iPXE
Functions | Variables
efi_shim.c File Reference

UEFI shim special handling. More...

#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <ipxe/image.h>
#include <ipxe/efi/efi.h>
#include <ipxe/efi/efi_strings.h>
#include <ipxe/efi/efi_shim.h>
#include <ipxe/efi/Protocol/PxeBaseCode.h>
#include <ipxe/efi/Protocol/ShimLock.h>

Go to the source code of this file.

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 
static int efi_shim_is_sbatlevel (const CHAR16 *name, const EFI_GUID *guid)
 Check if variable is SbatLevel. More...
 
static void efi_shim_unlock (void)
 Unlock UEFI shim. More...
 
static EFI_STATUS EFIAPI efi_shim_set_variable (CHAR16 *name, EFI_GUID *guid, UINT32 attrs, UINTN len, VOID *data)
 Wrap SetVariable() More...
 
static EFI_STATUS EFIAPI efi_shim_get_variable (CHAR16 *name, EFI_GUID *guid, UINT32 *attrs, UINTN *len, VOID *data)
 Wrap GetVariable() More...
 
static EFIAPI EFI_STATUS efi_shim_get_memory_map (UINTN *len, EFI_MEMORY_DESCRIPTOR *map, UINTN *key, UINTN *desclen, UINT32 *descver)
 Wrap GetMemoryMap() More...
 
static int efi_shim_inhibit_pxe (EFI_HANDLE handle)
 Inhibit use of PXE base code. More...
 
static int efi_shim_cmdline (struct image *shim, wchar_t **cmdline)
 Update command line. More...
 
int efi_shim_install (struct image *shim, EFI_HANDLE handle, wchar_t **cmdline)
 Install UEFI shim special handling. More...
 
void efi_shim_uninstall (void)
 Uninstall UEFI shim special handling. More...
 

Variables

int efi_shim_require_loader = 0
 Require use of a third party loader binary. More...
 
int efi_shim_allow_pxe = 0
 Allow use of PXE base code protocol. More...
 
int efi_shim_allow_sbat = 0
 Allow SBAT variable access. More...
 
struct image_tag efi_shim __image_tag
 UEFI shim image. More...
 
static EFI_GET_MEMORY_MAP efi_shim_orig_get_memory_map
 Original GetMemoryMap() function. More...
 
static EFI_SET_VARIABLE efi_shim_orig_set_variable
 Original SetVariable() function. More...
 
static EFI_GET_VARIABLE efi_shim_orig_get_variable
 Original GetVariable() function. More...
 
static int efi_shim_sbatlevel_verify
 Verify read from SbatLevel variable. More...
 

Detailed Description

UEFI shim special handling.

Definition in file efi_shim.c.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )

◆ efi_shim_is_sbatlevel()

static int efi_shim_is_sbatlevel ( const CHAR16 name,
const EFI_GUID guid 
)
static

Check if variable is SbatLevel.

Parameters
nameVariable name
guidVariable namespace GUID
Return values
is_sbatlevelVariable is SbatLevel

Definition at line 131 of file efi_shim.c.

131  {
132  static CHAR16 sbatlevel[] = L"SbatLevel";
133  EFI_GUID *shimlock = &efi_shim_lock_protocol_guid;
134 
135  return ( ( memcmp ( name, sbatlevel, sizeof ( sbatlevel ) ) == 0 ) &&
136  ( memcmp ( guid, shimlock, sizeof ( *shimlock ) ) == 0 ) );
137 }
name
const char * name
Definition: ath9k_hw.c:1984
GUID
128 bit buffer containing a unique identifier value.
Definition: Base.h:215
CHAR16
unsigned short CHAR16
Definition: ProcessorBind.h:101
guid
uint64_t guid
GUID.
Definition: edd.h:30
efi_shim_lock_protocol_guid
EFI_GUID efi_shim_lock_protocol_guid
Shim lock protocol GUID.
Definition: efi_guid.c:299
memcmp
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:114

References efi_shim_lock_protocol_guid, guid, memcmp(), and name.

Referenced by efi_shim_get_variable(), and efi_shim_set_variable().

◆ efi_shim_unlock()

static void efi_shim_unlock ( void  )
static

Unlock UEFI shim.

Definition at line 143 of file efi_shim.c.

