From patchwork Thu Aug 28 02:07:16 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 156
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1756346891;
	bh=EULpu+jY4LmC9tXfOHuWhTz2oUwl7ZL9Sy+jdvtZXXk=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=r3gveVsDvqiKeVOt8EiPIk6kxpHSjGciDKDHmM3CJ5Fh0F6hhJvZPVWTbLPyfDqGy
	 Ewhp1FpUsSuZmfpWge/ZKDVv+drvX1iHbnn5EFbAAwpmbHTgO0E73jEQy/zDAmSfKc
	 Mk8aw6zPXIVP+V8ALFGJM7jX2HeoOXqIFBSvxI1PmLf/9MVq0D7G8hjSC1ynT4Krsn
	 qjlzlvXclUaZ61WqEk/ZxH2P+BjD0hCpdz0EEFr1iYMEujzKDSEJS4xRpcDj/JcaNO
	 NY7bywshBD/SPJV5ye4RlGmPlBVzSsT9dsd9/8sFM0fr7F1oOYCke7VGPv3bIqCDZM
	 VFqFD82PsN49Q==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 73ABF67828
	for <u-boot-concept@u-boot.org>; Wed, 27 Aug 2025 20:08:11 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id 2afLLqGVSYiT for <u-boot-concept@u-boot.org>;
 Wed, 27 Aug 2025 20:08:11 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1756346889;
	bh=EULpu+jY4LmC9tXfOHuWhTz2oUwl7ZL9Sy+jdvtZXXk=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=iGRfDeWHlUMy4fA2GH+Si3+9/v8zmNsuXXibkPcMt4MXcyNsiDyI1B14lJTCFY3Kq
	 /Iw0dhAY9uQHkQzTdYYdCpatoaAmAIFFIYPDeS+Va77ahnaCVhGN1+vRHWj3js0/Bq
	 K/xmcp5Gc5jfNYY24vTVXMJWNSPpEMpq8iQFC8r2pMxdtB5mNRCnZidXCZmELcSEw8
	 KJYe2HeWWmbvD1DFvvaS25kGgim/C3J6mYcV94F7KPqLTJSrLPMPWkcaejPtiN1fv8
	 Uiv+LmWjKzWkuj9x4SftOQ8rbP8kHvM6AaKavKNHlhyF6xJ7k3TJMfXKcWZO9onBRz
	 W+bRXyLLR0Rug==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 7FFAC6782E
	for <u-boot-concept@u-boot.org>; Wed, 27 Aug 2025 20:08:09 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1756346886;
	bh=7ZR7Ebx8xHyrK5/uupzxw89qT/je1L0WT3ym1lhR7Ic=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=ElWF4MlTVhWe0wMI8m5Gd3KluYiOlubz8jfftX0LOAM6qmpw8VN38nQPa4ElquvFL
	 /J3G/wLC97c3BaZ8GTHFvRsJA4hyMWguxuZxgvhqPGyVCQ70m4Q9WP1EWjNgPNR/zu
	 5ZHAF2j5HPpPHS/8midrwOaaF0o0oB0zOlb1iEJsI/eeFRNeiQg5qsFeEARyja7j6l
	 IbxH0LseXtT57CFgpQsscOUvHVw6+R3tANqIMoFzlqFXrisiKzdNx0qeqp2Rey4ql5
	 vVI+YnRGH50sJ4y1rEz/mTVbjpnAHyHBHjbFmxhZjv80HI7Xgg0yoOa9aL/CuAfWCG
	 KaFUGDf8hJ7/A==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id B48A4677CB;
	Wed, 27 Aug 2025 20:08:06 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id m9bPxRdn2SgR; Wed, 27 Aug 2025 20:08:06 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1756346886;
	bh=mvgMYr1mbFXewv4TJsp7Smq1LnoaroFwjjGUx/oGLQc=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=rr7c8zmI9ZbMWG2i5cj3H6EOKHKa1cE5vBchuZ8DSpGlkcpxGDaNQDLK9MV+D6Awb
	 sfGzmI3QQ8nxFiyQbujvAYEjFodbYYxHUBfYEJAkOq/R9kbCsHW/8Oo3KWyQiCTjVL
	 759HO3mPr3E/pnUiBI7DsfK9O+UZqjo+tFl6M3rQvioid1DF0Cw/FPu2uhvZXJfDud
	 G9hRfl763/QgHitOtov1jrvTKOc8MNwQkp5QdGPp9byD1NI17ffZ4JumEdIT+mknDw
	 igJ2aia47JkPuM5onzgBaf0TF0q17JPB5v9uAi1k2831afcuewLX6UExPcawqBWpRC
	 BT8swU7pDr5iA==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id EBE616777E;
	Wed, 27 Aug 2025 20:08:05 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Wed, 27 Aug 2025 20:07:16 -0600
