jiazhang0 / SELoader
Licence: other
Secure EFI Loader designed to authenticate the non-PE files
Stars: ✭ 38
Programming Languages
Projects that are alternatives of or similar to SELoader
sicherboot
Unmaintained systemd-boot integration with secure boot support; consider https://github.com/Foxboron/sbctl instead.
Stars: ✭ 31 (-18.42%)
Mutual labels: bootloader, efi, secure-boot
meta-secure-core
OpenEmbedded layer for the use cases on secure boot, integrity and encryption
Stars: ✭ 80 (+110.53%)
Mutual labels: integrity, efi, secure-boot
Veracrypt Dcs
VeraCrypt EFI Bootloader for EFI Windows system encryption (LGPL)
Stars: ✭ 81 (+113.16%)
Mutual labels: bootloader, efi
Initium
A modern bootloader with no legacy components
Stars: ✭ 15 (-60.53%)
Mutual labels: bootloader, efi
Hackintosh
Hackintosh long-term maintenance model EFI and installation tutorial
Stars: ✭ 6,589 (+17239.47%)
Mutual labels: bootloader, efi
Hackintosh-ASUS-A455LF-Notebook
EFI Folder for ASUS A455LF-WX039D Notebook Series with Clover/OpenCore Legacy or UEFI
Stars: ✭ 27 (-28.95%)
Mutual labels: bootloader, efi
AttestationServer
Server code for use with the Auditor app: https://github.com/GrapheneOS/Auditor. It provides two services: submission of attestation data samples and a remote attestation implementation with email alerts to go along with the local implementation based on QR code scanning in the app.
Stars: ✭ 64 (+68.42%)
Mutual labels: integrity, secure-boot
efi
Ergonomic Rust framework for writing UEFI applications.
Stars: ✭ 44 (+15.79%)
Mutual labels: bootloader, efi
AttestationSamples
A small subset of the submitted sample data from https://github.com/GrapheneOS/Auditor. It has a sample attestation certificate chain per device model (ro.product.model) along with a subset of the system properties from the sample as supplementary information.
Stars: ✭ 25 (-34.21%)
Mutual labels: integrity, secure-boot
EFI-B360m d2v OpenCore dvi uhd630
OC引导 技嘉B360m d2v 核显DVI、VGA, I5-8400
Stars: ✭ 19 (-50%)
Mutual labels: efi
Motorola-Moto-E-condor-unbrick
Tools for Motorola Moto E XT1021, XT1022, XT1025 condor unbrick
Stars: ✭ 31 (-18.42%)
Mutual labels: bootloader
Lenovo-Y9000X-Hackintosh
Lenovo LEGION Y9000X 2020 (Lenovo LEGION S740-15IRH) Hackintosh
Stars: ✭ 57 (+50%)
Mutual labels: efi
efi shell flash bios
use efi shell to flash_bios uefi shell强刷bios grub efi shell 解锁bios 隐藏菜单选项 ami
Stars: ✭ 38 (+0%)
Mutual labels: efi
Gigabyte-Z490-Vision-G-Hackintosh-OpenCore
Hackintosh OpenCore and Clover EFI folders for running macOS on the Gigabyte Z490 Visison G Board with an Intel i9 10850K Processor. Supported macOS: Mojava, Catalina, Big Sur and Monterey.
Stars: ✭ 71 (+86.84%)
Mutual labels: efi
Hack-Z370-HD3P-i5-8400
My main Hackintosh running Monterey with a i5-8400 and a Gigabyte Z370-HD3P.
