(mirror of https://github.com/vyos/efi-boot-shim.git) https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=0.4 2013-06-10T21:51:57+00:00 2013-06-10T21:51:57+00:00 Peter Jones pjones@redhat.com 2013-06-10T21:44:16+00:00 urn:sha1:967152aa9c462bb2013acd4b32ff729311e95522 Since I've finally merged in the "sections" branch, best to increment the version number. Signed-off-by: Peter Jones <pjones@redhat.com> 2013-06-10T21:51:57+00:00 Peter Jones pjones@redhat.com 2013-06-10T21:48:33+00:00 urn:sha1:24c9d9d05911ce39f14a77578081be749676a758 Signed-off-by: Peter Jones <pjones@redhat.com> 2013-06-10T21:35:33+00:00 Peter Jones pjones@redhat.com 2013-03-20T17:18:34+00:00 urn:sha1:4541fce44f88d335b9a72e1cc07687e4198e4847 With this change, the embedded certificate and dbx lists (vendor_cert, vendor_cert_size, vendor_dbx, and vendor_dbx_size) wind up being in a section named .vendor_cert, and so will look something like: ------ fenchurch:~/devel/github.com/shim$ objdump -h shim.efi shim.efi: file format pei-x86-64 Sections: Idx Name Size VMA LMA File off Algn 0 .eh_frame 000174a8 0000000000005000 0000000000005000 00000400 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA 1 .text 000aa7e1 000000000001d000 000000000001d000 00017a00 2**4 CONTENTS, ALLOC, LOAD, READONLY, CODE 2 .reloc 0000000a 00000000000c8000 00000000000c8000 000c2200 2**0 CONTENTS, ALLOC, LOAD, READONLY, DATA 3 .data 00031228 00000000000c9000 00000000000c9000 000c2400 2**5 CONTENTS, ALLOC, LOAD, DATA 4 .vendor_cert 00000375 00000000000fb000 00000000000fb000 000f3800 2**0 CONTENTS, READONLY 5 .dynamic 000000f0 00000000000fc000 00000000000fc000 000f3c00 2**3 CONTENTS, ALLOC, LOAD, DATA 6 .rela 0002afa8 00000000000fd000 00000000000fd000 000f3e00 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA 7 .dynsym 0000f1f8 0000000000128000 0000000000128000 0011ee00 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA ------ This simplifies a security audit, because it means that different versions of shim with substantially the same code with different keys will be more easily comperable, and therefore logic differences may be more easily identified. This also means that if there's a trusted build you want to use, you can remove the certificates, implant new ones, and have it signed, and the code sections won't change. Signed-off-by: Peter Jones <pjones@redhat.com> 2013-06-10T21:34:55+00:00 Peter Jones pjones@redhat.com 2013-06-10T21:30:14+00:00 urn:sha1:6c49c04551ce351f6089958eca3f44917d91e409 Signed-off-by: Peter Jones <pjones@redhat.com> 2013-06-10T20:38:05+00:00 Peter Jones pjones@redhat.com 2013-06-10T20:38:05+00:00 urn:sha1:b78a8d656e2b91fecab59baaea46606e9e3db4f6 Signed-off-by: Peter Jones <pjones@redhat.com> 2013-05-31T19:34:11+00:00 Peter Jones pjones@redhat.com 2013-05-31T19:22:37+00:00 urn:sha1:547d57156f8019af2aaf9a4bf9d324a0895a7411 GCC 4.8.0 will try to use these by default, and you'll wind up looping across the (uninitialized!) trap handler for uninitialized instructions. Signed-off-by: Peter Jones <pjones@redhat.com> 2013-05-16T15:03:32+00:00 Peter Jones pjones@redhat.com 2013-05-16T15:03:25+00:00 urn:sha1:ea3a0a0b8769ed0705719ab8e93cd1c2b1f2769a Signed-off-by: Peter Jones <pjones@redhat.com> 2013-05-16T14:21:15+00:00 Peter Jones pjones@redhat.com 2013-05-16T14:09:46+00:00 urn:sha1:25d6c434dfcbcf03513589df18d79c272422367d This means that we now require gnu-efi 3.0s Signed-off-by: Peter Jones <pjones@redhat.com> 2013-04-30T13:46:22+00:00 Peter Jones pjones@redhat.com 2013-03-15T16:40:47+00:00 urn:sha1:3ce517fdbb4eb895060e99bc86e63e223091faab If shim is invoked as \EFI\BOOT\BOOT*.EFI and a file exists named \EFI\BOOT\FALLBACK.EFI, try it instead of our second stage. So don't put fallback.efi on your install media in \EFI\BOOT, because that won't do whatever it is you're hoping for, unless you're hoping not to start the installer. So here's the process for using this: in /EFI/fedora/ (or whichever directory you happen to own), you put: shim.efi grub.efi boot.csv - format is: shim.efi,Nice Label,cmdline arguments,comments - filenames refer only to files in this directory, with no leading characters such as L"./" or L"/EFI/fedora/" - note that while this is CSV, the character encoding is UCS-2 and if /EFI/BOOT/BOOTX64.EFI doesn't already exist, then in /EFI/BOOT: shim.efi as BOOTX64.EFI fallback.efi Signed-off-by: Peter Jones <pjones@redhat.com> 2012-11-26T18:43:50+00:00 Matthew Garrett mjg59@srcf.ucam.org 2012-11-24T05:07:11+00:00 urn:sha1:6d50f87a06ff70d2075863f4c145235c081263d6 shim needs to verify that MokManager hasn't been modified, but we want to be able to support configurations where shim is shipped without a vendor certificate. This patch adds support for generating a certificate at build time, incorporating the public half into shim and signing MokManager with the private half. It uses pesign and nss, but still requires openssl for key generation. Anyone using sbsign will need to figure this out for themselves.