boot/shim: new package

This commit adds a package for 'shim', an EFI bootloader for secure boot chain loading. While gnu-efi supports 32bit ARM, this is currently broken in shim. Patches to fix this have been submitted upstream but are not included here for now. https://github.com/rhboot/shim/pull/162 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> [Thomas: use BR2_PACKAGE_GNU_EFI_ARCH_SUPPORTS, add separate depends on to exclude ARM32 build.] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2025-07-28 05:36:32 +00:00 · 2019-01-11 11:01:11 +01:00 · 2019-01-11 11:01:11 +01:00 · 18c463e124
commit 18c463e124
parent 8064b12ff9
5 changed files with 55 additions and 0 deletions
--- a/1
+++ b/1
@ -1649,6 +1649,7 @@ F:	board/openblocks/a6/
 F:	board/orangepi/
 F:	board/pandaboard/
 F:	board/roseapplepi/
 F:	boot/shim/
 F:	configs/minnowboard_max-graphical_defconfig
 F:	configs/minnowboard_max_defconfig
 F:	configs/nexbox_a95x_defconfig
--- a/boot/Config.in
+++ b/boot/Config.in
@ -15,6 +15,7 @@ source "boot/mv-ddr-marvell/Config.in"
 source "boot/mxs-bootlets/Config.in"
 source "boot/riscv-pk/Config.in"
 source "boot/s500-bootloader/Config.in"
 source "boot/shim/Config.in"
 source "boot/syslinux/Config.in"
 source "boot/ts4800-mbrboot/Config.in"
 source "boot/uboot/Config.in"
--- a/boot/shim/Config.in
+++ b/boot/shim/Config.in
@ -0,0 +1,19 @@
 config BR2_TARGET_SHIM
 	bool "shim"
 	depends on BR2_PACKAGE_GNU_EFI_ARCH_SUPPORTS
 	# ARM32 build currently broken
 	depends on !BR2_ARM_CPU_HAS_ARM
 	select BR2_PACKAGE_GNU_EFI
 	help
 	  Boot loader to chain-load signed boot loaders under Secure
 	  Boot.
 	  This package provides a minimalist boot loader which allows
 	  verifying signatures of other UEFI binaries against either
 	  the Secure Boot DB/DBX or against a built-in signature
 	  database.  Its purpose is to allow a small,
 	  infrequently-changing binary to be signed by the UEFI CA,
 	  while allowing an OS distributor to revision their main
 	  bootloader independently of the CA.
 	  https://github.com/rhboot/shim
--- a/boot/shim/shim.hash
+++ b/boot/shim/shim.hash
@ -0,0 +1,3 @@
 # locally computed hash
 sha256 279d19cc95b9974ea2379401a6a0653d949c3fa3d61f0c4bd6a7b9e840bdc425  shim-15.tar.gz
 sha256 15edf527919ddcb2f514ab9d16ad07ef219e4bb490e0b79560be510f0c159cc2  COPYRIGHT
--- a/boot/shim/shim.mk
+++ b/boot/shim/shim.mk
@ -0,0 +1,31 @@
 ################################################################################
 #
 # shim
 #
 ################################################################################
 SHIM_VERSION = 15
 SHIM_SITE = $(call github,rhboot,shim,$(SHIM_VERSION))
 SHIM_LICENSE = BSD-2-Clause
 SHIM_LICENSE_FILES = COPYRIGHT
 SHIM_DEPENDENCIES = gnu-efi
 SHIM_INSTALL_TARGET = NO
 SHIM_INSTALL_IMAGES = YES
 SHIM_MAKE_OPTS = \
 	ARCH="$(GNU_EFI_PLATFORM)" \
 	CROSS_COMPILE="$(TARGET_CROSS)" \
 	DASHJ="-j$(PARALLEL_JOBS)" \
 	EFI_INCLUDE="$(STAGING_DIR)/usr/include/efi" \
 	EFI_PATH="$(STAGING_DIR)/usr/lib" \
 	LIBDIR="$(STAGING_DIR)/usr/lib"
 define SHIM_BUILD_CMDS
 	$(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) $(SHIM_MAKE_OPTS)
 endef
 define SHIM_INSTALL_IMAGES_CMDS
 	$(INSTALL) -m 0755 -t $(BINARIES_DIR) $(@D)/*.efi
 endef
 $(eval $(generic-package))