Message-ID: <20250828020732.981415-14-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20250828020732.981415-1-sjg@u-boot.org>
References: <20250828020732.981415-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: SQM6FEMCMAKSLJMWDBEDYZUD2YRMAD7Z
X-Message-ID-Hash: SQM6FEMCMAKSLJMWDBEDYZUD2YRMAD7Z
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Heinrich Schuchardt <xypron.glpk@gmx.de>, Simon Glass <sjg@chromium.org>,
 Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 13/20] efi: Add a command to help with shim
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/SQM6FEMCMAKSLJMWDBEDYZUD2YRMAD7Z/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Shim is a program which normally comes before U-Boot in the boot
process. But when the app runs first, it can sometimes chain Shim since
that is what is contained within the bootaa64.efi file, for example.

Add a simple command for dealing with shim. For now it only supports
enabling verbosity.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 cmd/Kconfig            |   9 ++++
 cmd/Makefile           |   1 +
 cmd/shim.c             |  65 ++++++++++++++++++++++++++
 doc/usage/cmd/shim.rst | 101 +++++++++++++++++++++++++++++++++++++++++
 doc/usage/index.rst    |   1 +
 include/efi.h          |   3 ++
 include/efi_api.h      |   4 ++
 include/shim.h         |  13 ++++++
 lib/efi/device_path.c  |   2 +
 9 files changed, 199 insertions(+)
 create mode 100644 cmd/shim.c
 create mode 100644 doc/usage/cmd/shim.rst
 create mode 100644 include/shim.h

diff --git a/cmd/Kconfig b/cmd/Kconfig
index 99101ff6c82..6a3ef56b3b9 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -547,6 +547,15 @@ config SYS_XIMG_LEN
 	  It should be large enough to fit uncompressed size of
 	  FIT piece we are extracting.
 
+config CMD_SHIM
+	bool "shim"
+	depends on CMD_NVEDIT_EFI
+	default y if SANDBOX || EFI_APP
+	help
+	  Provides a few commands for dealing with Shim being in the boot
+	  chain. This can be useful when debugging booting, particularly on
+	  x86 machines.
+
 config CMD_SPL
 	bool "spl export - Export boot information for Falcon boot"
 	depends on SPL
diff --git a/cmd/Makefile b/cmd/Makefile
index 407056b778b..bc381905729 100644
--- a/cmd/Makefile
+++ b/cmd/Makefile
@@ -174,6 +174,7 @@ obj-$(CONFIG_CMD_SHA1SUM) += sha1sum.o
 obj-$(CONFIG_CMD_SEAMA) += seama.o
 obj-$(CONFIG_CMD_SETEXPR) += setexpr.o
 obj-$(CONFIG_CMD_SETEXPR_FMT) += printf.o
+obj-$(CONFIG_CMD_SHIM) += shim.o
 obj-$(CONFIG_CMD_SPI) += spi.o
 obj-$(CONFIG_CMD_STRINGS) += strings.o
 obj-$(CONFIG_CMD_SMBIOS) += smbios.o
diff --git a/cmd/shim.c b/cmd/shim.c
new file mode 100644
index 00000000000..903f1823f19
--- /dev/null
+++ b/cmd/shim.c
@@ -0,0 +1,65 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Control of settings for Shim
+ *
+ * Copyright 2025 Simon Glass <sjg@chromium.org>
+ */
+
+#define __efi_runtime
+
+#include <abuf.h>
