Re: UEFI Shell + startup.nsh

Rafael Machado

Thanks a lot for the help Laszlo!
Will take a look. (Also agree about having a signed UEFI Shell not being a
good idea.)

Best Regards

Em qui, 24 de jan de 2019 às 10:47, Laszlo Ersek <lersek@...>

On 01/24/19 13:22, Rafael Machado wrote:
Hi everyone.

I have a question.
Considering I have a PXE server that my client downloads a shell.efi app.
Considering also that I need to execute a .nsh script, but I their is no
media at the system. (no usb or storage device attached)

Is there any way to embed a startup.nsh at the shell.efi application?
As far as I know with PXE just one file is downloaded and executed. (I am
also checking how to use the EfiRamDisk protocol to create a temporary
place for the .nsh generated files.)

PS.: I don't know to much about HttpBoot. Does HttpBoot has this
of downloading a single file at startup?
With HttpBoot, you can solve this. The Wiki article (and the relevant
section) are at:

Here's how:

(1) First, create a FAT image such that the UEFI shell is in the default
boot loader location, according to the architecture. (e.g.
EFI/BOOT/BOOTAA64.EFI). Second, place "startup.nsh" in the FAT image
such that the shell find it, according to the UEFI shell spec.

For this, you can use "mkdosfs" (for formatting the image) and mmd and
mcopy (from the mtools package) for copying stuff into the image.
Alternatively, you can use "guestfish", or even just loop-mount the FAT
image on Linux. (If you create the image in the first place, then it's
trustworthy; no need to worry about filesystem driver attacks.)

(2) Once you have the FAT image, let's call it "fat.img", use
"genisoimage" to generate an ISO image that has "fat.img" as its
ElTorito boot image.

genisoimage -input-charset ASCII -efi-boot fat.img -no-emul-boot \
-o stuff.iso -- fat.img

(3) Serve "stuff.iso" over HTTP.

I really hope you are doing this on a trusted, local network!

Secure Boot wouldn't be of much help here; the UEFI shell binary is not
signed. (And, signing it would be dumb, given that the shell does not
check signatures on shell scripts, so the scripts can cause the shell to
do basically anything at all.) HTTPS would likely count as an improvement.


Join to automatically receive all group messages.