iPXE
Functions | Variables
efi_shim.h File Reference

UEFI shim special handling. More...

#include <ipxe/image.h>
#include <ipxe/efi/efi.h>

Go to the source code of this file.

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 
int efi_shim_install (struct image *shim, EFI_HANDLE handle, wchar_t **cmdline)
 Install UEFI shim special handling. More...
 
void efi_shim_uninstall (void)
 Uninstall UEFI shim special handling. More...
 

Variables

int efi_shim_require_loader
 Require use of a third party loader binary. More...
 
int efi_shim_allow_pxe
 Allow use of PXE base code protocol. More...
 
int efi_shim_allow_sbat
 Allow SBAT variable access. More...
 
struct image_tag efi_shim __image_tag
 Image selected for execution. More...
 

Detailed Description

UEFI shim special handling.

Definition in file efi_shim.h.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )

◆ efi_shim_install()

int efi_shim_install ( struct image shim,
EFI_HANDLE  handle,
wchar_t **  cmdline 
)

Install UEFI shim special handling.

Parameters
shimShim image
handleEFI device handle
cmdlineCommand line to update
Return values
rcReturn status code

Definition at line 353 of file efi_shim.c.

354  {
355  EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
356  EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;
357  int rc;
358 
359  /* Stop PXE base code */
360  if ( ( ! efi_shim_allow_pxe ) &&
361  ( ( rc = efi_shim_inhibit_pxe ( handle ) ) != 0 ) ) {
362  return rc;
363  }
364 
365  /* Update command line */
366  if ( ( rc = efi_shim_cmdline ( shim, cmdline ) ) != 0 )
367  return rc;
368 
369  /* Record original boot and runtime services functions */
370  efi_shim_orig_get_memory_map = bs->GetMemoryMap;
371  efi_shim_orig_set_variable = rs->SetVariable;
372  efi_shim_orig_get_variable = rs->GetVariable;
373 
374  /* Wrap relevant boot and runtime services functions */
375  bs->GetMemoryMap = efi_shim_get_memory_map;
376  rs->SetVariable = efi_shim_set_variable;
377  rs->GetVariable = efi_shim_get_variable;
378  DBGC ( &efi_shim, "SHIM installed wrappers\n" );
379 
380  return 0;
381 }
EFI_SYSTEM_TABLE::BootServices
EFI_BOOT_SERVICES * BootServices
A pointer to the EFI Boot Services Table.
Definition: UefiSpec.h:2081
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
DBGC
#define DBGC(...)
Definition: compiler.h:505
efi_shim_orig_set_variable
static EFI_SET_VARIABLE efi_shim_orig_set_variable
Original SetVariable() function.
Definition: efi_shim.c:116
efi_shim_orig_get_memory_map
static EFI_GET_MEMORY_MAP efi_shim_orig_get_memory_map
Original GetMemoryMap() function.
Definition: efi_shim.c:113
efi_shim_get_memory_map
static EFIAPI EFI_STATUS efi_shim_get_memory_map(UINTN *len, EFI_MEMORY_DESCRIPTOR *map, UINTN *key, UINTN *desclen, UINT32 *descver)
Wrap GetMemoryMap()
Definition: efi_shim.c:237
efi_shim_cmdline
static int efi_shim_cmdline(struct image *shim, wchar_t **cmdline)
Update command line.
Definition: efi_shim.c:320
efi_shim_allow_pxe
int efi_shim_allow_pxe
Allow use of PXE base code protocol.
Definition: efi_shim.c:85
EFI_RUNTIME_SERVICES::SetVariable
EFI_SET_VARIABLE SetVariable
Definition: UefiSpec.h:1891
EFI_RUNTIME_SERVICES::GetVariable
EFI_GET_VARIABLE GetVariable
Definition: UefiSpec.h:1889
EFI_RUNTIME_SERVICES
EFI Runtime Services Table.
Definition: UefiSpec.h:1866
EFI_BOOT_SERVICES
EFI Boot Services Table.
Definition: UefiSpec.h:1917
EFI_BOOT_SERVICES::GetMemoryMap
EFI_GET_MEMORY_MAP GetMemoryMap
Definition: UefiSpec.h:1934
efi_shim_orig_get_variable
static EFI_GET_VARIABLE efi_shim_orig_get_variable
Original GetVariable() function.
Definition: efi_shim.c:119
EFI_SYSTEM_TABLE::RuntimeServices
EFI_RUNTIME_SERVICES * RuntimeServices
A pointer to the EFI Runtime Services Table.
Definition: UefiSpec.h:2077
efi_shim_get_variable
static EFI_STATUS EFIAPI efi_shim_get_variable(CHAR16 *name, EFI_GUID *guid, UINT32 *attrs, UINTN *len, VOID *data)
Wrap GetVariable()
Definition: efi_shim.c:199
efi_systab
EFI_SYSTEM_TABLE * efi_systab
cmdline
uint32_t cmdline
Definition: multiboot.h:16
handle
uint16_t handle
Handle.
Definition: smbios.h:16
shim
int shim(struct image *image, int require_loader, int allow_pxe, int allow_sbat)
Set shim image.
Definition: shimmgmt.c:45
efi_shim_set_variable
static EFI_STATUS EFIAPI efi_shim_set_variable(CHAR16 *name, EFI_GUID *guid, UINT32 attrs, UINTN len, VOID *data)
Wrap SetVariable()
Definition: efi_shim.c:171
efi_shim_inhibit_pxe
static int efi_shim_inhibit_pxe(EFI_HANDLE handle)
Inhibit use of PXE base code.
Definition: efi_shim.c:274