+#include <command.h>
+#include <efi.h>
+#include <efi_variable.h>
+#include <errno.h>
+#include <shim.h>
+#include <vsprintf.h>
+
+static int do_shim_debug(struct cmd_tbl *cmdtp, int flag, int argc,
+			 char *const argv[])
+{
+	efi_status_t eret;
+	struct abuf buf;
+	const char *sub;
+	u32 value;
+	int ret;
+
+	sub = cmd_arg1(argc, argv);
+	if (!sub) {
+		ret = efi_read_var(SHIM_VERBOSE_VAR_NAME, &efi_shim_lock, NULL,
+				   &buf, NULL);
+		if (ret == -ENOENT) {
+			value = 0;
+		} else if (ret) {
+			printf("Failed to read variable (err=%dE)\n", ret);
+			goto fail;
+		} else if (buf.size != sizeof(value)) {
+			printf("Invalid value size %zd\n", buf.size);
+			goto fail;
+		} else {
+			value = *(typeof(value) *)buf.data;
+		}
+		printf("%d\n", value);
+	} else {
+		value = hextoul(sub, NULL) ? 1 : 0;
+		eret = efi_set_variable_int(SHIM_VERBOSE_VAR_NAME,
+					    &efi_shim_lock,
+					    EFI_VARIABLE_BOOTSERVICE_ACCESS,
+					    sizeof(value), &value, false);
+		if (eret) {
+			printf("Failed to write variable (err=%lx)\n", eret);
+			goto fail;
+		}
+	}
+
+	return 0;
+
+fail:
+	return 1;
+}
+
+U_BOOT_LONGHELP(shim,
+	"debug [<0/1>]  - Enable / disable debug verbose mode");
+
+U_BOOT_CMD_WITH_SUBCMDS(shim, "Shim utilities", shim_help_text,
+	U_BOOT_SUBCMD_MKENT(debug, 3, 1, do_shim_debug));
diff --git a/doc/usage/cmd/shim.rst b/doc/usage/cmd/shim.rst
new file mode 100644
index 00000000000..285dd200558
--- /dev/null
+++ b/doc/usage/cmd/shim.rst
@@ -0,0 +1,101 @@
+.. SPDX-License-Identifier: GPL-2.0+
+
+shim command
+============
+
+Synopsis
+--------
+
+::
+
+    shim debug [<0/1>]
+
+Description
+-----------
+
+The ``shim`` command provides utilities for controlling and configuring the
+UEFI Shim bootloader when U-Boot is running as an EFI application. Shim is a
+UEFI bootloader that is used to verify and boot signed operating system
+loaders, commonly used in secure boot environments.
+
+The ``shim debug`` subcommand manages the Shim verbose debugging mode through
+the ``SHIM_VERBOSE`` EFI variable.
+
+Subcommands
+~~~~~~~~~~~
+
+shim debug
+^^^^^^^^^^
+
+Controls the Shim verbose debugging mode.
+
+**Usage:**
+
+::
+
+    shim debug          # Display current debug state (0 or 1)
+    shim debug 0        # Disable verbose debugging
+    shim debug 1        # Enable verbose debugging
+
+The command reads from or writes to the ``SHIM_VERBOSE`` EFI variable in the
+Shim Lock GUID namespace. When verbose mode is enabled (value = 1), Shim will
+output additional debugging information during the boot process. When disabled
+(value = 0 or variable doesn't exist), Shim operates silently.
+
+**Parameters:**
+
+* ``<0/1>`` - Optional parameter to set debug mode:
+
+  * ``0`` - Disable verbose debugging
+  * ``1`` - Enable verbose debugging
+  * If omitted, displays current debug state
+
+**Return value:**
+
+The command returns 0 on success, 1 on failure.