143  {
144  EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
145  uint8_t empty[0];
146  union {
147  EFI_SHIM_LOCK_PROTOCOL *lock;
148  void *interface;
149  } u;
150  EFI_STATUS efirc;
151 
152  /* Locate shim lock protocol */
153  if ( ( efirc = bs->LocateProtocol ( &efi_shim_lock_protocol_guid,
154  NULL, &u.interface ) ) == 0 ) {
155  u.lock->Verify ( empty, sizeof ( empty ) );
156  DBGC ( &efi_shim, "SHIM unlocked via %p\n", u.lock );
157  }
158 }
EFI_SYSTEM_TABLE::BootServices
EFI_BOOT_SERVICES * BootServices
A pointer to the EFI Boot Services Table.
Definition: UefiSpec.h:2081
EFI_BOOT_SERVICES::LocateProtocol
EFI_LOCATE_PROTOCOL LocateProtocol
Definition: UefiSpec.h:1995
DBGC
#define DBGC(...)
Definition: compiler.h:505
_EFI_SHIM_LOCK_PROTOCOL
Definition: ShimLock.h:25
interface
An object interface.
Definition: interface.h:124
EFI_BOOT_SERVICES
EFI Boot Services Table.
Definition: UefiSpec.h:1917
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
EFI_STATUS
RETURN_STATUS EFI_STATUS
Function return status for EFI API.
Definition: UefiBaseType.h:31
u
union @17 u
efi_shim_lock_protocol_guid
EFI_GUID efi_shim_lock_protocol_guid
Shim lock protocol GUID.
Definition: efi_guid.c:299
efi_systab
EFI_SYSTEM_TABLE * efi_systab
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321

References EFI_SYSTEM_TABLE::BootServices, DBGC, efi_shim_lock_protocol_guid, efi_systab, EFI_BOOT_SERVICES::LocateProtocol, NULL, and u.

Referenced by efi_shim_get_memory_map().

◆ efi_shim_set_variable()

static EFI_STATUS EFIAPI efi_shim_set_variable ( CHAR16 name,
EFI_GUID guid,
UINT32  attrs,
UINTN  len,
VOID data 
)
static

Wrap SetVariable()

Parameters
nameVariable name
guidVariable namespace GUID
attrsAttributes
lenBuffer size
dataData buffer
Return values
efircEFI status code

Definition at line 171 of file efi_shim.c.

172  {
173  EFI_STATUS efirc;
174 
175  /* Call original SetVariable() */
176  efirc = efi_shim_orig_set_variable ( name, guid, attrs, len, data );
177 
178  /* Allow verification of SbatLevel variable content */
179  if ( efi_shim_is_sbatlevel ( name, guid ) && ( efirc == 0 ) ) {
180  DBGC ( &efi_shim, "SHIM detected write to %ls:\n", name );
181  DBGC_HDA ( &efi_shim, 0, data, len );
182  efi_shim_sbatlevel_verify = 1;
183  }
184 
185  return efirc;
186 }
name
const char * name
Definition: ath9k_hw.c:1984
DBGC
#define DBGC(...)
Definition: compiler.h:505
efi_shim_orig_set_variable
static EFI_SET_VARIABLE efi_shim_orig_set_variable
Original SetVariable() function.
Definition: efi_shim.c:116
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
attrs
uint32_t attrs
Extended attributes (optional)
Definition: memmap.c:32
efi_shim_is_sbatlevel
static int efi_shim_is_sbatlevel(const CHAR16 *name, const EFI_GUID *guid)
Check if variable is SbatLevel.
Definition: efi_shim.c:131
guid
uint64_t guid
GUID.
Definition: edd.h:30
len
uint32_t len
Length.
Definition: ena.h:14
EFI_STATUS
RETURN_STATUS EFI_STATUS
Function return status for EFI API.
Definition: UefiBaseType.h:31
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22
efi_shim_sbatlevel_verify
static int efi_shim_sbatlevel_verify
Verify read from SbatLevel variable.
Definition: efi_shim.c:122

References attrs, data, DBGC, DBGC_HDA, efi_shim_is_sbatlevel(), efi_shim_orig_set_variable, efi_shim_sbatlevel_verify, guid, len, and name.

