Compatibility Support Module

Unified Extensible Firmware Interface (UEFI, as an acronym) is a specification for the firmware architecture of a computing platform. When a computer is powered on, the UEFI implementation is typically the first that runs, before starting the operating system. Examples include AMI Aptio, Phoenix SecureCore, TianoCore EDK II, and InsydeH2O.

UEFI replaces the BIOS that was present in the boot ROM of all personal computers that are IBM PC compatible, although it can provide backwards compatibility with the BIOS using CSM booting. Unlike its predecessor, BIOS, which is a de facto standard originally created by IBM as proprietary software, UEFI is an open standard maintained by an industry consortium. Like BIOS, most UEFI implementations are proprietary.

Intel developed the original ''Extensible Firmware Interface'' (''EFI'') specification. The last Intel version of EFI was 1.10 released in 2005. Subsequent versions have been developed as UEFI by the UEFI Forum.

UEFI is independent of platform and programming language, but C is used for the reference implementation TianoCore EDKII.

History

The original motivation for EFI came during early development of the first Intel–HP Itanium systems in the mid-1990s. BIOS limitations (such as 16-bit real mode, 1 MB addressable memory space, assembly language programming, and PC AT hardware) had become too restrictive for the larger server platforms Itanium was targeting. The effort to address these concerns began in 1998 and was initially called ''Intel Boot Initiative''. It was later renamed to ''Extensible Firmware Interface'' (EFI).

The first open source UEFI implementation, Tiano, was released by Intel in 2004. Tiano has since then been superseded by EDK and EDK II and is now maintained by the TianoCore community.

In July 2005, Intel ceased its development of the EFI specification at version 1.10, and contributed it to the Unified EFI Forum, which has developed the specification as the ''Unified Extensible Firmware Interface'' (UEFI). The original EFI specification remains owned by Intel, which exclusively provides licenses for EFI-based products, but the UEFI specification is owned by the UEFI Forum.

Version 2.0 of the UEFI specification was released on 31 January 2006. It added cryptography and security.

Version 2.1 of the UEFI specification was released on 7 January 2007. It added network authentication and the user interface architecture ('Human Interface Infrastructure' in UEFI).

In October 2018, Arm announce
Arm ServerReady
a compliance certification program for landing the generic off-the-shelf operating systems and hypervisors on Arm-based servers. The program requires the system firmware to comply with Server Base Boot Requirements (SBBR). SBBR requires UEFI, ACPI and SMBIOS compliance. In October 2020, Arm announced the extension of the program to the edge and IoT market. The new program name i
Arm SystemReady
Arm SystemReady defined the Base Boot Requirements
BBR
specification that currently provides three recipes, two of which are related to UEFI: 1) SBBR: which requires UEFI, ACPI and SMBIOS compliance suitable for enterprise level operating environments such as Windows, Red Hat Enterprise Linux, and VMware ESXi; and 2) EBBR: which requires compliance to a set of UEFI interfaces as defined in the Embedded Base Boot Requirements
EBBR
suitable for embedded environments such as Yocto. Many Linux and BSD distros can support both recipes.

In December 2018, Microsoft announced Project Mu, a fork of TianoCore EDK II used in Microsoft Surface and Hyper-V products. The project promotes the idea of firmware as a service.

The latest UEFI specification, version 2.11, was published in December 2024.

Advantages

The interface defined by the EFI specification includes data tables that contain platform information, and boot and runtime services that are available to the OS loader and OS. UEFI firmware provides several technical advantages over a BIOS:

* Ability to boot a disk containing large partitions (over 2  TB) with a GUID Partition Table (GPT)
* Flexible pre-OS environment, including network capability, GUI, multi language
* 32-bit (for example IA-32, ARM32) or 64-bit (for example x64, AArch64) pre-OS environment
* C language programming
* Python programming usin
Python interpreter for UEFI
shell
* Modular design
* Backward and forward compatibility

With UEFI, it is possible to store product keys for operating systems such as Windows, on the UEFI firmware of the device. UEFI is required for Secure Boot on devices shipping with Windows 8 and above.

It is also possible for operating systems to access UEFI configuration data.