References EFI_SYSTEM_TABLE::BootServices, cmdline, DBGC, efi_shim_allow_pxe, efi_shim_cmdline(), efi_shim_get_memory_map(), efi_shim_get_variable(), efi_shim_inhibit_pxe(), efi_shim_orig_get_memory_map, efi_shim_orig_get_variable, efi_shim_orig_set_variable, efi_shim_set_variable(), efi_systab, EFI_BOOT_SERVICES::GetMemoryMap, EFI_RUNTIME_SERVICES::GetVariable, handle, rc, EFI_SYSTEM_TABLE::RuntimeServices, EFI_RUNTIME_SERVICES::SetVariable, and shim().

Referenced by efi_image_exec().

◆ efi_shim_uninstall()

void efi_shim_uninstall ( void  )

Uninstall UEFI shim special handling.

Definition at line 387 of file efi_shim.c.

387  {
388  EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
389  EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;
390 
391  /* Restore original boot and runtime services functions */
392  bs->GetMemoryMap = efi_shim_orig_get_memory_map;
393  rs->SetVariable = efi_shim_orig_set_variable;
394  rs->GetVariable = efi_shim_orig_get_variable;
395  DBGC ( &efi_shim, "SHIM uninstalled wrappers\n" );
396 }
EFI_SYSTEM_TABLE::BootServices
EFI_BOOT_SERVICES * BootServices
A pointer to the EFI Boot Services Table.
Definition: UefiSpec.h:2081
DBGC
#define DBGC(...)
Definition: compiler.h:505
efi_shim_orig_set_variable
static EFI_SET_VARIABLE efi_shim_orig_set_variable
Original SetVariable() function.
Definition: efi_shim.c:116
efi_shim_orig_get_memory_map
static EFI_GET_MEMORY_MAP efi_shim_orig_get_memory_map
Original GetMemoryMap() function.
Definition: efi_shim.c:113
EFI_RUNTIME_SERVICES::SetVariable
EFI_SET_VARIABLE SetVariable
Definition: UefiSpec.h:1891
EFI_RUNTIME_SERVICES::GetVariable
EFI_GET_VARIABLE GetVariable
Definition: UefiSpec.h:1889
EFI_RUNTIME_SERVICES
EFI Runtime Services Table.
Definition: UefiSpec.h:1866
EFI_BOOT_SERVICES
EFI Boot Services Table.
Definition: UefiSpec.h:1917
EFI_BOOT_SERVICES::GetMemoryMap
EFI_GET_MEMORY_MAP GetMemoryMap
Definition: UefiSpec.h:1934
efi_shim_orig_get_variable
static EFI_GET_VARIABLE efi_shim_orig_get_variable
Original GetVariable() function.
Definition: efi_shim.c:119
EFI_SYSTEM_TABLE::RuntimeServices
EFI_RUNTIME_SERVICES * RuntimeServices
A pointer to the EFI Runtime Services Table.
Definition: UefiSpec.h:2077
efi_systab
EFI_SYSTEM_TABLE * efi_systab