Referenced by efi_shim_get_memory_map(), and efi_shim_install().

◆ efi_shim_get_variable()

static EFI_STATUS EFIAPI efi_shim_get_variable ( CHAR16 name,
EFI_GUID guid,
UINT32 attrs,
UINTN len,
VOID data 
)
static

Wrap GetVariable()

Parameters
nameVariable name
guidVariable namespace GUID
attrsAttributes to fill in
lenBuffer size
dataData buffer
Return values
efircEFI status code

Definition at line 199 of file efi_shim.c.

200  {
201  char *value = data;
202  EFI_STATUS efirc;
203 
204  /* Call original GetVariable() */
205  efirc = efi_shim_orig_get_variable ( name, guid, attrs, len, data );
206 
207  /* Patch SbatLevel variable if applicable */
208  if ( efi_shim_is_sbatlevel ( name, guid ) && data && ( efirc == 0 ) ) {
209  if ( efi_shim_allow_sbat ) {
210  DBGC ( &efi_shim, "SHIM allowing read from %ls:\n",
211  name );
212  } else if ( efi_shim_sbatlevel_verify ) {
213  DBGC ( &efi_shim, "SHIM allowing one read from %ls:\n",
214  name );
215  efi_shim_sbatlevel_verify = 0;
216  } else {
217  DBGC ( &efi_shim, "SHIM patching read from %ls:\n",
218  name );
219  value[0] = '\0';
220  }
221  DBGC_HDA ( &efi_shim, 0, data, *len );
222  }
223 
224  return efirc;
225 }
efi_shim_allow_sbat
int efi_shim_allow_sbat
Allow SBAT variable access.
Definition: efi_shim.c:105
name
const char * name
Definition: ath9k_hw.c:1984
DBGC
#define DBGC(...)
Definition: compiler.h:505
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
attrs
uint32_t attrs
Extended attributes (optional)
Definition: memmap.c:32
value
pseudo_bit_t value[0x00020]
Definition: arbel.h:13
efi_shim_is_sbatlevel
static int efi_shim_is_sbatlevel(const CHAR16 *name, const EFI_GUID *guid)
Check if variable is SbatLevel.
Definition: efi_shim.c:131
guid
uint64_t guid
GUID.
Definition: edd.h:30
efi_shim_orig_get_variable
static EFI_GET_VARIABLE efi_shim_orig_get_variable
Original GetVariable() function.
Definition: efi_shim.c:119
len
uint32_t len
Length.
Definition: ena.h:14
EFI_STATUS
RETURN_STATUS EFI_STATUS
Function return status for EFI API.
Definition: UefiBaseType.h:31
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22
efi_shim_sbatlevel_verify
static int efi_shim_sbatlevel_verify
Verify read from SbatLevel variable.
Definition: efi_shim.c:122

References attrs, data, DBGC, DBGC_HDA, efi_shim_allow_sbat, efi_shim_is_sbatlevel(), efi_shim_orig_get_variable, efi_shim_sbatlevel_verify, guid, len, name, and value.

Referenced by efi_shim_get_memory_map(), and efi_shim_install().

◆ efi_shim_get_memory_map()

static EFIAPI EFI_STATUS efi_shim_get_memory_map ( UINTN len,
EFI_MEMORY_DESCRIPTOR map,
UINTN key,
UINTN desclen,
UINT32 descver 
)
static

Wrap GetMemoryMap()

Parameters
lenMemory map size
mapMemory map
keyMemory map key
desclenDescriptor size
descverDescriptor version
Return values
efircEFI status code

Definition at line 237 of file efi_shim.c.

