• Stars: 864
• Rank: 52,774 (Top 2 %)
• Language: C
• License: Other
• Created over 12 years ago
• Updated 3 months ago

Repository Details

UEFI shim loader

shim, a first-stage UEFI bootloader

shim is a trivial EFI application that, when run, attempts to open and execute another application. It will initially attempt to do this via the standard EFI LoadImage() and StartImage() calls. If these fail (because Secure Boot is enabled and the binary is not signed with an appropriate key, for instance) it will then validate the binary against a built-in certificate. If this succeeds and if the binary or signing key are not forbidden then shim will relocate and execute the binary.

shim will also install a protocol which permits the second-stage bootloader to perform similar binary validation. This protocol has a GUID as described in the shim.h header file and provides a single entry point. On 64-bit systems this entry point expects to be called with SysV ABI rather than MSABI, so calls to it should not be wrapped.

On systems with a TPM chip enabled and supported by the system firmware, shim will extend various PCRs with the digests of the targets it is loading. A full list is in the file README.tpm.

To use shim, simply place a DER-encoded public certificate in a file such as pub.cer and build with make VENDOR_CERT_FILE=pub.cer.
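The build step above embeds the certificate bytes verbatim, so handing it a PEM file (base64 text) instead of DER produces a shim that can never validate anything. The following is an added example, not part of shim's own tooling: it generates a self-signed vendor certificate in DER form, checks that a given file really is DER before building, and then runs the documented `make VENDOR_CERT_FILE=...` command. It assumes openssl(1) is installed, that the shim source tree is the current directory, and the file names `vendor.key` and `pub.cer` and the subject name are our own choices.

```shell
#!/bin/sh
# Added example (not shim's own tooling). Assumptions: openssl(1) is on PATH,
# the current directory is the shim source tree, and the file names
# vendor.key / pub.cer are ours, not mandated by shim.

# Return 0 if $1 looks like a DER-encoded certificate, 1 otherwise.
# shim expects DER: a PEM file ("-----BEGIN CERTIFICATE-----" text) would be
# embedded as-is and never match any signing key, so reject it up front.
is_der_cert() {
    f="$1"
    [ -s "$f" ] || return 1                 # missing or empty file
    if grep -q -- '-----BEGIN' "$f" 2>/dev/null; then
        return 1                            # PEM armour present: not DER
    fi
    # A DER certificate begins with the ASN.1 SEQUENCE tag, 0x30.
    first=$(od -A n -t x1 -N 1 "$f" | tr -d ' \n')
    [ "$first" = "30" ]
}

# Generate a self-signed vendor certificate, written directly in DER form.
# (Constructed subject name; adjust to your own organisation.)
make_vendor_cert() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Vendor Shim CA/" \
        -keyout vendor.key -outform DER -out pub.cer
}

# Build shim with the given certificate, refusing anything that is not DER
# so a wrong file fails loudly at build time rather than silently at boot.
build_shim() {
    cert="$1"
    if ! is_der_cert "$cert"; then
        echo "error: $cert is not a DER-encoded certificate" >&2
        return 1
    fi
    make VENDOR_CERT_FILE="$cert"
}

# Typical use, from the shim source tree:
#   make_vendor_cert && build_shim pub.cer
```

`is_der_cert` is deliberately a cheap sanity check on the first byte plus a PEM-header scan; `openssl x509 -inform DER -noout -in pub.cer` is the stricter check if openssl is available at build time.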

There are a couple of build options, and a couple of ways to customize the build, described in BUILDING.

See the test plan, and file a ticket if anything fails!

In the event that the developers need to be contacted related to a security incident or vulnerability, please mail [email protected].

More Repositories

1. efibootmgr: efibootmgr development tree (C, 444 stars)
2. efivar: Tools and libraries to work with EFI variables (C, 209 stars)
3. grub2: Ongoing downstream work on grub2, including Fedora and RHEL. ***This is not upstream; please send code upstream first*** (C, 183 stars)
4. fwupdate: System firmware update support for UEFI machines (99 stars)
5. pesign: Linux tools for signed PE-COFF binaries (C, 93 stars)
6. nmbl-poc: Proof of concept for the nmbl bootloader-less booting scheme (Shell, 72 stars)
7. shim-review: Reviews of shim (67 stars)
8. grubby: Retired; BLS-only support lives at https://src.fedoraproject.org/rpms/grubby (Roff, 27 stars)
9. dbxtool: Tool for UEFI Secure Boot DBX updates (C, 25 stars)
10. dumpet: Tool for debugging and verifying El Torito boot data on CD-like images (C, 17 stars)
11. gnu-efi (C, 13 stars)
12. efi-ci: Build CI for EFI-related tools (7 stars)
13. sbdiff: Diff build artifacts modulo secureboot signatures (Python, 5 stars)
14. blkdev-sysfs-test-data: This is a bunch of test data for sysfs block device parsers. (Shell, 3 stars)
15. certwrapper: x509 certificate wrapper in the form of an EFI binary (Makefile, 3 stars)
16. efivar-test-data: Test sysfs data for efivar (Shell, 3 stars)
17. efi-rpm-macros: efi-rpm-macros provides a set of RPM macros for use in EFI-related packages. (Makefile, 3 stars)
18. syslinux: Downstream packaging trees for syslinux. ***Upstream is dead, but this is not upstream*** (C, 3 stars)
19. pesign-test-app: An application entirely devoted to making sure the fedora pesign daemon and builders work. (Makefile, 2 stars)
20. shim-test-images: Test VM images for shim (Shell, 2 stars)
21. nmbl-builder: tool for building nmbl loader images (Makefile, 1 star)
22. dracut-nmbl: dracut plugin for use in nmbl images (Shell, 1 star)