Like everyone is saying, it's platform specific. If it gives you hope, I've
successfully done it. A few things...
- PCI enumeration occurs before BDS (boot device selection). PciBusDxe is
the driver that does it. Here is the source for the part that actually
loads the drivers if you're interested:
https://svn.code.sf.net/p/edk2/code/trunk/edk2/MdeModulePkg/Bus/Pci/PciBusDxe/PciOptionRomSupport.c
- If SecureBoot is on, all hope is not lost. You may have one of the
machines where SecureBoot doesn't check op roms (crazy, right?). Otherwise,
you'd have to have your driver signed.
- Make sure to use the efirom utility. Flashing just the driver won't work.
Also, from a security perspective, crashing because of improperly formatted
boot variables is really bad because it's so easy to do and so hard to fix
if you don't have IPMI or something. Let's say country A wants to damage
country B and it is known that country B uses a lot of computers that have
out of date browsers/java/adobe/etc and whose firmware crashes when
encountering corrupt boot variables. Country A creates malware that enters
through the browser or other app and corrupts the boot variables from the
OS (using SetFirmwareEnvironmentVariable in Windows, for example), thereby
bricking thousands of machines.
Even if that scenario seems far-fetched, it's still annoying and I've seen
a lot of firmware with this problem. As far as I can tell, the solution is
just to add code that handles bad input. Hopefully this gets improved.
Thomas Rognon
On Wed, Mar 5, 2014 at 8:02 PM, Andrew Fish <af...@apple.com> wrote:
>
> On Mar 5, 2014, at 5:53 PM, Bill Paul <wp...@windriver.com> wrote:
>
> Of all the gin joints in all the towns in all the world, Carsey, Jaben had
> to
> walk into mine at 17:26:07 on Wednesday 05 March 2014 and say:
>
> A driver is able to do this, but whether your driver gets loaded and run is
> a platform policy decision and may be different for your tablet.
>
>
> Can you elaborate? Where is the policy controlled from?
>
>
> The platform OEM. If you always new you would only support booting from
> internal devices, then disabling running a ROM from the PCIe slot improves
> security.
>
> Does your tablet have an RTC with a battery backup? Maybe you could pull
> the battery, and maybe reseting the RTC CMOS would trigger some kind of
> recovery action? Just a wild guess.
>
> On a Mac you do cmd-opt-P-R to reset this kind of thing, but you are in
> the area of platform specific behavior. So it is hard for us to give too
> much concrete advice....
>
> Good Luck,
>
> Andrew Fish
>
> I know that some UEFI firmware implementations have a setup menu option to
>
> enable/disable loading of option ROMs, but it's not clear to me if this
> applies only to BIOS option ROMs -- usually it affects whether or not the
> PXE
> ROM is loaded. And the setup menu on this tablet is very limited -- I'm
> pretty
> sure it didn't have any option to configure this.
>
> If you go ahead with it, you may borrow some code from the shell's BCFG
> command for BOOTXXXX variable manipulation.
>
>
> Oh I already know how to handle this with gBS->SetVariable(). (That's what
> got
> me into this mess in the first place.)
>
> -Bill
>
> -Jaben
>
> -----Original Message-----
> From: Bill Paul [mailto:wp...@windriver.com <wp...@windriver.com>]
> Sent: Wednesday, March 05, 2014 5:12 PM
> To: edk2-devel@lists.sourceforge.net
> Subject: [edk2] Question about firmware startup order of events
>
> You may recall that I mentioned that due to a mishap with some UEFI OS
> loader code I was developing, I managed to brick my UEFI-based tablet by
> setting an improperly formatted boot path variable as the default boot
> path.
>
> Unfortunately unplugging the internal SSD drive didn't have any effect, and
> I haven't been able to think of a way to directly re-whack the NVRAM, and
> I don't have a way to hook my JTAG probe to it. I did think of one
> potential way around the problem, but there's something I need to clarify
> first.
>
> The tablet has wifi support, in the form of an Atheros mini-PCIe adapter
> which is plugged into the main board. This adapter can be easily unplugged
> and replaced.
>
> What I'm considering is using the EDK2 to cobble together a UEFI driver
> with just enough code in it to erase the BootXXXX and BootOrder variables
> and flashing it to some device which I can fit into this mini-PCIe slot,
> in the hopes that I can get the firmware to run this code for me.
>
> But this will only work if the driver is loaded and executed before the
> firmware gets to the boot device selection code. Conceptually it would
> seem that this would be the case (I mean, you need to load the drivers for
> devices before you can use them as boot paths, right?) but I'm not
> positive if this so.
>
> Can anyone tell me if this idea has a chance of working? It costs me
> nothing to tinker around with the EDK2, but it would cost me a little do
> obtain a suitable PCIe device, so I want to check before I end up spending
> money for nothing.
>
> -Bill
>
> --
> ===========================================================================
> == -Bill Paul (510) 749-2329 | Senior Member of Technical
> Staff,
> wp...@windriver.com | Master of Unix-Fu - Wind River Systems
> ==========================================================================
> === "I put a dollar in a change machine. Nothing changed." - George Carlin
> ==========================================================================
> ===
>
> ---------------------------------------------------------------------------
> --- Subversion Kills Productivity. Get off Subversion & Make the Move to
> Perforce. With Perforce, you get hassle-free workflows. Merge that
> actually works. Faster operations. Version large binaries. Built-in WAN
> optimization and the freedom to use Git, Perforce or both. Make the move
> to Perforce.
> http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clkt
> rk _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/edk2-devel
>
> ---------------------------------------------------------------------------
> --- Subversion Kills Productivity. Get off Subversion & Make the Move to
> Perforce. With Perforce, you get hassle-free workflows. Merge that
> actually works. Faster operations. Version large binaries. Built-in WAN
> optimization and the freedom to use Git, Perforce or both. Make the move
> to Perforce.
> http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktr
> k _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/edk2-devel
>
>
> --
>
> =============================================================================
> -Bill Paul (510) 749-2329 | Senior Member of Technical Staff,
> wp...@windriver.com | Master of Unix-Fu - Wind River
> Systems
>
> =============================================================================
> "I put a dollar in a change machine. Nothing changed." - George Carlin
>
> =============================================================================
>
>
> ------------------------------------------------------------------------------
> Subversion Kills Productivity. Get off Subversion & Make the Move to
> Perforce.
> With Perforce, you get hassle-free workflows. Merge that actually works.
> Faster operations. Version large binaries. Built-in WAN optimization and
> the
> freedom to use Git, Perforce or both. Make the move to Perforce.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/edk2-devel
>
>
>
>
> ------------------------------------------------------------------------------
> Subversion Kills Productivity. Get off Subversion & Make the Move to
> Perforce.
> With Perforce, you get hassle-free workflows. Merge that actually works.
> Faster operations. Version large binaries. Built-in WAN optimization and
> the
> freedom to use Git, Perforce or both. Make the move to Perforce.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/edk2-devel
>
>
------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works.
Faster operations. Version large binaries. Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel
