iPXE
Functions | Variables
efi_shim.h File Reference

UEFI shim special handling. More...

#include <ipxe/image.h>
#include <ipxe/efi/efi.h>

Go to the source code of this file.

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 FILE_SECBOOT (PERMITTED)
int efi_shim_install (struct image *shim, EFI_HANDLE handle, wchar_t **cmdline)
 Install UEFI shim special handling.
void efi_shim_uninstall (void)
 Uninstall UEFI shim special handling.

Variables

int efi_shim_require_loader
 Require use of a third party loader binary.
int efi_shim_allow_pxe
 Allow use of PXE base code protocol.
int efi_shim_allow_sbat
 Allow SBAT variable access.
struct image_tag efi_shim __image_tag
 The downloaded flattened device tree tag.

Detailed Description

UEFI shim special handling.

Definition in file efi_shim.h.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL )

◆ FILE_SECBOOT()

FILE_SECBOOT ( PERMITTED )

References __image_tag, cmdline, EFI_HANDLE, efi_shim_allow_pxe, efi_shim_allow_sbat, efi_shim_require_loader, handle, and shim().

◆ efi_shim_install()

int efi_shim_install ( struct image * shim,
EFI_HANDLE handle,
wchar_t ** cmdline )
extern

Install UEFI shim special handling.

Parameters
shimShim image
handleEFI device handle
cmdlineCommand line to update
Return values
rcReturn status code

Definition at line 366 of file efi_shim.c.

367 {
368 EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
369 EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;
370 int rc;
371
372 /* Stop PXE base code */
373 if ( ( ! efi_shim_allow_pxe ) &&
374 ( ( rc = efi_shim_inhibit_pxe ( handle ) ) != 0 ) ) {
375 return rc;
376 }
377
378 /* Update command line */
379 if ( ( rc = efi_shim_cmdline ( shim, cmdline ) ) != 0 )
380 return rc;
381
382 /* Record original boot and runtime services functions */
383 efi_shim_orig_get_memory_map = bs->GetMemoryMap;
384 efi_shim_orig_set_variable = rs->SetVariable;
385 efi_shim_orig_get_variable = rs->GetVariable;
386
387 /* Wrap relevant boot and runtime services functions */
388 bs->GetMemoryMap = efi_shim_get_memory_map;
389 rs->SetVariable = efi_shim_set_variable;
390 rs->GetVariable = efi_shim_get_variable;
391 DBGC ( &efi_shim, "SHIM installed wrappers\n" );
392
393 return 0;
394}
rc
struct arbelprm_rc_send_wqe rc
Definition arbel.h:3
efi_shim_cmdline
static int efi_shim_cmdline(struct image *shim, wchar_t **cmdline)
Update command line.
Definition efi_shim.c:333
efi_shim_orig_set_variable
static EFI_SET_VARIABLE efi_shim_orig_set_variable
Original SetVariable() function.
Definition efi_shim.c:118
efi_shim_allow_pxe
int efi_shim_allow_pxe
Allow use of PXE base code protocol.
Definition efi_shim.c:87
efi_shim_orig_get_memory_map
static EFI_GET_MEMORY_MAP efi_shim_orig_get_memory_map
Original GetMemoryMap() function.
Definition efi_shim.c:115
efi_shim_get_variable
static EFI_STATUS EFIAPI efi_shim_get_variable(CHAR16 *name, EFI_GUID *guid, UINT32 *attrs, UINTN *len, VOID *data)
Wrap GetVariable()
Definition efi_shim.c:226
efi_shim_inhibit_pxe
static int efi_shim_inhibit_pxe(EFI_HANDLE handle)
Inhibit use of PXE base code.
Definition efi_shim.c:301
efi_shim_get_memory_map
static EFIAPI EFI_STATUS efi_shim_get_memory_map(UINTN *len, EFI_MEMORY_DESCRIPTOR *map, UINTN *key, UINTN *desclen, UINT32 *descver)
Wrap GetMemoryMap()
Definition efi_shim.c:264
efi_shim_set_variable
static EFI_STATUS EFIAPI efi_shim_set_variable(CHAR16 *name, EFI_GUID *guid, UINT32 attrs, UINTN len, VOID *data)
Wrap SetVariable()
Definition efi_shim.c:198
efi_shim_orig_get_variable
static EFI_GET_VARIABLE efi_shim_orig_get_variable
Original GetVariable() function.
Definition efi_shim.c:121
DBGC
#define DBGC(...)
Definition compiler.h:505
efi_systab
EFI_SYSTEM_TABLE * efi_systab
handle
uint16_t handle
Handle.
Definition smbios.h:5
cmdline
uint32_t cmdline
Definition multiboot.h:4
shim
int shim(struct image *image, int require_loader, int allow_pxe, int allow_sbat)
Set shim image.
Definition shimmgmt.c:46
EFI_BOOT_SERVICES
EFI Boot Services Table.
Definition UefiSpec.h:1931
EFI_BOOT_SERVICES::GetMemoryMap
EFI_GET_MEMORY_MAP GetMemoryMap
Definition UefiSpec.h:1948
EFI_RUNTIME_SERVICES
EFI Runtime Services Table.
Definition UefiSpec.h:1880
EFI_RUNTIME_SERVICES::SetVariable
EFI_SET_VARIABLE SetVariable
Definition UefiSpec.h:1905
EFI_RUNTIME_SERVICES::GetVariable
EFI_GET_VARIABLE GetVariable
Definition UefiSpec.h:1903

