public inbox for devel@edk2.groups.io
From: Laszlo Ersek <lersek@redhat.com>
To: vikash kumar <vickks.123@gmail.com>, edk2-devel@lists.01.org
Subject: Re: [edk2 ] MS signed EFI Shell
Date: Thu, 28 Jun 2018 15:51:54 +0200
Message-ID: <ab1ed63e-3f29-8401-f4dd-bd23c6933b9b@redhat.com>
In-Reply-To: <CAAD3zSCqJUsqUZ1FR3a4t6So1GACvM51V9kk+bK0TOgUNvhwNw@mail.gmail.com>

On 06/28/18 12:09, vikash kumar wrote:
> Hi all,
> 
> From where can I download Microsoft's signed efi shell (Shellx64.efi)?

You can't. The UEFI shell is a powerful tool that can do just about
anything; in particular what it does is dictated by the shell scripts
that it runs, and it might directly access hardware too. Signing the
UEFI shell would mean for Microsoft to blanket-sign all UEFI shell
scripts, current and future.

For the same reason, we have been advised to exclude the UEFI shell
binary from the FV (firmware volume) in our downstream Secure
Boot-enabled OVMF image, and so we do that in RHEL. We only provide an
unsigned UEFI shell, on a separate ISO image. If you have SB enabled,
the ISO won't boot; that's a feature. (If the shell were part of the FV,
it could be executed regardless of signature.)

Thanks,
Laszlo


Thread overview: 2+ messages
2018-06-28 10:09 [edk2 ] MS signed EFI Shell vikash kumar
2018-06-28 13:51 ` Laszlo Ersek [this message]