240  {
241  EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;
242 
243  /* Unlock shim */
244  if ( ! efi_shim_require_loader )
245  efi_shim_unlock();
246 
247  /* Uninstall runtime services wrappers, if still installed */
248  if ( rs->SetVariable == efi_shim_set_variable ) {
249  rs->SetVariable = efi_shim_orig_set_variable;
250  DBGC ( &efi_shim, "SHIM uninstalled SetVariable() wrapper\n" );
251  } else if ( rs->SetVariable != efi_shim_orig_set_variable ) {
252  DBGC ( &efi_shim, "SHIM could not uninstall SetVariable() "
253  "wrapper!\n" );
254  }
255  if ( rs->GetVariable == efi_shim_get_variable ) {
256  rs->GetVariable = efi_shim_orig_get_variable;
257  DBGC ( &efi_shim, "SHIM uninstalled GetVariable() wrapper\n" );
258  } else if ( rs->GetVariable != efi_shim_orig_get_variable ) {
259  DBGC ( &efi_shim, "SHIM could not uninstall GetVariable() "
260  "wrapper!\n" );
261  }
262 
263  /* Hand off to original GetMemoryMap() */
264  return efi_shim_orig_get_memory_map ( len, map, key, desclen,
265  descver );
266 }
efi_shim_unlock
static void efi_shim_unlock(void)
Unlock UEFI shim.
Definition: efi_shim.c:143
DBGC
#define DBGC(...)
Definition: compiler.h:505
efi_shim_orig_set_variable
static EFI_SET_VARIABLE efi_shim_orig_set_variable
Original SetVariable() function.
Definition: efi_shim.c:116
efi_shim_orig_get_memory_map
static EFI_GET_MEMORY_MAP efi_shim_orig_get_memory_map
Original GetMemoryMap() function.
Definition: efi_shim.c:113
efi_shim_require_loader
int efi_shim_require_loader
Require use of a third party loader binary.
Definition: efi_shim.c:67
EFI_RUNTIME_SERVICES::SetVariable
EFI_SET_VARIABLE SetVariable
Definition: UefiSpec.h:1891
EFI_RUNTIME_SERVICES::GetVariable
EFI_GET_VARIABLE GetVariable
Definition: UefiSpec.h:1889
EFI_RUNTIME_SERVICES
EFI Runtime Services Table.
Definition: UefiSpec.h:1866
map
static __always_inline int struct dma_mapping * map
Definition: dma.h:181
efi_shim_orig_get_variable
static EFI_GET_VARIABLE efi_shim_orig_get_variable
Original GetVariable() function.
Definition: efi_shim.c:119
EFI_SYSTEM_TABLE::RuntimeServices
EFI_RUNTIME_SERVICES * RuntimeServices
A pointer to the EFI Runtime Services Table.
Definition: UefiSpec.h:2077
len
uint32_t len
Length.
Definition: ena.h:14
efi_shim_get_variable
static EFI_STATUS EFIAPI efi_shim_get_variable(CHAR16 *name, EFI_GUID *guid, UINT32 *attrs, UINTN *len, VOID *data)
Wrap GetVariable()
Definition: efi_shim.c:199
efi_systab
EFI_SYSTEM_TABLE * efi_systab
efi_shim_set_variable
static EFI_STATUS EFIAPI efi_shim_set_variable(CHAR16 *name, EFI_GUID *guid, UINT32 attrs, UINTN len, VOID *data)
Wrap SetVariable()
Definition: efi_shim.c:171
key
union @382 key
Sense key.
Definition: crypto.h:284

References DBGC, efi_shim_get_variable(), efi_shim_orig_get_memory_map, efi_shim_orig_get_variable, efi_shim_orig_set_variable, efi_shim_require_loader, efi_shim_set_variable(), efi_shim_unlock(), efi_systab, EFI_RUNTIME_SERVICES::GetVariable, key, len, map, EFI_SYSTEM_TABLE::RuntimeServices, and EFI_RUNTIME_SERVICES::SetVariable.

Referenced by efi_shim_install().

◆ efi_shim_inhibit_pxe()

static int efi_shim_inhibit_pxe ( EFI_HANDLE  handle)
static

Inhibit use of PXE base code.

Parameters
handleEFI handle
Return values
rcReturn status code

Definition at line 274 of file efi_shim.c.