References cmdline, DBGC, EFI_HANDLE, efi_shim_allow_pxe, efi_shim_cmdline(), efi_shim_get_memory_map(), efi_shim_get_variable(), efi_shim_inhibit_pxe(), efi_shim_orig_get_memory_map, efi_shim_orig_get_variable, efi_shim_orig_set_variable, efi_shim_set_variable(), efi_systab, EFI_BOOT_SERVICES::GetMemoryMap, EFI_RUNTIME_SERVICES::GetVariable, handle, rc, EFI_RUNTIME_SERVICES::SetVariable, and shim().

Referenced by efi_image_exec().

◆ efi_shim_uninstall()

void efi_shim_uninstall ( void )
extern

Uninstall UEFI shim special handling.

Definition at line 400 of file efi_shim.c.

400 {
401 EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
402 EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;
403
404 /* Restore original boot and runtime services functions */
405 bs->GetMemoryMap = efi_shim_orig_get_memory_map;
406 rs->SetVariable = efi_shim_orig_set_variable;
407 rs->GetVariable = efi_shim_orig_get_variable;
408 DBGC ( &efi_shim, "SHIM uninstalled wrappers\n" );
409}

References DBGC, efi_shim_orig_get_memory_map, efi_shim_orig_get_variable, efi_shim_orig_set_variable, efi_systab, EFI_BOOT_SERVICES::GetMemoryMap, EFI_RUNTIME_SERVICES::GetVariable, and EFI_RUNTIME_SERVICES::SetVariable.

Referenced by efi_image_exec().

Variable Documentation

◆ efi_shim_require_loader

int efi_shim_require_loader
extern

Require use of a third party loader binary.

The UEFI shim is gradually becoming less capable of directly executing a Linux kernel image, due to an ever increasing list of assumptions that it will only ever be used in conjunction with a second stage loader binary such as GRUB.

For example: shim will erroneously complain if the image that it loads and executes does not in turn call in to the "shim lock protocol" to verify a separate newly loaded binary before calling ExitBootServices(), even if no such separate binary is used or required.

Experience shows that there is unfortunately no point in trying to get a fix for this upstreamed into shim. We therefore default to reducing the Secure Boot attack surface by removing, where possible, this spurious requirement for the use of an additional second stage loader.

This option may be used to require the use of an additional second stage loader binary, in case this behaviour is ever desirable.

Definition at line 69 of file efi_shim.c.

Referenced by efi_shim_get_memory_map(), FILE_SECBOOT(), and shim().

◆ efi_shim_allow_pxe

int efi_shim_allow_pxe
extern

Allow use of PXE base code protocol.

We provide shim with access to all of the relevant downloaded files via our EFI_SIMPLE_FILE_SYSTEM_PROTOCOL interface. However, shim will instead try to redownload the files via TFTP since it prefers to use the EFI_PXE_BASE_CODE_PROTOCOL installed on the same handle.

Experience shows that there is unfortunately no point in trying to get a fix for this upstreamed into shim. We therefore default to working around this undesirable behaviour by stopping the PXE base code protocol before invoking shim.

This option may be used to allow shim to use the PXE base code protocol, in case this behaviour is ever desirable.

Definition at line 87 of file efi_shim.c.

Referenced by efi_shim_install(), FILE_SECBOOT(), and shim().

◆ efi_shim_allow_sbat

int efi_shim_allow_sbat
extern

Allow SBAT variable access.

The UEFI shim implements a fairly nicely designed revocation mechanism designed around the concept of security generations. Unfortunately nobody in the shim community has thus far added the relevant metadata to the Linux kernel, with the result that current versions of shim are incapable of booting current versions of the Linux kernel.

Experience shows that there is unfortunately no point in trying to get a fix for this upstreamed into shim. We therefore default to working around this undesirable behaviour by patching data read from the "SbatLevel" variable used to hold SBAT configuration.

This option may be used to allow shim unpatched access to the "SbatLevel" variable, in case this behaviour is ever desirable.

Definition at line 107 of file efi_shim.c.

Referenced by efi_shim_get_variable(), FILE_SECBOOT(), and shim().

◆ __image_tag

struct image_tag efi_shim __image_tag
extern

The downloaded flattened device tree tag.

The downloaded flattened device tree tag.

Currently-executing image.

The downloaded flattened device tree tag.

Definition at line 48 of file fdt.c.

48 {
49 .name = "FDT",
50};
Generated by doxygen 1.14.0