Compatibility

Processor compatibility

As of version 2.5, processor bindings exist for Itanium, x86, x86-64, ARM (AArch32) and ARM64 (AArch64). Only little-endian processors can be supported. Unofficial UEFI support is under development for POWERPC64 by implementing TianoCore on top of OPAL, the OpenPOWER abstraction layer, running in little-endian mode. Similar projects exist for MIPS and RISC-V. As of UEFI 2.7, RISC-V processor bindings have been officially established for 32-, 64- and 128-bit modes.

Standard PC BIOS is limited to a 16-bit processor mode and 1 MB of addressable memory space, resulting from the design based on the IBM 5150 that used a 16-bit Intel 8088 processor. In comparison, the processor mode in a UEFI environment can be either 32-bit (IA-32, AArch32) or 64-bit (x86-64, Itanium, and AArch64). 64-bit UEFI firmware implementations support long mode, which allows applications in the preboot environment to use 64-bit addressing to get direct access to all of the machine's memory.

UEFI requires the firmware and operating system loader (or kernel) to be size-matched; that is, a 64-bit UEFI firmware implementation can load only a 64-bit operating system (OS) boot loader or kernel (unless the CSM-based ''legacy boot'' is used) and the same applies to 32-bit. After the system transitions from ''boot services'' to ''runtime services'', the operating system kernel takes over. At this point, the kernel can change processor modes if it desires, but this bars usage of the runtime services (unless the kernel switches back again). As of version 3.15, the Linux kernel supports 64-bit kernels to be booted on 32-bit UEFI firmware implementations running on x86-64 CPUs, with ''UEFI handover'' support from a UEFI boot loader as the requirement. UEFI handover protocol deduplicates the UEFI initialization code between the kernel and UEFI boot loaders, leaving the initialization to be performed only by the Linux kernel's ''UEFI boot stub''.

Disk device compatibility

In addition to the standard PC disk partition scheme that uses a master boot record (MBR), UEFI also works with the GUID Partition Table (GPT) partitioning scheme, which is free from many of the limitations of MBR. In particular, the MBR limits on the number and size of disk partitions (up to four primary partitions per disk, and up to 2  TB per disk) are relaxed. More specifically, GPT allows for a maximum disk and partition size of 8  ZiB .

Linux

Support for GPT in Linux is enabled by turning on the option CONFIG_EFI_PARTITION (EFI GUID Partition Support) during kernel configuration. This option allows Linux to recognize and use GPT disks after the system firmware passes control over the system to Linux.

For reverse compatibility, Linux can use GPT disks in BIOS-based systems for both data storage and booting, as both GRUB 2 and Linux are GPT-aware. Such a setup is usually referred to as ''BIOS-GPT''. As GPT incorporates the protective MBR, a BIOS-based computer can boot from a GPT disk using a GPT-aware boot loader stored in the protective MBR's bootstrap code area. In the case of GRUB, such a configuration requires a BIOS boot partition for GRUB to embed its second-stage code due to absence of the post-MBR gap in GPT partitioned disks (which is taken over by the GPT's ''Primary Header'' and ''Primary Partition Table''). Commonly 1  MB in size, this partition's Globally Unique Identifier (GUID) in GPT scheme is and is used by GRUB only in BIOS-GPT setups. From GRUB's perspective, no such partition type exists in case of MBR partitioning. This partition is not required if the system is UEFI-based because no embedding of the second-stage code is needed in that case.

UEFI systems can access GPT disks and boot directly from them, which allows Linux to use UEFI boot methods. Booting Linux from GPT disks on UEFI systems involves creation of an EFI system partition (ESP), which contains UEFI applications such as bootloaders, operating system kernels, and utility software. Such a setup is usually referred to as ''UEFI-GPT'', while ESP is recommended to be at least 512 MB in size and formatted with a FAT32 filesystem for maximum compatibility.

For backward compatibility, some UEFI implementations also support booting from MBR-partitioned disks through the Compatibility Support Module (CSM) that provides legacy BIOS compatibility. In that case, booting Linux on UEFI systems is the same as on legacy BIOS-based systems.

Microsoft Windows

Some of the EFI's practices and data formats mirror those of Microsoft Windows.

The 64-bit versions of Windows Vista SP1 and later and 64-bit versions of Windows 8, 8.1, 10, and 11 can boot from a GPT disk that is larger than 2  TB.

