From: Rafael Machado <rafaelrodrigues.machado@gmail.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Subject: Re: UEFI Shell + startup.nsh
Date: Thu, 24 Jan 2019 10:58:08 -0200 [thread overview]
Message-ID: <CACgnt78N_vK5Kn9jwTzo5MFYQY1G2JgGFgLkp7Yb4JJEr4M=Fw@mail.gmail.com> (raw)
In-Reply-To: <9fd91792-10d4-75a8-b396-1fcc72712014@redhat.com>
Thanks a lot for the help Laszlo!
Will take a look. (Also agree about having a signed UEFI Shell not being a
good idea.)
Best Regards
Rafael
Em qui, 24 de jan de 2019 às 10:47, Laszlo Ersek <lersek@redhat.com>
escreveu:
> On 01/24/19 13:22, Rafael Machado wrote:
> > Hi everyone.
> >
> > I have a question.
> > Considering I have a PXE server that my client downloads a shell.efi app.
> > Considering also that I need to execute a .nsh script, but I their is no
> > media at the system. (no usb or storage device attached)
> >
> > Is there any way to embed a startup.nsh at the shell.efi application?
> > As far as I know with PXE just one file is downloaded and executed. (I am
> > also checking how to use the EfiRamDisk protocol to create a temporary
> > place for the .nsh generated files.)
> >
> > PS.: I don't know to much about HttpBoot. Does HttpBoot has this
> limitation
> > of downloading a single file at startup?
>
> With HttpBoot, you can solve this. The Wiki article (and the relevant
> section) are at:
>
>
> https://github.com/tianocore/tianocore.github.io/wiki/HTTP-Boot#ram-disk-boot-from-http
>
> Here's how:
>
> (1) First, create a FAT image such that the UEFI shell is in the default
> boot loader location, according to the architecture. (e.g.
> EFI/BOOT/BOOTAA64.EFI). Second, place "startup.nsh" in the FAT image
> such that the shell find it, according to the UEFI shell spec.
>
> For this, you can use "mkdosfs" (for formatting the image) and mmd and
> mcopy (from the mtools package) for copying stuff into the image.
> Alternatively, you can use "guestfish", or even just loop-mount the FAT
> image on Linux. (If you create the image in the first place, then it's
> trustworthy; no need to worry about filesystem driver attacks.)
>
> (2) Once you have the FAT image, let's call it "fat.img", use
> "genisoimage" to generate an ISO image that has "fat.img" as its
> ElTorito boot image.
>
> genisoimage -input-charset ASCII -efi-boot fat.img -no-emul-boot \
> -o stuff.iso -- fat.img
>
> (3) Serve "stuff.iso" over HTTP.
>
>
> I really hope you are doing this on a trusted, local network!
>
> Secure Boot wouldn't be of much help here; the UEFI shell binary is not
> signed. (And, signing it would be dumb, given that the shell does not
> check signatures on shell scripts, so the scripts can cause the shell to
> do basically anything at all.) HTTPS would likely count as an improvement.
>
> HTH
> Laszlo
>
prev parent reply other threads:[~2019-01-24 12:58 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-24 12:22 UEFI Shell + startup.nsh Rafael Machado
2019-01-24 12:32 ` Paulo Alcantara
2019-01-24 12:47 ` Laszlo Ersek
2019-01-24 12:58 ` Rafael Machado [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACgnt78N_vK5Kn9jwTzo5MFYQY1G2JgGFgLkp7Yb4JJEr4M=Fw@mail.gmail.com' \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox