0.4.8 (??/??/2012):
-------------------
+- Added support for using Matthew Garrett's Shim program and its Machine
+ Owner Keys (MOKs) to extend Secure Boot capabilities. If rEFInd is
+ launched from Shim on a computer with Secure Boot active, rEFInd will
+ launch programs signed with either a standard UEFI Secure Boot key or a
+ MOK. For the moment, this feature works only on x86-64 systems.
+
+- Added new "dont_scan_files" (aka "don't_scan_files") token for
+ refind.conf. The effect is similar to dont_scan_dirs, but it creates a
+ blacklist of filenames within directories rather than directory names.
+ I'm initially using it to place shim.efi and MokManager.efi in the
+ blacklist to keep these programs out of the OS list. (MokManager.efi is
+ scanned separately as a tool; see below.) I've moved checks for
+ ebounce.efi, GraphicsConsole.efi, and TextMode.efi to this list. (These
+ three had previously been blacklisted by hard-coding in ScanLoaderDir().)
+
- Added the directory from which rEFInd launched to dont_scan_dirs. This
works around a bug in which rEFInd would show itself as a bogus Windows
entry if it's installed as EFI/Microsoft/boot/bootmgfw.efi.
- Added support for launching MokManager.efi for managing the Machine Owner
Keys (MOKs) maintained by the Shim boot loader developed by Fedora and
- SUSE.
+ SUSE. This program is scanned and presented as a second-row tool.
- Added support for Apple's Recovery HD partition: If it's detected, a new
icon appears on the second row. This icon can be removed by explicitly
<td>directory path(s)</td>
<td>Adds the specified directory or directories to a directory "blacklist"—these directories are <i>not</i> scanned for boot loaders, on <i>any</i> partition. This may be useful to keep duplicate boot loaders out of the menu (say, if <tt>EFI/Boot/bootx64.efi</tt> is a duplicate of another boot loader); or to keep drivers or utilities out of the boot menu, if you've stored them in a subdirectory of <tt>EFI</tt>. This option takes precedence over <tt>also_scan_dirs</tt>; if a directory appears in both lists, it will <i>not</i> be scanned.</td>
</tr>
+<tr>
+ <td><tt>dont_scan_files</tt> or <tt>don't_scan_files</tt></td>
+ <td>Filename(s)</td>
+ <td>Adds the specified filename or filenames to a filename "blacklist"—these files are <i>not</i> included as boot loader options even if they're found on the disk. This is useful to exclude support programs (such as <tt>shim.efi</tt> and <tt>MokManager.efi</tt>) and drivers from your OS list. The default value is <tt>shim.efi, MokManager.efi, TextMode.efi, ebounce.efi, GraphicsConsole.efi</tt>.</td>
+</tr>
<tr>
<td><tt>scan_all_linux_kernels</tt></td>
<td>None</td>
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
#endif
-
-#include "PeImage2.h"
} GNUEFI_PE_COFF_LOADER_IMAGE_CONTEXT;
-
-//
-// Return status codes from the PE/COFF Loader services
-//
-#define IMAGE_ERROR_SUCCESS 0
-#define IMAGE_ERROR_IMAGE_READ 1
-#define IMAGE_ERROR_INVALID_PE_HEADER_SIGNATURE 2
-#define IMAGE_ERROR_INVALID_MACHINE_TYPE 3
-#define IMAGE_ERROR_INVALID_SUBSYSTEM 4
-#define IMAGE_ERROR_INVALID_IMAGE_ADDRESS 5
-#define IMAGE_ERROR_INVALID_IMAGE_SIZE 6
-#define IMAGE_ERROR_INVALID_SECTION_ALIGNMENT 7
-#define IMAGE_ERROR_SECTION_NOT_LOADED 8
-#define IMAGE_ERROR_FAILED_RELOCATION 9
-#define IMAGE_ERROR_FAILED_ICACHE_FLUSH 10
-
-#ifdef __MAKEWITH_GNUEFI
-#define RETURN_STATUS EFI_STATUS
-typedef UINT64 PHYSICAL_ADDRESS;
-#endif
-
#endif
# This can help some users who find that some of their disks
# (usually external or optical discs) aren't detected initially,
# but are detected after pressing Esc.
+# The default is 0.
#
#scan_delay 5
#
#dont_scan_dirs EFI/boot,EFI/Dell
+# Files that should NOT be included as EFI boot loaders (on the
+# first line of the display). If you're using a boot loader that
+# relies on support programs or drivers that are installed alongside
+# the main binary or if you want to "blacklist" certain loaders by
+# name rather than location, use this option. Note that this will
+# NOT prevent certain binaries from showing up in the second-row
+# set of tools. Most notably, MokManager.efi is in this blacklist,
+# but will show up as a tool if present in certain directories. You
+# can control the tools row with the showtools token.
+# The default is shim.efi,MokManager.efi,TextMode.efi,ebounce.efi,GraphicsConsole.efi
+#
+#dont_scan_files shim.efi,MokManager.efi
+
# Scan for Linux kernels that lack a ".efi" filename extension. This is
# useful for better integration with Linux distributions that provide
# kernels with EFI stub loaders but that don't give those kernels filenames
if (EFI_ERROR(Status))
return;
- GlobalConfig.DontScan = StrDuplicate(SelfDirPath);
+ MyFreePool(GlobalConfig.DontScanDirs);
+ GlobalConfig.DontScanDirs = StrDuplicate(SelfDirPath);
+ MyFreePool(GlobalConfig.DontScanFiles);
+ GlobalConfig.DontScanFiles = DONT_SCAN_FILES;
for (;;) {
TokenCount = ReadTokenLine(&File, &TokenList);
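Review bot: `GlobalConfig.DontScanFiles = DONT_SCAN_FILES;` stores a pointer to a wide string literal in a field that the line directly above passes to `MyFreePool()`, so a second pass through this code would free memory that never came from the pool allocator. The same field is passed by address to `HandleStrings()` in the new `dont_scan_files` branch further down; if that helper releases the previous value before replacing it (its body is not visible here), a single `dont_scan_files` line in refind.conf reaches the same invalid free. Duplicating the default, as the directory list does two lines up, keeps ownership uniform: `GlobalConfig.DontScanFiles = StrDuplicate(DONT_SCAN_FILES);`. The enclosing function starts and continues outside this hunk.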
HandleStrings(TokenList, TokenCount, &(GlobalConfig.AlsoScan));
} else if ((StriCmp(TokenList[0], L"don't_scan_dirs") == 0) || (StriCmp(TokenList[0], L"dont_scan_dirs") == 0)) {
- HandleStrings(TokenList, TokenCount, &(GlobalConfig.DontScan));
+ HandleStrings(TokenList, TokenCount, &(GlobalConfig.DontScanDirs));
+
+ } else if ((StriCmp(TokenList[0], L"don't_scan_files") == 0) || (StriCmp(TokenList[0], L"dont_scan_files") == 0)) {
+ HandleStrings(TokenList, TokenCount, &(GlobalConfig.DontScanFiles));
} else if (StriCmp(TokenList[0], L"scan_driver_dirs") == 0) {
HandleStrings(TokenList, TokenCount, &(GlobalConfig.DriverDirs));
#define HIDEUI_FLAG_ARROWS (0x0010)
#define HIDEUI_ALL ((0xffff))
+#define DONT_SCAN_FILES L"shim.efi,MokManager.efi,TextMode.efi,ebounce.efi,GraphicsConsole.efi"
+
EFI_STATUS ReadFile(IN EFI_FILE_HANDLE BaseDir, CHAR16 *FileName, REFIT_FILE *File, UINTN *size);
VOID ReadConfig(VOID);
VOID ScanUserConfigured(VOID);
CHAR16 *SelectionBigFileName;
CHAR16 *DefaultSelection;
CHAR16 *AlsoScan;
- CHAR16 *DontScan;
+ CHAR16 *DontScanDirs;
+ CHAR16 *DontScanFiles;
CHAR16 *DriverDirs;
CHAR16 *IconsDir;
UINTN ShowTools[NUM_TOOLS];
#define DRIVER_DIRS L"drivers"
#endif
-#define MOK_NAMES L"\\EFI\\tools\\MokManager.efi,\\EFI\\redhat\\MokManager.efi"
+#define MOK_NAMES L"\\EFI\\tools\\MokManager.efi,\\EFI\\redhat\\MokManager.efi,\\EFI\\ubuntu\\MokManager.efi,\\EFI\\suse\\MokManager"
// Filename patterns that identify EFI boot loaders. Note that a single case (either L"*.efi" or
// L"*.EFI") is fine for most systems; but Gigabyte's buggy Hybrid EFI does a case-sensitive
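Review bot: The last path added to `MOK_NAMES`, `\\EFI\\suse\\MokManager`, has no `.efi` extension while the other three entries do, which looks like a truncated string. As written, the SUSE copy would presumably never match in whatever code walks this list, so the MOK tool would silently be missing on those installs. If the file on disk is named like the others, the entry should read `\\EFI\\suse\\MokManager.efi`.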
static REFIT_MENU_SCREEN AboutMenu = { L"About", NULL, 0, NULL, 0, NULL, 0, NULL };
REFIT_CONFIG GlobalConfig = { FALSE, FALSE, 0, 0, 20, 0, 0, GRAPHICS_FOR_OSX, LEGACY_TYPE_MAC, 0,
- NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
{TAG_SHELL, TAG_APPLE_RECOVERY, TAG_MOK_TOOL, TAG_ABOUT, TAG_SHUTDOWN, TAG_REBOOT, 0, 0, 0, 0, 0 }};
// Structure used to hold boot loader filenames and time stamps in
struct LOADER_LIST *LoaderList = NULL, *NewLoader;
if ((!SelfDirPath || !Path || ((StriCmp(Path, SelfDirPath) == 0) && Volume->DeviceHandle != SelfVolume->DeviceHandle) ||
- (StriCmp(Path, SelfDirPath) != 0)) && (!IsIn(Path, GlobalConfig.DontScan))) {
+ (StriCmp(Path, SelfDirPath) != 0)) && (!IsIn(Path, GlobalConfig.DontScanDirs))) {
// look through contents of the directory
DirIterOpen(Volume->RootDir, Path, &DirIter);
while (DirIterNext(&DirIter, 2, Pattern, &DirEntry)) {
Extension = FindExtension(DirEntry->FileName);
if (DirEntry->FileName[0] == '.' ||
- StriCmp(DirEntry->FileName, L"TextMode.efi") == 0 ||
- StriCmp(DirEntry->FileName, L"ebounce.efi") == 0 ||
- StriCmp(DirEntry->FileName, L"GraphicsConsole.efi") == 0 ||
StriCmp(Extension, L".icns") == 0 ||
- StriSubCmp(L"shell", DirEntry->FileName))
+ StriSubCmp(L"shell", DirEntry->FileName) ||
+ IsIn(DirEntry->FileName, GlobalConfig.DontScanFiles))
continue; // skip this
if (Path)
if ((Volume->RootDir != NULL) && (Volume->VolName != NULL)) {
// check for Mac OS X boot loader
- if (!IsIn(L"\\System\\Library\\CoreServices", GlobalConfig.DontScan)) {
+ if (!IsIn(L"\\System\\Library\\CoreServices", GlobalConfig.DontScanDirs)) {
StrCpy(FileName, MACOSX_LOADER_PATH);
- if (FileExists(Volume->RootDir, FileName)) {
+ if (FileExists(Volume->RootDir, FileName) && !IsIn(L"boot.efi", GlobalConfig.DontScanFiles)) {
AddLoaderEntry(FileName, L"Mac OS X", Volume);
}
// check for XOM
StrCpy(FileName, L"\\System\\Library\\CoreServices\\xom.efi");
- if (FileExists(Volume->RootDir, FileName)) {
+ if (FileExists(Volume->RootDir, FileName) && !IsIn(L"boot.efi", GlobalConfig.DontScanFiles)) {
AddLoaderEntry(FileName, L"Windows XP (XoM)", Volume);
}
- } // if Mac directory not in GlobalConfig.DontScan list
+ } // if Mac directory not in GlobalConfig.DontScanDirs list
// check for Microsoft boot loader/menu
StrCpy(FileName, L"\\EFI\\Microsoft\\Boot\\Bootmgfw.efi");
- if (FileExists(Volume->RootDir, FileName) && !IsIn(L"\\EFI\\Microsoft\\Boot", GlobalConfig.DontScan)) {
+ if (FileExists(Volume->RootDir, FileName) && !IsIn(L"\\EFI\\Microsoft\\Boot", GlobalConfig.DontScanDirs) &&
+ !IsIn(L"bootmgfw.efi", GlobalConfig.DontScanFiles)) {
AddLoaderEntry(FileName, L"Microsoft EFI boot", Volume);
}
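Review bot: The XOM check tests the wrong filename: the new condition guarding the `xom.efi` path is `!IsIn(L"boot.efi", GlobalConfig.DontScanFiles)`, apparently copied from the Mac OS X check just above it. Listing `xom.efi` in `dont_scan_files` therefore has no effect, while listing `boot.efi` hides both entries. The condition should be `FileExists(Volume->RootDir, FileName) && !IsIn(L"xom.efi", GlobalConfig.DontScanFiles)`. Separately, the Microsoft check passes `L"bootmgfw.efi"` although the path is spelled `Bootmgfw.efi`; that is only correct if `IsIn()` compares case-insensitively, which this hunk does not show. The enclosing function begins and ends outside the hunk.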
#include "../include/PeImage.h"
+#include "../include/PeImage2.h"
#define SHIM_LOCK_GUID \
{ 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }