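├── .github └── workflows │ └── linux_gcc_edk2.yml ├── .gitmodules ├── License.txt └── README.md
/.github/workflows/linux_gcc_edk2.yml:
--------------------------------------------------------------------------------
# Release workflow: on every pushed tag, build the EDK2 UEFI Shell for each
# architecture in ARCHS, bundle it with the latest Mosby release into one ISO
# per build type, print SHA-256 digests to the build log and publish a release.
name: Linux, gcc, EDK2

on:
  push:
    tags:
      - '*'

# Least privilege for GITHUB_TOKEN: the only API write this workflow performs
# is publishing the release in the final step.
permissions:
  contents: write

env:
  COMPILER: GCC5
  GCC5_ARM_PREFIX: arm-linux-gnueabi-
  GCC5_AARCH64_PREFIX: aarch64-linux-gnu-
  GCC5_RISCV64_PREFIX: riscv64-linux-gnu-
  GCC5_LOONGARCH64_PREFIX: loongarch64-unknown-linux-gnu-
  FULL_SHELL_GUID: EA4BB293-2D7F-4456-A681-1F22F42CD0BC
  BUILD_TYPES: DEBUG RELEASE
  ARCHS: X64 IA32 AARCH64 ARM RISCV64 LOONGARCH64
  # Shell versions:
  # 2.2 added on 2017.03.31
  # 2.1 added on 2014.08.05
  # 2.0 added on 2009.05.11
  EDK2_SHELL_VERSION_HEADER: edk2/MdePkg/Include/Protocol/Shell.h
  # Was edk2/ShellPkg/Include/Protocol/EfiShell.h prior to 2016.10.18
  # enum ShellVersion added on 2009.05.11

# NOTE(review): every `uses:` below references a mutable tag (v1, v2, v4).
# Pinning each action to a full commit SHA would stop a retagged action from
# changing what runs in a release build; the SHAs are not visible here.
#
# Convention used in the `run:` scripts below: `${{ env.* }}` values are
# literal constants from this file and are left as expressions, but values
# derived at run time (the pushed tag name, the EDK2 tag) are passed in through
# `env:`. GitHub pastes `${{ }}` into the script text before bash parses it, so
# a derived value used that way is treated as shell code rather than as data.

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository and submodules
        # Must happen first, else the LoongArch toolchain gets deleted (even with clean: false)
        uses: actions/checkout@v4
        with:
          # Need fetch-depth: 0 to obtain the EDK2 stable tag
          fetch-depth: 0
          submodules: recursive

      - name: Install toolchains
        run: |
          sudo apt-get update
          sudo apt-get -y --no-install-recommends install gcc-12-multilib gcc-12-aarch64-linux-gnu gcc-12-arm-linux-gnueabi gcc-12-riscv64-linux-gnu nasm genisoimage
          sudo ln -s /usr/bin/aarch64-linux-gnu-gcc-12 /usr/bin/aarch64-linux-gnu-gcc
          sudo ln -s /usr/bin/aarch64-linux-gnu-gcc-ar-12 /usr/bin/aarch64-linux-gnu-gcc-ar
          sudo ln -s /usr/bin/arm-linux-gnueabi-gcc-12 /usr/bin/arm-linux-gnueabi-gcc
          sudo ln -s /usr/bin/arm-linux-gnueabi-gcc-ar-12 /usr/bin/arm-linux-gnueabi-gcc-ar
          sudo ln -s /usr/bin/riscv64-linux-gnu-gcc-12 /usr/bin/riscv64-linux-gnu-gcc
          sudo ln -s /usr/bin/riscv64-linux-gnu-gcc-ar-12 /usr/bin/riscv64-linux-gnu-gcc-ar
          # The LoongArch compiler is a pre-built binary archive, not a distro package.
          LOONGARCH_ARCHIVE=x86_64-cross-tools-loongarch64-binutils_2.43.1-gcc_14.2.0-glibc_2.40.tar.xz
          # -f: stop on an HTTP error instead of saving the error page as the archive.
          curl -fL -O "https://github.com/loongson/build-tools/releases/download/2024.11.01/$LOONGARCH_ARCHIVE"
          # Record what was actually downloaded in the public build log.
          # TODO(review): compare against a digest committed to this repository
          # (e.g. `sha256sum -c`) so that a replaced release asset fails the build.
          sha256sum "$LOONGARCH_ARCHIVE"
          tar -xJf "$LOONGARCH_ARCHIVE"
          echo "$PWD/cross-tools/bin" >> "$GITHUB_PATH"

      - name: Set version
        id: set_version
        run: |
          SHELL_MAJOR_VERSION=$(awk '/SHELL_MAJOR_VERSION/{sub("\r", "", $NF); sub(",", "", $NF); print $NF}' ${{ env.EDK2_SHELL_VERSION_HEADER }})
          SHELL_MINOR_VERSION=$(awk '/SHELL_MINOR_VERSION/{sub("\r", "", $NF); print $NF}' ${{ env.EDK2_SHELL_VERSION_HEADER }})
          # NB: The following only works if the shell is bash
          echo "shell_version=${SHELL_MAJOR_VERSION}.${SHELL_MINOR_VERSION}" >> "$GITHUB_OUTPUT"
          echo "shell_release=${GITHUB_REF/refs\/tags\//}" >> "$GITHUB_OUTPUT"
          echo "edk2_tag=$(git --git-dir edk2/.git describe --tags)" >> "$GITHUB_OUTPUT"
          echo "build_date=$(date '+%Y.%m.%d')" >> "$GITHUB_OUTPUT"

      - name: Set up EDK2
        run: make -C edk2/BaseTools

      - name: Build UEFI binaries
        env:
          EDK2_TAG: ${{ steps.set_version.outputs.edk2_tag }}
        run: |
          cd edk2
          source edksetup.sh
          for BUILD_TYPE in ${{ env.BUILD_TYPES }}; do
            for ARCH in ${{ env.ARCHS }} ; do
              build -a $ARCH -b $BUILD_TYPE -t ${{ env.COMPILER }} -p ShellPkg/ShellPkg.dsc --pcd gEfiShellPkgTokenSpaceGuid.PcdShellScreenLogCount=8 --pcd gEfiShellPkgTokenSpaceGuid.PcdShellSupplier=L"$EDK2_TAG (https://github.com/pbatard/UEFI-Shell)"
            done
          done

      - name: Create individual Shell binaries
        run: |
          for ARCH in ${{ env.ARCHS }}; do
            cp edk2/Build/Shell/RELEASE_${{ env.COMPILER }}/$ARCH/Shell_${{ env.FULL_SHELL_GUID }}.efi ./shell${ARCH,,}.efi
          done
          if [ -f ./shellaarch64.efi ]; then
            mv ./shellaarch64.efi ./shellaa64.efi
          fi

      - name: Download the latest Mosby release
        # NOTE(review): `latest: true` bundles whatever the newest Mosby release
        # contains when this workflow runs. These binaries are downloaded, not
        # built here. A fixed `tag:` plus a digest check would make the ISO
        # content reproducible from this commit alone.
        uses: robinraju/release-downloader@v1
        with:
          repository: pbatard/Mosby
          latest: true
          fileName: Mosby*.zip

      - name: Extract the Mosby content
        run: |
          # Log the digest of the bundled archive so it can be matched to a Mosby release.
          sha256sum Mosby*.zip
          for BUILD_TYPE in ${{ env.BUILD_TYPES }}; do
            mkdir $BUILD_TYPE
            7z x Mosby*.zip -o$BUILD_TYPE
            mv $BUILD_TYPE/README.md $BUILD_TYPE/Mosby.txt
            sed -i '1,5d' $BUILD_TYPE/Mosby.txt
          done

      - name: Create ISO filesystem structure
        env:
          UEFI_SHELL_VERSION: ${{ steps.set_version.outputs.shell_version }}
          UEFI_SHELL_RELEASE: ${{ steps.set_version.outputs.shell_release }}
          EDK2_TAG: ${{ steps.set_version.outputs.edk2_tag }}
          BUILD_DATE: ${{ steps.set_version.outputs.build_date }}
        run: |
          for BUILD_TYPE in ${{ env.BUILD_TYPES }}; do
            mkdir -p $BUILD_TYPE/efi/boot
            for ARCH in ${{ env.ARCHS }}; do
              mv edk2/Build/Shell/${BUILD_TYPE}_${{ env.COMPILER }}/$ARCH/Shell_${{ env.FULL_SHELL_GUID }}.efi $BUILD_TYPE/efi/boot/boot${ARCH,,}.efi
            done
            if [ -f $BUILD_TYPE/efi/boot/bootaarch64.efi ]; then
              mv $BUILD_TYPE/efi/boot/bootaarch64.efi $BUILD_TYPE/efi/boot/bootaa64.efi
            fi
            printf "*** UEFI Shell v%s, release %s%s ***\n\n" "$UEFI_SHELL_VERSION" "$UEFI_SHELL_RELEASE" "$( [ $BUILD_TYPE == DEBUG ] && echo ' (DEBUG BUILD)')" > $BUILD_TYPE/README.txt
            printf "This bootable image contains builds of the official UEFI Shell, as provided by\n" >> $BUILD_TYPE/README.txt
            printf "the Open Source 'EDK2' project (https://github.com/tianocore/edk2).\n\n" >> $BUILD_TYPE/README.txt
            printf "More specifically, this release, which we call '%s', was produced using the\n" "$UEFI_SHELL_RELEASE" >> $BUILD_TYPE/README.txt
            printf "'%s' version of the EDK2 source available at:\n" "$EDK2_TAG" >> $BUILD_TYPE/README.txt
            printf "https://github.com/tianocore/edk2/releases/tag/%s\n\n" "$EDK2_TAG" >> $BUILD_TYPE/README.txt
            printf "This image supports the following UEFI platform architectures:\n" >> $BUILD_TYPE/README.txt
            for ARCH in ${{ env.ARCHS }}; do
              printf "* %s\n" $ARCH >> $BUILD_TYPE/README.txt
            done
            printf "\nReleases of UEFI Shell now also include Mosby (https://github.com/pbatard/Mosby)\n" >> $BUILD_TYPE/README.txt
            printf "to help you update your Secure Boot variables as well as generate and install\n" >> $BUILD_TYPE/README.txt
            printf "your own Secure Boot signing key. Just type 'Mosby' to run it.\n" >> $BUILD_TYPE/README.txt
            printf "\nFor more information on how this release was produced, you are invited to\n" >> $BUILD_TYPE/README.txt
            printf "visit our official project page at https://github.com/pbatard/UEFI-Shell,\n" >> $BUILD_TYPE/README.txt
            printf "where you can also validate that all of the binaries contained in this image\n" >> $BUILD_TYPE/README.txt
            printf "were built from the unmodified EDK2 source, through an automated build process\n" >> $BUILD_TYPE/README.txt
            printf "that guarantees that no malicious code can have been injected.\n" >> $BUILD_TYPE/README.txt
            # NOTE(review): the Version.xml format strings below are reproduced as
            # they appear on this page; their element tags look to have been lost
            # in extraction. Take the exact strings from the repository.
            printf "\n" > Version.xml
            printf "\n" >> Version.xml
            printf " %s (%s)\n" "$UEFI_SHELL_RELEASE" "$EDK2_TAG" >> Version.xml
            printf " %s\n" "$UEFI_SHELL_VERSION" >> Version.xml
            printf " %s\n" "$BUILD_DATE" >> Version.xml
            printf " \n" >> Version.xml
            for ARCH in ${{ env.ARCHS }}; do
              printf " %s\n" $ARCH >> Version.xml
            done
            printf " \n" >> Version.xml
            printf "\n" >> Version.xml
          done

      - name: Generate ISO images
        env:
          UEFI_SHELL_VERSION: ${{ steps.set_version.outputs.shell_version }}
          UEFI_SHELL_RELEASE: ${{ steps.set_version.outputs.shell_release }}
        run: |
          for BUILD_TYPE in ${{ env.BUILD_TYPES }}; do
            genisoimage -v -V "UEFI SHELL ${UEFI_SHELL_VERSION} ${UEFI_SHELL_RELEASE} ($BUILD_TYPE)" -JR -o "UEFI-Shell-${UEFI_SHELL_VERSION}-${UEFI_SHELL_RELEASE}-$BUILD_TYPE.iso" $BUILD_TYPE
          done

      - name: Display SHA-256
        # These digests are what a downloader compares a release file against.
        run: |
          for BUILD_TYPE in ${{ env.BUILD_TYPES }}; do
            sha256sum $BUILD_TYPE/efi/boot/*.efi
          done
          sha256sum *.iso
          sha256sum *.efi

      - name: Upload ISO artifacts
        uses: actions/upload-artifact@v4
        with:
          name: ISOs
          path: ./*.iso

      - name: Create release blurb
        env:
          UEFI_SHELL_VERSION: ${{ steps.set_version.outputs.shell_version }}
          UEFI_SHELL_RELEASE: ${{ steps.set_version.outputs.shell_release }}
          EDK2_TAG: ${{ steps.set_version.outputs.edk2_tag }}
        run: |
          printf "**UEFI Shell v%s, release %s**\n\n" "$UEFI_SHELL_VERSION" "$UEFI_SHELL_RELEASE" > body.txt
          printf "Built from [%s](https://github.com/tianocore/edk2/releases/tag/%s) and supporting:\n" "$EDK2_TAG" "$EDK2_TAG" >> body.txt
          for ARCH in ${{ env.ARCHS }}; do
            printf "* \`%s\`\n" $ARCH >> body.txt
          done
          printf "\nsha256sums:\n" >> body.txt
          printf "\`\`\`\n" >> body.txt
          sha256sum ./*.efi >> body.txt
          sha256sum ./*.iso >> body.txt
          printf "\`\`\`\n" >> body.txt

      - name: Create release
        uses: softprops/action-gh-release@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          body_path: ./body.txt
          files: |
            ./*.iso
            ./*.efi
            ./Version.xml

--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "edk2"] 2 | path = edk2 3 | url = https://github.com/tianocore/edk2.git 4 |
--------------------------------------------------------------------------------
/License.txt:
--------------------------------------------------------------------------------
1 | Copyright (c) 2019, TianoCore and contributors. All rights reserved. 2 | 3 | SPDX-License-Identifier: BSD-2-Clause-Patent 4 | 5 | Redistribution and use in source and binary forms, with or without 6 | modification, are permitted provided that the following conditions are met: 7 | 8 | 1. Redistributions of source code must retain the above copyright notice, 9 | this list of conditions and the following disclaimer.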
10 | 11 | 2. Redistributions in binary form must reproduce the above copyright notice, 12 | this list of conditions and the following disclaimer in the documentation 13 | and/or other materials provided with the distribution. 14 | 15 | Subject to the terms and conditions of this license, each copyright holder 16 | and contributor hereby grants to those receiving rights under this license 17 | a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable 18 | (except for failure to satisfy the conditions of this license) patent 19 | license to make, have made, use, offer to sell, sell, import, and otherwise 20 | transfer this software, where such license applies only to those patent 21 | claims, already acquired or hereafter acquired, licensable by such copyright 22 | holder or contributor that are necessarily infringed by: 23 | 24 | (a) their Contribution(s) (the licensed copyrights of copyright holders and 25 | non-copyrightable additions of contributors, in source or binary form) 26 | alone; or 27 | 28 | (b) combination of their Contribution(s) with the work of authorship to 29 | which such Contribution(s) was added by such copyright holder or 30 | contributor, if, at the time the Contribution is added, such addition 31 | causes such combination to be necessarily infringed. The patent license 32 | shall not apply to any other combinations which include the 33 | Contribution. 34 | 35 | Except as expressly stated above, no rights or licenses from any copyright 36 | holder or contributor is granted under this license, whether expressly, by 37 | implication, estoppel or otherwise. 38 | 39 | DISCLAIMER 40 | 41 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 42 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 | ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE 45 | LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 46 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 47 | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 48 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 49 | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 | ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 51 | POSSIBILITY OF SUCH DAMAGE. 52 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | UEFI-Shell 2 | ========== 3 | 4 | [![Build status](https://img.shields.io/github/actions/workflow/status/pbatard/UEFI-Shell/linux_gcc_edk2.yml?label=Build%20Status&style=flat-square)](https://github.com/pbatard/UEFI-Shell/actions/workflows/linux_gcc_edk2.yml) 5 | [![Github stats](https://img.shields.io/github/downloads/pbatard/UEFI-Shell/total.svg?label=Downloads&style=flat-square)](https://github.com/pbatard/UEFI-Shell/releases) 6 | [![Release](https://img.shields.io/badge/Latest%20Release-24H2%20(edk2--stable202411)-blue.svg?style=flat-square)](https://github.com/pbatard/UEFI-Shell/releases) 7 | [![License](https://img.shields.io/badge/License-BSD%202--Clause-orange.svg)](https://opensource.org/licenses/BSD-2-Clause) 8 | 9 | This repository contains pre-built UEFI Shell binary images, generated from 10 | official [EDK2](https://github.com/tianocore/edk2) stable releases. 11 | 12 | ## Usage 13 | 14 | These images are mostly provided in the form of a bootable ISO, in order to 15 | make them easy to use with boot media creators such as [Rufus](https://rufus.ie). 16 | 17 | However, these can also readily be used by: 18 | - Partitioning and formatting a media, such as a USB Flash drive, using a FAT 19 | file system. 
20 | - Extracting the ISO content as is, onto the FAT partition. 21 | 22 | Once you have done that, and provided that your machine is set to boot from 23 | removable media (and runs a UEFI firmware that uses one of the architectures 24 | supported by the release), it should automatically boot into the UEFI Shell. 25 | 26 | Alternatively, you can download the individual UEFI Shell binary for your 27 | platform. 28 | 29 | Note that Secure Boot must be disabled for a UEFI Shell media to boot, as 30 | Microsoft does not allow an external UEFI Shell to be signed for Secure Boot. 31 | 32 | ## Inclusion of Mosby 33 | 34 | Starting with release 24H2, these ISO images also include [Mosby](https://github.com/pbatard/Mosby) 35 | **as an optional binary** that you can run by typing `Mosby` from the Shell 36 | command prompt. 37 | 38 | This is done because we believe that, with the planned expiration of current 39 | Secure Boot DB signing certificates for Microsoft Windows and UEFI Third Party 40 | **that will occur in 2026**, as well as the whole *BlackLotus* revocation mess, 41 | more and more people are going to be looking for a convenient way to update 42 | their UEFI Secure Boot databases, and Mosby is designed to accomplish just that. 43 | 44 | But again, it needs to be reiterated that the inclusion of Mosby does not 45 | change anything to the base UEFI Shell. It's just an extra command you can 46 | invoke, *should you decide to do so*. 47 | 48 | ## Binary validation 49 | 50 | These binaries are built in a fully transparent manner, in order to provide 51 | you with complete assurance that they do not contain anything malicious. 52 | 53 | To validate this claim, you can perform the following: 54 | 55 | 1. Locate the build action for the ISO you downloaded under 56 | https://github.com/pbatard/UEFI-Shell/actions. For instance, for the 21H1 57 | release, this would be https://github.com/pbatard/UEFI-Shell/actions/runs/1160237413. 58 | 2. 
Click on `build` to access the build log, and then look at the `Checkout 59 | repository and submodules` task. The last line for that task provides the 60 | SHA-1 of the repository commit that was used for the build process (for 21H1 61 | that would be `19803c2b2183849fc3a4d6f08cc3c0549232df0c`). 62 | 3. Append that SHA-1 to `https://github.com/pbatard/UEFI-Shell/commit/` to 63 | validate that you end up with one of the __public__ commits that were 64 | pushed to this repository. This validates that the build was not triggered 65 | by a "hidden" commit, that would perform something malicious, and that we 66 | would later delete, since it is impossible for anyone without an army of 67 | supercomputers to alter a git commit in order to "fake" a specific SHA-1. 68 | NB: You don't have to take our word for that last claim. Just google "SHA-1 69 | collision" and also look into the measures that git is taking to switch to 70 | SHA-256 so as to rule out the possibility of collision. 71 | 4. At this stage, you have assurance that the commit that was used to build 72 | the binary is a public one. However, you must also further validate that 73 | the EDK2 source that was used for the build is also the public one that 74 | is published from https://github.com/tianocore/edk2, and not some private 75 | potentially malicious copy. To accomplish that, click the `Browse Files` 76 | button on the page you got from the URL that was constructed above and 77 | then click on the `edk2 @ #####` link that you see in the repository tree. 78 | For instance, for 21H1, that link will be labelled `edk2 @ e1999b2`. 79 | 5. Validate that this link takes you to a public commit from 80 | https://github.com/tianocore/edk2. 
Once you have done that, then you have 81 | validated that, not only the build cannot have been triggered by a hidden 82 | commit but also that the EDK2 source for the UEFI Shell that is produced 83 | by the build cannot have come from anywhere else but the public EDK2 84 | repository. 85 | 6. If you are familiar enough with the build process, you should now look at 86 | the GitHub actions `.yml` from the commit that was used to trigger the build 87 | to also validate that it is not doing anything suspicious (such as 88 | discarding the built executables to replace them with pre-built malicious 89 | ones downloaded from a third-party server). Pay particular attention to any step that downloads pre-built content, such as a toolchain archive or another project's release files, since that content is not covered by the commit checks above. Again, because you have already 90 | validated, with 100% certainty, that all the steps that are used for the 91 | build can only have come from a public commit which everyone has access to, 92 | it would simply be impossible for any such behaviour not to appear plainly 93 | in the `.yml`. 94 | 7. At this stage, you should have total confidence that the build process did 95 | produce binaries that can be __trusted__ to have been built only from the 96 | public unmodified EDK2 UEFI Shell source. Therefore, the one last item to 97 | check is to validate that the binaries proposed under this project's Release 98 | page __are__ the actual binaries that were produced from the build, rather 99 | than some malicious replacements (since the owner of any GitHub project has 100 | the ability to delete and replace release files). This last step is very 101 | easy to accomplish however: As part of the build process, we make sure to 102 | also display the SHA-256 for all of the UEFI binaries as well as for the 103 | ISO images being generated. 
104 | Thus, depending on whether you extracted individual `.efi` files, or are 105 | working directly with a `.iso`, you can find the relevant SHA-256 displayed 106 | either under the `Display SHA-256` step or the `Generate ISO images` step 107 | within the build log (and you should of course have validated that the 108 | GitHub Actions' `.yml` that was used as part of the build was indeed set 109 | to perform an actual computation of the SHA-256 from the generated files, 110 | as opposed to mimicking the display of an SHA-256 computation in order to 111 | trick someone looking only at the log into thinking that a malicious file 112 | published under Releases, and that was not generated from the automated 113 | build process, did come from the build process). 114 | 8. Compare the SHA-256 from the build log with the one from the `.efi` or 115 | `.iso` you downloaded, and verify that they are the same. 116 | 117 | If you accomplish all the steps above, then you will have established, with 118 | __absolute__ certainty, that the binaries that are being published on our 119 | Releases page can be trusted not to contain malware (that is, provided you do 120 | accept that toolchains like `gcc` or GitHub employees can be trusted not to 121 | insert malware on their own, but this is outside of the scope of the kind of 122 | assurance that we can provide here). 123 | 124 | And the nice thing is that, because any failure of validation for the points we 125 | describe above is __very easy__ to detect, you can rest assured that, even if 126 | you do not go through these steps yourself, someone else is likely to, and is 127 | bound to say something if we ever are to do anything that looks contrary to 128 | our claim that the UEFI Shell binaries published here are 100% trustworthy. 129 | --------------------------------------------------------------------------------