Hi Deb,
> c) Our signed driver (.efi) when converted into .rom image fails to load from
> the shell under secure boot.
Could you reproduce this issue on NT32 platform? If yes, please send out your
procedures.
Thanks,
Guo
From: Debabrata Chattopadhyay [mailto:debabrata.chattopadh...@pmcs.com]
Sent: Tuesday, September 03, 2013 5:41 PM
To: edk2-devel@lists.sourceforge.net
Subject: Re: [edk2] Not able to load Signed UEFI image from ROM.
Hi Guo and Tim,
Thanks for your replies.
> [Guo] Works as expected. The unsigned driver (.efi) can't run from EFI
> shell, right?
Yes right. Unsigned .efi won't load from shell while the signed .efi loads well.
> [Guo] what's your meaning of ROM here? Device ROM(OptionROM) or BIOS ROM? How
> do you expect the EFI image is found from ROM?
> If it is device ROM, and you expect it is loaded by bus driver Load_File2,
> you should convert signed driver (.efi) into .rom image since .efi driver is
> not supported by bus driver Load_File2.
> If it is BIOS ROM, how it is found and loaded?
Yes I mean OptionROM here. And yes I have converted the .EFI to .ROM image using
Efirom.exe utility.
> The Shell command "LoadPciRom" will strip away the option rom header before
> calling BS LoadImage(). So from the result here the image doesn't pass image
> verification.
> Your detailed experimental procedures may help to find the root cause.
That's what it looks like. The image (.efi which is 'embedded' in the .rom) is
not passing the image verification. But the same .efi loads well as a EF under
secure boot.
Regards
Deb
Hi Tim,
Yes. The bus driver Load_File2 will strip away the header. From Deb's mail, the
word "ROM" is not clear.
Hi Deb,
Could you provide more details?
a) Our signed driver (.efi) loads very well under secure boot from the EFI shell.
[Guo] Works as expected. The unsigned driver (.efi) can't run from EFI shell,
right?
b) Our signed driver (.efi) when flashed into the ROM fails to load under
secure boot.
[Guo] What's your meaning of ROM here? Device ROM (OptionROM) or BIOS ROM? How
do you expect the EFI image is found from ROM?
If it is device ROM, and you expect it is loaded by bus driver Load_File2, you
should convert signed driver (.efi) into .rom image since .efi driver is not
supported by bus driver Load_File2.
If it is BIOS ROM, how is it found and loaded?
c) Our signed driver (.efi) when converted into .rom image fails to load from
the shell under secure boot.
[Guo] The Shell command "LoadPciRom" will strip away the option rom header
before calling BS LoadImage(). So from the result here the image doesn't pass
image verification.
Your detailed experimental procedures may help to find the root cause.
Thanks,
Guo
-----Original Message-----
From: Tim Lewis [mailto:tim.lewis <at> insyde.com]
Sent: Tuesday, September 03, 2013 10:15 AM
To: edk2-devel <at> lists.sourceforge.net
Subject: Re: [edk2] Not able to load Signed UEFI image from ROM.
Guo --
If I remember correctly, the PCI bus driver will expose a LOAD_FILE2 protocol
on each PCI device that has the option ROM. The LOAD_FILE2 should return the
PE/COFF image, not the option ROM, correct? Just like the LoadFile() function
in LOAD_FILE protocol. In fact, this is what LocalLoadFile2() says (in
PciBusDxe/PciOptionRomSupport.c): "Load the EFI Image from Option ROM"
If this function correctly gets the "EFI image" from the Option ROM, then there
is no option ROM header anymore because it has been stripped away. If there is
no option ROM header, then the BDS LoadImage() call should process it like any
other EFI Image, including checking for the signature of the driver from the
option ROM, against the secure database?
What am I missing?
Tim
-----Original Message-----
From: Dong, Guo [mailto:guo.dong <at> intel.com]
Sent: Monday, September 02, 2013 7:05 PM
To: edk2-devel <at> lists.sourceforge.net
Subject: Re: [edk2] Not able to load Signed UEFI image from ROM.
Hi Deb,
The "Secure boot" only supports EFI file (*.efi) verification.
When converting signed driver (.efi) into .rom image, I think an option rom
header file is added to the signed driver (.efi). So it can't be directly
loaded from shell or other place in "Secure boot" environment.
If there is another driver that could find and remove the option rom header
from .rom image, it could be loaded by the driver in Secure boot environment.
Thanks,
Guo
-----Original Message-----
From: Debabrata [mailto:debabrata.chattopadhyay <at> pmcs.com]
Sent: Monday, September 02, 2013 7:00 PM
To: edk2-devel <at> lists.sourceforge.net
Subject: [edk2] Not able to load Signed UEFI image from ROM.
Hi,
I was working on "Secure Boot" for UEFI. So the idea is to sign our drivers and
load it in secure boot environment.
As of now for experimental purposes we are test signing our driver with our own
certificate, enrolling the certificate in UEFI firmware, enabling secure boot
in UEFI firmware and trying to load our test-signed driver.
What we see is:
a) Our signed driver (.efi) loads very well under secure boot from the EFI shell.
b) Our signed driver (.efi) when flashed into the ROM fails to load under
secure boot.
c) Our signed driver (.efi) when converted into .rom image fails to load from
the shell under secure boot.
d) When secure boot is disabled our signed driver loads well be it as .efi from
shell or as .rom from shell or as flashed into ROM.
So long story short: Our signed driver does not boot from ROM or .rom image.
In case of flashed ROM (case b) above) I don't get any error but in case of
manual .rom loading (case c) above) I do get an error at shell as: "Load image
#1 error-Security Violation". "Image bios.rom loaded - Not found"
Can somebody throw some light into it, please?
Regards
Deb
------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies and
advance your career. Get
an incredible 1,500+ hours of step-by-step tutorial videos with LearnDevNow.
Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk
_______________________________________________
edk2-devel mailing list
edk2-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel
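The header-stripping step discussed in this thread can be checked offline. The following is an added example, not code from the thread or from EDK2: it walks a .rom container, extracts the EFI payload a loader would hand to LoadImage(), and reports whether that payload is byte-identical to the signed .efi and how many bytes follow its PE certificate table. Function names are hypothetical, the sample ROM is constructed, and the payload boundary (EfiImageHeaderOffset up to InitializationSize * 512) is an assumption.

```python
import struct

def efi_images(rom):
    """Yield (offset, compressed, payload) for each EFI image in an option ROM."""
    base = 0
    while base + 0x1A <= len(rom):
        (sig, init_size, efi_sig, _, _, comp,
         img_off, pcir_off) = struct.unpack_from("<HHIHHH8xHH", rom, base)
        pcir = base + pcir_off
        if sig != 0xAA55 or rom[pcir:pcir + 4] != b"PCIR" or pcir + 0x16 > len(rom):
            return
        image_len, = struct.unpack_from("<H", rom, pcir + 0x10)
        code_type, indicator = struct.unpack_from("<BB", rom, pcir + 0x14)
        if code_type == 3 and efi_sig == 0x0EF1:     # EFI code type and signature
            # Assumption: payload spans EfiImageHeaderOffset..InitializationSize*512
            yield base, comp != 0, rom[base + img_off:base + init_size * 512]
        if indicator & 0x80 or image_len == 0:       # last image, or bad length
            return
        base += image_len * 512

def cert_table(pe):
    """Return (file_offset, size) of the PE certificate table, or None."""
    try:
        nt, = struct.unpack_from("<I", pe, 0x3C)
        magic, = struct.unpack_from("<H", pe, nt + 24)
        entry = nt + 24 + (112 if magic == 0x20B else 96) + 4 * 8  # directory 4
        off, size = struct.unpack_from("<II", pe, entry)
    except struct.error:
        return None
    valid = pe[:2] == b"MZ" and pe[nt:nt + 4] == b"PE\0\0" and off and size
    return (off, size) if valid and off + size <= len(pe) else None

def diagnose(rom, signed_efi):
    """Compare what a loader would extract from the ROM with the signed .efi."""
    for offset, compressed, payload in efi_images(rom):
        ct = None if compressed else cert_table(payload)
        yield {"offset": offset, "compressed": compressed,
               "identical_to_signed_efi": payload == signed_efi,
               "bytes_after_cert_table": len(payload) - sum(ct) if ct else None}

def sample():
    """Constructed input: a 512-byte fake signed PE32+ wrapped in a 1 KiB ROM."""
    pe = bytearray(b"MZ".ljust(0x200, b"\0"))
    struct.pack_into("<I4s20xH", pe, 0x3C, 0x40, b"PE\0\0", 0x20B)
    struct.pack_into("<II", pe, 0x58 + 112 + 32, 0x1F8, 8)    # cert table at EOF
    rom = bytearray(0x40) + pe + bytearray(0x1C0)             # header, image, pad
    struct.pack_into("<HHIHHH8xHH", rom, 0, 0xAA55, 2, 0x0EF1, 0x0B, 0x8664, 0, 0x40, 0x1C)
    struct.pack_into("<4s12xHHBB", rom, 0x1C, b"PCIR", 2, 0, 3, 0x80)
    return bytes(rom), bytes(pe)
```

On the constructed sample, `list(diagnose(*sample()))` reports one uncompressed EFI image whose extracted payload carries padding after the certificate table and therefore differs from the original file; a compressed payload has to be decompressed before `cert_table()` can inspect it.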