274  {
275  EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
276  union {
277  EFI_PXE_BASE_CODE_PROTOCOL *pxe;
278  void *interface;
279  } u;
280  EFI_STATUS efirc;
281  int rc;
282 
283  /* Locate PXE base code */
284  if ( ( efirc = bs->OpenProtocol ( handle,
285  &efi_pxe_base_code_protocol_guid,
286  &u.interface, efi_image_handle, NULL,
287  EFI_OPEN_PROTOCOL_GET_PROTOCOL ))!=0){
288  rc = -EEFI ( efirc );
289  DBGC ( &efi_shim, "SHIM could not open PXE base code: %s\n",
290  strerror ( rc ) );
291  goto err_no_base;
292  }
293 
294  /* Stop PXE base code */
295  if ( ( efirc = u.pxe->Stop ( u.pxe ) ) != 0 ) {
296  rc = -EEFI ( efirc );
297  DBGC ( &efi_shim, "SHIM could not stop PXE base code: %s\n",
298  strerror ( rc ) );
299  goto err_stop;
300  }
301 
302  /* Success */
303  rc = 0;
304  DBGC ( &efi_shim, "SHIM stopped PXE base code\n" );
305 
306  err_stop:
307  bs->CloseProtocol ( handle, &efi_pxe_base_code_protocol_guid,
308  efi_image_handle, NULL );
309  err_no_base:
310  return rc;
311 }
EFI_SYSTEM_TABLE::BootServices
EFI_BOOT_SERVICES * BootServices
A pointer to the EFI Boot Services Table.
Definition: UefiSpec.h:2081
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
EEFI
#define EEFI(efirc)
Convert an EFI status code to an iPXE status code.
Definition: efi.h:171
DBGC
#define DBGC(...)
Definition: compiler.h:505
efi_pxe_base_code_protocol_guid
EFI_GUID efi_pxe_base_code_protocol_guid
PXE base code protocol GUID.
Definition: efi_guid.c:291
EFI_BOOT_SERVICES::CloseProtocol
EFI_CLOSE_PROTOCOL CloseProtocol
Definition: UefiSpec.h:1987
interface
An object interface.
Definition: interface.h:124
EFI_OPEN_PROTOCOL_GET_PROTOCOL
#define EFI_OPEN_PROTOCOL_GET_PROTOCOL
Definition: UefiSpec.h:1344
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
EFI_BOOT_SERVICES
EFI Boot Services Table.
Definition: UefiSpec.h:1917
efi_image_handle
EFI_HANDLE efi_image_handle
Image handle passed to entry point.
Definition: efi_init.c:34
EFI_STATUS
RETURN_STATUS EFI_STATUS
Function return status for EFI API.
Definition: UefiBaseType.h:31
u
union @17 u
efi_systab
EFI_SYSTEM_TABLE * efi_systab
EFI_BOOT_SERVICES::OpenProtocol
EFI_OPEN_PROTOCOL OpenProtocol
Definition: UefiSpec.h:1986
_EFI_PXE_BASE_CODE_PROTOCOL
The EFI_PXE_BASE_CODE_PROTOCOL is used to control PXE-compatible devices.
Definition: PxeBaseCode.h:908
handle
uint16_t handle
Handle.
Definition: smbios.h:16
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321

References EFI_SYSTEM_TABLE::BootServices, EFI_BOOT_SERVICES::CloseProtocol, DBGC, EEFI, efi_image_handle, EFI_OPEN_PROTOCOL_GET_PROTOCOL, efi_pxe_base_code_protocol_guid, efi_systab, handle, NULL, EFI_BOOT_SERVICES::OpenProtocol, rc, strerror(), and u.

Referenced by efi_shim_install().

◆ efi_shim_cmdline()

static int efi_shim_cmdline ( struct image shim,
wchar_t **  cmdline 
)
static

Update command line.

Parameters
shimShim image
cmdlineCommand line to update
Return values
rcReturn status code

Definition at line 320 of file efi_shim.c.

320  {
321  wchar_t *shimcmdline;
322  int len;
323  int rc;
324 
325  /* Construct new command line */
326  len = ( shim->cmdline ?
327  efi_asprintf ( &shimcmdline, "%s %s", shim->name,
328  shim->cmdline ) :
329  efi_asprintf ( &shimcmdline, "%s %ls", shim->name,
330  *cmdline ) );
331  if ( len < 0 ) {
332  rc = len;
333  DBGC ( &efi_shim, "SHIM could not construct command line: "
334  "%s\n", strerror ( rc ) );
335  return rc;
336  }
337 
338  /* Replace command line */
339  free ( *cmdline );
340  *cmdline = shimcmdline;
341 
342  return 0;
343 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
name
const char * name
Definition: ath9k_hw.c:1984
DBGC
#define DBGC(...)
Definition: compiler.h:505
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
free
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
len
uint32_t len
Length.
Definition: ena.h:14
efi_asprintf
int efi_asprintf(wchar_t **wstrp, const char *fmt,...)
Write a formatted string to newly allocated memory.
Definition: efi_strings.c:188
cmdline
uint32_t cmdline
Definition: multiboot.h:16
shim
int shim(struct image *image, int require_loader, int allow_pxe, int allow_sbat)
Set shim image.
Definition: shimmgmt.c:45

References cmdline, DBGC, efi_asprintf(), free, len, rc, shim(), and strerror().

