edera-dev · azenla · Oct 31, 2025 · Oct 31, 2025 · Oct 31, 2025
@@ -18,7 +18,7 @@ existing UEFI bootloader or booted by the hardware directly.
 
 Sprout is licensed under Apache 2.0 and is open to modifications and contributions.
 
-**IMPORTANT WARNING**: Sprout does not support UEFI Secure Boot yet.
+**IMPORTANT WARNING**: Sprout does not support all of UEFI Secure Boot yet.
 See [this issue](https://github.com/edera-dev/sprout/issues/20) for updates.
 
 ## Background
@@ -65,13 +65,13 @@ The boot menu mechanism is very rudimentary.
 - [x] Load Linux initrd from disk
 - [x] Basic boot menu
 - [x] BLS autoconfiguration support
+- [x] [Secure Boot support](https://github.com/edera-dev/sprout/issues/20): partial
 
 ### Roadmap
 
 - [ ] [Bootloader interface support](https://github.com/edera-dev/sprout/issues/21)
 - [ ] [BLS specification conformance](https://github.com/edera-dev/sprout/issues/2)
 - [ ] [Full-featured boot menu](https://github.com/edera-dev/sprout/issues/1)
-- [ ] [Secure Boot support](https://github.com/edera-dev/sprout/issues/20): work in progress
 - [ ] [UKI support](https://github.com/edera-dev/sprout/issues/6): partial
 - [ ] [multiboot2 support](https://github.com/edera-dev/sprout/issues/7)
 - [ ] [Linux boot protocol (boot without EFI stub)](https://github.com/edera-dev/sprout/issues/7)

@@ -2,7 +2,7 @@
 
 ## Prerequisites
 
-- Secure Boot disabled
+- Secure Boot is disabled or configured to allow Sprout
 - UEFI Windows installation
 
 ## Step 1: Base Installation

@@ -1,5 +1,6 @@
 use crate::context::SproutContext;
 use crate::integrations::bootloader_interface::BootloaderInterface;
+use crate::integrations::shim::{ShimInput, ShimSupport};
 use crate::utils;
 use crate::utils::media_loader::MediaLoaderHandle;
 use crate::utils::media_loader::constants::linux::LINUX_EFI_INITRD_MEDIA_GUID;
@@ -35,20 +36,14 @@ pub fn chainload(context: Rc<SproutContext>, configuration: &ChainloadConfigurat
 
     // Resolve the path to the image to chainload.
     let resolved = utils::resolve_path(
-        context.root().loaded_image_path()?,
+        Some(context.root().loaded_image_path()?),
         &context.stamp(&configuration.path),
     )
     .context("unable to resolve chainload path")?;
 
-    // Load the image to chainload.
-    let image = uefi::boot::load_image(
-        sprout_image,
-        uefi::boot::LoadImageSource::FromDevicePath {
-            device_path: &resolved.full_path,
-            boot_policy: uefi::proto::BootPolicy::ExactMatch,
-        },
-    )
-    .context("unable to load image")?;
+    // Load the image to chainload using the shim support integration.
+    // It will determine if the image needs to be loaded via the shim or can be loaded directly.
+    let image = ShimSupport::load(sprout_image, ShimInput::ResolvedPath(&resolved))?;
 
     // Open the LoadedImage protocol of the image to chainload.
     let mut loaded_image_protocol = uefi::boot::open_protocol_exclusive::<LoadedImage>(image)
@@ -95,8 +90,9 @@ pub fn chainload(context: Rc<SproutContext>, configuration: &ChainloadConfigurat
     // If an initrd is provided, register it with the EFI stack.
     let mut initrd_handle = None;
     if let Some(linux_initrd) = initrd {
-        let content = utils::read_file_contents(context.root().loaded_image_path()?, &linux_initrd)
-            .context("unable to read linux initrd")?;
+        let content =
+            utils::read_file_contents(Some(context.root().loaded_image_path()?), &linux_initrd)
+                .context("unable to read linux initrd")?;
         let handle =
             MediaLoaderHandle::register(LINUX_EFI_INITRD_MEDIA_GUID, content.into_boxed_slice())
                 .context("unable to register linux initrd")?;

