public inbox for devel@edk2.groups.io
* [edk2 ] MS signed EFI Shell
@ 2018-06-28 10:09 vikash kumar
  2018-06-28 13:51 ` Laszlo Ersek
  0 siblings, 1 reply; 2+ messages in thread
From: vikash kumar @ 2018-06-28 10:09 UTC (permalink / raw)
  To: edk2-devel

Hi all,

From where I can download Microsoft's signed efi shell (Shellx64.efi)?



Thanks in advance
Vikash



* Re: [edk2 ] MS signed EFI Shell
  2018-06-28 10:09 [edk2 ] MS signed EFI Shell vikash kumar
@ 2018-06-28 13:51 ` Laszlo Ersek
  0 siblings, 0 replies; 2+ messages in thread
From: Laszlo Ersek @ 2018-06-28 13:51 UTC (permalink / raw)
  To: vikash kumar, edk2-devel

On 06/28/18 12:09, vikash kumar wrote:
> Hi all,
> 
> From where I can download Microsoft's signed efi shell (Shellx64.efi)?

You can't. The UEFI shell is a powerful tool that can do just about
anything; in particular what it does is dictated by the shell scripts
that it runs, and it might directly access hardware too. Signing the
UEFI shell would mean for Microsoft to blanket-sign all UEFI shell
scripts, current and future.

For the same reason, we have been advised to exclude the UEFI shell
binary from the FV (firmware volume) in our downstream Secure
Boot-enabled OVMF image, and so we do that in RHEL. We only provide an
unsigned UEFI shell, on a separate ISO image. If you have SB enabled,
the ISO won't boot; that's a feature. (If the shell were part of the FV,
it could be executed regardless of signature.)

Thanks,
Laszlo
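
An added example, not part of the messages above and not edk2 or RHEL code: a Python check that a firmware builder could run over one uncompressed firmware volume to confirm that the UEFI shell was left out, as the reply describes for a Secure Boot-enabled image. It assumes the shell is identified by the FILE_GUID from ShellPkg/Application/Shell/Shell.inf, that compressed or nested FVs have been extracted first, and that files use the standard 24-byte FFS header; the function names and the sample volume are constructed for illustration.

```python
import struct
import uuid

# FILE_GUID from ShellPkg/Application/Shell/Shell.inf (assumed shell identifier)
SHELL_FILE_GUID = uuid.UUID("7C04A583-9E3E-4F1C-AD65-E05268D0B4D1")
FFS_HDR = 24  # Name(16) IntegrityCheck(2) Type(1) Attributes(1) Size(3) State(1)

def ffs_files(fv: bytes):
    """Yield (name_guid, file_type, size) for each FFS file in one raw FV."""
    if fv[40:44] != b"_FVH":
        raise ValueError("missing _FVH signature: not a firmware volume")
    fv_len, = struct.unpack_from("<Q", fv, 32)
    hdr_len, ext_off = struct.unpack_from("<H2xH", fv, 48)
    off = hdr_len
    if ext_off:  # files start after the extended header when one is present
        ext_size, = struct.unpack_from("<I", fv, ext_off + 16)
        off = ext_off + ext_size
    off = (off + 7) & ~7  # FFS files are 8-byte aligned
    end = min(fv_len, len(fv))
    while off + FFS_HDR <= end:
        hdr = fv[off:off + FFS_HDR]
        if hdr == b"\xff" * FFS_HDR:  # erased free space (erase polarity 1)
            break
        size = int.from_bytes(hdr[20:23], "little")
        if size < FFS_HDR:  # large-file (FFS3) or damaged header: not handled
            raise ValueError(f"unsupported FFS header at offset {off:#x}")
        yield uuid.UUID(bytes_le=hdr[:16]), hdr[18], size
        off = (off + size + 7) & ~7

def contains_shell(fv: bytes) -> bool:
    """True if the volume carries a file named with the shell's FILE_GUID."""
    return any(name == SHELL_FILE_GUID for name, _, _ in ffs_files(fv))

def make_sample_fv(names):
    """Constructed input: minimal FV (checksums left zero), one tiny file per GUID."""
    body = b""
    for name in names:
        size = FFS_HDR + 4
        body += name.bytes_le + bytes([0, 0, 0x09, 0]) + size.to_bytes(3, "little")
        body += b"\xf8" + bytes(4) + b"\xff" * (-size % 8)
    total = 72 + len(body) + 64
    fs_guid = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # FFS2 file system
    hdr = bytes(16) + fs_guid.bytes_le
    hdr += struct.pack("<Q4sIHHHBB", total, b"_FVH", 0x800, 72, 0, 0, 0, 2)
    hdr += struct.pack("<IIII", 1, total, 0, 0)  # one-entry block map + terminator
    return hdr + body + b"\xff" * 64

if __name__ == "__main__":
    print(contains_shell(make_sample_fv([SHELL_FILE_GUID])))  # True
```

A header the parser cannot follow raises an error instead of reporting "no shell", so an unreadable volume fails the check.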

