• Stars
    star
    242
  • Rank 167,048 (Top 4 %)
  • Language
  • License
    Other
  • Created about 3 years ago
  • Updated 12 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

UEFI Shell binary images, generated from EDK2 stable

UEFI-Shell

Build status Github stats Release License

This repository contains pre-built UEFI Shell binary images, generated from official EDK2 stable releases.

Usage

These images are provided in the form of a bootable ISO, in order to make them easy to use with boot media creators such as Rufus.

However, these can also readily used by:

  • Partitioning and formatting a media, such as a USB Flash drive, using a FAT file system.
  • Extracting the ISO content as is, onto the FAT partition.

Once you have done that, and provided that your machine is set to boot from removable media (and runs a UEFI firmware that uses one of the architectures supported by the release), it should automatically boot into the UEFI Shell.

Note that Secure Boot must be disabled for a UEFI Shell media to boot, as Microsoft does not allow an external UEFI Shell to be signed for Secure Boot.

Binary validation

These binaries are built in a fully transparent manner, in order to provide you with complete assurance that they do not contain anything malicious.

To validate that this claim, you can perform the following:

  1. Locate the build action for the ISO you downloaded under https://github.com/pbatard/UEFI-Shell/actions. For instance, for the 21H1 release, this would be https://github.com/pbatard/UEFI-Shell/actions/runs/1160237413.
  2. Click on build to access the build log, and then look at the Checkout repository and submodules task. The last line for that task provides the SHA-1 of the repository commit that was used for the build process (for 21H1 that would be 19803c2b2183849fc3a4d6f08cc3c0549232df0c).
  3. Append that SHA-1 to https://github.com/pbatard/UEFI-Shell/commit/ to validate that you end up with one of the public commits that were pushed to this repository. This validates that the build was not triggered by a "hidden" commit, that would perform something malicious, and that we would later delete, since it is impossible for anyone without an army of supercomputers to alter a git commit in order to "fake" a specific SHA-1.
    NB: You don't have to take our word for that last claim. Just google "SHA-1 collision" and also look into the measures that git is taking to switch to SHA-256 so as to make the possibility of collision impossible.
  4. At this stage, you have assurance that the commit that was used to build the binary is a public one. However, you must also further validate that the EDK2 source that was used for the build is also the public one that is published from https://github.com/tianocore/edk2, and not some private potentially malicious copy. To accomplish that, click the Browse Files button on the page you got from the URL that was constructed above and the click on the edk2 @ ##### link that you see in the repository tree. For instance, for 21H1, that link will be labelled edk2 @ e1999b2.
  5. Validate that this link takes you to a public commit from https://github.com/tianocore/edk2. Once you have done that, then you have validated that, not only the build cannot have been triggered by a hidden commit but also that the EDK2 source for the UEFI Shell that is produced by the build cannot have come from anywhere else but the public EDK2 repository.
  6. If you are familiar enough with the build process, you should now look at the GitHub actions .yml from the commit that was used to trigger the build to also validate that it is not doing anything suspiscious (such as discarding the built executables to replace them with pre-built malicious ones downloaded from a third-party server). Again, because you have already validated, with 100% certainty, that all the steps that are used for the build can only have come from a public commit which everyone has access to, it would simply be impossible for any such behaviour not to appear plainly in the .yml.
  7. At this stage, you should have total confidence that the build process did produce binaries that can be trusted to have been built only from the public unmodified EDK2 UEFI Shell source. Therefore, the one last item to check is to validate that the binaries proposed under this project's Release page are the actual binaries that were produced from the build, rather than some malicious replacements (since the owner of any GitHub project has the ability to delete and replace release files). This last step is very easy to accomplish however: As part of the build process, we make sure to also display the SHA-256 for all of the UEFI binaries as well as for the ISO images being generated.
    Thus, depending on whether you extracted individual .efi files, or are working directly with a .iso, you can find the relevant SHA-256 displayed either under the Display SHA-256 step or the Generate ISO images step within the build log (and you should of course have validated that the GitHub Actions' .yml that was used as part of the build was indeed set to perform an actual computation of the SHA-256 from the generated files, as opposed to mimicking the display of an SHA-256 computation in order to trick someone looking only at the log into thinking that a malicious file published under Releases, and that was not generated from the automated build process, did come from the build process).
  8. Compare the SHA-256 from the build log with the one from the .efi or .iso you downloaded, and verify that they are the same.

