On 06/28/18 12:09, vikash kumar wrote:
> Hi all,
>
> From where I can download Microsoft's signed efi shell (Shellx64.efi)?
You can't. The UEFI shell is a powerful tool that can do just about
anything; in particular what it does is dicated by the shell scripts
that it runs, and it might directly access hardware too. Signing the
UEFI shell would mean for Microsoft to blanket-sign all UEFI shell
scripts, current and future.
For the same reason, we have been advised to exlude the UEFI shell
binary from the FV (firmware volume) in our downstream Secure
Boot-enabled OVMF image, and so we do that in RHEL. We only provide an
unsigned UEFI shell, on a separate ISO image. If you have SB enabled,
the ISO won't boot; that's a feature. (If the shell were part of the FV,
it could be executed regardless of signature.)
Thanks,
Laszlo
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
