2
2
So, graphics cards have a ROM that you can export in GPU-Z (GPU-Z: An example of an application that will perform this task). Is it at all possible to find out what the specification is for a GPU ROM? I have an issue with one of my cards and would like to add a GOP partition to it in order to enable secure boot and remove the annoying watermark in Windows 8.1 about secure boot not being configured correctly.
Alexandru
Posted 2013-10-25T03:23:56.167
Reputation: 425
0
Secure Boot, atleast as far as Windows is concerned, requires all Option ROMs to be signed by a recognised authority:
On a PC with Secure Boot enabled, option ROM drivers pose a security threat if they are not signed or not validated. Signature validation for option ROMs is a WHCK requirement.
There is also some ambiguity as to whether this is a part of the UEFI Secure Boot requirements, as documented in this GitHub issue.
It just so happens that the UEFI firmware defines and recognises its own format for OpROMs, as well as the manner of signing and verifying the OpROMs (Check the UEFI specification Section 14.4.2 of the UEFI Specification 2.7 A). That is the true origin of the support required from graphics card for secure boot.
VGA is a BIOS mechanism for software to use the display. GOP is a new graphics protocol defined by the UEFI specification, which would be loaded in the form of a UEFI driver (Ref). GOP support by the video card is needed for "Ultra Fast Boot" or "Super Fast Boot", and in general for "Pure" UEFI Boot without Legacy VGA Int 10h support. This is called UEFI Class 3, as opposed to Class 2 which also allows BIOS-ways of doing this. Notably, Windows 7 does not support GOP and hence UEFI Class 3.
The requirement for an EFI graphics card Option ROM seems to only coincidentally connect to GOP-compliance of graphics card Option ROM, seems coincidental, with only this document making the connection.
Milind R
Posted 2013-10-25T03:23:56.167
Reputation: 767
2Secure boot has what to do with your GPU? – Ramhound – 2013-10-25T03:26:43.213
Try BIOS setting to check on secure boot. – Darius – 2013-10-25T04:30:02.087
Secure Boot requires GPUs to be UEFI-compliant so that it can generate its required keys, which means they must have a GOP partition in their vBIOS - at least my Alienware A09 BIOS requires it otherwise the secure boot option is gray'd out. Is this NOT true? Please confirm with a proper reference. – Alexandru – 2013-10-25T12:03:00.317
1Keying off the GPU helps prevent vBIOS rootkit attacks, but is it a requirement for UEFI's Secure Boot? – Alexandru – 2013-10-25T12:05:11.013
@Ramhound Any thoughts? Anyone? – Alexandru – 2013-10-25T17:58:37.983
1I have never heard of any such requirement dealing with Secure Boot. There are tons of OEM products that don't even have a dedecated GPU that support Secure Boot. The generation of the Intel keys are not done by the GPU. – Ramhound – 2013-10-25T18:20:21.983
@Ramhound Yeah, you bring up a good point. Perhaps my computer manufacturer's BIOS thinks it needs a signature from the GPU, when probably it doesn't. Do you think this is the case? The A09 BIOS is made by American Megatrends. – Alexandru – 2013-10-25T18:45:19.187
Regardless, none of this answers my original question. I wanna hack my video card's ROM, and I need to know how the spec for that is laid out. – Alexandru – 2013-10-25T19:36:13.287