From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.132.183.28; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 432D6211B158C for ; Thu, 24 Jan 2019 04:47:51 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 2435DD7D66; Thu, 24 Jan 2019 12:47:51 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-237.rdu2.redhat.com [10.10.120.237]) by smtp.corp.redhat.com (Postfix) with ESMTP id 67FB25D6A9; Thu, 24 Jan 2019 12:47:50 +0000 (UTC) To: Rafael Machado References: From: Laszlo Ersek Cc: "edk2-devel@lists.01.org" Message-ID: <9fd91792-10d4-75a8-b396-1fcc72712014@redhat.com> Date: Thu, 24 Jan 2019 13:47:49 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Thu, 24 Jan 2019 12:47:51 +0000 (UTC) Subject: Re: UEFI Shell + startup.nsh X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Jan 2019 12:47:52 -0000 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 01/24/19 13:22, Rafael Machado wrote: > Hi everyone. > > I have a question. > Considering I have a PXE server that my client downloads a shell.efi app. > Considering also that I need to execute a .nsh script, but I their is no > media at the system. (no usb or storage device attached) > > Is there any way to embed a startup.nsh at the shell.efi application? > As far as I know with PXE just one file is downloaded and executed. (I am > also checking how to use the EfiRamDisk protocol to create a temporary > place for the .nsh generated files.) > > PS.: I don't know to much about HttpBoot. Does HttpBoot has this limitation > of downloading a single file at startup? With HttpBoot, you can solve this. The Wiki article (and the relevant section) are at: https://github.com/tianocore/tianocore.github.io/wiki/HTTP-Boot#ram-disk-boot-from-http Here's how: (1) First, create a FAT image such that the UEFI shell is in the default boot loader location, according to the architecture. (e.g. EFI/BOOT/BOOTAA64.EFI). Second, place "startup.nsh" in the FAT image such that the shell find it, according to the UEFI shell spec. For this, you can use "mkdosfs" (for formatting the image) and mmd and mcopy (from the mtools package) for copying stuff into the image. Alternatively, you can use "guestfish", or even just loop-mount the FAT image on Linux. (If you create the image in the first place, then it's trustworthy; no need to worry about filesystem driver attacks.) (2) Once you have the FAT image, let's call it "fat.img", use "genisoimage" to generate an ISO image that has "fat.img" as its ElTorito boot image. genisoimage -input-charset ASCII -efi-boot fat.img -no-emul-boot \ -o stuff.iso -- fat.img (3) Serve "stuff.iso" over HTTP. I really hope you are doing this on a trusted, local network! Secure Boot wouldn't be of much help here; the UEFI shell binary is not signed. (And, signing it would be dumb, given that the shell does not check signatures on shell scripts, so the scripts can cause the shell to do basically anything at all.) HTTPS would likely count as an improvement. HTH Laszlo