Features

Services

EFI defines two types of services: ''boot services'' and ''runtime services''. Boot services are available only while the firmware owns the platform (i.e., before the ExitBootServices() call), and they include text and graphical consoles on various devices, and bus, block and file services. Runtime services are still accessible while the operating system is running; they include services such as date, time and NVRAM access.

; Graphics Output Protocol (GOP) services
: The ''Graphics Output Protocol'' (GOP) provides runtime services; see also Graphics features section below. The operating system is permitted to directly write to the framebuffer provided by GOP during runtime mode.
; UEFI Memory map services
; SMM services
; ACPI services
; SMBIOS services
; Devicetree services (for RISC processors)
; Variable services
: UEFI variables provide a way to store data, in particular non-volatile data. Some UEFI variables are shared between platform firmware and operating systems. Variable namespaces are identified by GUIDs, and variables are key/value pairs. For example, UEFI variables can be used to keep crash messages in NVRAM after a crash for the operating system to retrieve after a reboot.
; Time services
: UEFI provides time services. Time services include support for time zone and daylight saving fields, which allow the hardware real-time clock to be set to local time or UTC. On machines using a PC-AT real-time clock, by default the hardware clock still has to be set to local time for compatibility with BIOS-based Windows, unless using recent versions and an entry in the Windows registry is set to indicate the use of UTC.

Applications

Beyond loading an OS, UEFI can run ''UEFI applications'', which reside as files on the EFI system partition. They can be executed from the UEFI Shell, by the firmware's boot manager, or by other UEFI applications. ''UEFI applications'' can be developed and installed independently of the original equipment manufacturers (OEMs).

A type of UEFI application is an OS boot loader such as GRUB, rEFInd, Gummiboot, and Windows Boot Manager, which loads some OS files into memory and executes them. Also, an OS boot loader can provide a user interface to allow the selection of another UEFI application to run. Utilities like the UEFI Shell are also UEFI applications.

Protocols

EFI defines protocols as a set of software interfaces used for communication between two binary modules. All EFI drivers must provide services to others via protocols. The EFI Protocols are similar to the BIOS interrupt calls.

Device drivers

In addition to standard instruction set architecture-specific device drivers, EFI provides for a ISA-independent device driver stored in non-volatile memory as ''EFI byte code'' or ''EBC''. System firmware has an interpreter for EBC images. In that sense, EBC is analogous to Open Firmware, the ISA-independent firmware used in PowerPC-based Apple Macintosh and Sun Microsystems SPARC computers, among others.

Some architecture-specific (non-EFI Byte Code) EFI drivers for some device types can have interfaces for use by the OS. This allows the OS to rely on EFI for drivers to perform basic graphics and network functions before, and if, operating-system-specific drivers are loaded.

In other cases, the EFI driver can be filesystem drivers that allow for booting from other types of disk volumes. Examples include ''efifs'' for 37 file systems (based on GRUB2 code), used by Rufus for chain-loading NTFS ESPs.

Graphics features

The EFI 1.0 specification defined a UGA (Universal Graphic Adapter) protocol as a way to support graphics features. UEFI did not include UGA and replaced it with GOP (Graphics Output Protocol).

UEFI 2.1 defined a "Human Interface Infrastructure" (HII) to manage user input, localized strings, fonts, and forms (in the HTML sense). These enable original equipment manufacturers (OEMs) or independent BIOS vendors (IBVs) to design graphical interfaces for pre-boot configuration. UEFI uses UTF-16 to encode strings by default.

Most early UEFI firmware implementations were console-based. Today many UEFI firmware implementations are GUI-based.

EFI system partition

An EFI system partition, often abbreviated to ESP, is a data storage device partition that is used in computers adhering to the UEFI specification. Accessed by the UEFI firmware when a computer is powered up, it stores UEFI applications and the files these applications need to run, including operating system boot loaders. Supported partition table schemes include MBR and GPT, as well as El Torito volumes on optical discs. For use on ESPs, UEFI defines a specific version of the FAT file system, which is maintained as part of the UEFI specification and independently from the original FAT specification, encompassing the FAT32, FAT16 and FAT12 file systems. The ESP also provides space for a boot sector as part of the backward BIOS compatibility.

