<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@vertical+block@17657869ce6e4ba683ebce25c07426ae" data-request-token="473bf9f4093511efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="vert-mod">
<div class="vert vert-0" data-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@c42ec24a4d6d4098ac55dc5f62dbf87c">
<div class="xblock xblock-public_view xblock-public_view-markdown" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-block-type="markdown" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@c42ec24a4d6d4098ac55dc5f62dbf87c" data-request-token="473bf9f4093511efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="markdown_xblock"><p>Let's make sure we have:</p>
<ul>
<li>Source Level Debugging enabled (please check Practice #2)</li>
<li>Gathered the whole <code>debug.log</code> from the boot process</li>
<li>Run QEMU:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>qemu-system-x86_64 -nographic -bios Build/OvmfX64/DEBUG_GCC5/FV/OVMF.fd -chardev file,path<span class="o">=</span>debug.log,id<span class="o">=</span>edk2-debug -device isa-debugcon,iobase<span class="o">=</span>0x402,chardev<span class="o">=</span>edk2-debug
</code></pre>
</div>
<ul>
<li>Wait until the <code>Shell></code> prompt appears, then exit with <code>Ctrl-a x</code>.</li>
<li>The debug log should now be in the file <code>debug.log</code></li>
</ul>
<h2>Exercise #1: Find where each UEFI boot phase starts</h2>
<ul>
<li>Grep case-insensitively for <code>SEC</code>, <code>PEI</code>, <code>DXE</code> and <code>BDS</code></li>
<li><p>SEC</p>
<ul>
<li><p>Only one entry refers to the SEC phase; the others are not related to the UEFI phase:</p>
<div class="codehilite">
<pre><span></span><code>SecCoreStartupWithStack<span class="o">(</span>0xFFFCC000, 0x820000<span class="o">)</span>
</code></pre>
</div></li>
<li><p>Please note the log line above, so we can explore the C code related to it in further exercises in this lab</p></li>
</ul></li>
<li><p>PEI </p>
<ul>
<li>When looking for PEI we get far more occurrences, including a lot of PEIM loading, PPI notifies and discovery of volumes.</li>
<li><p>The first occurrence of Pei is in the following log line:</p>
<div class="codehilite">
<pre><span></span><code>DiscoverPeimsAndOrderWithApriori<span class="o">()</span>: Found 0x7 PEI FFS files <span class="k">in</span> the 0th FV
</code></pre>
</div></li>
<li><p>But is it really the start of the PEI phase? We will try to figure that out in the next exercise.</p></li>
</ul></li>
<li><p>DXE</p>
<ul>
<li>The first occurrence is the loading of DXE IPL (Initial Program Loader), which prints the following log line:
<div class="codehilite">
<pre><span></span><code>DXE IPL Entry
</code></pre>
</div></li>
</ul></li>
<li><p>BDS</p>
<ul>
<li>The first occurrence is the loading of BDS DXE, which prints the following log line:
<div class="codehilite">
<pre><span></span><code><span class="o">[</span>Bds<span class="o">]</span> Entry...
</code></pre>
</div></li>
</ul></li>
</ul>
</div>
</div>
</div>
</div>
</div>
<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@vertical+block@9c11a3b908644634bf6548aa492201b7" data-request-token="473bf9f4093511efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="vert-mod">
<div class="vert vert-0" data-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@bfa7049164a242b599a88e71420b964d">
<div class="xblock xblock-public_view xblock-public_view-markdown" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-block-type="markdown" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@bfa7049164a242b599a88e71420b964d" data-request-token="473bf9f4093511efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="markdown_xblock"><p>Let's step over OVMF SEC phase</p>
<h2>Exercise #2: Break at known logging point and step over to PEI hand-off</h2>
<ul>
<li>From Practice #1 Exercise #2 you should know the file where the log appears</li>
<li>Use Practice #1 Exercise #3 to break at the function with the mentioned log</li>
<li>Find the place where control is handed over to the PEI core; feel free to use <code>tui enable</code>, since code comments may help identify the place where control is transferred</li>
<li>Please note the name of the function called during the hand-off from SEC to PEI (we will refer to it as <code><SEC_TO_PEI_HO></code>)</li>
</ul>
<p>If you continue stepping into the PEI core, GDB will not recognize the code it is in, so we have to load the appropriate symbols.</p>
<h2>Exercise #3: Load PEI core symbols by finding information in build output files</h2>
<ul>
<li>Let's find where in OvmfPkg <code><SEC_TO_PEI_HO></code> is used</li>
</ul>
<div class="codehilite">
<pre><span></span><code>grep <SEC_TO_PEI_HO> OvmfPkg/ -r
</code></pre>
</div>
<ul>
<li>It will give us the C source file where the function is used</li>
<li>That way we can figure out the type of this entry point and find the header that defines that function type; it is in <code>MdePkg/Include/Pi/PiPeiCis.h</code></li>
<li><p>But which implementation of that function is used in our case? Here we meet the complexity of EDKII and UEFI:</p>
<ul>
<li>Let's first note which parameters our function uses, based on the definition in <code>MdePkg/Include/Pi/PiPeiCis.h</code> (a small hint: there are two of them)</li>
<li><p>Let's use grep magic:</p>
<div class="codehilite">
<pre><span></span><code>grep <span class="s2">"IN CONST <FIRST_PARAM>"</span> --include<span class="o">=</span><span class="se">\*</span>.c . -r -A <span class="m">1</span> --exclude-dir<span class="o">=</span>Build<span class="p">|</span>grep <span class="s2">"IN CONST <SECOND_PARAM>"</span> -B <span class="m">1</span>
</code></pre>
</div></li>
<li><p>To explain the above, it says: look for <code><FIRST_PARAM></code> recursively (<code>-r</code>) in all C files (<code>--include=\*.c</code>), except in the Build directory (<code>--exclude-dir=Build</code>), and show one line after each occurrence;
then pipe the result and grep the output for occurrences of <code><SECOND_PARAM></code>, which should appear in the added line, and when found print the occurrence and one line before it</p></li>
<li>Yay! We found two implementations of our <code><SEC_TO_PEI_HO></code> function. If we have a closer look at the source code, we will find that the second implementation is required by the EFI Bytecode Compiler (EBC), which is not interesting to us at this point.</li>
<li>Our function is compiled as a library, which can be verified by checking the INF file; it can typically be found in the same directory or one level above. How do we know we are looking at the correct INF file? It contains our C source file name in the <code>[Sources]</code> section. In the INF file we can find <code>LIBRARY_CLASS = ...</code>; let's remember the <code>BASE_NAME</code> of this library</li>
</ul></li>
<li><p>Where is our library used?</p>
<ul>
<li><p>A little bit more grep magic:</p>
<div class="codehilite">
<pre><span></span><code>grep <BASE_NAME> --include<span class="o">=</span><span class="se">\*</span>.inf . -rw --exclude-dir<span class="o">=</span>Build --exclude<span class="o">=</span><BASE_NAME>.inf
</code></pre>
</div></li>
<li><p>It looks like there is only one module where the library is used, and if we look for the <code>BASE_NAME</code> of this module in the map files we will find BaseAddress, which can be used to load the debug binary</p>
<div class="codehilite">
<pre><span></span><code>grep <MOD_USING_LIB_BASE_NAME> --include<span class="o">=</span><span class="se">\*</span>.map . -rw<span class="p">|</span>grep BaseAddress
</code></pre>
</div></li>
<li><p>We are a little bit lucky in the end, because we are dealing with a UEFI phase and not some random driver; that's why it is visible in the map files</p></li>
</ul></li>
</ul>
</div>
</div>
</div>
</div>
</div>
<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@vertical+block@dd816c41d5f7469785094409c1e2910d" data-request-token="473bf9f4093511efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="vert-mod">
<div class="vert vert-0" data-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@195cf7a548024d6c9de495b2832b8fe2">
<div class="xblock xblock-public_view xblock-public_view-markdown" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-block-type="markdown" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@195cf7a548024d6c9de495b2832b8fe2" data-request-token="473bf9f4093511efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="markdown_xblock"><h2>Exercise #4: Load PEI core symbols by finding information at runtime during debugging</h2>
<ul>
<li>Let's find where in OvmfPkg <code><SEC_TO_PEI_HO></code> is used</li>
</ul>
<div class="codehilite">
<pre><span></span><code>grep <SEC_TO_PEI_HO> OvmfPkg/ -r
</code></pre>
</div>
<ul>
<li>It will give us the C source file where the function is used</li>
<li>Let's note the name of the function that calls <code><SEC_TO_PEI_HO></code>; let's call it <code><SEC_TO_PEI_HO_CALLER></code></li>
<li>Let's start a debugging session</li>
<li>From Practice #1 Exercise #2 you should know the file where the log appears</li>
<li>Use Practice #1 Exercise #3 to break at <code><SEC_TO_PEI_HO_CALLER></code> with the mentioned log</li>
<li>What interests us is the function that finds the entry points, because inside it another function finds the PEI core image base, which we need in order to load symbols</li>
<li>Where are the symbols for the PEI core? Please check <code>./Build/OvmfX64/DEBUG_GCC5/Ovmf.map</code></li>
</ul>
<h2>Exercise #5: Analyze debug.log</h2>
<ul>
<li>In the SEC phase OVMF does not print anything other than the <code>SecCoreStartupWithStack</code> information; to get more information we have to add our own logs or switch to PEI</li>
</ul>
</div>
</div>
</div>
</div>
</div>
<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@vertical+block@17cdee277c934cb9bd0836d50953ba02" data-request-token="473bf9f4093511efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="vert-mod">
<div class="vert vert-0" data-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@aa619d320f204d5da581c9c62764ef37">
<div class="xblock xblock-public_view xblock-public_view-markdown" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-block-type="markdown" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@aa619d320f204d5da581c9c62764ef37" data-request-token="473bf9f4093511efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="markdown_xblock"><h2>Exercise #6: Jump to PEI</h2>
<ul>
<li>Based on Exercise #5 we know the PEI base address, so we can load a new file and its symbols into the open session</li>
<li>Let's start QEMU:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>qemu-system-x86_64 -nographic -bios Build/OvmfX64/DEBUG_GCC5/FV/OVMF.fd -chardev file,path<span class="o">=</span>debug.log,id<span class="o">=</span>edk2-debug -device isa-debugcon,iobase<span class="o">=</span>0x402,chardev<span class="o">=</span>edk2-debug -s -S
</code></pre>
</div>
<ul>
<li>Let's start GDB and load symbols:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>add-symbol-file Build/OvmfX64/DEBUG_GCC5/X64/SecMain.debug <span class="o">(</span>0x00fffcc094+0x0000000000000240<span class="o">)</span> -s .data <span class="o">(</span>0x00fffcc094+0x00000000000088c0<span class="o">)</span>
add-symbol-file Build/OvmfX64/DEBUG_GCC5/X64/PeiCore.debug <span class="o">(</span>0x0000820140+0x0000000000000240<span class="o">)</span> -s .data <span class="o">(</span>0x0000820140+0x000000000000af40<span class="o">)</span>
target remote :1234
<span class="nb">break</span> SecStartupPhase2
</code></pre>
</div>
<p>Please note that the above addresses could change if you are using a different code base or different compilation parameters.</p>
<ul>
<li>Step into (gdb <code>si</code>) <code>PeiCoreEntryPoint</code> and you are in the PEI phase</li>
</ul>
<h2>Exercise #7: Review PEI debug.log</h2>
<ul>
<li>Continue the debug session from Exercise #6 by stepping into (gdb <code>si</code>) <code>ProcessModuleEntryPointList</code>; then you can step over (gdb <code>n</code>) the steps in the <code>PeiCore</code> function</li>
<li>Please note that the first PPIs (PEIM-to-PEIM Interfaces) are installed, together with some PPI Notifies, when the PEI Core Service completes its initialization by calling <code>Initialize{SecurityServices,DispatcherData,ImageServices}</code>, as indicated in debug.log</li>
<li>We can continue to <code>PeiDispatcher</code>, which is responsible for discovering and loading PEIMs (PEI Modules); it is worth stepping into this function and going through the code more carefully</li>
<li><code>DiscoverPeimsAndOrderWithApriori</code> checks which PEIMs should be loaded before any other, which essentially determines the order of PEIMs</li>
<li>Then the dispatcher starts loading various PEIMs, starting with <code>PcdPeim</code>; loading a PEIM may mean installation of additional PPIs and registration of associated Notifies</li>
<li>The fourth PEIM is <code>PlatformPei</code>; its logging is verbose because it handles CMOS dumping, ACPI S3 detection and verification, various initialization related to memory, and callback installation.</li>
<li><code>PlatformPei</code> leads to temporary RAM migration, which changes the way we load debug symbols</li>
<li>We should see a log as follows:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>TemporaryRamMigration<span class="o">(</span>0x810000, 0x3F4E000, 0x10000<span class="o">)</span>
Loading PEIM 52C05B14-0B98-496C-BC3B-04B50211D680
Loading PEIM at 0x00007EE8000 <span class="nv">EntryPoint</span><span class="o">=</span>0x00007EEFD0F PeiCore.efi
<span class="o">(</span>...<span class="o">)</span>
</code></pre>
</div>
<ul>
<li>From previous analysis we know that the <code>.text</code> section of <code>PeiCore</code> is at offset <code>0x240</code> and <code>.data</code> is at offset <code>0xaf40</code>; to apply the changes in the debugging session we should do as follows</li>
</ul>
<div class="codehilite">
<pre><span></span><code>Breakpoint <span class="m">6</span>, PeiCore <span class="o">(</span><span class="nv">SecCoreDataPtr</span><span class="o">=</span>SecCoreDataPtr@entry<span class="o">=</span>0x3f55d20, <span class="nv">PpiList</span><span class="o">=</span>PpiList@entry<span class="o">=</span>0x0, <span class="nv">Data</span><span class="o">=</span>Data@entry<span class="o">=</span>0x3f55628<span class="o">)</span> at /home/user/edk2/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c:169
<span class="o">(</span>gdb<span class="o">)</span> n
<span class="o">(</span>gdb<span class="o">)</span> si
0x0000000007eee4fd <span class="k">in</span> ?? <span class="o">()</span>
<span class="o">(</span>gdb<span class="o">)</span> symbol-file Build/OvmfX64/DEBUG_GCC5/X64/PeiCore.debug
Load new symbol table from <span class="s2">"Build/OvmfX64/DEBUG_GCC5/X64/PeiCore.debug"</span>? <span class="o">(</span>y or n<span class="o">)</span> y
Reading symbols from Build/OvmfX64/DEBUG_GCC5/X64/PeiCore.debug...
<span class="o">(</span>gdb<span class="o">)</span> add-symbol-file Build/OvmfX64/DEBUG_GCC5/X64/PeiCore.debug <span class="o">(</span>0x00007EE8000+0x0000000000000240<span class="o">)</span> -s .data <span class="o">(</span>0x00007EE8000+0x000000000000af40<span class="o">)</span>
add symbol table from file <span class="s2">"Build/OvmfX64/DEBUG_GCC5/X64/PeiCore.debug"</span> at
.text_addr <span class="o">=</span> 0x7ee8240
.data_addr <span class="o">=</span> 0x7ef2f40
<span class="o">(</span>y or n<span class="o">)</span> y
Reading symbols from Build/OvmfX64/DEBUG_GCC5/X64/PeiCore.debug...
</code></pre>
</div>
<ul>
<li>To continue debugging we have to do the same for <code>DxeIpl</code></li>
</ul>
<pre><code>(gdb) symbol-file Build/OvmfX64/DEBUG_GCC5/X64/DxeIpl.debug
Load new symbol table from "Build/OvmfX64/DEBUG_GCC5/X64/DxeIpl.debug"? (y or n) y
Reading symbols from Build/OvmfX64/DEBUG_GCC5/X64/DxeIpl.debug...
(gdb) add-symbol-file Build/OvmfX64/DEBUG_GCC5/X64/DxeIpl.debug (0x00007EDE000+0x0000000000000240) -s .data (0x00007EDE000+0x0000000000004240)
add symbol table from file "Build/OvmfX64/DEBUG_GCC5/X64/DxeIpl.debug" at
.text_addr = 0x7ede240
.data_addr = 0x7ee2240
(y or n) y
</code></pre>
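<p>The address arithmetic from this exercise, scripted as an added example (not part of the original course material): it reads the <code>Loading PEIM at</code> lines from <code>debug.log</code> and prints the matching <code>add-symbol-file</code> commands. The offset table holds the values used on this page; the function names, the <code>DxeIpl</code> entry point and the <code>FooPei</code> line in the sample log are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: build GDB add-symbol-file commands from the image load
# addresses the PEI dispatcher writes to debug.log.

# Directory holding the *.debug files in this lab's build.
DEBUG_DIR="Build/OvmfX64/DEBUG_GCC5/X64"

# Section offsets per module: name, .text offset, .data offset.
# These are the values used on this page; they change with the code base and
# compilation parameters.
section_offsets() {
  cat <<'EOF'
PeiCore 0x240 0xaf40
DxeIpl 0x240 0x4240
EOF
}

# Constructed sample of debug.log. The first three lines are quoted from this
# page; the DxeIpl entry point and the whole FooPei line are made up.
sample_log() {
  cat <<'EOF'
TemporaryRamMigration(0x810000, 0x3F4E000, 0x10000)
Loading PEIM 52C05B14-0B98-496C-BC3B-04B50211D680
Loading PEIM at 0x00007EE8000 EntryPoint=0x00007EEFD0F PeiCore.efi
Loading PEIM at 0x00007EDE000 EntryPoint=0x00007EE0000 DxeIpl.efi
Loading PEIM at 0x00007ED0000 EntryPoint=0x00007ED1000 FooPei.efi
EOF
}

# Print "<module> <base>" for every "Loading PEIM at ..." line in log file $1.
# Lines that only carry a GUID (no address) do not match and are skipped.
loaded_images() {
  sed -n 's/^Loading PEIM at \(0x[0-9A-Fa-f]\{1,\}\) EntryPoint=0x[0-9A-Fa-f]\{1,\} \([A-Za-z0-9_]\{1,\}\)\.efi.*$/\2 \1/p' "$1"
}

# Print one add-symbol-file command per module that is both listed in
# section_offsets and reported as loaded in log file $1.
symbol_commands() {
  images=$(loaded_images "$1")
  section_offsets | while read -r module text_off data_off; do
    # If an image is logged more than once, the last address is the live one.
    base=$(printf '%s\n' "$images" |
      awk -v m="$module" '$1 == m { b = $2 } END { if (b != "") print b }')
    if [ -n "$base" ]; then
      printf 'add-symbol-file %s/%s.debug 0x%x -s .data 0x%x\n' \
        "$DEBUG_DIR" "$module" \
        "$(($base + $text_off))" "$(($base + $data_off))"
    fi
  done
}

# Demo on the constructed sample; on a real run pass the path to debug.log.
demo_log=$(mktemp)
sample_log > "$demo_log"
symbol_commands "$demo_log"
rm -f "$demo_log"
```

<p>The printed addresses match the <code>.text_addr</code> and <code>.data_addr</code> values GDB reports in the sessions above.</p>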
<ul>
<li>After that we are ready to start the transition to DXE by using the DXE IPL PPI (through <code>DxeIpl</code>): we can step to the point where the <code>DXE IPL Entry</code> string is printed in <code>debug.log</code> and then step into the <code>TempPtr.DxeIpl->Entry</code> function</li>
<li>If everything was loaded correctly we should land in <code>DxeLoadCore</code>, where the boot mode is analyzed first and appropriate actions are taken</li>
<li>Then <code>DxeLoadCore</code> looks for the DXE Core file and, after loading it, calls <code>HandOffToDxeCore</code>, which prepares the final switch to DXE.</li>
<li>Since the switch to DXE is not so trivial to observe, we will describe it in the DXE-related exercise.</li>
</ul>
</div>
</div>
</div>
</div>
</div>
<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@vertical+block@2b74954893544c108aef03a60e89adb0" data-request-token="473bf9f4093511efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="vert-mod">
<div class="vert vert-0" data-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@1af47530d9d54e0d935efe20c4c2381b">
<div class="xblock xblock-public_view xblock-public_view-markdown" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-block-type="markdown" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@1af47530d9d54e0d935efe20c4c2381b" data-request-token="473bf9f4093511efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="markdown_xblock"><h2>Exercise #8: Welcome to DXE</h2>
<ul>
<li>Based on Exercise #7 we are ready to jump into the DXE phase</li>
<li>Let's start QEMU:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>qemu-system-x86_64 -nographic -bios Build/OvmfX64/DEBUG_GCC5/FV/OVMF.fd -chardev file,path<span class="o">=</span>debug.log,id<span class="o">=</span>edk2-debug -device isa-debugcon,iobase<span class="o">=</span>0x402,chardev<span class="o">=</span>edk2-debug -s -S
</code></pre>
</div>
<ul>
<li>Let's start GDB and load symbols:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>add-symbol-file Build/OvmfX64/DEBUG_GCC5/X64/PeiCore.debug <span class="o">(</span>0x00007EE8000+0x0000000000000240<span class="o">)</span> -s .data <span class="o">(</span>0x00007EE8000+0x000000000000af40<span class="o">)</span>
add-symbol-file Build/OvmfX64/DEBUG_GCC5/X64/DxeIpl.debug <span class="o">(</span>0x00007EDE000+0x0000000000000240<span class="o">)</span> -s .data <span class="o">(</span>0x00007EDE000+0x0000000000004240<span class="o">)</span>
add-symbol-file Build/OvmfX64/DEBUG_GCC5/X64/DxeCore.debug <span class="o">(</span>0x00007E9E000+0x0000000000000240<span class="o">)</span> -s .data <span class="o">(</span>0x00007E9E000+0x0000000000021e00<span class="o">)</span>
target remote :1234
</code></pre>
</div>
<ul>
<li>The following commands have to be executed manually.</li>
</ul>
<div class="codehilite">
<pre><span></span><code><span class="nb">break</span> PeiCore
c
<span class="nb">break</span> HandOffToDxeCore
c
</code></pre>
</div>
<ul>
<li>Interestingly, the second breakpoint is not always set when things happen too fast; sometimes GDB claims it does not know the symbol, in the following way:</li>
</ul>
<div class="codehilite">
<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> <span class="nb">break</span> HandOffToDxeCore
Function <span class="s2">"HandOffToDxeCore"</span> not defined.
Make breakpoint pending on future shared library load? <span class="o">(</span>y or <span class="o">[</span>n<span class="o">])</span>
</code></pre>
</div>
<p>It probably means things happen too fast or GDB has some weird bug with looking for symbols; a workaround that works for me most of the time is using Tab for symbol searching in between continue commands:</p>
<div class="codehilite">
<pre><span></span><code>0x000000000000fff0 <span class="k">in</span> ?? <span class="o">()</span>
<span class="o">(</span>gdb<span class="o">)</span> <span class="nb">break</span> Pei<TAB>
PeiAllocatePages PeiDefaultMemRead8 PeiFfsFvPpiGetFileInfo PeiNotifyPpi
PeiAllocatePool PeiDefaultMemWrite PeiFfsFvPpiGetFileInfo2 PeiPcdLib.c
PeiCheckAndSwitchStack PeiDefaultMemWrite16 PeiFfsFvPpiGetVolumeInfo PeiReInstallPpi
PeiCore PeiDefaultMemWrite32 PeiFfsFvPpiProcessVolume PeiRegisterForShadow
PeiCoreEntry PeiDefaultMemWrite64 PeiFfsGetFileInfo PeiReportStatusCode
PeiCoreEntryPoint.c PeiDefaultMemWrite8 PeiFfsGetFileInfo2 PeiResetSystem
PeiCoreFvLocation.h PeiDefaultPciCfg2Modify PeiFfsGetVolumeInfo PeiResetSystem2
PeiCreateHob PeiDefaultPciCfg2Read PeiFreePages PeiServicesAllocatePages
PeiDefaultIoRead PeiDefaultPciCfg2Write PeiGetBootMode PeiServicesFfsFindSectionData3
PeiDefaultIoRead16 PeiDxeSmmCpuException.c PeiGetExtractGuidedSectionHandlerInfo PeiServicesFfsFindSectionData3.constprop.0
PeiDefaultIoRead32 PeiDxeVirtualMemory.c PeiGetHobList PeiServicesInstallPpi
PeiDefaultIoRead64 PeiDxeVmgExitVcHandler.c PeiImageRead PeiServicesLib.c
PeiDefaultIoRead8 PeiExtractGuidedSectionLib.c PeiInstallPeiMemory PeiServicesLocatePpi
PeiDefaultIoWrite PeiFfsFindFileByName PeiInstallPpi PeiServicesLocatePpi.constprop.0
PeiDefaultIoWrite16 PeiFfsFindNextFile PeiLoadImage PeiServicesNotifyPpi
PeiDefaultIoWrite32 PeiFfsFindNextVolume PeiLoadImage.constprop.0 PeiServicesReInstallPpi
PeiDefaultIoWrite64 PeiFfsFindSectionData PeiLoadImageLoadImage PeiServicesTablePointer.c
PeiDefaultIoWrite8 PeiFfsFindSectionData3 PeiLoadImageLoadImage.constprop.0 PeiSetBootMode
PeiDefaultMemRead PeiFfsFvPpiFindFileByName PeiLoadImageLoadImageWrapper PeimDispatchReadiness
PeiDefaultMemRead16 PeiFfsFvPpiFindFileByType PeiLocatePpi PeimEntryPoint.c
PeiDefaultMemRead32 PeiFfsFvPpiFindSectionByType PeiMain.c PeimEntryPoint.h
PeiDefaultMemRead64 PeiFfsFvPpiFindSectionByType2 PeiMain.h
<span class="o">(</span>gdb<span class="o">)</span> <span class="nb">break</span> PeiCore
Breakpoint <span class="m">1</span> at 0x7eee4fd: file /home/user/edk2/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c, line <span class="m">169</span>.
<span class="o">(</span>gdb<span class="o">)</span> c
Continuing.
Breakpoint <span class="m">1</span>, PeiCore <span class="o">(</span><span class="nv">SecCoreDataPtr</span><span class="o">=</span>0x3f55d20, <span class="nv">PpiList</span><span class="o">=</span>0x0, <span class="nv">Data</span><span class="o">=</span>0x3f55628<span class="o">)</span> at /home/user/edk2/MdeModulePkg/Core/Pei/PeiMain/PeiMain.c:169
<span class="m">169</span> <span class="o">{</span>
<span class="o">(</span>gdb<span class="o">)</span> <span class="nb">break</span> Hand<TAB>
Handle.c HandoffInformationTable
<span class="o">(</span>gdb<span class="o">)</span> <span class="nb">break</span> Hand<TAB>
Handle.c HandoffInformationTable
<span class="o">(</span>gdb<span class="o">)</span> <span class="nb">break</span> Hand<TAB>
Handle.c HandoffInformationTable
<span class="o">(</span>gdb<span class="o">)</span> <span class="nb">break</span> Hand<TAB>
Handle.c HandoffInformationTable
<span class="o">(</span>gdb<span class="o">)</span> <span class="nb">break</span> HandOffToDxeCore
Breakpoint <span class="m">2</span> at 0x7ee05ce: file /home/user/edk2/MdeModulePkg/Core/DxeIplPeim/DxeLoad.c, line <span class="m">450</span>.
<span class="o">(</span>gdb<span class="o">)</span> c
</code></pre>
</div>
<p>Please note that the addresses above may change if you are using a different code base or different compilation parameters.</p>
<ul>
<li>Set a breakpoint on the <code>SwitchStack</code> function, since stepping through <code>HandOffToDxeCore</code>, especially the areas dealing with the CR3 page tables, breaks the debugging session.</li>
</ul>
<div class="codehilite">
<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> <span class="nb">break</span> SwitchStack
Breakpoint <span class="m">3</span> at 0x7edfd0e: SwitchStack. <span class="o">(</span><span class="m">2</span> locations<span class="o">)</span>
<span class="o">(</span>gdb<span class="o">)</span> c
Continuing.
Breakpoint <span class="m">3</span>, SwitchStack <span class="o">(</span><span class="nv">EntryPoint</span><span class="o">=</span>EntryPoint@entry<span class="o">=</span>0x7ea0ef0 <_ModuleEntryPoint>, <span class="nv">Context1</span><span class="o">=</span>Context1@entry<span class="o">=</span>0x3f56000, <span class="nv">Context2</span><span class="o">=</span>0x0, <span class="nv">NewStack</span><span class="o">=</span>NewStack@entry<span class="o">=</span>0x7e9dff0, <span class="nv">Context2</span><span class="o">=</span>0x0<span class="o">)</span>
at /home/user/edk2/MdePkg/Library/BaseLib/SwitchStack.c:42
<span class="m">42</span> SwitchStack <span class="o">(</span>
<span class="o">(</span>gdb<span class="o">)</span>
</code></pre>
</div>
<ul>
<li>If we step into <code>SwitchStack</code> we will go through <code>InternalSwitchStack</code>; we have no symbols loaded for that function (this is your challenge).</li>
<li><code>InternalSwitchStack</code> calls <code>_ModuleEntryPoint</code>, defined in <code>DxeCoreEntryPoint.c:37</code>, which works in a very similar way to the PEI Core entry point.</li>
<li>Stepping into <code>_ModuleEntryPoint</code> should lead us to <code>DxeMain</code>, for which the backtrace should look as follows.</li>
</ul>
<div class="codehilite">
<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> bt
<span class="c1">#0 DxeMain (HobStart=0x3f56000) at /home/user/edk2/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c:236</span>
<span class="c1">#1 0x0000000007ea0f06 in ProcessModuleEntryPointList (HobStart=<optimized out>) at /home/user/edk2/Build/OvmfX64/DEBUG_GCC5/X64/MdeModulePkg/Core/Dxe/DxeMain/DEBUG/AutoGen.c:507</span>
<span class="c1">#2 _ModuleEntryPoint (HobStart=<optimized out>) at /home/user/edk2/MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.c:46</span>
<span class="c1">#3 0x0000000007ee10cf in InternalSwitchStack ()</span>
<span class="c1">#4 0x0000000000000000 in ?? ()</span>
</code></pre>
</div>
<ul>
<li><code>DxeMain</code> is the DXE phase entry point.</li>
</ul>
<h2>Exercise #9: DXE debug.log review</h2>
<ul>
<li>Let's check the <code>debug.log</code> file:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>PlatformPei: ClearCacheOnMpServicesAvailable
DiscoverPeimsAndOrderWithApriori<span class="o">()</span>: Found 0x0 PEI FFS files <span class="k">in</span> the 1th FV
DXE IPL Entry
Loading PEIM D6A2CB7F-6A18-4E2F-B43B-9920A733700A
Loading PEIM at 0x00007E9E000 <span class="nv">EntryPoint</span><span class="o">=</span>0x00007EA0EF0 DxeCore.efi
Loading DXE CORE at 0x00007E9E000 <span class="nv">EntryPoint</span><span class="o">=</span>0x00007EA0EF0
<span class="nv">AddressBits</span><span class="o">=</span><span class="m">36</span> <span class="nv">5LevelPaging</span><span class="o">=</span><span class="m">0</span> <span class="nv">1GPage</span><span class="o">=</span><span class="m">0</span>
<span class="nv">Pml5</span><span class="o">=</span><span class="m">1</span> <span class="nv">Pml4</span><span class="o">=</span><span class="m">1</span> <span class="nv">Pdp</span><span class="o">=</span><span class="m">64</span> <span class="nv">TotalPage</span><span class="o">=</span><span class="m">66</span>
Install PPI: 605EA650-C65C-42E1-BA80-91A52AB618C6
Notify: PPI Guid: 605EA650-C65C-42E1-BA80-91A52AB618C6, Peim notify entry point: <span class="nv">82D881</span>
<span class="o">===============</span> here is end of PEI and next log message coming from <span class="nv">DXE</span> <span class="o">================</span>
CoreInitializeMemoryServices:
BaseAddress - 0x3F59000 Length - 0x3CA7000 MinimalMemorySizeNeeded - 0x320000
</code></pre>
</div>
<ul>
<li>As we can see, the first DXE-related log messages appear a little earlier than the switch between phases. Note also that EDK II does not mark in the log where the phase changes.</li>
<li>The DXE phase is quite verbose and large in terms of executed code, so we will only go through its most important parts. As you can see above, it starts with the initialization of memory-related services.</li>
<li>DXE then proceeds with the initialization of other services and tables, but does so quietly.</li>
<li>After that, DXE retrieves from the HOBs the information delivered by the PEI phase:</li>
<li>First comes information about memory allocations, showing memory type and addresses:</li>
</ul>
<div class="codehilite">
<pre><span></span><code><span class="o">(</span>...<span class="o">)</span>
Memory Allocation 0x00000004 0x7C00000 - 0x7DFFFFF
Memory Allocation 0x00000007 0x7E00000 - 0x7E7DFFF
Memory Allocation 0x00000004 0x3F36000 - 0x3F55FFF
</code></pre>
</div>
<ul>
<li>Second, Firmware Volume information:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>FV Hob 0x900000 - 0x14FFFFF
</code></pre>
</div>
<ul>
<li>DXE then proceeds with installation of the architectural protocols:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>InstallProtocolInterface: D8117CFE-94A6-11D4-9A3A-0090273FC14D 7EC0F10
<span class="o">(</span>...<span class="o">)</span>
</code></pre>
</div>
<ul>
<li>Finally, DXE puts the main actor on stage: the DXE dispatcher, responsible for loading DXE drivers, is started by calling the <code>CoreDispatcher</code> function. Each driver has its own entry point, which performs some action. For OVMF X64, 95 drivers are loaded:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>grep <span class="s2">"Loading driver at"</span> debug.log
<span class="o">(</span>...<span class="o">)</span>
Loading driver at 0x00006CF6000 <span class="nv">EntryPoint</span><span class="o">=</span>0x00006CFC735 UefiPxeBcDxe.efi
Loading driver at 0x00006CB8000 <span class="nv">EntryPoint</span><span class="o">=</span>0x00006CBF808 IScsiDxe.efi
Loading driver at 0x00006D20000 <span class="nv">EntryPoint</span><span class="o">=</span>0x00006D23B7C VirtioNetDxe.efi
Loading driver at 0x00006CE8000 <span class="nv">EntryPoint</span><span class="o">=</span>0x00006CED1EE UhciDxe.efi
Loading driver at 0x00006CAF000 <span class="nv">EntryPoint</span><span class="o">=</span>0x00006CB533A EhciDxe.efi
Loading driver at 0x00006CA2000 <span class="nv">EntryPoint</span><span class="o">=</span>0x00006CAB912 XhciDxe.efi
Loading driver at 0x00006C98000 <span class="nv">EntryPoint</span><span class="o">=</span>0x00006C9E6D6 UsbBusDxe.efi
Loading driver at 0x00006CE1000 <span class="nv">EntryPoint</span><span class="o">=</span>0x00006CE5112 UsbKbDxe.efi
Loading driver at 0x00006D1A000 <span class="nv">EntryPoint</span><span class="o">=</span>0x00006D1DC76 UsbMassStorageDxe.efi
Loading driver at 0x00006CDA000 <span class="nv">EntryPoint</span><span class="o">=</span>0x00006CDDD91 QemuVideoDxe.efi
Loading driver at 0x00006CEF000 <span class="nv">EntryPoint</span><span class="o">=</span>0x00006CF2C3C VirtioGpuDxe.efi
</code></pre>
</div>
<ul>
<li>After the dispatcher finishes, some minor cleanup is performed and the BDS phase entry point is called.</li>
</ul>
</div>
</div>
</div>
</div>
</div>
<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@vertical+block@31cb3cb2c18a4aa1a06cd108f0d1493a" data-request-token="473bf9f4093511efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="vert-mod">
<div class="vert vert-0" data-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@cb4c5f50170142e48295dd63964c5bff">
<div class="xblock xblock-public_view xblock-public_view-markdown" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-block-type="markdown" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@cb4c5f50170142e48295dd63964c5bff" data-request-token="473bf9f4093511efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="markdown_xblock"><h2>Exercise #10: Welcome in BDS</h2>
<ul>
<li>Based on exercise #9 we are ready to jump into BDS phase.</li>
<li>Please try to step (<code>si</code>) through the transition from DXE to BDS, adding symbols as shown below.</li>
<li>Let's start QEMU:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>qemu-system-x86_64 -nographic -bios Build/OvmfX64/DEBUG_GCC5/FV/OVMF.fd -chardev file,path<span class="o">=</span>debug.log,id<span class="o">=</span>edk2-debug -device isa-debugcon,iobase<span class="o">=</span>0x402,chardev<span class="o">=</span>edk2-debug -s -S
</code></pre>
</div>
<ul>
<li>Let's start debugging BDS:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>add-symbol-file Build/OvmfX64/DEBUG_GCC5/X64/BdsDxe.debug <span class="o">(</span>0x00007062000+0x0000000000000240<span class="o">)</span> -s .data <span class="o">(</span>0x00007062000+0x000000000001a080<span class="o">)</span>
target remote :1234
<span class="nb">break</span> BdsEntry
c
</code></pre>
</div>
<ul>
<li>We are in BDS.</li>
</ul>
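<p>Added example, not part of the course material: a small parser that turns the <code>Loading ... at ... EntryPoint=...</code> lines reviewed in Exercise #9 into a load map, resolves a raw frame address to the nearest loaded image, and builds an <code>add-symbol-file</code> command like the one above. The helper names are hypothetical, the <code>BdsDxe.efi</code> log line is constructed, and the section offsets are inputs taken from the command on this page, on the assumption that its base is the BdsDxe load address from <code>debug.log</code>.</p>

```python
import re
from typing import NamedTuple, Optional

# Constructed sample. The first three lines repeat debug.log excerpts from this
# page; the BdsDxe.efi line is constructed: its base is the one used in the
# add-symbol-file command above, its EntryPoint value is made up.
SAMPLE_LOG = """\
Loading PEIM at 0x00007E9E000 EntryPoint=0x00007EA0EF0 DxeCore.efi
Loading DXE CORE at 0x00007E9E000 EntryPoint=0x00007EA0EF0
Loading driver at 0x00006CF6000 EntryPoint=0x00006CFC735 UefiPxeBcDxe.efi
Loading driver at 0x00007062000 EntryPoint=0x00007065000 BdsDxe.efi
"""

# Groups: 1 = kind, 2 = load base, 3 = entry point, 4 = optional image name.
LOAD_RE = re.compile(
    r"^Loading (PEIM|DXE CORE|driver) at 0x([0-9A-Fa-f]+) "
    r"EntryPoint=0x([0-9A-Fa-f]+)(?: (\S+\.efi))?\s*$"
)


class Image(NamedTuple):
    kind: str
    base: int
    entry: int
    name: Optional[str]


def parse_load_map(log_text):
    """Return one Image per load base, sorted by base address."""
    by_base = {}
    for line in log_text.splitlines():
        m = LOAD_RE.match(line.strip())
        if not m:
            continue  # e.g. "Loading PEIM <GUID>" carries no address
        img = Image(m.group(1), int(m.group(2), 16), int(m.group(3), 16), m.group(4))
        prev = by_base.get(img.base)
        # DxeCore is logged twice (as a PEIM and as "DXE CORE"); keep the named entry.
        if prev is None or (prev.name is None and img.name):
            by_base[img.base] = img
    return sorted(by_base.values(), key=lambda i: i.base)


def owner_of(images, addr):
    """Best guess for a raw address: the image with the nearest base at or below it.

    The log carries no image sizes, so this is a hint to verify, not a proof.
    """
    below = [i for i in images if addr >= i.base]
    return below[-1] if below else None


def add_symbol_file_cmd(img, debug_file, text_off, data_off):
    """Build the gdb command: each section address is load base + section offset."""
    return (f"add-symbol-file {debug_file} {img.base + text_off:#x} "
            f"-s .data {img.base + data_off:#x}")


if __name__ == "__main__":
    images = parse_load_map(SAMPLE_LOG)
    for img in images:
        print(f"{img.base:#011x} entry={img.entry:#011x} {img.name or img.kind}")
    # Frame #1 of the DxeMain backtrace on this page.
    print(owner_of(images, 0x7EA0F06).name)
    bds = next(i for i in images if i.name == "BdsDxe.efi")
    print(add_symbol_file_cmd(
        bds, "Build/OvmfX64/DEBUG_GCC5/X64/BdsDxe.debug", 0x240, 0x1A080))
```

<p>Run it against the full <code>debug.log</code> by passing the file contents to <code>parse_load_map</code>; because addresses change between builds, regenerate the commands after every rebuild.</p>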
<ul>
<li>Looking quickly at the <code>BdsEntry</code> function (<code>MdeModulePkg/Universal/BdsDxe/BdsEntry.c</code>), we see that the log message from the first exercise, <code>[Bds] Entry...</code>, is the first thing BDS does.</li>
<li>BDS then quietly handles all actions related to variable validation and loading of the variable policy protocol:</li>
</ul>
<div class="codehilite">
<pre><span></span><code><span class="o">[</span>BdsDxe<span class="o">]</span> Locate Variable Policy protocol - Success
</code></pre>
</div>
<ul>
<li>Then BDS deals with locales, initializing the setup menu language accordingly:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>Variable Driver Auto Update Lang, Lang:eng, PlatformLang:en Status: Success
</code></pre>
</div>
<ul>
<li>Then, since BDS would like to show something to the user, it tries to use the console, which triggers PCI scanning:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>PlatformBootManagerBeforeConsole
Registered NotifyDevPath Event
PCI Bus First Scanning
PciBus: Discovered PCI @ <span class="o">[</span><span class="m">00</span><span class="p">|</span><span class="m">00</span><span class="p">|</span><span class="m">00</span><span class="o">]</span>
PciBus: Discovered PCI @ <span class="o">[</span><span class="m">00</span><span class="p">|</span><span class="m">01</span><span class="p">|</span><span class="m">00</span><span class="o">]</span>
PciBus: Discovered PCI @ <span class="o">[</span><span class="m">00</span><span class="p">|</span><span class="m">01</span><span class="p">|</span><span class="m">01</span><span class="o">]</span>
BAR<span class="o">[</span><span class="m">4</span><span class="o">]</span>: <span class="nv">Type</span> <span class="o">=</span> Io32<span class="p">;</span> <span class="nv">Alignment</span> <span class="o">=</span> 0xF<span class="p">;</span> <span class="nv">Length</span> <span class="o">=</span> 0x10<span class="p">;</span> <span class="nv">Offset</span> <span class="o">=</span> 0x20
PciBus: Discovered PCI @ <span class="o">[</span><span class="m">00</span><span class="p">|</span><span class="m">01</span><span class="p">|</span><span class="m">03</span><span class="o">]</span>
PciBus: Discovered PCI @ <span class="o">[</span><span class="m">00</span><span class="p">|</span><span class="m">02</span><span class="p">|</span><span class="m">00</span><span class="o">]</span>
BAR<span class="o">[</span><span class="m">0</span><span class="o">]</span>: <span class="nv">Type</span> <span class="o">=</span> PMem32<span class="p">;</span> <span class="nv">Alignment</span> <span class="o">=</span> 0xFFFFFF<span class="p">;</span> <span class="nv">Length</span> <span class="o">=</span> 0x1000000<span class="p">;</span> <span class="nv">Offset</span> <span class="o">=</span> 0x10
BAR<span class="o">[</span><span class="m">2</span><span class="o">]</span>: <span class="nv">Type</span> <span class="o">=</span> Mem32<span class="p">;</span> <span class="nv">Alignment</span> <span class="o">=</span> 0xFFF<span class="p">;</span> <span class="nv">Length</span> <span class="o">=</span> 0x1000<span class="p">;</span> <span class="nv">Offset</span> <span class="o">=</span> 0x18
PciBus: Discovered PCI @ <span class="o">[</span><span class="m">00</span><span class="p">|</span><span class="m">03</span><span class="p">|</span><span class="m">00</span><span class="o">]</span>
BAR<span class="o">[</span><span class="m">0</span><span class="o">]</span>: <span class="nv">Type</span> <span class="o">=</span> Mem32<span class="p">;</span> <span class="nv">Alignment</span> <span class="o">=</span> 0x1FFFF<span class="p">;</span> <span class="nv">Length</span> <span class="o">=</span> 0x20000<span class="p">;</span> <span class="nv">Offset</span> <span class="o">=</span> 0x10
BAR<span class="o">[</span><span class="m">1</span><span class="o">]</span>: <span class="nv">Type</span> <span class="o">=</span> Io32<span class="p">;</span> <span class="nv">Alignment</span> <span class="o">=</span> 0x3F<span class="p">;</span> <span class="nv">Length</span> <span class="o">=</span> 0x40<span class="p">;</span> <span class="nv">Offset</span> <span class="o">=</span> 0x14
<span class="o">(</span>...<span class="o">)</span>
</code></pre>
</div>
<ul>
<li>Scanning triggers various drivers (e.g. <code>QemuVideo</code>), protocol installations and security checks (<code>[Security]</code>). This is mostly preparation for potential user interaction in the following steps.</li>
<li>Next, hot keys are registered to support entering the setup or quick boot menu:</li>
</ul>
<div class="codehilite">
<pre><span></span><code><span class="o">[</span>Bds<span class="o">]</span>RegisterKeyNotify: 000C/0000 <span class="m">80000000</span>/00 Success
<span class="o">[</span>Bds<span class="o">]</span>RegisterKeyNotify: <span class="m">0017</span>/0000 <span class="m">80000000</span>/00 Success
<span class="o">[</span>Bds<span class="o">]</span>RegisterKeyNotify: <span class="m">0000</span>/000D <span class="m">80000000</span>/00 Success
</code></pre>
</div>
<ul>
<li>Then BDS connects all default consoles, that is, the outputs detected earlier for which drivers were found. You can tell that something happened because the terminal where we are running QEMU changed color.</li>
<li>Finally, BDS informs us about OS-indicated features and dumps various information related to the boot process:</li>
</ul>
<div class="codehilite">
<pre><span></span><code><span class="o">[</span>Bds<span class="o">]</span>OsIndication: <span class="m">0000000000000000</span>
<span class="o">[</span>Bds<span class="o">]=============</span>Begin Load Options Dumping ...<span class="o">=============</span>
Driver Options:
SysPrep Options:
Boot Options:
Boot0000: UiApp 0x0109
Boot0001: UEFI QEMU DVD-ROM QM00003 0x0001
Boot0002: UEFI PXEv4 <span class="o">(</span>MAC:525400123456<span class="o">)</span> 0x0001
Boot0003: EFI Internal Shell 0x0001
PlatformRecovery Options:
PlatformRecovery0000: Default PlatformRecovery 0x0001
<span class="o">[</span>Bds<span class="o">]=============</span>End Load Options <span class="nv">Dumping</span><span class="o">=============</span>
</code></pre>
</div>
<ul>
<li>Now BDS waits for user interaction, e.g. entering the setup or quick boot menu; if no action is taken, the boot options are executed according to priority.</li>
<li>On the screen we can find:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>BdsDxe: failed to load Boot0001 <span class="s2">"UEFI QEMU DVD-ROM QM00003 "</span> from PciRoot<span class="o">(</span>0x0<span class="o">)</span>/Pci<span class="o">(</span>0x1,0x1<span class="o">)</span>/Ata<span class="o">(</span>Secondary,Master,0x0<span class="o">)</span>: Not Found
</code></pre>
</div>
<p>This is quite normal, given that we did not connect a DVD-ROM to QEMU.</p>
<ul>
<li>Then we can see the PXE loading screen, and as the final step we land in the UEFI Shell since no option was selected:</li>
</ul>
<pre><code>UEFI Interactive Shell v2.2
EDK II
UEFI v2.70 (EDK II, 0x00010000)
Mapping table
BLK0: Alias(s):
PciRoot(0x0)/Pci(0x1,0x1)/Ata(0x0)
Press ESC in 1 seconds to skip startup.nsh or any other key to continue.
Shell>
</code></pre>
</div>
</div>
</div>
</div>
</div>