1. 13 Sep, 2017 1 commit
  2. 06 Oct, 2014 1 commit
  3. 02 Oct, 2013 1 commit
  4. 01 Oct, 2013 3 commits
    • Peter Jones's avatar
      Include shim's vendor_cert in MokListRT · 4185c7d6
      Peter Jones authored
      There needs to be some way to communicate to the kernel that it's a
      trusted key, and since this mechanism already exists, it's by far the
    • Peter Jones's avatar
      Harden shim against non-participating bootloaders. · cbef697a
      Peter Jones authored
      It works like this: during startup of shim, we hook into the system's
      ExitBootServices() and StartImage().  If the system's StartImage() is
      called, we automatically unhook, because we're chainloading to something
      the system can verify.
      When shim's verify is called, we record what kind of certificate the
      image was verified against.  If the call /succeeds/, we remove our
      If ExitBootServices() is called, we check how the bootloader verified
      whatever it is loading.  If it was verified by its hash, we unhook
      everything and call the system's EBS().  If it was verified by
      certificate, we check if it has called shim_verify().  If it has, we
      unhook everything and call the system's EBS()
      If the bootloader has not verified anything, and is itself verified by
      a certificate, we display a security violation warning and halt the
    • Peter Jones's avatar
  5. 23 Sep, 2013 3 commits
  6. 29 Aug, 2012 1 commit
  7. 09 Jul, 2012 1 commit
  8. 18 Jun, 2012 2 commits
  9. 31 May, 2012 1 commit