Adventures with the UEFI shim

Paul Moore paul at paul-moore.com
Thu Oct 1 20:16:08 BST 2020


Hello all,

I was looking for a list to discuss the UEFI shim and was directed
here, if there is a better place please correct me.

While most shim use cases involve using shim to load GRUB which in
turn loads the kernel/OS, I'm looking to use shim to boot the
kernel/OS directly.  Specifically, I want to use shim to boot a
combined kernel+initrd+cmdline EFI application using the systemd-boot
EFI stub.  Unfortunately I've been running into problems with shim's
ExitBootServices hook.  Looking at the code, it would appear that shim
expects (and requires) that some piece of the bootloader chain calls
into shim's verification protocol to authorize the kernel prior to
calling ExitBootServices.  This would normally be handled by GRUB, or
any other bootloader in the chain, but if there is no bootloader
beyond shim things fall apart.

If this was anything but shim, the fix would be a small and
straightforward patch to replacements.c:exit_boot_services() but since
our project would eventually like to get a shim signed by Microsoft we
need to find a solution that is suitable for the rhboot/shim-review
crowd.  I've got a couple of ideas on ways this could be resolved, but
I wanted to check with the list to see if anyone has attempted this
before, and if so, how they did it.  I can't believe I'm the first to
attempt this.

As an aside, how do people do dev/test of the UEFI shim when UEFI
Secure Boot is enabled?  I originally thought I could use a Microsoft
signed shim to boot my development shim which would finally boot the
kernel/OS, but I'm running afoul of the nested EFI service hooks.  Any
advice you can provide would be appreciated.

-- 
paul moore
www.paul-moore.com
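The interaction the post describes (shim's hooked ExitBootServices only passes the call through to firmware once some component in the chain has invoked shim's verification protocol) can be modelled as a small state machine. The following is an added example written for this archive page, not shim's code and not the poster's; the names, the enum values, the allow-list of image names and the three boot scenarios are all constructed for the model, and the trust decision inside the verify call is simulated with a string compare where real shim checks signatures and hashes.

```c
/* Simplified model (added example, not shim's own code) of the behaviour
 * described in the post: shim hooks ExitBootServices and only lets the real
 * call through if something in the chain already asked shim to verify the
 * next image. Names and states here belong to this model, not to shim. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum status { STATUS_SUCCESS = 0, STATUS_SECURITY_VIOLATION = 26 };

/* Model of shim's state while it is resident in the boot chain. */
struct shim_state {
    bool secure_boot;          /* firmware reports Secure Boot enabled */
    bool loader_participating; /* someone called the verification protocol */
    bool real_ebs_called;      /* firmware ExitBootServices actually reached */
};

/* Constructed allow-list standing in for the signature/hash check. */
static const char *const allowed_images[] = { "vmlinuz-signed.efi" };

/* Modelled verification protocol: a loader hands shim the image it is about
 * to run; a successful call marks the chain as cooperating. */
static enum status shim_verify(struct shim_state *s, const char *image)
{
    size_t n = sizeof allowed_images / sizeof allowed_images[0];
    for (size_t i = 0; i < n; i++) {
        if (strcmp(image, allowed_images[i]) == 0) {
            s->loader_participating = true;
            return STATUS_SUCCESS;
        }
    }
    return STATUS_SECURITY_VIOLATION;
}

/* Modelled ExitBootServices hook: with Secure Boot on, refuse to hand over
 * to the OS unless the chain went through shim_verify first. */
static enum status shim_exit_boot_services(struct shim_state *s)
{
    if (!s->secure_boot || s->loader_participating) {
        s->real_ebs_called = true; /* pass through to the firmware call */
        return STATUS_SUCCESS;
    }
    return STATUS_SECURITY_VIOLATION;
}

struct shim_state fresh_state(bool secure_boot)
{
    struct shim_state s = { secure_boot, false, false };
    return s;
}

/* Scenario 1: shim -> GRUB -> kernel. GRUB calls the protocol first. */
enum status boot_via_grub(struct shim_state *s)
{
    if (shim_verify(s, "vmlinuz-signed.efi") != STATUS_SUCCESS)
        return STATUS_SECURITY_VIOLATION;
    return shim_exit_boot_services(s);
}

/* Scenario 2: shim -> unified EFI stub directly; nobody calls the protocol,
 * so the hook refuses. This is the failure the post runs into. */
enum status boot_stub_direct(struct shim_state *s)
{
    return shim_exit_boot_services(s);
}

/* Scenario 3: the stub itself calls the protocol before ExitBootServices,
 * which is one way a bootloader-free chain can satisfy the hook. */
enum status boot_stub_participating(struct shim_state *s)
{
    if (shim_verify(s, "vmlinuz-signed.efi") != STATUS_SUCCESS)
        return STATUS_SECURITY_VIOLATION;
    return shim_exit_boot_services(s);
}

int main(void)
{
    struct shim_state a = fresh_state(true);
    struct shim_state b = fresh_state(true);
    struct shim_state c = fresh_state(true);
    printf("grub chain:    %d\n", boot_via_grub(&a));          /* 0  */
    printf("direct stub:   %d\n", boot_stub_direct(&b));       /* 26 */
    printf("participating: %d\n", boot_stub_participating(&c)); /* 0  */
    return 0;
}
```

The model makes the dependency explicit: the refusal in the direct-stub case is not a verification failure of the kernel image, it is the absence of any verification request at all, which is why a chain with no bootloader after shim has to supply that call itself.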