References EFI_SYSTEM_TABLE::BootServices, DBGC, efi_shim_orig_get_memory_map, efi_shim_orig_get_variable, efi_shim_orig_set_variable, efi_systab, EFI_BOOT_SERVICES::GetMemoryMap, EFI_RUNTIME_SERVICES::GetVariable, EFI_SYSTEM_TABLE::RuntimeServices, and EFI_RUNTIME_SERVICES::SetVariable.

Referenced by efi_image_exec().

Variable Documentation

◆ efi_shim_require_loader

int efi_shim_require_loader

Require use of a third party loader binary.

The UEFI shim is gradually becoming less capable of directly executing a Linux kernel image, due to an ever increasing list of assumptions that it will only ever be used in conjunction with a second stage loader binary such as GRUB.

For example: shim will erroneously complain if the image that it loads and executes does not in turn call in to the "shim lock protocol" to verify a separate newly loaded binary before calling ExitBootServices(), even if no such separate binary is used or required.

Experience shows that there is unfortunately no point in trying to get a fix for this upstreamed into shim. We therefore default to reducing the Secure Boot attack surface by removing, where possible, this spurious requirement for the use of an additional second stage loader.

This option may be used to require the use of an additional second stage loader binary, in case this behaviour is ever desirable.

Definition at line 67 of file efi_shim.c.

Referenced by efi_shim_get_memory_map(), and shim().

◆ efi_shim_allow_pxe

int efi_shim_allow_pxe

Allow use of PXE base code protocol.

We provide shim with access to all of the relevant downloaded files via our EFI_SIMPLE_FILE_SYSTEM_PROTOCOL interface. However, shim will instead try to redownload the files via TFTP since it prefers to use the EFI_PXE_BASE_CODE_PROTOCOL installed on the same handle.

Experience shows that there is unfortunately no point in trying to get a fix for this upstreamed into shim. We therefore default to working around this undesirable behaviour by stopping the PXE base code protocol before invoking shim.

This option may be used to allow shim to use the PXE base code protocol, in case this behaviour is ever desirable.

Definition at line 85 of file efi_shim.c.

Referenced by efi_shim_install(), and shim().

◆ efi_shim_allow_sbat

int efi_shim_allow_sbat

Allow SBAT variable access.

The UEFI shim implements a fairly nicely designed revocation mechanism designed around the concept of security generations. Unfortunately nobody in the shim community has thus far added the relevant metadata to the Linux kernel, with the result that current versions of shim are incapable of booting current versions of the Linux kernel.

Experience shows that there is unfortunately no point in trying to get a fix for this upstreamed into shim. We therefore default to working around this undesirable behaviour by patching data read from the "SbatLevel" variable used to hold SBAT configuration.

This option may be used to allow shim unpatched access to the "SbatLevel" variable, in case this behaviour is ever desirable.

Definition at line 105 of file efi_shim.c.

Referenced by efi_shim_get_variable(), and shim().

◆ __image_tag

struct image_tag efi_shim __image_tag

Image selected for execution.

Currently-executing image.

Image selected for execution.

Definition at line 60 of file image.c.

Generated by   doxygen 1.8.15