Referenced by efi_shim_install().

◆ efi_shim_install()

int efi_shim_install ( struct image shim,
EFI_HANDLE  handle,
wchar_t **  cmdline 
)

Install UEFI shim special handling.

Parameters
shimShim image
handleEFI device handle
cmdlineCommand line to update
Return values
rcReturn status code

Definition at line 353 of file efi_shim.c.

354  {
355  EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
356  EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;
357  int rc;
358 
359  /* Stop PXE base code */
360  if ( ( ! efi_shim_allow_pxe ) &&
361  ( ( rc = efi_shim_inhibit_pxe ( handle ) ) != 0 ) ) {
362  return rc;
363  }
364 
365  /* Update command line */
366  if ( ( rc = efi_shim_cmdline ( shim, cmdline ) ) != 0 )
367  return rc;
368 
369  /* Record original boot and runtime services functions */
370  efi_shim_orig_get_memory_map = bs->GetMemoryMap;
371  efi_shim_orig_set_variable = rs->SetVariable;
372  efi_shim_orig_get_variable = rs->GetVariable;
373 
374  /* Wrap relevant boot and runtime services functions */
375  bs->GetMemoryMap = efi_shim_get_memory_map;
376  rs->SetVariable = efi_shim_set_variable;
377  rs->GetVariable = efi_shim_get_variable;
378  DBGC ( &efi_shim, "SHIM installed wrappers\n" );
379 
380  return 0;
381 }
EFI_SYSTEM_TABLE::BootServices
EFI_BOOT_SERVICES * BootServices
A pointer to the EFI Boot Services Table.
Definition: UefiSpec.h:2081
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
DBGC
#define DBGC(...)
Definition: compiler.h:505
efi_shim_orig_set_variable
static EFI_SET_VARIABLE efi_shim_orig_set_variable
Original SetVariable() function.
Definition: efi_shim.c:116
efi_shim_orig_get_memory_map
static EFI_GET_MEMORY_MAP efi_shim_orig_get_memory_map
Original GetMemoryMap() function.
Definition: efi_shim.c:113
efi_shim_get_memory_map
static EFIAPI EFI_STATUS efi_shim_get_memory_map(UINTN *len, EFI_MEMORY_DESCRIPTOR *map, UINTN *key, UINTN *desclen, UINT32 *descver)
Wrap GetMemoryMap()
Definition: efi_shim.c:237
efi_shim_cmdline
static int efi_shim_cmdline(struct image *shim, wchar_t **cmdline)
Update command line.
Definition: efi_shim.c:320
efi_shim_allow_pxe
int efi_shim_allow_pxe
Allow use of PXE base code protocol.
Definition: efi_shim.c:85
EFI_RUNTIME_SERVICES::SetVariable
EFI_SET_VARIABLE SetVariable
Definition: UefiSpec.h:1891
EFI_RUNTIME_SERVICES::GetVariable
EFI_GET_VARIABLE GetVariable
Definition: UefiSpec.h:1889
EFI_RUNTIME_SERVICES
EFI Runtime Services Table.
Definition: UefiSpec.h:1866
EFI_BOOT_SERVICES
EFI Boot Services Table.
Definition: UefiSpec.h:1917
EFI_BOOT_SERVICES::GetMemoryMap
EFI_GET_MEMORY_MAP GetMemoryMap
Definition: UefiSpec.h:1934
efi_shim_orig_get_variable
static EFI_GET_VARIABLE efi_shim_orig_get_variable
Original GetVariable() function.
Definition: efi_shim.c:119
EFI_SYSTEM_TABLE::RuntimeServices
EFI_RUNTIME_SERVICES * RuntimeServices
A pointer to the EFI Runtime Services Table.
Definition: UefiSpec.h:2077
efi_shim_get_variable
static EFI_STATUS EFIAPI efi_shim_get_variable(CHAR16 *name, EFI_GUID *guid, UINT32 *attrs, UINTN *len, VOID *data)
Wrap GetVariable()
Definition: efi_shim.c:199
efi_systab
EFI_SYSTEM_TABLE * efi_systab
cmdline
uint32_t cmdline
Definition: multiboot.h:16
handle
uint16_t handle
Handle.
Definition: smbios.h:16
shim
int shim(struct image *image, int require_loader, int allow_pxe, int allow_sbat)
Set shim image.
Definition: shimmgmt.c:45
efi_shim_set_variable
static EFI_STATUS EFIAPI efi_shim_set_variable(CHAR16 *name, EFI_GUID *guid, UINT32 attrs, UINTN len, VOID *data)
Wrap SetVariable()
Definition: efi_shim.c:171
efi_shim_inhibit_pxe
static int efi_shim_inhibit_pxe(EFI_HANDLE handle)
Inhibit use of PXE base code.
Definition: efi_shim.c:274

