BUILDING: fix missing DISABLE_EBS_PROTECTION section

Signed-off-by: Peter Jones <pjones@redhat.com>
author: Peter Jones <pjones@redhat.com> 2021-02-14 17:15:54 -0500
committer: Peter Jones <pjones@redhat.com> 2021-02-15 17:20:05 -0500
commit: 0a1bf93d4a7bdf2f9f7541b50a68e8b1d93f826c (patch)
tree: 7e0291cd7156bec5716ed9002c87c8742fb03dd4
parent: 9a960c6e32c95fa68b506c9ad75572940bcdca33 (diff)
download: efi-boot-shim-0a1bf93d4a7bdf2f9f7541b50a68e8b1d93f826c.tar.gz
efi-boot-shim-0a1bf93d4a7bdf2f9f7541b50a68e8b1d93f826c.zip
1 files changed, 9 insertions, 0 deletions
diff --git a/BUILDING b/BUILDING
index 4b582036..8e3351b6 100644
--- a/BUILDING
+++ b/BUILDING
@@ -33,6 +33,15 @@ Variables you could set to customize the build:
   install targets
 - ENABLE_HTTPBOOT
   build support for http booting
+- DISABLE_EBS_PROTECTION
+  On systems where a second stage bootloader is not used, and the Linux
+  Kernel is embedded in the same EFI image as shim and booted directly
+  from shim, shim's ExitBootServices() hook can cause problems as the
+  kernel never calls the shim's verification protocol.  In this case
+  calling the shim verification protocol is unnecessary and redundant as
+  shim has already verified the kernel when shim loaded the kernel as the
+  second stage loader.  In such a case, and only in this case, you should
+  use DISABLE_EBS_PROTECTION=y to build.
 - REQUIRE_TPM
   if tpm logging or extends return an error code, treat that as a fatal error.
 - ARCH
author	Peter Jones <pjones@redhat.com>	2021-02-14 17:15:54 -0500
committer	Peter Jones <pjones@redhat.com>	2021-02-15 17:20:05 -0500
commit	0a1bf93d4a7bdf2f9f7541b50a68e8b1d93f826c (patch)
tree	7e0291cd7156bec5716ed9002c87c8742fb03dd4
parent	9a960c6e32c95fa68b506c9ad75572940bcdca33 (diff)
download	efi-boot-shim-0a1bf93d4a7bdf2f9f7541b50a68e8b1d93f826c.tar.gz efi-boot-shim-0a1bf93d4a7bdf2f9f7541b50a68e8b1d93f826c.zip