Commit 3df9e294 (MG), lines 1-16:

shim is a trivial EFI application that, when run, attempts to open and
execute another application. It will initially attempt to do this via the
standard EFI LoadImage() and StartImage() calls. If these fail (because secure
boot is enabled and the binary is not signed with an appropriate key, for
instance) it will then validate the binary against a built-in certificate. If
this succeeds and if the binary or signing key are not blacklisted then shim
will relocate and execute the binary.

shim will also install a protocol which permits the second-stage bootloader
to perform similar binary validation. This protocol has a GUID as described
in the shim.h header file and provides a single entry point. On 64-bit systems
this entry point expects to be called with SysV ABI rather than MSABI, and
so calls to it should not be wrapped.

To use shim, simply place a hex dump of the public certificate in cert.h
and build it with make.
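As an added example (not part of shim's source), one way to produce the hex dump for cert.h from a certificate file, refusing input that is truncated or has trailing data. It assumes the certificate is embedded as DER bytes; the array name `cert`, the `UINT8` element type and the sample input are assumptions for illustration, so match them to what the shim source actually declares.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: PEM armor around a 5-byte DER SEQUENCE, NOT a real cert.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n"
              b"-----END CERTIFICATE-----\n")


def check_der_envelope(der: bytes) -> None:
    """Check that the outer ASN.1 SEQUENCE header covers the whole buffer.

    Catches truncated files and trailing junk; it does not parse or
    validate the certificate contents.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (wrong file type?)")
    first = der[1]
    if first < 0x80:                      # short-form length
        hdr, body = 2, first
    else:                                 # long-form length, n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        hdr, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + body != len(der):
        raise ValueError(f"DER says {hdr + body} bytes, file has {len(der)}")


def to_der(data: bytes) -> bytes:
    """Return DER bytes, decoding PEM armor first if it is present."""
    m = PEM_RE.search(data)
    if m:
        data = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    check_der_envelope(data)
    return data


def cert_header(data: bytes, symbol: str = "cert") -> str:
    """Render cert.h text; `symbol` and UINT8 are assumed names."""
    der = to_der(data)
    rows = [", ".join(f"0x{b:02x}" for b in der[i:i + 12])
            for i in range(0, len(der), 12)]
    body = ",\n\t".join(rows)
    return f"static UINT8 {symbol}[] = {{\n\t{body}\n}};\n"


if __name__ == "__main__":
    print(cert_header(SAMPLE_PEM), end="")
```

Only the public certificate belongs in this header; the envelope check is a sanity check on the file, not a validation of the certificate itself.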