References EFI_SYSTEM_TABLE::BootServices, cmdline, DBGC, efi_shim_allow_pxe, efi_shim_cmdline(), efi_shim_get_memory_map(), efi_shim_get_variable(), efi_shim_inhibit_pxe(), efi_shim_orig_get_memory_map, efi_shim_orig_get_variable, efi_shim_orig_set_variable, efi_shim_set_variable(), efi_systab, EFI_BOOT_SERVICES::GetMemoryMap, EFI_RUNTIME_SERVICES::GetVariable, handle, rc, EFI_SYSTEM_TABLE::RuntimeServices, EFI_RUNTIME_SERVICES::SetVariable, and shim().

Referenced by efi_image_exec().

◆ efi_shim_uninstall()

void efi_shim_uninstall ( void  )

Uninstall UEFI shim special handling.

Definition at line 387 of file efi_shim.c.

387  {
388  EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
389  EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;
390 
391  /* Restore original boot and runtime services functions */
392  bs->GetMemoryMap = efi_shim_orig_get_memory_map;
393  rs->SetVariable = efi_shim_orig_set_variable;
394  rs->GetVariable = efi_shim_orig_get_variable;
395  DBGC ( &efi_shim, "SHIM uninstalled wrappers\n" );
396 }
EFI_SYSTEM_TABLE::BootServices
EFI_BOOT_SERVICES * BootServices
A pointer to the EFI Boot Services Table.
Definition: UefiSpec.h:2081
DBGC
#define DBGC(...)
Definition: compiler.h:505
efi_shim_orig_set_variable
static EFI_SET_VARIABLE efi_shim_orig_set_variable
Original SetVariable() function.
Definition: efi_shim.c:116
efi_shim_orig_get_memory_map
static EFI_GET_MEMORY_MAP efi_shim_orig_get_memory_map
Original GetMemoryMap() function.
Definition: efi_shim.c:113
EFI_RUNTIME_SERVICES::SetVariable
EFI_SET_VARIABLE SetVariable
Definition: UefiSpec.h:1891
EFI_RUNTIME_SERVICES::GetVariable
EFI_GET_VARIABLE GetVariable
Definition: UefiSpec.h:1889
EFI_RUNTIME_SERVICES
EFI Runtime Services Table.
Definition: UefiSpec.h:1866
EFI_BOOT_SERVICES
EFI Boot Services Table.
Definition: UefiSpec.h:1917
EFI_BOOT_SERVICES::GetMemoryMap
EFI_GET_MEMORY_MAP GetMemoryMap
Definition: UefiSpec.h:1934
efi_shim_orig_get_variable
static EFI_GET_VARIABLE efi_shim_orig_get_variable
Original GetVariable() function.
Definition: efi_shim.c:119
EFI_SYSTEM_TABLE::RuntimeServices
EFI_RUNTIME_SERVICES * RuntimeServices
A pointer to the EFI Runtime Services Table.
Definition: UefiSpec.h:2077
efi_systab
EFI_SYSTEM_TABLE * efi_systab

References EFI_SYSTEM_TABLE::BootServices, DBGC, efi_shim_orig_get_memory_map, efi_shim_orig_get_variable, efi_shim_orig_set_variable, efi_systab, EFI_BOOT_SERVICES::GetMemoryMap, EFI_RUNTIME_SERVICES::GetVariable, EFI_SYSTEM_TABLE::RuntimeServices, and EFI_RUNTIME_SERVICES::SetVariable.

