Do you have separate settings in setup for loading images from OptionROM, 
images from the fixed media and removable media? If so, is the OptionROM 
not set to Never Execute? I have created OptionROMs multiple times using 
signed efi and efirom and have never seen an issue.

Thanks
Sathya

From: El-Haj-Mahmoud, Samer [mailto:[email protected]]
Sent: Tuesday, March 05, 2013 9:01 AM
To: [email protected]
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)

Did you check the platform PCDs for loading OptionROMs when SecureBoot is 
enabled?

  ## Pcd for OptionRom.
  #  Image verification policy settings:
  #  ALWAYS_EXECUTE                         0x00000000
  #  NEVER_EXECUTE                          0x00000001
  #  ALLOW_EXECUTE_ON_SECURITY_VIOLATION    0x00000002
  #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003
  #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004
  #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005
  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00|UINT32|0x00000001


From: Richardson, Brian [mailto:[email protected]]
Sent: Tuesday, March 05, 2013 9:09 AM
To: [email protected]<mailto:[email protected]>
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)

The EfiRom program doesn't alter the UEFI Driver, it only packages the driver 
as part of the PCI Option ROM. If you used the signed driver with EfiRom then 
that's what gets bundled into the OpROM image.

Thanks ... br
---
Brian Richardson -- 
[email protected]<mailto:[email protected]> -- Twitter: 
intel_brian

From: Vladimir Sokolovsky [mailto:[email protected]]
Sent: Tuesday, March 05, 2013 10:01 AM
To: [email protected]<mailto:[email protected]>
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)

From the PCI Option ROM.

Regards,
Vladimir
On Tue, Mar 5, 2013 at 4:58 PM, Richardson, Brian 
<[email protected]<mailto:[email protected]>> wrote:
Did it load from the shell or from the PCI Option ROM?

Thanks ... br
---
Brian Richardson -- 
[email protected]<mailto:[email protected]> -- Twitter: 
intel_brian

From: Vladimir Sokolovsky 
[mailto:[email protected]<mailto:[email protected]>]
Sent: Tuesday, March 05, 2013 9:45 AM

To: [email protected]<mailto:[email protected]>
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)

Yes,
When Secure Boot is disabled, the UEFI driver loaded successfully.

Regards,
Vladimir
On Tue, Mar 5, 2013 at 4:15 PM, Richardson, Brian 
<[email protected]<mailto:[email protected]>> wrote:
The EfiRom command should not strip the signature from the signed driver. Can 
you confirm that the PCI Option ROM loads the UEFI Driver when UEFI Secure Boot 
is disabled?

Thanks ... br
---
Brian Richardson -- 
[email protected]<mailto:[email protected]> -- Twitter: 
intel_brian

From: Vladimir Sokolovsky 
[mailto:[email protected]<mailto:[email protected]>]
Sent: Tuesday, March 05, 2013 6:04 AM

To: [email protected]<mailto:[email protected]>
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)

Hi Brian,

Is there any specific flag for EfiRom that should keep the signature of the EFI 
file?
I run the following command:
# EfiRom.exe -f 0x15b3 -i 0x1003 -e 0a.01.10_uefi.efi -o 0a.01.10_uefi.rom

Then I see that the ROM image fails to be loaded during POST when UEFI Secure 
boot mode is enabled while the original signed efi image can be successfully 
loaded from the UEFI Shell.

Thanks,
Vladimir

_______________________________________________
edk2-devel mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/edk2-devel
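
The statement in the thread that EfiRom packages the signed driver unchanged can be checked directly on the built .rom file. The following is an added example, not code from the thread or from EDK II: it walks the images in a PCI option ROM and reports whether each uncompressed UEFI image still carries a PE/COFF certificate table. The function names are hypothetical and the sample ROM is constructed (it reuses the vendor and device IDs from the EfiRom command above).

```python
import struct

def security_dir(pe):
    """(file_offset, size) of the PE/COFF certificate table, data directory 4."""
    pe_off, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    opt = pe_off + 24                              # skip PE signature + COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ or PE32 layout
    return struct.unpack_from("<II", pe, dirs + 4 * 8)

def scan_rom(rom):
    """Walk the images in a PCI option ROM; classify each UEFI image."""
    found, base = [], 0
    while base + 0x1A <= len(rom) and rom[base:base + 2] == b"\x55\xaa":
        efi_sig, = struct.unpack_from("<I", rom, base + 4)
        compressed, = struct.unpack_from("<H", rom, base + 0x0C)
        efi_off, pcir_off = struct.unpack_from("<HH", rom, base + 0x16)
        pcir = base + pcir_off
        if rom[pcir:pcir + 4] != b"PCIR":
            break
        size = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512
        if rom[pcir + 0x14] == 0x03 and efi_sig == 0x0EF1:   # CodeType 3 = UEFI
            pe = rom[base + efi_off:base + size]
            state = "compressed"                   # would need decompression first
            if not compressed:
                off, length = security_dir(pe)
                state = ("unsigned" if not length else
                         "signed" if off + length <= len(pe) else "truncated")
            found.append((base, state))
        if rom[pcir + 0x15] & 0x80 or size == 0:   # Indicator bit 7 = last image
            break
        base += size
    return found

def build_sample_rom(cert_len):
    """Constructed input: one uncompressed UEFI image wrapping a PE32+ stub."""
    pe = bytearray(0x200)
    pe[:2] = b"MZ"
    struct.pack_into("<I4s20xH", pe, 0x3C, 0x40, b"PE\0\0", 0x20B)
    struct.pack_into("<II", pe, 0xE8, 0x200 if cert_len else 0, cert_len)
    pe += bytes(cert_len)                          # placeholder certificate blob
    blocks = -(-(0x38 + len(pe)) // 512)           # round up to 512-byte blocks
    rom = bytearray(blocks * 512)
    struct.pack_into("<HHIHHH8xHH", rom, 0, 0xAA55, blocks, 0x0EF1, 0x0B, 0x8664, 0, 0x38, 0x1C)
    struct.pack_into("<4sHH8xHHBB", rom, 0x1C, b"PCIR", 0x15B3, 0x1003, blocks, 0, 3, 0x80)
    rom[0x38:0x38 + len(pe)] = pe
    return bytes(rom)
```

A "signed" result only shows that the certificate table survived packaging; whether the image is then allowed to run still depends on the firmware's key databases and on the OptionROM verification policy discussed in the thread.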

