diff options
Diffstat (limited to 'README')
| -rw-r--r-- | README | 16 |
1 files changed, 16 insertions, 0 deletions
@@ -0,0 +1,16 @@ +shim is a trivial EFI application that, when run, attempts to open and +execute another application. It will initially attempt to do this via the +standard EFI LoadImage() and StartImage() calls. If these fail (because secure +boot is enabled and the binary is not signed with an appropriate key, for +instance) it will then validate the binary against a built-in certificate. If +this succeeds and if the binary or signing key are not blacklisted then shim +will relocate and execute the binary. + +shim will also install a protocol which permits the second-stage bootloader +to perform similar binary validation. This protocol has a GUID as described +in the shim.h header file and provides a single entry point. On 64-bit systems +this entry point expects to be called with SysV ABI rather than MSABI, and +so calls to it should not be wrapped. + +To use shim, simply place a DER-encoded public certificate in a file such as +pub.cer and build with "make VENDOR_CERT_FILE=pub.cer". |