Vladimir: what system are you using for testing?
Thanks ... br
---
Brian Richardson -- [email protected] -- Twitter: intel_brian
From: Vladimir Sokolovsky [mailto:[email protected]]
Sent: Wednesday, March 06, 2013 8:57 AM
To: [email protected]
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)
"Deny Execute" is set for Option ROM under image execution policy.
Thanks,
Vladimir
On Wed, Mar 6, 2013 at 8:17 AM, Prakash, Sathya
<[email protected]> wrote:
Do you have separate settings in setup for loading images from OptionROM,
images from the fixed media and removable media, if so whether the OptionROM is
not set to Never Execute? I have created OptionROM multiple times using
signed efi and efirom and never seen an issue.
Thanks
Sathya
From: El-Haj-Mahmoud, Samer [mailto:[email protected]]
Sent: Tuesday, March 05, 2013 9:01 AM
To: [email protected]
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)
Did you check the platform PCDs for loading OptionROMs when SecureBoot is
enabled?
## Pcd for OptionRom.
# Image verification policy settings:
# ALWAYS_EXECUTE 0x00000000
# NEVER_EXECUTE 0x00000001
# ALLOW_EXECUTE_ON_SECURITY_VIOLATION 0x00000002
# DEFER_EXECUTE_ON_SECURITY_VIOLATION 0x00000003
# DENY_EXECUTE_ON_SECURITY_VIOLATION 0x00000004
# QUERY_USER_ON_SECURITY_VIOLATION 0x00000005
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00|UINT32|0x00000001
From: Richardson, Brian [mailto:[email protected]]
Sent: Tuesday, March 05, 2013 9:09 AM
To: [email protected]
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)
The EfiRom program doesn't alter the UEFI Driver, it only packages the driver
as part of the PCI Option ROM. If you used the signed driver with EfiRom then
that's what gets bundled into the OpROM image.
Thanks ... br
---
Brian Richardson -- [email protected] -- Twitter: intel_brian
From: Vladimir Sokolovsky [mailto:[email protected]]
Sent: Tuesday, March 05, 2013 10:01 AM
To: [email protected]
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)
From the PCI Option ROM.
Regards,
Vladimir
On Tue, Mar 5, 2013 at 4:58 PM, Richardson, Brian
<[email protected]> wrote:
Did it load from the shell or from the PCI Option ROM?
Thanks ... br
---
Brian Richardson -- [email protected] -- Twitter: intel_brian
From: Vladimir Sokolovsky [mailto:[email protected]]
Sent: Tuesday, March 05, 2013 9:45 AM
To: [email protected]
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)
Yes,
When Secure boot is disabled UEFI driver successfully loaded.
Regards,
Vladimir
On Tue, Mar 5, 2013 at 4:15 PM, Richardson, Brian
<[email protected]> wrote:
The EfiRom command should not strip the signature from the signed driver. Can
you confirm that the PCI Option ROM loads the UEFI Driver when UEFI Secure Boot
is disabled?
Thanks ... br
---
Brian Richardson -- [email protected] -- Twitter: intel_brian
From: Vladimir Sokolovsky [mailto:[email protected]]
Sent: Tuesday, March 05, 2013 6:04 AM
To: [email protected]
Subject: Re: [edk2] Secure Boot - PCI device driver (NIC)
Hi Brian,
Is there any specific flag for EfiRom that should keep the signature of the EFI
file?
I run the following command:
# EfiRom.exe -f 0x15b3 -i 0x1003 -e 0a.01.10_uefi.efi -o 0a.01.10_uefi.rom
Then I see that the ROM image fails to be loaded during POST when UEFI Secure
boot mode is enabled while the original signed efi image can be successfully
loaded from the UEFI Shell.
Thanks,
Vladimir
_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-devel
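
Added example (not part of the original thread, and not EDK II or EfiRom code): a Python check that walks a PCI option ROM like the one EfiRom produces above and reports, for each uncompressed EFI image, whether the embedded PE/COFF file still has a Certificate Table entry. The function names and the sample ROM are constructed for illustration; a non-empty entry shows only that the signature data survived packaging, not that firmware will accept it under the platform's image verification policy.

```python
import struct

def pe_cert_table(pe: bytes):
    """Return (file_offset, size) of the PE Certificate Table, data directory 4."""
    lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[lfanew:lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    opt = lfanew + 24                       # PE signature (4) + COFF header (20)
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]     # PE32 / PE32+
    count = struct.unpack_from("<I", pe, dirs - 4)[0]
    return struct.unpack_from("<II", pe, dirs + 32) if count > 4 else (0, 0)

def inspect_option_rom(rom: bytes):
    """Walk every image in a PCI expansion ROM and report the EFI ones."""
    found, base = [], 0
    while base + 0x1A <= len(rom) and rom[base:base + 2] == b"\x55\xaa":
        pcir = base + struct.unpack_from("<H", rom, base + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            break
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        img_len = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        if code_type == 3 and struct.unpack_from("<I", rom, base + 4)[0] == 0x0EF1:
            compressed = struct.unpack_from("<H", rom, base + 0x0C)[0] != 0
            pe_off = base + struct.unpack_from("<H", rom, base + 0x16)[0]
            # A compressed payload must be decompressed before its PE header can be read.
            cert = None if compressed else pe_cert_table(rom[pe_off:base + img_len])
            found.append({"vendor": vendor, "device": device,
                          "compressed": compressed, "cert_table": cert})
        if indicator & 0x80 or img_len == 0:    # bit 7 marks the last image
            break
        base += img_len
    return found

def build_sample_rom(signed: bool) -> bytes:
    """Constructed test input: one uncompressed EFI image wrapping a stub PE32+."""
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    struct.pack_into("<I4s", pe, 0x3C, 0x40, b"PE\0\0")     # e_lfanew, PE signature at 0x40
    struct.pack_into("<H", pe, 0x58, 0x20B)                 # optional header magic (PE32+)
    cert = (0x180, 0x80) if signed else (0, 0)
    struct.pack_into("<I32xII", pe, 0xC4, 16, *cert)        # NumberOfRvaAndSizes, directory 4
    rom = bytearray(0x200) + pe
    struct.pack_into("<HHIHHH8xHH", rom, 0, 0xAA55, 2, 0x0EF1, 0x0B, 0x8664, 0, 0x200, 0x1C)
    struct.pack_into("<4sHH", rom, 0x1C, b"PCIR", 0x15B3, 0x1003)
    struct.pack_into("<HHBB", rom, 0x2C, 2, 0, 3, 0x80)     # length, rev, code type 3, last image
    return bytes(rom)
```

Calling `inspect_option_rom(open(path, "rb").read())` on a real ROM file gives the same report; a `cert_table` of `(0, 0)` means the packaged driver carries no signature data at all.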