+
+**Examples:**
+
+Check current debug state::
+
+    => shim debug
+    0
+
+Enable verbose debugging::
+
+    => shim debug 1
+
+Disable verbose debugging::
+
+    => shim debug 0
+
+Configuration
+~~~~~~~~~~~~~
+
+The shim command is available when:
+
+* ``CONFIG_CMD_SHIM`` is enabled
+* U-Boot is running as an EFI application
+* EFI-variable support is available
+
+Implementation Details
+~~~~~~~~~~~~~~~~~~~~~~
+
+The command uses the EFI variable services to read and write the
+``SHIM_VERBOSE`` variable with the following characteristics:
+
+* **Variable Name:** ``SHIM_VERBOSE`` (Unicode string)
+* **GUID:** EFI Shim Lock GUID (``605dab50-e046-4300-abb6-3dd810dd8b23``)
+* **Attributes:** ``EFI_VARIABLE_BOOTSERVICE_ACCESS``
+* **Data Type:** 32-bit unsigned integer (4 bytes)
+* **Values:** 0 (disabled) or 1 (enabled)
+
+The variable is stored in the EFI variable store and persists across reboots
+until explicitly changed or the variable store is cleared.
+
+See Also
+~~~~~~~~
+
+* :doc:`efidebug` - EFI debugging utilities
+* :doc:`bootefi` - Boot EFI applications
+* :doc:`/develop/uefi/u-boot_on_efi`
diff --git a/doc/usage/index.rst b/doc/usage/index.rst
index 585aa3f9784..3b45d443d5c 100644
--- a/doc/usage/index.rst
+++ b/doc/usage/index.rst
@@ -115,6 +115,7 @@ Shell commands
    cmd/seama
    cmd/setexpr
    cmd/sf
+   cmd/shim
    cmd/size
    cmd/sleep
    cmd/sm
diff --git a/include/efi.h b/include/efi.h
index 07d07050c01..2ca7cc30d52 100644
--- a/include/efi.h
+++ b/include/efi.h
@@ -163,6 +163,9 @@ extern const efi_guid_t efi_guid_component_name2;
 /* GUIDs for authentication - most of these are still in efi_loader.h */
 extern const efi_guid_t efi_guid_image_security_database;
 
+/* Access to Shim variables */
+extern const efi_guid_t efi_shim_lock;
+
 /* Generic EFI table header */
 struct efi_table_hdr {
 	u64 signature;
diff --git a/include/efi_api.h b/include/efi_api.h
index b3f6172e97a..00a9d29b8fe 100644
--- a/include/efi_api.h
+++ b/include/efi_api.h
@@ -487,6 +487,10 @@ struct efi_runtime_services {
 	EFI_GUID(0x6a7a5cff, 0xe8d9, 0x4f70, \
 		 0xba, 0xda, 0x75, 0xab, 0x30, 0x25, 0xce, 0x14)
 
+#define EFI_SHIM_LOCK_GUID \
+	EFI_GUID(0x605dab50, 0xe046, 0x4300, \
+		 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23)
+
 /**
  * struct efi_configuration_table - EFI Configuration Table
  *
diff --git a/include/shim.h b/include/shim.h
new file mode 100644
index 00000000000..23061398933
--- /dev/null
+++ b/include/shim.h
@@ -0,0 +1,13 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Shim features and settings
+ *
+ * Copyright 2025 Simon Glass <sjg@chromium.org>
+ */
+
+#ifndef __SHIM_H
+#define __SHIM_H
+
+#define SHIM_VERBOSE_VAR_NAME	L"SHIM_VERBOSE"
+
+#endif
diff --git a/lib/efi/device_path.c b/lib/efi/device_path.c
index bae9e5c537a..b09ea030341 100644
--- a/lib/efi/device_path.c
+++ b/lib/efi/device_path.c
@@ -43,6 +43,8 @@ const efi_guid_t efi_guid_component_name2 = EFI_COMPONENT_NAME2_PROTOCOL_GUID;
 const efi_guid_t efi_guid_image_security_database =
 		EFI_IMAGE_SECURITY_DATABASE_GUID;
 
+const efi_guid_t efi_shim_lock = EFI_SHIM_LOCK_GUID;
+
 /* template EFI_DP_END node: */
 const struct efi_device_path EFI_DP_END = {
 	.type     = DEVICE_PATH_TYPE_END,