Stars: ✭ 56 (+47.37%)
Mutual labels: efi
Secure EFI Loader ================= The SELoader is designed to authenticate the non-PE files, such as grub configuration, initrd, grub modules, which cannot be verified by the MOK Verify Protocol registered by shim loader. In order to conveniently authenticate the PE file with gBS->LoadImage() and gBS->StartImage(), the SELoader hooks EFI Security2 Architectural Protocol and employs MOK Verify Protocol to verify the PE file. If only UEFI Secure Boot is enabled, the SELoader just simplily calls gBS->LoadImage() and gBS->StartImage() to allow BIOS to verify PE file. The SELoader publishes MOK2 Verify Protocol which provides a flexible interface to allow the bootloader to verify the file, file buffer or memory buffer without knowing the file format. In order to establish the chain of trust, the SELoader is required to be signed by a private key corresponding to a DB certificate, the shim certificate, the vendor certificate or a shim MOK certificate. The specific key is determined by the Secure Boot scheme you will use. Using UEFI Secure Boot, MOK Verify Protocol and the SELoader together, the boot process is completely trustworthy. ESP Layout ---------- A typical ESP layout for x86-64 looks like below, e.g, . ├── EFI │ └── BOOT │ ├── bootx64.efi │ ├── grub.cfg │ ├── grub.cfg.p7b │ ├── grubx64.efi │ ├── Hash2DxeCrypto.efi │ ├── LockDown.efi │ ├── mmx64.efi │ ├── Pkcs7VerifyDxe.efi │ ├── SELoaderx64.efi │ └── x86_64-efi │ ├── ... │ ├── mok2verify.mod │ └── ... ├── images │ ├── bzImage │ ├── bzImage.p7b │ ├── initrd │ └── initrd.p7b └── startup.nsh where: - bootx64.efi The first stage shim loader, signed by DB key and authenticated by UEFI BIOS boot manager. - SELoaderx64.efi The second stage loader, authenticated by the shim loader with the vendor certificate, shim certificate, MOK certificate or DB certificate. - grubx64.efi The third stage loader, authenticated by the SELoader with the same objects as mentioned in SELoaderx64.efi. - grub.cfg grub configuration file. - grub.cfg.p7b The signature file of grub.cfg, authenticated by the SELoader. - mok2verify.mod Providing MOK2 Verify Protocol support, allowing the grub loader to call SELoader to verify grub.cfg.p7b, bzImage.p7b and initrd.p7b. - bzImage Linux kernel. - bzImage.p7b The signature file of bzImage, authenticated by the SELoader. - initrd initramfs image. - initrd.p7b The signature file of initrd, authenticated by the SELoader. - LockDown.efi Run the automatical certificate provision for UEFI Secure Boot. - mmx64.efi MOK Secure Boot manager, authenticated by the shim loader. - Pkcs7VerifyDxe.efi Providing EFI Pkcs7 Verify Protocol support, authenticated by the SELoader. - Hash2DxeCrypto.efi Providing EFI Hash2 Protocol support, authenticated by the SELoader. - startup.nsh UEFI shell bootstrap script. All efi binaries are signed with either DB.key or vendor_cert.key per the secure boot scheme you choose. Refer to meta-secure-env for practical secure boot implementation, and the signing tool sbsigntool. Note that the SELoader can be also used alone without the shim loader. EFI Pkcs7 Verify Protocol ------------------------- The SELoader employs EFI PKCS7 Verify Protocol available since UEFI Specification version 2.5 to verify the signature to prove the integrity of checked file. If your BIOS doesn't support this protocol, it is recommended to update the BIOS to the latest. If the latest still doesn't support the protocol, the SELoader is able to load the Pkcs7VerifyDxe.efi driver if available. Usually, the Pkcs7VerifyDxe.efi driver is located in the directory where the SELoader resides on ESP. You can build the Pkcs7VerifyDxe.efi driver from the scratch if you would like to do it. Refer to Bin/README for the instructions. Known Issues ------------ - The PKCS#7 detached signature format (.p7s) is not supported. References ---------- libsign - the signing tool used to generate SELoader PKCS#7 signature https://github.com/jiazhang0/libsign grub - Mok2Verify patch to verify the grub.cfg, linux kernel and initrd https://github.com/jiazhang0/meta-secure-core/blob/master/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch shim - implement MOK verify protocol https://github.com/rhboot/shim meta-secure-core - a practical secure boot implementation based on oe-core https://github.com/jiazhang0/meta-secure-core SecureCore - a complete OpenEmbedded/Poky-compatible reference implementation based on meta-secure-core https://github.com/jiazhang0/SecureCore
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].