Referenced by efi_image_exec().

Variable Documentation

◆ efi_shim_require_loader

int efi_shim_require_loader = 0

Require use of a third party loader binary.

The UEFI shim is gradually becoming less capable of directly executing a Linux kernel image, due to an ever increasing list of assumptions that it will only ever be used in conjunction with a second stage loader binary such as GRUB.

For example: shim will erroneously complain if the image that it loads and executes does not in turn call in to the "shim lock protocol" to verify a separate newly loaded binary before calling ExitBootServices(), even if no such separate binary is used or required.

Experience shows that there is unfortunately no point in trying to get a fix for this upstreamed into shim. We therefore default to reducing the Secure Boot attack surface by removing, where possible, this spurious requirement for the use of an additional second stage loader.

This option may be used to require the use of an additional second stage loader binary, in case this behaviour is ever desirable.

Definition at line 67 of file efi_shim.c.

Referenced by efi_shim_get_memory_map(), and shim().

◆ efi_shim_allow_pxe

int efi_shim_allow_pxe = 0

Allow use of PXE base code protocol.

We provide shim with access to all of the relevant downloaded files via our EFI_SIMPLE_FILE_SYSTEM_PROTOCOL interface. However, shim will instead try to redownload the files via TFTP since it prefers to use the EFI_PXE_BASE_CODE_PROTOCOL installed on the same handle.

Experience shows that there is unfortunately no point in trying to get a fix for this upstreamed into shim. We therefore default to working around this undesirable behaviour by stopping the PXE base code protocol before invoking shim.

This option may be used to allow shim to use the PXE base code protocol, in case this behaviour is ever desirable.

Definition at line 85 of file efi_shim.c.

Referenced by efi_shim_install(), and shim().

◆ efi_shim_allow_sbat

int efi_shim_allow_sbat = 0

Allow SBAT variable access.

The UEFI shim implements a fairly nicely designed revocation mechanism designed around the concept of security generations. Unfortunately nobody in the shim community has thus far added the relevant metadata to the Linux kernel, with the result that current versions of shim are incapable of booting current versions of the Linux kernel.

Experience shows that there is unfortunately no point in trying to get a fix for this upstreamed into shim. We therefore default to working around this undesirable behaviour by patching data read from the "SbatLevel" variable used to hold SBAT configuration.

This option may be used to allow shim unpatched access to the "SbatLevel" variable, in case this behaviour is ever desirable.

Definition at line 105 of file efi_shim.c.

Referenced by efi_shim_get_variable(), and shim().

◆ __image_tag

struct image_tag efi_shim __image_tag
Initial value:
= {
.name = "SHIM",
}

UEFI shim image.

Image selected for execution.

Definition at line 108 of file efi_shim.c.

◆ efi_shim_orig_get_memory_map

EFI_GET_MEMORY_MAP efi_shim_orig_get_memory_map
static

Original GetMemoryMap() function.

Definition at line 113 of file efi_shim.c.

Referenced by efi_shim_get_memory_map(), efi_shim_install(), and efi_shim_uninstall().

◆ efi_shim_orig_set_variable

EFI_SET_VARIABLE efi_shim_orig_set_variable
static

Original SetVariable() function.

Definition at line 116 of file efi_shim.c.

Referenced by efi_shim_get_memory_map(), efi_shim_install(), efi_shim_set_variable(), and efi_shim_uninstall().

◆ efi_shim_orig_get_variable

EFI_GET_VARIABLE efi_shim_orig_get_variable
static

Original GetVariable() function.

Definition at line 119 of file efi_shim.c.

Referenced by efi_shim_get_memory_map(), efi_shim_get_variable(), efi_shim_install(), and efi_shim_uninstall().

◆ efi_shim_sbatlevel_verify

int efi_shim_sbatlevel_verify
static

Verify read from SbatLevel variable.

Definition at line 122 of file efi_shim.c.

Referenced by efi_shim_get_variable(), and efi_shim_set_variable().

Generated by   doxygen 1.8.15