@@ -98,7 +98,7 @@ fn register_media_loader_file(
     // Stamp the path to the file.
     let path = context.stamp(path);
     // Read the file contents.
-    let content = utils::read_file_contents(context.root().loaded_image_path()?, &path)
+    let content = utils::read_file_contents(Some(context.root().loaded_image_path()?), &path)
         .context(format!("unable to read {} file", what))?;
     // Register the media loader.
     let handle = MediaLoaderHandle::register(guid, content.into_boxed_slice())

@@ -143,7 +143,7 @@ pub fn splash(context: Rc<SproutContext>, configuration: &SplashConfiguration) -
     // Stamp the image path value.
     let image = context.stamp(&configuration.image);
     // Read the image contents.
-    let image = read_file_contents(context.root().loaded_image_path()?, &image)?;
+    let image = read_file_contents(Some(context.root().loaded_image_path()?), &image)?;
     // Decode the image as a PNG.
     let image = ImageReader::with_format(Cursor::new(image), ImageFormat::Png)
         .decode()

@@ -19,7 +19,7 @@ fn load_raw_config(options: &SproutOptions) -> Result<Vec<u8>> {
     info!("configuration file: {}", options.config);
 
     // Read the contents of the sprout config file.
-    let content = utils::read_file_contents(&path, &options.config)
+    let content = utils::read_file_contents(Some(&path), &options.config)
         .context("unable to read sprout config file")?;
     // Return the contents of the sprout config file.
     Ok(content)

@@ -1,12 +1,12 @@
 use crate::context::SproutContext;
+use crate::integrations::shim::{ShimInput, ShimSupport};
 use crate::utils;
 use anyhow::{Context, Result};
 use log::info;
 use serde::{Deserialize, Serialize};
 use std::collections::BTreeMap;
 use std::rc::Rc;
 use uefi::boot::SearchType;
-use uefi::proto::device_path::LoadedImageDevicePath;
 
 /// Declares a driver configuration.
 /// Drivers allow extending the functionality of Sprout.
@@ -23,28 +23,17 @@ pub struct DriverDeclaration {
 fn load_driver(context: Rc<SproutContext>, driver: &DriverDeclaration) -> Result<()> {
     // Acquire the handle and device path of the loaded image.
     let sprout_image = uefi::boot::image_handle();
-    let image_device_path_protocol =
-        uefi::boot::open_protocol_exclusive::<LoadedImageDevicePath>(sprout_image)
-            .context("unable to open loaded image device path protocol")?;
 
-    // Get the device path root of the sprout image.
-    let mut full_path = utils::device_path_root(&image_device_path_protocol)?;
-
-    // Push the path of the driver from the root.
-    full_path.push_str(&context.stamp(&driver.path));
-
-    // Convert the path to a device path.
-    let device_path = utils::text_to_device_path(&full_path)?;
-
-    // Load the driver image.
-    let image = uefi::boot::load_image(
-        sprout_image,
-        uefi::boot::LoadImageSource::FromDevicePath {
-            device_path: &device_path,
-            boot_policy: uefi::proto::BootPolicy::ExactMatch,
-        },
+    // Resolve the path to the driver image.
+    let resolved = utils::resolve_path(
+        Some(context.root().loaded_image_path()?),
+        &context.stamp(&driver.path),
     )
-    .context("unable to load image")?;
+    .context("unable to resolve path to driver")?;
+
+    // Load the driver image using the shim support integration.
+    // It will determine if the image needs to be loaded via the shim or can be loaded directly.
+    let image = ShimSupport::load(sprout_image, ShimInput::ResolvedPath(&resolved))?;
 
     // Start the driver image, this is expected to return control to sprout.
     // There is no guarantee that the driver will actually return control as it is

@@ -49,7 +49,7 @@ pub fn generate(context: Rc<SproutContext>, bls: &BlsConfiguration) -> Result<Ve
     let path = context.stamp(&bls.path);
 
     // Resolve the path to the BLS directory.
-    let bls_resolved = utils::resolve_path(context.root().loaded_image_path()?, &path)
+    let bls_resolved = utils::resolve_path(Some(context.root().loaded_image_path()?), &path)
         .context("unable to resolve bls path")?;
 
     // Construct a filesystem path to the BLS entries directory.

@@ -1,2 +1,4 @@
 /// Implements support for the bootloader interface specification.
 pub mod bootloader_interface;
+/// Implements support for the shim loader application for Secure Boot.
+pub mod shim;