Yossi: yes, this looks like the correct set of steps.
Thanks ... br
---
Brian Richardson -- [email protected] -- Twitter: intel_brian
From: Yossef Efraim [mailto:[email protected]]
Sent: Tuesday, February 05, 2013 4:22 PM
To: [email protected]
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)
Thanks Brian.
When I referred to .ROM it was just the EFI driver.
To make sure I understood correctly:
1. I build -> I get the .EFI file
2. I sign this .EFI file
3. I convert this file to .ROM using the EfiRom utility (EDK2/BaseTools)
4. If I wish to combine the .ROM with a legacy Option ROM - this is the step for doing so.
I really appreciate your help,
Yossi
________________________________
From: Richardson, Brian [[email protected]]
Sent: Tuesday, February 05, 2013 7:53 PM
To: [email protected]
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)
Signed code should still run when UEFI Secure Boot is disabled. You may have a
problem when signing the driver or creating the combined OpROM.
When you refer to .ROM file ... is this just the EFI driver or is this the
combined EFI+Legacy Option ROM? You should not sign the entire Option ROM
(EFI+legacy) ... that will break the format of the PCI Option ROM. You only
need to sign the EFI driver before creating the combined Option ROM.
Before inserting the EFI driver in the OpROM, sign the EFI image and test it
with Secure Boot ON & OFF at the UEFI Shell (load/unload the driver file). Then
put the signed driver into the combined OpROM.
Thanks ... br
---
Brian Richardson -- [email protected] -- Twitter: intel_brian
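Brian's point above is that the Authenticode signature belongs inside the PE/COFF .efi image, and the .rom that EfiRom wraps around it is a separate PCI Option ROM container whose image chain (header, PCIR data structure, last-image indicator) must stay intact. The following script is an added example, not code from this thread or from EDK2: it walks an Option ROM image chain, pulls the EFI payload back out, and reports the structural problems the steps in the thread are meant to avoid. Field layouts follow the PCI Firmware Specification 3.0 PCIR structure and the UEFI specification's EFI Option ROM header; the builder, the vendor/device IDs and the payload bytes are constructed test input only, and the names `build_image`, `parse_option_rom` and `validate_option_rom` are this example's own.

```python
"""Parse and sanity-check a PCI Option ROM image chain (legacy + EFI images).

Added example. Layouts: PCI Firmware Spec 3.0 "PCIR" data structure and the
UEFI spec EFI Option ROM header (EfiSignature 0x0EF1). build_image() exists
only to produce constructed test input; parse_option_rom() and
validate_option_rom() are what you would run on a real .rom from EfiRom.
"""
import struct

ROM_SIGNATURE = 0xAA55        # bytes 0x55 0xAA at the start of every image
EFI_SIGNATURE = 0x0EF1        # EfiSignature field of the EFI image header
CODE_TYPE_LEGACY = 0x00       # PCIR CodeType: Intel x86 PC-AT (legacy BIOS)
CODE_TYPE_EFI = 0x03          # PCIR CodeType: EFI image
LAST_IMAGE_FLAG = 0x80        # PCIR Indicator bit 7: last image in the ROM
BLOCK = 512                   # image sizes are counted in 512-byte units
# PCIR: sig, vid, did, devlist ptr, len, rev, class code, image len (blocks),
#       code rev, code type, indicator, reserved
PCIR_FMT = "<4sHHHHB3sHHBBH"
HEADER_LEN = 0x1C
PCIR_LEN = struct.calcsize(PCIR_FMT)   # 0x18


def build_image(code_type, payload, vendor_id=0x1234, device_id=0x5678, last=False):
    """Build one ROM image as EfiRom lays it out: header, PCIR, then payload.

    Constructed helper for test input; vendor/device IDs are placeholders and
    the legacy image's real entry point/jump at offset 3 is not modelled.
    """
    payload_off = HEADER_LEN + PCIR_LEN
    total = (payload_off + len(payload) + BLOCK - 1) // BLOCK * BLOCK
    blocks = total // BLOCK
    img = bytearray(total)
    struct.pack_into("<HH", img, 0x00, ROM_SIGNATURE, blocks)
    if code_type == CODE_TYPE_EFI:
        # EfiSignature, EfiSubsystem (0x0B = boot service driver),
        # EfiMachineType (0x8664 = x64), CompressionType (0 = uncompressed)
        struct.pack_into("<IHHH", img, 0x04, EFI_SIGNATURE, 0x0B, 0x8664, 0)
        struct.pack_into("<H", img, 0x16, payload_off)   # EfiImageHeaderOffset
    struct.pack_into("<H", img, 0x18, HEADER_LEN)        # pointer to PCIR
    struct.pack_into(PCIR_FMT, img, HEADER_LEN, b"PCIR", vendor_id, device_id, 0,
                     PCIR_LEN, 3, b"\x00\x00\x02",       # class: base 0x02 = network
                     blocks, 0, code_type, LAST_IMAGE_FLAG if last else 0, 0)
    img[payload_off:payload_off + len(payload)] = payload
    return bytes(img)


def parse_option_rom(rom):
    """Walk the image chain and return one dict per image, in ROM order."""
    images, off = [], 0
    while True:
        if off + HEADER_LEN > len(rom):
            raise ValueError(f"image header at 0x{off:X} runs past end of ROM")
        sig, = struct.unpack_from("<H", rom, off)
        if sig != ROM_SIGNATURE:
            raise ValueError(f"bad ROM signature 0x{sig:04X} at 0x{off:X}")
        pcir_off, = struct.unpack_from("<H", rom, off + 0x18)
        fields = struct.unpack_from(PCIR_FMT, rom, off + pcir_off)
        psig, vid, did, _, _, _, cls, img_blocks, _, code_type, indicator, _ = fields
        if psig != b"PCIR":
            raise ValueError(f"PCIR signature missing at 0x{off + pcir_off:X}")
        size = img_blocks * BLOCK
        info = {"offset": off, "size": size, "vendor_id": vid, "device_id": did,
                "class_code": int.from_bytes(cls, "little"),
                "code_type": code_type, "last": bool(indicator & LAST_IMAGE_FLAG)}
        if code_type == CODE_TYPE_EFI:
            efi_sig, subsystem, machine, compression = struct.unpack_from("<IHHH", rom, off + 0x04)
            efi_off, = struct.unpack_from("<H", rom, off + 0x16)
            info.update(efi_signature=efi_sig, subsystem=subsystem, machine=machine,
                        compressed=bool(compression),
                        payload=rom[off + efi_off:off + size])   # the embedded .efi (PE/COFF)
        images.append(info)
        off += size
        if info["last"] or off >= len(rom):
            return images


def validate_option_rom(rom):
    """Return a list of problems; an empty list means the chain is well-formed.

    The Authenticode signature lives inside the PE/COFF payload, so this only
    confirms that the payload is a PE image; verify the signature itself on
    the extracted payload with your signing tool.
    """
    try:
        images = parse_option_rom(rom)
    except (ValueError, struct.error) as exc:
        return [f"unparseable ROM: {exc}"]
    problems = []
    if not images[-1]["last"]:
        problems.append("last image does not set the PCIR 'last image' indicator")
    if sum(i["size"] for i in images) != len(rom):
        problems.append("image chain length does not match file length (data outside the chain)")
    for i in images:
        if i["code_type"] == CODE_TYPE_EFI:
            if i["efi_signature"] != EFI_SIGNATURE:
                problems.append(f"image at 0x{i['offset']:X}: EfiSignature is 0x{i['efi_signature']:04X}")
            if not i["payload"].startswith(b"MZ"):
                problems.append(f"image at 0x{i['offset']:X}: EFI payload is not a PE/COFF image")
    return problems


# Constructed sample payloads (not real drivers): a few bytes for the legacy
# image and a minimal "MZ"/"PE" stub standing in for the signed .efi.
SAMPLE_LEGACY_CODE = b"\xEB\xFE" + b"\x90" * 14
SAMPLE_SIGNED_EFI = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64


def build_sample_rom():
    """Legacy image first, EFI image last: the shape of a combined OpROM."""
    return (build_image(CODE_TYPE_LEGACY, SAMPLE_LEGACY_CODE)
            + build_image(CODE_TYPE_EFI, SAMPLE_SIGNED_EFI, last=True))


if __name__ == "__main__":
    rom = build_sample_rom()
    for img in parse_option_rom(rom):
        kind = "EFI" if img["code_type"] == CODE_TYPE_EFI else f"code type {img['code_type']}"
        print(f"0x{img['offset']:05X} {img['size']:6d} bytes {kind} last={img['last']}")
    print("problems:", validate_option_rom(rom) or "none")
```

On a real build the order from the thread is: sign the driver first (for example `sbsign --key db.key --cert db.crt --output nic.signed.efi nic.efi`, or signtool on Windows), then wrap it with `EfiRom -f <VendorId> -i <DeviceId> -b legacy.bin -e nic.signed.efi -o nic.rom`, then run `validate_option_rom(open("nic.rom", "rb").read())` and verify the signature on the `payload` bytes the parser returns rather than on the .rom. Anything appended after the last image, which is what a PE-style signer would do to a file that is not a PE, shows up as the "data outside the chain" problem.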
From: Yossef Efraim [mailto:[email protected]]
Sent: Tuesday, February 05, 2013 12:10 PM
To: [email protected]
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)
Brian - Thank you!
I signed the .efi file, then converted it to .rom using the EfiRom utility.
I just want to make sure this process [using EfiRom after signing] is not
breaking the format.
As I am trying to run the signed *.rom, and it fails (maybe because the platform
doesn't have the key).
Thanks!
From: Richardson, Brian [mailto:[email protected]]
Sent: Tuesday, February 05, 2013 5:49 PM
To: [email protected]
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)
Yossi:
You should be able to use the same UEFI Driver Image (.efi), just get it signed
by the UEFI CA using Microsoft's process. I recommend doing all of your testing
with the driver unsigned to verify functionality, only signing the driver after
the QA process is done.
You can do some preliminary testing by self-signing the driver, but this would
only work for testing on a system where you can manually enroll your custom
keys. Details on this process are in the "Signing UEFI Applications and Drivers
for UEFI Secure Boot" document at tianocore.org ...
http://sourceforge.net/projects/edk2/files/General%20Documentation/SigningUefiImages%20-v1dot30.pdf/download
Thanks ... br
---
Brian Richardson -- [email protected] -- Twitter: intel_brian
From: Yossef Efraim [mailto:[email protected]]
Sent: Tuesday, February 05, 2013 8:58 AM
To: [email protected]
Subject: [edk2] Secure Boot - PCI device driver (NIC)
Hi all,
I want my PCI device driver (NIC) to support Secure Boot.
Originally I thought that I only have to take the generated *.rom file and sign
it through MS UEFI FW signing.
1. Is it enough? Or should I add code / definitions?
2. If I do have to add something, does EDK2 have any sample for this?
Thanks!
Yossi
_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-devel