If you accomplish all the steps above, then you will have established, with absolute certainty, that the binaries that are being published on our Releases page can be trusted not to contain malware (that is, provided you do accept that toolchains like gcc or GitHub employees can be trusted not to insert malware on their own, but this is outside of the scope of the kind of assurance that we can provide here).

And the nice thing is that, because any failure of validation for the points we describe above is very easy to detect, you can rest assured that, even if you do not go through these steps yourself, someone else is likely to, and is bound to say something if we ever are to do anything that looks contrary to our claim that the UEFI Shell binaries published here are 100% trustworthy.

More Repositories

1

rufus

The Reliable USB Formatting Utility
C
26,912
star
2

Fido

A PowerShell script to download Windows or UEFI Shell ISOs
PowerShell
2,212
star
3

libwdi

Windows Driver Installer library for USB devices
C
1,738
star
4

uefi-ntfs

UEFI:NTFS - Boot NTFS or exFAT partitions from UEFI
C
723
star
5

efifs

EFI FileSystem drivers
C
497
star
6

bootimg-tools

Android boot.img creation and extraction tools [NOTE: This project is NO LONGER maintained]
C
156
star
7

winpatch

Windows system file patcher
C
62
star
8

fasmg-ebc

An EFI Byte Code (EBC) assembler, based on fasmg
Assembly
38
star
9

rufus-web

https://rufus.ie homepage and locale tracker
HTML
37
star
10

ffs

For F@%k's sake - it's a MODULE!
C
34
star
11

ms-sys

Not an official mirror of ms-sys
C
32
star
12

ubrx

Universal BIOS Recovery console for x86 PCs
Assembly
31
star
13

bled

Base Library for Easy Decompression
C
29
star
14

ntfs-3g-old

UEFI read/write NTFS driver, based on ntfs-3g
C
27
star
15

fasmg-efi

A simple Hello World for x86_64 UEFI using fasmg
Assembly
22
star
16

gnu-efi

gnu-efi fork
C
19
star
17

parrot

Linux parrot device driver sample
C
15
star
18

base-parallel

Win32 console sample for running a CPU-heavy task against multiple core/CPUs
C
11
star
19

base-console

A simple "hello world" win32 console template
C
11
star
20

winpki

Windows PKI library, for binary signing and more
C
11
star
21

pbatard.github.io

Github pages
HTML
9
star
22

xtreamerdev

Automatically exported from code.google.com/p/xtreamerdev
C
9
star
23

AltInput

Alternate Input module for Kerbal Space Program
C#
8
star
24

libusbx-hp

libusbx Windows hotplug
C
8
star
25

list-immersive-colors

List Immersive Colors
C
7
star
26

xisle

XAML Islands testing ground
C++
7
star
27

AmiNtfsBug

AMI UEFI NTFS driver bug test application
C
6
star
28

jekyll

Ruby
5
star
29

files

A repository to share static content
HTML
4
star
30

EbcDebugger

A standalone EBC Debugger
C
4
star
31

libusb-pbatard

old libusb-pbatard repo and associated branches
C
4
star
32

uefi-md5sum

MD5 checksum validation for UEFI
C
3
star
33

akeo

Automatically exported from code.google.com/p/akeo
Assembly
3
star
34

AppVeyor

A repository to test AppVeyor
C
2
star
35

thanks_for_the_regression

Thanks for the regression, GitHub Actions!
2
star