From: Rafael Machado
Date: Thu, 24 Jan 2019 10:58:08 -0200
To: Laszlo Ersek
Cc: edk2-devel@lists.01.org
Subject: Re: UEFI Shell + startup.nsh
In-Reply-To: <9fd91792-10d4-75a8-b396-1fcc72712014@redhat.com>

Thanks a lot for the help Laszlo!
Will take a look.
(Also agree about having a signed UEFI Shell not being a good idea.)

Best Regards
Rafael

On Thu, 24 Jan 2019 at 10:47, Laszlo Ersek wrote:

> On 01/24/19 13:22, Rafael Machado wrote:
> > Hi everyone.
> >
> > I have a question.
> > Considering I have a PXE server that my client downloads a shell.efi app.
> > Considering also that I need to execute a .nsh script, but there is no
> > media at the system. (no usb or storage device attached)
> >
> > Is there any way to embed a startup.nsh at the shell.efi application?
> > As far as I know with PXE just one file is downloaded and executed. (I am
> > also checking how to use the EfiRamDisk protocol to create a temporary
> > place for the .nsh generated files.)
> >
> > PS.: I don't know too much about HttpBoot. Does HttpBoot have this
> > limitation of downloading a single file at startup?
>
> With HttpBoot, you can solve this.
> The Wiki article (and the relevant section) are at:
>
> https://github.com/tianocore/tianocore.github.io/wiki/HTTP-Boot#ram-disk-boot-from-http
>
> Here's how:
>
> (1) First, create a FAT image such that the UEFI shell is in the default
> boot loader location, according to the architecture. (e.g.
> EFI/BOOT/BOOTAA64.EFI). Second, place "startup.nsh" in the FAT image
> such that the shell finds it, according to the UEFI shell spec.
>
> For this, you can use "mkdosfs" (for formatting the image) and mmd and
> mcopy (from the mtools package) for copying stuff into the image.
> Alternatively, you can use "guestfish", or even just loop-mount the FAT
> image on Linux. (If you create the image in the first place, then it's
> trustworthy; no need to worry about filesystem driver attacks.)
>
> (2) Once you have the FAT image, let's call it "fat.img", use
> "genisoimage" to generate an ISO image that has "fat.img" as its
> ElTorito boot image.
>
> genisoimage -input-charset ASCII -efi-boot fat.img -no-emul-boot \
> -o stuff.iso -- fat.img
>
> (3) Serve "stuff.iso" over HTTP.
>
>
> I really hope you are doing this on a trusted, local network!
>
> Secure Boot wouldn't be of much help here; the UEFI shell binary is not
> signed. (And, signing it would be dumb, given that the shell does not
> check signatures on shell scripts, so the scripts can cause the shell to
> do basically anything at all.) HTTPS would likely count as an improvement.
>
> HTH
> Laszlo
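Scripting the three steps in Laszlo's reply, as an added example that is not code from the thread or from the TianoCore wiki. It assumes mkdosfs, mtools (mmd/mcopy) and genisoimage are installed on a Linux host; the architecture-to-boot-file mapping, the 8 MiB default image size and the sha256sum at the end are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: scripts the three steps Laszlo
# describes (FAT image -> El Torito ISO -> serve over HTTP). Assumes mkdosfs,
# mtools (mmd/mcopy) and genisoimage are installed and that you supply the
# shell binary and the startup.nsh yourself.
set -e

# Default removable-media boot path per architecture (UEFI spec file names).
boot_file_name() {
    case "$1" in
        x86_64|x64)   echo "EFI/BOOT/BOOTX64.EFI" ;;
        i386|ia32)    echo "EFI/BOOT/BOOTIA32.EFI" ;;
        aarch64|aa64) echo "EFI/BOOT/BOOTAA64.EFI" ;;
        arm)          echo "EFI/BOOT/BOOTARM.EFI" ;;
        *) echo "unsupported arch: $1" >&2; return 1 ;;
    esac
}

# Make a path absolute so it survives the cd into the work directory.
abspath() { case "$1" in /*) echo "$1" ;; *) echo "$PWD/$1" ;; esac; }

# build_boot_iso ARCH SHELL_EFI STARTUP_NSH OUT_ISO [SIZE_MIB]
build_boot_iso() {
    bootpath=$(boot_file_name "$1")
    shell_efi=$(abspath "$2"); startup=$(abspath "$3"); out=$(abspath "$4")
    size=${5:-8}
    work=$(mktemp -d)
    # Step 1: a fresh FAT image (you built it, so its contents are trusted)
    # with the shell at the default boot path and startup.nsh in the root.
    truncate -s "${size}M" "$work/fat.img"
    mkdosfs "$work/fat.img" >/dev/null
    mmd -i "$work/fat.img" ::EFI ::EFI/BOOT
    mcopy -i "$work/fat.img" "$shell_efi" "::$bootpath"
    mcopy -i "$work/fat.img" "$startup" ::startup.nsh
    # Step 2: ISO whose El Torito EFI boot image is the FAT image (the
    # genisoimage line from the thread, run inside the work directory).
    (cd "$work" && genisoimage -quiet -input-charset ASCII -efi-boot fat.img \
        -no-emul-boot -o "$out" -- fat.img)
    rm -rf "$work"
    # Step 3 is your HTTP server. Record the digest so the copy the client
    # fetches can be compared with what you built; HTTPS is the real fix.
    sha256sum "$out"
}

# Usage: ./build-boot-iso.sh x86_64 Shell.efi startup.nsh stuff.iso
if [ $# -eq 4 ]; then
    build_boot_iso "$@"
fi
```

The FAT image is created from scratch on the build host, which is what makes Laszlo's "no need to worry about filesystem driver attacks" remark hold; the digest printed at the end is what you compare against the file the client actually downloads.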