<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@vertical+block@4746f1616bc04cf5bad757b26a93632c" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="False">
<div class="vert-mod">
<div class="vert vert-0" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@markdown+block@d51600f576a14986b9a4774e4923440d">
<div class="xblock xblock-public_view xblock-public_view-markdown" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="markdown" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@markdown+block@d51600f576a14986b9a4774e4923440d" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="False">
<div class="markdown_xblock"><p>The OVMF.fd we have used so far has no support for persistent storage of UEFI variables. Because of that we have to add two defines to the build process to enable the features required to show how UEFI variable attributes work.</p>
<div class="codehilite">
<pre><span></span><code>build -p OvmfPkg/OvmfPkgX64.dsc -D SECURE_BOOT_ENABLE -D SMM_REQUIRE -b DEBUG -t GCC5 -n <span class="k">$(</span>nproc<span class="k">)</span> -a X64 all
</code></pre>
</div>
<ul>
<li><code>SECURE_BOOT_ENABLE</code> - we will not use UEFI Secure Boot in this lecture, but this define gates compilation of AuthVariableLib, the library supporting UEFI Authenticated Variables.</li>
<li><code>SMM_REQUIRE</code> - as we mentioned before, the default implementation of the UEFI Runtime Services SetVariable() and GetVariable() is handled through SMM, so we have to enable SMM mode in OVMF.</li>
</ul>
<p>This time the build process gives us two important binaries:</p>
<ul>
<li><code>Build/OvmfX64/DEBUG_GCC5/FV/OVMF_CODE.fd</code> - containing the code of our UEFI BIOS for QEMU.</li>
<li><code>Build/OvmfX64/DEBUG_GCC5/FV/OVMF_VARS.fd</code> - responsible for persistent storage of our variables.</li>
</ul>
<p>Let's make a local copy of <code>OVMF_VARS.fd</code> for use in this course:</p>
<div class="codehilite">
<pre><span></span><code>cp Build/OvmfX64/DEBUG_GCC5/FV/OVMF_VARS.fd .
</code></pre>
</div>
<p>To use the above binaries our QEMU command also has to change:</p>
<div class="codehilite">
<pre><span></span><code>qemu-system-x86_64 -machine q35,smm<span class="o">=</span>on -global <span class="nv">driver</span><span class="o">=</span>cfi.pflash01,property<span class="o">=</span>secure,value<span class="o">=</span>on -drive <span class="k">if</span><span class="o">=</span>pflash,format<span class="o">=</span>raw,unit<span class="o">=</span><span class="m">0</span>,file<span class="o">=</span>Build/OvmfX64/DEBUG_GCC5/FV/OVMF_CODE.fd,readonly<span class="o">=</span>on -drive <span class="k">if</span><span class="o">=</span>pflash,format<span class="o">=</span>raw,unit<span class="o">=</span><span class="m">1</span>,file<span class="o">=</span>OVMF_VARS.fd -net none -nographic -global ICH9-LPC.disable_s3<span class="o">=</span><span class="m">1</span>
</code></pre>
</div>
<ul>
<li><code>-machine q35,smm=on</code> - Enable SMM.</li>
<li><code>-global driver=cfi.pflash01,property=secure,value=on</code> - Enable the <code>secure</code> property of the <a href="https://en.wikipedia.org/wiki/Common_Flash_Memory_Interface">CFI flash</a> device; it controls how data is read from the flash. More details can be found in the <a href="https://github.com/qemu/qemu/blob/master/hw/block/pflash_cfi01.c#L665">source code</a>.</li>
<li><code>-drive if=pflash,format=raw,unit=0,file=Build/OvmfX64/DEBUG_GCC5/FV/OVMF_CODE.fd,readonly=on -drive if=pflash,format=raw,unit=1,file=OVMF_VARS.fd</code> - attach two block devices through the flash interface: unit 0 holds the read-only firmware code, unit 1 the writable variable store.</li>
<li><code>-global ICH9-LPC.disable_s3=1</code> - workaround for boot issues.</li>
</ul>
<p>That should give you a working environment to test UEFI variable attributes using UEFI Shell commands.</p>
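<p>As an added illustration (not part of the course material or of EDK2 itself), the following Python script shows what the second binary holds: it walks the variable store inside an <code>OVMF_VARS.fd</code>-style image using the header layouts from EDK2's <code>MdeModulePkg/Include/Guid/VariableFormat.h</code> and lists each live variable with its attribute bits. So that it runs offline it builds a small constructed image in memory (sample data, not a real build artifact); point <code>parse_var_store()</code> at the bytes of your own <code>OVMF_VARS.fd</code> to audit which variables the firmware persists and which of them are runtime-accessible. The firmware volume checksum is not verified, and the constructed header leaves it zero.</p>

```python
import struct
import uuid

# Attribute bits of a UEFI variable (UEFI spec, SetVariable()).
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

# Variable store layout constants from EDK2 MdeModulePkg/Include/Guid/VariableFormat.h.
# An OVMF built with SECURE_BOOT_ENABLE formats its store with the authenticated signature.
EFI_VARIABLE_GUID = uuid.UUID("ddcf3616-3275-4164-98b6-fe85707ffe7d")
EFI_AUTHENTICATED_VARIABLE_GUID = uuid.UUID("aaf32c78-947b-439a-a180-2e144ec37792")
EFI_SYSTEM_NV_DATA_FV_GUID = uuid.UUID("fff12b8d-7696-4c8b-a985-2747075b4f50")
VARIABLE_DATA = 0x55AA                   # StartId that opens every variable header
VAR_ADDED, VAR_DELETED = 0x3F, 0xFD      # State bits: a deleted variable keeps its bytes on flash
VARIABLE_STORE_FORMATTED, VARIABLE_STORE_HEALTHY = 0x5A, 0xFE
STORE_HDR = "<16sIBBHI"                  # Signature, Size, Format, State, Reserved, Reserved1
AUTH_VAR_HDR = "<HBBIQ16sIII16s"         # StartId, State, Rsvd, Attributes, MonotonicCount, TimeStamp, PubKeyIndex, NameSize, DataSize, VendorGuid
PLAIN_VAR_HDR = "<HBBIII16s"             # StartId, State, Rsvd, Attributes, NameSize, DataSize, VendorGuid
EXERCISE_GUID = uuid.UUID("158def5a-f656-419c-b027-7a3192c079d2")   # vendor GUID used in the exercise

def align4(n):
    return (n + 3) & ~3                  # name and data are padded to HEADER_ALIGNMENT (4 bytes)

def pad4(b):
    return b + b"\0" * (align4(len(b)) - len(b))

def attr_names(attrs):
    names = [n for bit, n in ((0x1, "NV"), (0x2, "BS"), (0x4, "RT"), (0x20, "AUTH")) if attrs & bit]
    return "+".join(names) or "none"

def parse_var_store(image):
    """Walk the variable store that follows the firmware volume header and return live variables."""
    if image[0x28:0x2C] != b"_FVH":
        raise ValueError("no firmware volume signature at offset 0x28")
    (fv_hdr_len,) = struct.unpack_from("<H", image, 0x30)      # EFI_FIRMWARE_VOLUME_HEADER.HeaderLength
    store = fv_hdr_len                                         # the store starts right after the FV header
    sig_raw, size, fmt, state, _, _ = struct.unpack_from(STORE_HDR, image, store)
    sig = uuid.UUID(bytes_le=sig_raw)
    if sig == EFI_AUTHENTICATED_VARIABLE_GUID:
        hdr_fmt = AUTH_VAR_HDR
    elif sig == EFI_VARIABLE_GUID:
        hdr_fmt = PLAIN_VAR_HDR
    else:
        raise ValueError("unknown variable store signature %s" % sig)
    if fmt != VARIABLE_STORE_FORMATTED or state != VARIABLE_STORE_HEALTHY:
        raise ValueError("variable store is not formatted and healthy")
    hdr_len, found = struct.calcsize(hdr_fmt), []
    off, end = store + struct.calcsize(STORE_HDR), store + size
    while off + hdr_len <= end:
        fields = struct.unpack_from(hdr_fmt, image, off)
        if fields[0] != VARIABLE_DATA:
            break                                              # erased flash (0xFFFF) after the last entry
        state, attrs, name_size, data_size, vendor = fields[1], fields[3], fields[-3], fields[-2], fields[-1]
        name_off = off + hdr_len
        data_off = name_off + align4(name_size)
        name = image[name_off:name_off + name_size].decode("utf-16-le").rstrip("\0")
        if state == VAR_ADDED:                                 # skip VAR_DELETED / IN_DELETED_TRANSITION entries
            found.append({"name": name, "guid": str(uuid.UUID(bytes_le=vendor)), "attrs": attrs,
                          "flags": attr_names(attrs), "data": image[data_off:data_off + data_size]})
        off = align4(data_off + data_size)
    return found

def build_sample_image(variables, authenticated=True):
    """Constructed stand-in for OVMF_VARS.fd (sample data, not a real build artifact): a minimal
    FV header (checksum left zero) followed by a store holding (name, guid, attrs, data, state) records."""
    body = b""
    for name, guid, attrs, data, state in variables:
        name_b = name.encode("utf-16-le") + b"\0\0"
        if authenticated:
            hdr = struct.pack(AUTH_VAR_HDR, VARIABLE_DATA, state, 0, attrs, 0, b"\0" * 16, 0,
                              len(name_b), len(data), guid.bytes_le)
        else:
            hdr = struct.pack(PLAIN_VAR_HDR, VARIABLE_DATA, state, 0, attrs, len(name_b), len(data), guid.bytes_le)
        body += hdr + pad4(name_b) + pad4(data)
    sig = EFI_AUTHENTICATED_VARIABLE_GUID if authenticated else EFI_VARIABLE_GUID
    store_size = struct.calcsize(STORE_HDR) + len(body) + 64        # leave erased (0xFF) space at the end
    store = struct.pack(STORE_HDR, sig.bytes_le, store_size, VARIABLE_STORE_FORMATTED,
                        VARIABLE_STORE_HEALTHY, 0, 0) + body
    store = store.ljust(store_size, b"\xff")
    fv_hdr_len = 0x48                                               # 0x38 fixed fields + two block-map entries
    fv_hdr = struct.pack("<16s16sQ4sIHHHBB", b"\0" * 16, EFI_SYSTEM_NV_DATA_FV_GUID.bytes_le,
                         fv_hdr_len + store_size, b"_FVH", 0, fv_hdr_len, 0, 0, 0, 2)
    fv_hdr += struct.pack("<IIII", 1, store_size, 0, 0)             # one block plus the zero terminator
    return fv_hdr + store

# Constructed sample: the two non-volatile exercise variables plus a deleted entry in between,
# whose name (10 bytes) and data (3 bytes) exercise the 4-byte padding.
SAMPLE_IMAGE = build_sample_image([
    ("02-bs-nv", EXERCISE_GUID, 0x3, bytes.fromhex("4242424242"), VAR_ADDED),
    ("Gone", EXERCISE_GUID, 0x3, b"abc", VAR_ADDED & VAR_DELETED),
    ("03-bs-nv-rt", EXERCISE_GUID, 0x7, bytes.fromhex("fefefefefe"), VAR_ADDED),
])

if __name__ == "__main__":
    for v in parse_var_store(SAMPLE_IMAGE):
        print("%-14s %-10s %s" % (v["name"], v["flags"], v["data"].hex()))
```

<p>The parser picks the per-variable header layout from the store signature GUID: with <code>SECURE_BOOT_ENABLE</code> the store uses the 60-byte authenticated header (with MonotonicCount, TimeStamp and PubKeyIndex fields), otherwise the 32-byte plain one, so the same code reads both kinds of image. Only <code>-nv</code> variables ever reach this file; volatile ones live in RAM and vanish at reset.</p>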
</div>
</div>
</div>
<div class="vert vert-1" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@done+block@889d825372ac4a93a1acc54f3efe8461">
<div class="xblock xblock-public_view xblock-public_view-done" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="done" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@done+block@889d825372ac4a93a1acc54f3efe8461" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="True">
</div>
</div>
<div class="vert vert-2" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@discussion+block@b188643b30c44ca38688694860e91dbe">
<div class="xblock xblock-public_view xblock-public_view-discussion" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="discussion" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@discussion+block@b188643b30c44ca38688694860e91dbe" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="False">
</div>
</div>
</div>
<script type="text/javascript">
(function (require) {
require(['/static/js/dateutil_factory.be68acdff619.js?raw'], function () {
require(['js/dateutil_factory'], function (DateUtilFactory) {
DateUtilFactory.transform('.localized-datetime');
});
});
}).call(this, require || RequireJS.require);
</script>
<script>
function emit_event(message) {
parent.postMessage(message, '*');
}
</script>
</div>
<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@vertical+block@3be3644fa38c4d82bd5f9fe3ca22021c" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="False">
<div class="vert-mod">
<div class="vert vert-0" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@markdown+block@b677cc53e4ba463cafcfe292eb294e52">
<div class="xblock xblock-public_view xblock-public_view-markdown" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="markdown" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@markdown+block@b677cc53e4ba463cafcfe292eb294e52" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="False">
<div class="markdown_xblock"><p>Please read the <code>setvar</code> UEFI Shell command help (type <code>help setvar</code> in the UEFI Shell) to understand the syntax of the following commands:</p>
<ul>
<li>Store a volatile, UEFI Boot Service accessible <code>01-bs</code> variable</li>
</ul>
<div class="codehilite">
<pre><span></span><code>setvar <span class="m">01</span>-bs -guid 158DEF5A-F656-419C-B027-7A3192C079D2 -bs <span class="o">=</span>0x1234567890ab
</code></pre>
</div>
<ul>
<li>Store a non-volatile, UEFI Boot Service accessible <code>02-bs-nv</code> variable</li>
</ul>
<div class="codehilite">
<pre><span></span><code>setvar <span class="m">02</span>-bs-nv -guid 158DEF5A-F656-419C-B027-7A3192C079D2 -bs -nv <span class="o">=</span>0x4242424242
</code></pre>
</div>
<ul>
<li>Store a non-volatile, UEFI Boot Service and UEFI Runtime accessible <code>03-bs-nv-rt</code> variable</li>
</ul>
<div class="codehilite">
<pre><span></span><code>setvar <span class="m">03</span>-bs-nv-rt -guid 158DEF5A-F656-419C-B027-7A3192C079D2 -bs -nv -rt <span class="o">=</span>0xfefefefefe
</code></pre>
</div>
<ul>
<li>Store a non-volatile, UEFI Runtime accessible <code>04-nv-rt</code> variable</li>
</ul>
<div class="codehilite">
<pre><span></span><code>setvar <span class="m">04</span>-nv-rt -guid 158DEF5A-F656-419C-B027-7A3192C079D2 -nv -rt <span class="o">=</span>0xdeadbeef
</code></pre>
</div>
<ul>
<li>Store a volatile, UEFI Runtime accessible <code>05-rt</code> variable</li>
</ul>
<div class="codehilite">
<pre><span></span><code>setvar <span class="m">05</span>-rt -guid 158DEF5A-F656-419C-B027-7A3192C079D2 -rt <span class="o">=</span>L<span class="s2">"this is test"</span> <span class="o">=</span>0x0000
</code></pre>
</div>
<p>Use <code>setvar</code> (with the variable name and GUID but no <code>=data</code> part, which displays the current value) to confirm that all variables contain the expected values.</p>
</div>
</div>
</div>
<div class="vert vert-1" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@problem+block@19e72cef0a484066a45f7355139a527c">
<div class="xblock xblock-public_view xblock-public_view-problem xmodule_display xmodule_ProblemBlock" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="problem" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@problem+block@19e72cef0a484066a45f7355139a527c" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="True">
<div class="page-banner"><div class="alert alert-warning"><span class="icon icon-alert fa fa fa-warning" aria-hidden="true"></span><div class="message-content">Mini-quiz #4 is only accessible to enrolled learners. Sign in or register, and enroll in this course to view it.</div></div></div>
</div>
</div>
<div class="vert vert-2" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@problem+block@2add629cdff04acba0361cbd5217731a">
<div class="xblock xblock-public_view xblock-public_view-problem xmodule_display xmodule_ProblemBlock" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="problem" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@problem+block@2add629cdff04acba0361cbd5217731a" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="True">
<div class="page-banner"><div class="alert alert-warning"><span class="icon icon-alert fa fa fa-warning" aria-hidden="true"></span><div class="message-content">Mini-quiz #5 is only accessible to enrolled learners. Sign in or register, and enroll in this course to view it.</div></div></div>
</div>
</div>
<div class="vert vert-3" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@done+block@9c57e3e55aca4fbbb8a827947210e76d">
<div class="xblock xblock-public_view xblock-public_view-done" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="done" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@done+block@9c57e3e55aca4fbbb8a827947210e76d" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="True">
</div>
</div>
<div class="vert vert-4" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@discussion+block@44cd55953dac4e1d99759453e8a1b7db">
<div class="xblock xblock-public_view xblock-public_view-discussion" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="discussion" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@discussion+block@44cd55953dac4e1d99759453e8a1b7db" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="False">
</div>
</div>
</div>
</div>
<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@vertical+block@aec6880af6a74626966833e898b1f19e" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="False">
<div class="vert-mod">
<div class="vert vert-0" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@markdown+block@c6889fe583504d9aae1c61ede7ad1b84">
<div class="xblock xblock-public_view xblock-public_view-markdown" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="markdown" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@markdown+block@c6889fe583504d9aae1c61ede7ad1b84" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="False">
<div class="markdown_xblock"><p>To verify which variables were set in the previous exercise, let's boot Alpine Linux:</p>
<div class="codehilite">
<pre><span></span><code>qemu-system-x86_64 -machine q35,smm<span class="o">=</span>on -global <span class="nv">driver</span><span class="o">=</span>cfi.pflash01,property<span class="o">=</span>secure,value<span class="o">=</span>on -drive <span class="k">if</span><span class="o">=</span>pflash,format<span class="o">=</span>raw,unit<span class="o">=</span><span class="m">0</span>,file<span class="o">=</span>Build/OvmfX64/DEBUG_GCC5/FV/OVMF_CODE.fd,readonly<span class="o">=</span>on -drive <span class="k">if</span><span class="o">=</span>pflash,format<span class="o">=</span>raw,unit<span class="o">=</span><span class="m">1</span>,file<span class="o">=</span>OVMF_VARS.fd -nographic -global ICH9-LPC.disable_s3<span class="o">=</span><span class="m">1</span> -m 512M ~/alpine-virt-3.16.1-x86_64.iso
</code></pre>
</div>
<ul>
<li>Please note that we increased the memory with <code>-m 512M</code>; without that parameter the boot process crashes for lack of memory.</li>
<li>Please note that there is no <code>-net none</code>, since we will need networking for package installation inside Alpine Linux later in this course section.</li>
</ul>
<p>No <code>BootOrder</code> variable is correctly set, so UEFI drops us into the UEFI Shell. To boot Alpine from the UEFI Shell we have to find the <code>bootx64.efi</code> file. First let's change to the only available filesystem:</p>
<div class="codehilite">
<pre><span></span><code>fs0:
</code></pre>
</div>
<p>Our <code>bootx64.efi</code> file should be in the <code>efi\boot</code> directory:</p>
<div class="codehilite">
<pre><span></span><code><span class="nb">cd</span> efi<span class="se">\b</span>oot
</code></pre>
</div>
<p>Now we can call our bootloader:</p>
<div class="codehilite">
<pre><span></span><code>bootx64.efi
</code></pre>
</div>
<p>After booting, log in to Alpine as the <code>root</code> user.</p>
<p>Please inspect the variables using <code>xxd -g 1</code>.</p>
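<p>As an added example (not part of the course material), this Python script decodes an <code>efivarfs</code> entry the way you would read it after <code>xxd -g 1 /sys/firmware/efi/efivars/&lt;name&gt;-&lt;guid&gt;</code>: the file name carries the variable name and vendor GUID, and the content starts with a 4-byte little-endian attribute word followed by the raw data. It also maps the <code>setvar</code> flags of the five exercise variables to attribute words and applies the UEFI specification rule that <code>EFI_VARIABLE_RUNTIME_ACCESS</code> may only be set together with <code>EFI_VARIABLE_BOOTSERVICE_ACCESS</code> (SetVariable() returns <code>EFI_INVALID_PARAMETER</code> otherwise), so you can compare what Linux shows against what the firmware should have accepted. The sample file content is constructed and its data bytes are illustrative; <code>load_efivarfs_entry()</code> is the helper for reading a real entry and is not exercised offline.</p>

```python
import os
import struct

# UEFI variable attribute bits (UEFI spec, SetVariable()); the UEFI Shell
# 'setvar' flags -nv / -bs / -rt request exactly these three.
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4
SETVAR_FLAG_BITS = {"-nv": EFI_VARIABLE_NON_VOLATILE,
                    "-bs": EFI_VARIABLE_BOOTSERVICE_ACCESS,
                    "-rt": EFI_VARIABLE_RUNTIME_ACCESS}
EFIVARS_DIR = "/sys/firmware/efi/efivars"          # where the Linux efivarfs is normally mounted

def setvar_attrs(flags):
    """Attribute word that a 'setvar ... -bs -nv -rt' command passes to SetVariable()."""
    attrs = 0
    for flag in flags:
        attrs |= SETVAR_FLAG_BITS[flag]
    return attrs

def attr_names(attrs):
    names = [n for bit, n in ((0x1, "NV"), (0x2, "BS"), (0x4, "RT")) if attrs & bit]
    return "+".join(names) or "none"

def setvar_rejected_because(attrs):
    """UEFI spec rule enforced by SetVariable(): RUNTIME_ACCESS requires BOOTSERVICE_ACCESS."""
    if attrs & EFI_VARIABLE_RUNTIME_ACCESS and not attrs & EFI_VARIABLE_BOOTSERVICE_ACCESS:
        return "EFI_INVALID_PARAMETER: RT set without BS"
    return None

def visible_to_os(attrs):
    """The OS reads variables through the runtime service, so an entry must exist and carry RT."""
    return setvar_rejected_because(attrs) is None and bool(attrs & EFI_VARIABLE_RUNTIME_ACCESS)

def parse_efivarfs_file(filename, content):
    """Decode one efivarfs entry: name '<Name>-<vendor GUID>', content = LE u32 attributes + data."""
    if len(filename) < 37 or filename[-37] != "-":
        raise ValueError("efivarfs names end in -<GUID>: %r" % filename)
    if len(content) < 4:
        raise ValueError("efivarfs entries start with a 4-byte attribute word")
    (attrs,) = struct.unpack_from("<I", content, 0)
    return {"name": filename[:-37], "guid": filename[-36:], "attrs": attrs,
            "flags": attr_names(attrs), "data": content[4:]}

def load_efivarfs_entry(path):
    """Read a real entry, e.g. os.path.join(EFIVARS_DIR, '03-bs-nv-rt-158def5a-...')."""
    with open(path, "rb") as f:
        return parse_efivarfs_file(os.path.basename(path), f.read())

# The five variables from the exercise as (name, setvar flags) pairs.
EXERCISE_VARIABLES = [
    ("01-bs", ["-bs"]), ("02-bs-nv", ["-bs", "-nv"]), ("03-bs-nv-rt", ["-bs", "-nv", "-rt"]),
    ("04-nv-rt", ["-nv", "-rt"]), ("05-rt", ["-rt"]),
]

def exercise_outcome():
    """Per exercise variable: attribute word, spec verdict, and whether efivarfs should list it."""
    rows = []
    for name, flags in EXERCISE_VARIABLES:
        attrs = setvar_attrs(flags)
        rows.append({"name": name, "attrs": attrs, "flags": attr_names(attrs),
                     "rejected": setvar_rejected_because(attrs), "in_efivarfs": visible_to_os(attrs)})
    return rows

# Constructed sample: what 'xxd -g 1' would show for a BS+NV+RT variable of the exercise GUID,
# i.e. attribute word 0x00000007 followed by five (illustrative) data bytes.
SAMPLE_NAME = "03-bs-nv-rt-158def5a-f656-419c-b027-7a3192c079d2"
SAMPLE_CONTENT = bytes.fromhex("07000000" "fefefefefe")

if __name__ == "__main__":
    v = parse_efivarfs_file(SAMPLE_NAME, SAMPLE_CONTENT)
    print(v["name"], v["guid"], v["flags"], v["data"].hex())
    for row in exercise_outcome():
        print(row)
```

<p>The attribute word in the file is the one the firmware stored, not the one <code>setvar</code> asked for, so decoding it is the direct way to check that an attribute combination was honoured. A variable that is missing from <code>efivarfs</code> was either never created (rejected attributes) or lacks <code>RT</code>, and <code>visible_to_os()</code> distinguishes the two.</p>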
</div>
</div>
</div>
<div class="vert vert-1" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@problem+block@f201b82198524926aee33be7561984db">
<div class="xblock xblock-public_view xblock-public_view-problem xmodule_display xmodule_ProblemBlock" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="problem" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@problem+block@f201b82198524926aee33be7561984db" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="True">
<div class="page-banner"><div class="alert alert-warning"><span class="icon icon-alert fa fa fa-warning" aria-hidden="true"></span><div class="message-content">Mini-quiz #6 is only accessible to enrolled learners. Sign in or register, and enroll in this course to view it.</div></div></div>
</div>
</div>
<div class="vert vert-2" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@problem+block@ec4669bca8a74812b57c855f9c6c4e57">
<div class="xblock xblock-public_view xblock-public_view-problem xmodule_display xmodule_ProblemBlock" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="problem" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@problem+block@ec4669bca8a74812b57c855f9c6c4e57" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="True">
<div class="page-banner"><div class="alert alert-warning"><span class="icon icon-alert fa fa fa-warning" aria-hidden="true"></span><div class="message-content">Mini-quiz #7 is only accessible to enrolled learners. Sign in or register, and enroll in this course to view it.</div></div></div>
</div>
</div>
<div class="vert vert-3" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@done+block@6fa7f97139ed4835b4ca9bf6a00c3100">
<div class="xblock xblock-public_view xblock-public_view-done" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="done" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@done+block@6fa7f97139ed4835b4ca9bf6a00c3100" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="True">
</div>
</div>
<div class="vert vert-4" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@discussion+block@91cf915a9c5b4e44a8a0e589d645950e">
<div class="xblock xblock-public_view xblock-public_view-discussion" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="discussion" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@discussion+block@91cf915a9c5b4e44a8a0e589d645950e" data-request-token="abab73c6044711efaa280242ac12000b" data-graded="True" data-has-score="False">
</div>
</div>
</div>
</div>