EFI binaries. This patch adds any data in data/sbat.*.csv (after a quick sanitizing pass) after data/sbat.csv in the .sbat section, so that no changes to the upstream data/sbat.csv are ever required. Signed-off-by: Peter Jones