<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@vertical+block@7a84a9b07a6d4324b626b04547354636" data-request-token="2d9329a6090211efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="vert-mod">
<div class="vert vert-0" data-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@9191f6b2ee004890be8d12a69bd4407a">
<div class="xblock xblock-public_view xblock-public_view-markdown" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-block-type="markdown" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@9191f6b2ee004890be8d12a69bd4407a" data-request-token="2d9329a6090211efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="markdown_xblock"><p>In this practice we will explore UEFITool, focusing on one of its components, <code>UEFIExtract</code>.</p>
<h2>Exercise #1: Install UEFIExtract</h2>
<div class="codehilite">
<pre><span></span><code>wget https://github.com/LongSoft/UEFITool/releases/download/A59/UEFIExtract_NE_A59_linux_x86_64.zip
unzip UEFIExtract_NE_A59_linux_x86_64.zip
./UEFIExtract
</code></pre>
</div>
<p>This should show the usage help. Please read it before proceeding to the next section.</p>
</div>
</div>
</div>
</div>
</div>
<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@vertical+block@ff6699394cd44c348072c6741c4fdf13" data-request-token="2d9329a6090211efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="vert-mod">
<div class="vert vert-0" data-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@4bbcc8ec14ad4b46be5f2687854a914d">
<div class="xblock xblock-public_view xblock-public_view-markdown" data-course-id="course-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1" data-block-type="markdown" data-usage-id="block-v1:OpenSecurityTraining2+4021_Intro_UEFI+2022_v1+type@markdown+block@4bbcc8ec14ad4b46be5f2687854a914d" data-request-token="2d9329a6090211efabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="markdown_xblock"><p>Let's identify the content of <code>OVMF.fd</code> used to boot our QEMU system and find the most important elements of the image mentioned in the PI specification.</p>
<h2>Exercise #2: Prepare a text report</h2>
<div class="codehilite">
<pre><span></span><code>./UEFIExtract Build/OvmfX64/DEBUG_GCC5/FV/OVMF.fd report
less Build/OvmfX64/DEBUG_GCC5/FV/OVMF.fd.report.txt
</code></pre>
</div>
<div class="codehilite">
<pre><span></span><code>Image <span class="p">|</span> UEFI <span class="p">|</span> <span class="m">00000000</span> <span class="p">|</span> <span class="m">00400000</span> <span class="p">|</span> DCCFEE73 <span class="p">|</span> UEFI image
Volume <span class="p">|</span> NVRAM <span class="p">|</span> <span class="m">00000000</span> <span class="p">|</span> <span class="m">00084000</span> <span class="p">|</span> 94DF64CC <span class="p">|</span> - FFF12B8D-7696-4C8B-A985-2747075B4F50
</code></pre>
</div>
<ul>
<li>UEFIExtract recognizes our image as a 4MB UEFI image that starts with an NVRAM region used for storing UEFI variables.</li>
</ul>
<div class="codehilite">
<pre><span></span><code>Volume | FFSv2 | 00084000 | 00348000 | 18C9F4D1 | - 48DB5E17-707C-472D-91CD-1613E7EF51B0
</code></pre>
</div>
<ul>
<li>At address 0x84000 we have the first Firmware Volume (FV), which uses Firmware File System version 2 (FFSv2). Note that FVs can be nested inside other FVs:</li>
</ul>
<div class="codehilite">
<pre><span></span><code>user@user-OST-VM:~/edk2$ grep FFS Build/OvmfX64/DEBUG_GCC5/FV/OVMF.fd.report.txt
Volume | FFSv2 | 00084000 | 00348000 | 18C9F4D1 | - 48DB5E17-707C-472D-91CD-1613E7EF51B0
Volume | FFSv2 | N/A | 000E0000 | BE1876C9 | ----- 6938079B-B503-4E3D-9D24-B28337A25806
Volume | FFSv2 | N/A | 00C00000 | 9BBD6BB4 | ----- 7CB8BDC9-F8EB-4F34-AAEA-3EE4AF6516A1
Volume | FFSv2 | 003CC000 | 00034000 | 0DEE9963 | - 763BED0D-DE9F-48F5-81F1-3E90E1B1A015
</code></pre>
</div>
<ul>
<li>Both <code>6938079B-B503-4E3D-9D24-B28337A25806</code> and <code>7CB8BDC9-F8EB-4F34-AAEA-3EE4AF6516A1</code> are nested inside the <code>48DB5E17-707C-472D-91CD-1613E7EF51B0</code> FV.</li>
<li>We can find out what those FVs contain by looking in <code>./OvmfPkg/OvmfPkgX64.fdf</code>:
<ul>
<li><code>6938079B-B503-4E3D-9D24-B28337A25806</code> - PEI Firmware Volume</li>
<li><code>7CB8BDC9-F8EB-4F34-AAEA-3EE4AF6516A1</code> - DXE Firmware Volume</li>
</ul></li>
<li><p>In the PEI FV we can find PEI modules, each consisting of various sections:</p>
<div class="codehilite">
<pre><span></span><code>File | PEI module | N/A | 00014802 | 5214FCD6 | ------ 222C386D-5ABC-4FB4-B124-FBB82488ACF4 | PlatformPei
Section | PEI dependency | N/A | 00000016 | 99E93E7C | ------- PEI dependency section
Section | Raw | N/A | 00000024 | C8C93A23 | ------- Raw section
Section | PE32 image | N/A | 00014784 | 7EF25DB9 | ------- PE32 image section
Section | UI | N/A | 0000001C | F791D416 | ------- UI section
Section | Version | N/A | 0000000E | 80E5540A | ------- Version section
</code></pre>
</div></li>
<li><p>UEFIExtract recognizes special modules like PEI core, SEC core, or DXE core</p></li>
<li><p>In the DXE FV we can find DXE drivers, each consisting of various sections:</p>
<div class="codehilite">
<pre><span></span><code>File | DXE driver | N/A | 000092BA | 53FA25B4 | ------ 11A6EDF6-A9BE-426D-A6CC-B22FE51D9224 | PciHotPlugInitDxe
Section | DXE dependency | N/A | 00000028 | E001C4CA | ------- DXE dependency section
Section | PE32 image | N/A | 00009244 | 6E262CA0 | ------- PE32 image section
Section | UI | N/A | 00000028 | 0F47669C | ------- UI section
Section | Version | N/A | 0000000E | 80E5540A | ------- Version section
</code></pre>
</div></li>
<li><p>And applications:</p>
<div class="codehilite">
<pre><span></span><code>File | Application | N/A | 000345EE | 843DD61F | ------ 462CAA21-7614-4503-836E-8AB6F4662331 | UiApp
Section | PE32 image | N/A | 00034584 | 4C3B0E1F | ------- PE32 image section
Section | Raw | N/A | 00000034 | D7939489 | ------- Raw section
Section | UI | N/A | 00000010 | AFB40D8A | ------- UI section
Section | Version | N/A | 0000000E | 80E5540A | ------- Version section
</code></pre>
</div></li>
</ul>
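<p>Added example (not part of the original course material): the dash prefix in the last report column encodes nesting depth, so a small stack-based parser can rebuild which FV each module lives in and produce a per-module inventory (file type, enclosing FV GUID, PE32 section CRC32) that can be compared between two images. The sample rows are stitched together from the excerpts above with intermediate rows omitted, and the function names <code>parse_report</code>, <code>module_inventory</code> and <code>diff_inventories</code> are hypothetical.</p>

```python
# Added example, not course code. SAMPLE stitches together report rows quoted
# above (intermediate rows omitted), so it is a constructed input.
SAMPLE = """\
Image | UEFI | 00000000 | 00400000 | DCCFEE73 | UEFI image
Volume | FFSv2 | 00084000 | 00348000 | 18C9F4D1 | - 48DB5E17-707C-472D-91CD-1613E7EF51B0
Volume | FFSv2 | N/A | 000E0000 | BE1876C9 | ----- 6938079B-B503-4E3D-9D24-B28337A25806
File | PEI module | N/A | 00014802 | 5214FCD6 | ------ 222C386D-5ABC-4FB4-B124-FBB82488ACF4 | PlatformPei
Section | PE32 image | N/A | 00014784 | 7EF25DB9 | ------- PE32 image section
Volume | FFSv2 | N/A | 00C00000 | 9BBD6BB4 | ----- 7CB8BDC9-F8EB-4F34-AAEA-3EE4AF6516A1
File | DXE driver | N/A | 000092BA | 53FA25B4 | ------ 11A6EDF6-A9BE-426D-A6CC-B22FE51D9224 | PciHotPlugInitDxe
Section | PE32 image | N/A | 00009244 | 6E262CA0 | ------- PE32 image section
File | Application | N/A | 000345EE | 843DD61F | ------ 462CAA21-7614-4503-836E-8AB6F4662331 | UiApp
Section | PE32 image | N/A | 00034584 | 4C3B0E1F | ------- PE32 image section
"""

def parse_report(text):
    """Yield a dict per row; depth = number of leading dashes in the Name column."""
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 6 or cols[0] == "Type":
            continue  # blank line or column header
        yield {"type": cols[0], "subtype": cols[1], "crc32": cols[4],
               "depth": len(cols[5]) - len(cols[5].lstrip("-")),
               "name": cols[5].lstrip("- "), "text": cols[6] if len(cols) > 6 else ""}

def module_inventory(text):
    """Map module name -> [file subtype, enclosing FV GUID, PE32 section CRC32]."""
    stack, inv = [], {}
    for row in parse_report(text):
        while stack and stack[-1]["depth"] >= row["depth"]:
            stack.pop()  # climb out of finished siblings and subtrees
        if row["type"] == "File":
            fv = next((r["name"] for r in reversed(stack) if r["type"] == "Volume"), None)
            row["key"] = row["text"] or row["name"]  # fall back to the file GUID
            inv[row["key"]] = [row["subtype"], fv, None]
        elif row["type"] == "Section" and row["subtype"] == "PE32 image":
            owner = next((r for r in reversed(stack) if r["type"] == "File"), None)
            if owner:
                inv[owner["key"]][2] = row["crc32"]
        stack.append(row)
    return inv

def diff_inventories(old, new):
    """Return sorted (added, removed, changed) module names."""
    changed = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    return sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys()), changed

if __name__ == "__main__":
    print(*module_inventory(SAMPLE).items(), sep="\n")
```

<p>CRC32 is not a cryptographic hash, so a matching value only shows the absence of accidental differences; for integrity decisions, hash the extracted section bodies with SHA-256 instead.</p>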
</div>
</div>
</div>
</div>
</div>