From 2616b13645ca387fc6f85c608e00a5229033fe96 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Tue, 23 Jun 2020 01:57:05 +0000
Subject: Convert README -> README.md

One of the really great things about Github IMO is how
"front and center" the README file in a repository is (just
compare with Sourceforge).

Github renders it more nicely if the file is declared to be Markdown,
so let's do that.  Add a bit of formatting: using code fences
for code, hyperlinks for other files etc.

I also added a title block from the Fedora package `Summary`
since while I know in theory shim is independent of bootloaders,
let's say what the 95% case is here.
---
 README.md | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 README.md

(limited to 'README.md')

diff --git a/README.md b/README.md
new file mode 100644
index 00000000..c4663a79
--- /dev/null
+++ b/README.md
@@ -0,0 +1,25 @@
+# shim, a first-stage UEFI bootloader
+
+shim is a trivial EFI application that, when run, attempts to open and
+execute another application. It will initially attempt to do this via the
+standard EFI `LoadImage()` and `StartImage()` calls. If these fail (because Secure
+Boot is enabled and the binary is not signed with an appropriate key, for
+instance) it will then validate the binary against a built-in certificate. If
+this succeeds and if the binary or signing key are not blacklisted then shim
+will relocate and execute the binary.
+
+shim will also install a protocol which permits the second-stage bootloader
+to perform similar binary validation. This protocol has a GUID as described
+in the shim.h header file and provides a single entry point. On 64-bit systems
+this entry point expects to be called with SysV ABI rather than MSABI, so calls
+to it should not be wrapped.
+
+On systems with a TPM chip enabled and supported by the system firmware,
+shim will extend various PCRs with the digests of the targets it is
+loading.  A full list is in the file [README.tpm](README.tpm) .
+
+To use shim, simply place a DER-encoded public certificate in a file such as
+pub.cer and build with `make VENDOR_CERT_FILE=pub.cer`.
+
+There are a couple of build options, and a couple of ways to customize the
+build, described in [BUILDING](BUILDING).
-- 
cgit v1.2.3