Hi Guo and Tim,

 

Thanks for your replies.

 

> [Guo] Works as expected. The unsigned driver (.efi) can't run from EFI shell, right?

 

Yes right. Unsigned .efi won't load from shell while the signed .efi loads well.

 

> [Guo] what's your meaning of ROM here? Device ROM(OptionROM) or BIOS ROM? How do you expect the EFI image is found from ROM?

> If it is device ROM, and you expect it is loaded by bus driver Load_File2, you should convert signed driver (.efi) into .rom image since .efi driver is not supported by bus driver Load_File2.

> If it is BIOS ROM, how it is found and loaded?

 

Yes I mean OptionROM here. And yes I have converted the .EFI to .ROM image using Efirom.exe utility.

 

> The Shell command "LoadPciRom" will strip away the option rom header before call BS LoadImage(). So from the result here the image doesn't pass image verification.

> Your detailed experimental procedures may help to find the root cause.

 

That's what it looks like. The image (.efi which is 'embedded' in the
.rom) is not passing the image verification. But the same .efi loads
well as a EF under secure boot.

 

Regards

Deb

 

 

 

 

 

Hi Tim,

 

Yes. The bus driver Load_File2 will strip away the header. From Deb's
mail, the word "ROM" is not clear. 

 

Hi Deb,

 

Could you provide more details?

 

a) Our signed driver (.efi) loads very well under secure boot from the EFI shell.

  [Guo] Works as expected. The unsigned driver (.efi) can't run from EFI shell, right?

b) Our signed driver (.efi) when flashed into the ROM fails to load under secure boot.

  [Guo] what's your meaning of ROM here? Device ROM(OptionROM) or BIOS ROM? How do you expect the EFI image is found from ROM?

  If it is device ROM, and you expect it is loaded by bus driver Load_File2, you should convert signed driver (.efi) into .rom image since .efi driver is not supported by bus driver Load_File2.

  If it is BIOS ROM, how it is found and loaded?

c) Our signed driver (.efi) when converted into .rom image fails to load from the shell under secure boot.

  [Guo] The Shell command "LoadPciRom" will strip away the option rom header before call BS LoadImage(). So from the result here the image doesn't pass image verification.

  Your detailed experimental procedures may help to find the root cause.

 

Thanks,

Guo

-----Original Message-----

From: Tim Lewis [mailto:tim.lewis <at> insyde.com] 

Sent: Tuesday, September 03, 2013 10:15 AM

To: edk2-devel <at> lists.sourceforge.net

Subject: Re: [edk2] Not able to load Signed UEFI image from ROM.

 

Guo -- 

 

If I remember correctly, the PCI bus driver will expose a LOAD_FILE2 protocol on each PCI device that has the option ROM. The LOAD_FILE2 should return the PE/COFF image, not the option ROM, correct? Just like the LoadFile() function in LOAD_FILE protocol. In fact, this is what LocalLoadFile2() says (in PciBusDxe/PciOptionRomSupport.c): "Load the EFI Image from Option ROM"

If this function correctly gets the "EFI image" from the Option ROM, then there is no option ROM header anymore because it has been stripped away. If there is no option ROM header, then the BDS LoadImage() call should process it like any other EFI Image, including checking for the signature of the driver from the option ROM, against the secure database?

 

What am I missing?

 

Tim

 

-----Original Message-----

From: Dong, Guo [mailto:guo.dong <at> intel.com]

Sent: Monday, September 02, 2013 7:05 PM

To: edk2-devel <at> lists.sourceforge.net

Subject: Re: [edk2] Not able to load Signed UEFI image from ROM.

 

Hi Deb,

 

The "Secure boot" only supports EFI file (*.efi) verification.

When converting signed driver (.efi) into .rom image, I think an option rom header file is added to the signed driver (.efi). So it can't be directly loaded from shell or other place in "Secure boot" environment.

If there is another driver that could find and remove the option rom header from .rom image, it could be loaded by the driver in Secure boot environment.

 

Thanks,

Guo

-----Original Message-----

From: Debabrata [mailto:debabrata.chattopadhyay <at> pmcs.com]

Sent: Monday, September 02, 2013 7:00 PM

To: edk2-devel <at> lists.sourceforge.net

Subject: [edk2] Not able to load Signed UEFI image from ROM.

 

Hi,

 

I was working on "Secure Boot" for UEFI. So the idea is to sign our drivers and load it in secure boot environment.

As of now for experimental purposes we are test signing our driver with our own certificate, enrolling the certificate in UEFI firmware, enabling secure boot in UEFI firmware and trying to load our test-signed driver.

What we see is:

a) Our signed driver (.efi) loads very well under secure boot from the EFI shell.

b) Our signed driver (.efi) when flashed into the ROM fails to load under secure boot.

c) Our signed driver (.efi) when converted into .rom image fails to load from the shell under secure boot.

d) When secure boot is disabled our signed driver loads well be it as .efi from shell or as .rom from shell or as flashed into ROM.

So long story short: Our signed driver does not boot from ROM or .rom image

In case of flashed ROM (case b) above) I don't get any error but in case of manual .rom loading (case c) above) I do get an error at shell as: "Load image #1 error-Security Violation". "Image bios.rom loaded - Not found"

Can somebody throw some light into it, please?

 

Regards

Deb
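
Added example, not part of the original thread and not edk2 code: an offline Python check that walks a .rom file the way the thread describes (strip the option ROM header, then look at the PE/COFF that is handed on for verification) and reports whether that embedded image still carries a certificate table. The function names are hypothetical, the field offsets are assumed from the EFI_PCI_EXPANSION_ROM_HEADER and PCI data structure layouts, and `sample_rom` builds a constructed stub rather than a real driver.

```python
import struct

def pe_security_dir(pe):
    """(file offset, size) of the PE/COFF certificate table, or None if absent."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 24   # e_lfanew + PE sig + COFF header
    if pe[opt - 24:opt - 20] != b"PE\0\0" or len(pe) < opt + 152:
        return None
    wide = struct.unpack_from("<H", pe, opt)[0] == 0x20B       # PE32+ rather than PE32
    dirs = opt + (112 if wide else 96)                         # start of data directories
    count, off, size = struct.unpack_from("<I32xII", pe, dirs - 4)  # entry 4 = security
    return (off, size) if count > 4 and size else None

def efi_images(rom):
    """Walk the option ROM image chain and describe each EFI image in it."""
    found, base = [], 0
    while base + 0x1A <= len(rom) and rom[base:base + 2] == b"\x55\xaa":
        efi_sig, _, _, compressed, img_off, pcir = struct.unpack_from("<IHHH8xHH", rom, base + 4)
        p = base + pcir
        if rom[p:p + 4] != b"PCIR" or p + 0x16 > len(rom):
            break
        units, _, code_type, indicator = struct.unpack_from("<HHBB", rom, p + 0x10)
        if code_type == 3 and efi_sig == 0x0EF1:               # EFI image
            body = rom[base + img_off:base + units * 512]      # option ROM header stripped
            found.append({"offset": base, "compressed": bool(compressed),
                          "security_dir": None if compressed else pe_security_dir(body)})
        if indicator & 0x80 or units == 0:                     # last image in the ROM
            break
        base += units * 512
    return found

def sample_rom(signed):
    """Constructed input: a stub PE32+ header inside a one-image EFI option ROM."""
    pe, hdr = bytearray(0x200), bytearray(0x200)
    pe[:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)                     # e_lfanew
    struct.pack_into("<H", pe, 0x58, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", pe, 0x58 + 108, 16)                 # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", pe, 0x58 + 112 + 32, 0x180, 0x40)
    struct.pack_into("<HHIHHH", hdr, 0, 0xAA55, 2, 0x0EF1, 0x0B, 0x8664, 0)
    struct.pack_into("<HH", hdr, 0x16, 0x200, 0x1C)            # image and PCIR offsets
    hdr[0x1C:0x20] = b"PCIR"
    struct.pack_into("<H", hdr, 0x2C, 2)                       # ImageLength = 2 * 512
    struct.pack_into("<BB", hdr, 0x30, 3, 0x80)                # EFI code type, last image
    return bytes(hdr + pe)
```

Run `efi_images()` over the bytes of the real .rom: a `security_dir` of `None` on an uncompressed image means the PE/COFF left after the header is stripped has no certificate table. A compressed image is reported as such and is not inspected, since that requires decompressing it first.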

 

 


_______________________________________________

edk2-devel mailing list

edk2-devel <at> lists.sourceforge.net

https://lists.sourceforge.net/lists/listinfo/edk2-devel

 
