bzt
586ddf60ac
Updated FS/Z
|
1 рік тому | |
|---|---|---|
| .. | ||
| Makefile | 4 роки тому | |
| OLVASSEL.md | 4 роки тому | |
| README.md | 4 роки тому | |
| bootboot.c | 3 роки тому | |
| crt0-efi-x86_64.o | 6 роки тому | |
| efirom.c | 5 роки тому | |
| elf_x86_64_efi.lds | 6 роки тому | |
| fs.h | 1 рік тому | |
| libefi.a | 6 роки тому | |
| libgnuefi.a | 6 роки тому | |
| smp.S | 3 роки тому | |
| tinf.h | 6 роки тому | |
| tinflate.c | 6 роки тому | |
README.md
BOOTBOOT UEFI Implementation
See BOOTBOOT Protocol for common details.
On UEFI machines, the PCI Option ROM is created from the standard EFI OS loader application.
Machine state
IRQs masked. GDT unspecified, but valid, IDT unset. SSE, SMP enabled. Code is running in supervisor mode in ring 0 on all cores.
File system drivers
For boot partition, UEFI version relies on any file system that's supported by EFI Simple File System Protocol. This implementation supports both SHA-XOR-CBC and AES-256-CBC cipher.
Installation
UEFI disk: copy bootboot.efi to FS0:\EFI\BOOT\BOOTX64.EFI.
UEFI ROM: use bootboot.rom which is a standard PCI Option ROM image.
GRUB, UEFI Boot Manager: add bootboot.efi to boot options.
You can also run the loader in interactive mode from the EFI Shell, appending options to its command line.
FS0:\> EFI\BOOT\BOOTX64.EFI /?
BOOTBOOT LOADER (build Oct 11 2017)
SYNOPSIS
BOOTBOOT.EFI [ -h | -? | /h | /? | -s ] [ INITRDFILE [ ENVIRONFILE [...] ] ]
DESCRIPTION
Bootstraps an operating system via the BOOTBOOT Protocol.
If arguments not given, defaults to
FS0:\BOOTBOOT\INITRD as ramdisk image and
FS0:\BOOTBOOT\CONFIG for boot environment.
Additional "key=value" command line arguments will be appended to the
environment. If INITRD not found, it will use the first bootable partition
in GPT. If CONFIG not found, it will look for /sys/config inside the
INITRD (or partition). With -s it will scan the memory for an initrd ROM.
As this is a loader, it is not supposed to return control to the shell.
FS0:\>
Limitations
- Maps the first 16G of RAM.
- PCI Option ROM should be signed in order to work.
- Compressed initrd in ROM is limited to 16M.
Secure Boot
First of all, this does not mean Secure. The naming is just a fraud from the M$ Marketing department to lock-in machines to only boot Windoze. If you can, turn it off, it worths nothing anyway as rootkits can workaround it using the leaked Secure Boot Golden Key backdoor demanded by the FBI.
If despite that you insist, then to get it to work, you'll need a loader that is signed by Microsoft. It is not easy to get your custom loader signed, because M$ just won't do that even if you pay for it. So instead,
- download shim
- extract SHIMX64.EFI and MMX64.EFI to EFI\BOOT (these are signed by M$).
- rename
EFI\BOOT\SHIMX64.EFItoEFI\BOOT\BOOTX64.EFI. - create a public-private key pair and x509 cert with
openssl.openssl req -newkey rsa:4096 -nodes -keyout MOK.key -new -x509 -days 3650 -subj "/CN=BOOTBOOT/" -out MOK.crt openssl x509 -outform DER -in MOK.crt -out MOK.cer - sign bootboot.efi using an SHA-256 hash with
sbsign.sbsign --key MOK.key --cert MOK.crt --out EFI/BOOT/GRUBX64.EFI bootboot.efi - copy MOK.cer to the ESP partition.
- boot into UEFI, shim will call MOK Manager. There select "Enroll key from disk", find MOK.cer and add it. Then select "Enroll hash from disk", find GRUBX64.EFI and add it.
- enable Secure Boot.
After these steps BOOTBOOT loader will boot with Secure Boot enabled (shim will load the signed GRUBX64.EFI instead of the MOK Manager hereafter).