"Deny Execute" is set for Option ROM under image execution policy.
Thanks,
Vladimir
On Wed, Mar 6, 2013 at 8:17 AM, Prakash, Sathya <[email protected]> wrote:
> Do you have separate settings in setup for loading images from OptionROM,
> images from the fixed media and removable media, if so whether the
> OptionROM is not set to Never Execute? I have created OptionROM multiple
> times using signed efi and efirom and never seen an issue.
>
> Thanks
>
> Sathya
>
>
> *From:* El-Haj-Mahmoud, Samer [mailto:[email protected]]
> *Sent:* Tuesday, March 05, 2013 9:01 AM
>
> *To:* [email protected]
> *Subject:* Re: [edk2] Secure Boot - PCI device driver (NIC)
>
> Did you check the platform PCDs for loading OptionROMs when SecureBoot is
> enabled?
>
> ## Pcd for OptionRom.
> # Image verification policy settings:
> # ALWAYS_EXECUTE 0x00000000
> # NEVER_EXECUTE 0x00000001
> # ALLOW_EXECUTE_ON_SECURITY_VIOLATION 0x00000002
> # DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003
> # DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004
> # QUERY_USER_ON_SECURITY_VIOLATION 0x00000005
> gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00|UINT32|0x00000001
>
> *From:* Richardson, Brian
> [mailto:[email protected]<[email protected]>]
>
> *Sent:* Tuesday, March 05, 2013 9:09 AM
> *To:* [email protected]
> *Subject:* Re: [edk2] Secure Boot - PCI device driver (NIC)
>
> The EfiRom program doesn’t alter the UEFI Driver, it only packages the
> driver as part of the PCI Option ROM. If you used the signed driver with
> EfiRom then that’s what gets bundled into the OpROM image.
>
> Thanks ... br
>
> ---
>
> Brian Richardson -- [email protected] -- Twitter: intel_brian
>
> *From:* Vladimir Sokolovsky
> [mailto:[email protected]<[email protected]>]
>
> *Sent:* Tuesday, March 05, 2013 10:01 AM
> *To:* [email protected]
> *Subject:* Re: [edk2] Secure Boot - PCI device driver (NIC)
>
> From the PCI Option ROM.
>
> Regards,
> Vladimir
>
> On Tue, Mar 5, 2013 at 4:58 PM, Richardson, Brian <
> [email protected]> wrote:
>
> Did it load from the shell or from the PCI Option ROM?
>
> Thanks ... br
>
> ---
>
> Brian Richardson -- [email protected] -- Twitter: intel_brian
>
> *From:* Vladimir Sokolovsky [mailto:[email protected]]
> *Sent:* Tuesday, March 05, 2013 9:45 AM
> *To:* [email protected]
> *Subject:* Re: [edk2] Secure Boot - PCI device driver (NIC)
>
> Yes,
> When Secure boot is disabled UEFI driver successfully loaded.
>
> Regards,
> Vladimir
>
> On Tue, Mar 5, 2013 at 4:15 PM, Richardson, Brian <
> [email protected]> wrote:
>
> The EfiRom command should not strip the signature from the signed driver.
> Can you confirm that the PCI Option ROM loads the UEFI Driver when UEFI
> secure Boot is disabled?
>
> Thanks ... br
>
> ---
>
> Brian Richardson -- [email protected] -- Twitter: intel_brian
>
> *From:* Vladimir Sokolovsky [mailto:[email protected]]
> *Sent:* Tuesday, March 05, 2013 6:04 AM
> *To:* [email protected]
> *Subject:* Re: [edk2] Secure Boot - PCI device driver (NIC)
>
> Hi Brian,
>
>
> Is there any specific flag for EfiRom that should keep the signature of
> the EFI file?
> I run the following command:
> # EfiRom.exe -f 0x15b3 -i 0x1003 -e 0a.01.10_uefi.efi -o 0a.01.10_uefi.rom
>
> Then I see that the ROM image fails to be loaded during POST when UEFI
> Secure boot mode is enabled while the original signed efi image can be
> successfully loaded from the UEFI Shell.
>
> Thanks,
> Vladimir
>
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_feb
> _______________________________________________
> edk2-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/edk2-devel
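The statement in the thread that EfiRom packages the signed driver without altering it can be checked on the resulting .rom file. The following is an added example, not code from the thread or from EDK II: it walks the images in a PCI Option ROM and reports whether each uncompressed EFI image still carries a PE/COFF Certificate Table. The function names and the constructed sample ROM (which reuses the 0x15b3/0x1003 IDs from the EfiRom command above) are illustrative assumptions.

```python
import struct

EFI_CODE_TYPE = 0x03   # PCIR CodeType value for an EFI image
SECURITY_DIR = 4       # PE data directory index of the Certificate Table

def pe_cert_table(pe: bytes):
    """Return (file_offset, size) of the PE Certificate Table; size 0 = unsigned."""
    nt, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    opt = nt + 24                                     # PE signature + COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]       # PE32 / PE32+
    count, = struct.unpack_from("<I", pe, dirs - 4)   # NumberOfRvaAndSizes
    if count <= SECURITY_DIR:
        return (0, 0)
    return struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)

def efi_images(rom: bytes):
    """Walk a PCI Option ROM; report each EFI image and whether it is signed."""
    found, base = [], 0
    while base + 0x1A <= len(rom) and rom[base:base + 2] == b"\x55\xAA":
        pcir = base + struct.unpack_from("<H", rom, base + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            break
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        blocks, = struct.unpack_from("<H", rom, pcir + 0x10)    # 512-byte units
        code_type, indicator = struct.unpack_from("<BB", rom, pcir + 0x14)
        if code_type == EFI_CODE_TYPE:
            compressed, pe_off = struct.unpack_from("<H8xH", rom, base + 0x0C)
            signed = None       # unknown: a compressed image must be decompressed first
            if not compressed:
                signed = pe_cert_table(rom[base + pe_off:base + blocks * 512])[1] > 0
            found.append({"vendor": vendor, "device": device, "signed": signed})
        if indicator & 0x80 or blocks == 0:           # last image in the ROM
            break
        base += blocks * 512
    return found

def sample_rom(cert_size: int) -> bytes:
    """Constructed input: one uncompressed EFI image for device 0x15b3:0x1003."""
    pe = bytearray(b"MZ".ljust(0x200, b"\0"))
    struct.pack_into("<I4s", pe, 0x3C, 0x40, b"PE\0\0")   # e_lfanew, PE signature
    struct.pack_into("<H", pe, 0x58, 0x20B)               # PE32+ optional header
    struct.pack_into("<I32xII", pe, 0x58 + 108, 16, 0x180, cert_size)
    hdr = struct.pack("<HHIHHH8xHH", 0xAA55, 2, 0x0EF1, 0x0B, 0x8664, 0, 0x40, 0x1C)
    pcir = b"PCIR" + struct.pack("<HHHHB3sHHBBH", 0x15B3, 0x1003, 0, 0x18, 3,
                                 b"\0\0\x02", 2, 0, EFI_CODE_TYPE, 0x80, 0)
    return ((hdr + b"\0\0" + pcir).ljust(0x40, b"\0") + pe).ljust(0x400, b"\0")
```

A non-empty Certificate Table only shows that the signature survived packaging; whether the image runs still depends on the signature verifying against the platform's Secure Boot databases and on the Option ROM image verification policy discussed in the thread.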