Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/pbatard/uefi-shell
UEFI Shell binary images, generated from EDK2 stable
https://github.com/pbatard/uefi-shell
aa64 aarch64 amd64 arm arm64 edk2 riscv64 uefi uefi-shell x86 x86-32 x86-64
Last synced: about 1 month ago
JSON representation
UEFI Shell binary images, generated from EDK2 stable
- Host: GitHub
- URL: https://github.com/pbatard/uefi-shell
- Owner: pbatard
- License: other
- Created: 2021-08-22T13:08:45.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-11-24T01:51:30.000Z (2 months ago)
- Last Synced: 2024-11-24T02:31:29.553Z (2 months ago)
- Topics: aa64, aarch64, amd64, arm, arm64, edk2, riscv64, uefi, uefi-shell, x86, x86-32, x86-64
- Homepage:
- Size: 23.4 KB
- Stars: 316
- Watchers: 18
- Forks: 41
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: License.txt
Awesome Lists containing this project
README
UEFI-Shell
==========
[](https://github.com/pbatard/UEFI-Shell/actions/workflows/linux_gcc_edk2.yml)
[](https://github.com/pbatard/UEFI-Shell/releases)
[-blue.svg?style=flat-square)](https://github.com/pbatard/UEFI-Shell/releases)
[](https://opensource.org/licenses/BSD-2-Clause)
This repository contains pre-built UEFI Shell binary images, generated from
official [EDK2](https://github.com/tianocore/edk2) stable releases.
## Usage
These images are mostly provided in the form of a bootable ISO, in order to
make them easy to use with boot media creators such as [Rufus](https://rufus.ie).
However, these can also readily used by:
- Partitioning and formatting a media, such as a USB Flash drive, using a FAT
file system.
- Extracting the ISO content as is, onto the FAT partition.
Once you have done that, and provided that your machine is set to boot from
removable media (and runs a UEFI firmware that uses one of the architectures
supported by the release), it should automatically boot into the UEFI Shell.
Alternatively, you can download the individual UEFI Shell binary for your
platform.
Note that Secure Boot must be disabled for a UEFI Shell media to boot, as
Microsoft does not allow an external UEFI Shell to be signed for Secure Boot.
## Inclusion of Mosby
Starting with release 24H2, these ISO images also include [Mosby](https://github.com/pbatard/Mosby)
**as an optional binary** that you can run by typing `Mosby` from the Shell
command prompt.
This is done because we believe that, with the planned expiration of current
Secure Boot DB signing certificates for Microsoft Windows and UEFI Third Party
**that will occur in 2026**, as well as the whole *BlackLotus* revocation mess,
more and more people are going to be looking for a convenient way to update
their UEFI Secure Boot databases, and Mosby is designed to accomplish just that.
But again, it needs to be reiterated that the inclusion of Mosby does not
change anything to the base UEFI Shell. It's just an extra command you can
invoke, *should you decide to do so*.
## Binary validation
These binaries are built in a fully transparent manner, in order to provide
you with complete assurance that they do not contain anything malicious.
To validate this claim, you can perform the following:
1. Locate the build action for the ISO you downloaded under
https://github.com/pbatard/UEFI-Shell/actions. For instance, for the 21H1
release, this would be https://github.com/pbatard/UEFI-Shell/actions/runs/1160237413.
2. Click on `build` to access the build log, and then look at the `Checkout
repository and submodules` task. The last line for that task provides the
SHA-1 of the repository commit that was used for the build process (for 21H1
that would be `19803c2b2183849fc3a4d6f08cc3c0549232df0c`).
3. Append that SHA-1 to `https://github.com/pbatard/UEFI-Shell/commit/` to
validate that you end up with one of the __public__ commits that were
pushed to this repository. This validates that the build was not triggered
by a "hidden" commit, that would perform something malicious, and that we
would later delete, since it is impossible for anyone without an army of
supercomputers to alter a git commit in order to "fake" a specific SHA-1.
NB: You don't have to take our word for that last claim. Just google "SHA-1
collision" and also look into the measures that git is taking to switch to
SHA-256 so as to make the possibility of collision impossible.
4. At this stage, you have assurance that the commit that was used to build
the binary is a public one. However, you must also further validate that
the EDK2 source that was used for the build is also the public one that
is published from https://github.com/tianocore/edk2, and not some private
potentially malicious copy. To accomplish that, click the `Browse Files`
button on the page you got from the URL that was constructed above and
the click on the `edk2 @ #####` link that you see in the repository tree.
For instance, for 21H1, that link will be labelled `edk2 @ e1999b2`.
5. Validate that this link takes you to a public commit from
https://github.com/tianocore/edk2. Once you have done that, then you have
validated that, not only the build cannot have been triggered by a hidden
commit but also that the EDK2 source for the UEFI Shell that is produced
by the build cannot have come from anywhere else but the public EDK2
repository.
6. If you are familiar enough with the build process, you should now look at
the GitHub actions `.yml` from the commit that was used to trigger the build
to also validate that it is not doing anything suspiscious (such as
discarding the built executables to replace them with pre-built malicious
ones downloaded from a third-party server). Again, because you have already
validated, with 100% certainty, that all the steps that are used for the
build can only have come from a public commit which everyone has access to,
it would simply be impossible for any such behaviour not to appear plainly
in the `.yml`.
7. At this stage, you should have total confidence that the build process did
produce binaries that can be __trusted__ to have been built only from the
public unmodified EDK2 UEFI Shell source. Therefore, the one last item to
check is to validate that the binaries proposed under this project's Release
page __are__ the actual binaries that were produced from the build, rather
than some malicious replacements (since the owner of any GitHub project has
the ability to delete and replace release files). This last step is very
easy to accomplish however: As part of the build process, we make sure to
also display the SHA-256 for all of the UEFI binaries as well as for the
ISO images being generated.
Thus, depending on whether you extracted individual `.efi` files, or are
working directly with a `.iso`, you can find the relevant SHA-256 displayed
either under the `Display SHA-256` step or the `Generate ISO images` step
within the build log (and you should of course have validated that the
GitHub Actions' `.yml` that was used as part of the build was indeed set
to perform an actual computation of the SHA-256 from the generated files,
as opposed to mimicking the display of an SHA-256 computation in order to
trick someone looking only at the log into thinking that a malicious file
published under Releases, and that was not generated from the automated
build process, did come from the build process).
8. Compare the SHA-256 from the build log with the one from the `.efi` or
`.iso` you downloaded, and verify that they are the same.
If you accomplish all the steps above, then you will have established, with
__absolute__ certainty, that the binaries that are being published on our
Releases page can be trusted not to contain malware (that is, provided you do
accept that toolchains like `gcc` or GitHub employees can be trusted not to
insert malware on their own, but this is outside of the scope of the kind of
assurance that we can provide here).
And the nice thing is that, because any failure of validation for the points we
describe above is __very easy__ to detect, you can rest assured that, even if
you do not go through these steps yourself, someone else is likely to, and is
bound to say something if we ever are to do anything that looks contrary to
our claim that the UEFI Shell binaries published here are 100% trustworthy.