Booting

UEFI booting

Unlike the legacy PC BIOS, UEFI does not rely on boot sectors, defining instead a boot manager as part of the UEFI specification. When a computer is powered on, the boot manager checks the boot configuration and, based on its settings, then executes the specified OS boot loader or operating system kernel (usually boot loader). The boot configuration is defined by variables stored in NVRAM, including variables that indicate the file system paths to OS loaders or OS kernels.

OS boot loaders can be automatically detected by UEFI, which enables easy booting from removable devices such as USB flash drives. This automated detection relies on standardized file paths to the OS boot loader, with the path varying depending on the computer architecture. The format of the file path is defined as ; for example, the file path to the OS loader on an x86-64 system is , and on ARM64 architecture.

Booting UEFI systems from GPT-partitioned disks is commonly called ''UEFI-GPT booting''. Despite the fact that the UEFI specification requires MBR partition tables to be fully supported, some UEFI firmware implementations immediately switch to the BIOS-based CSM booting depending on the type of boot disk's partition table, effectively preventing UEFI booting to be performed from EFI System Partition on MBR-partitioned disks. Such a boot scheme is commonly called ''UEFI-MBR''.

It is also common for a boot manager to have a textual user interface so the user can select the desired OS (or setup utility) from a list of available boot options.

On PC platforms, the BIOS firmware that supports UEFI boot can be called ''UEFI BIOS'', although it may not support CSM boot method, as modern x86 PCs deprecated use of CSM.

CSM booting

To ensure backward compatibility, UEFI firmware implementations on PC-class machines could support booting in legacy BIOS mode from MBR-partitioned disks through the ''Compatibility Support Module (CSM)'' that provides legacy BIOS compatibility. In this scenario, booting is performed in the same way as on legacy BIOS-based systems, by ignoring the partition table and relying on the content of a boot sector.

BIOS-style booting from MBR-partitioned disks is commonly called ''BIOS-MBR'', regardless of it being performed on UEFI or legacy BIOS-based systems. Furthermore, booting legacy BIOS-based systems from GPT disks is also possible, and such a boot scheme is commonly called ''BIOS-GPT''.

The ''Compatibility Support Module'' allows legacy operating systems and some legacy option ROMs that do not support UEFI to still be used. It also provides required legacy System Management Mode (SMM) functionality, called ''CompatibilitySmm'', as an addition to features provided by the UEFI SMM. An example of such a legacy SMM functionality is providing USB legacy support for keyboard and mouse, by emulating their classic PS/2 counterparts.

In November 2017, Intel announced that it planned to phase out support CSM for client platforms by 2020.

In July, of 2022, Kaspersky Labs published information regarding a Rootkit designed to chain boot malicious code on machines using Intel's H81 chipset and the Compatibility Support module of affected motherboards.

In August 2023, Intel announced that it planned to phase out support CSM for server platforms by 2024.

Currently most computers based on Intel platforms do not support CSM.

Network booting

The UEFI specification includes support for booting over network via the Preboot eXecution Environment (PXE). PXE booting network protocols include Internet Protocol (IPv4 and IPv6), User Datagram Protocol (UDP), Dynamic Host Configuration Protocol (DHCP), Trivial File Transfer Protocol (TFTP) and iSCSI.

OS images can be remotely stored on storage area networks (SANs), with Internet Small Computer System Interface (iSCSI) and Fibre Channel over Ethernet (FCoE) as supported protocols for accessing the SANs.

Version 2.5 of the UEFI specification adds support for accessing boot images over HTTP.

Secure Boot

The UEFI specification defines a protocol known as ''Secure Boot'', which can secure the boot process by preventing the loading of UEFI drivers or OS boot loaders that are not signed with an acceptable digital signature. The details of how these drivers are signed is specified in th
UEFI Specification
When Secure Boot is enabled, it is initially placed in "setup" mode, which allows a public key known as the "platform key" (PK) to be written to the firmware. Once the key is written, Secure Boot enters "User" mode, where only UEFI drivers and OS boot loaders signed with the platform key can be loaded by the firmware. Additional "key exchange keys" (KEK) can be added to a database stored in memory to allow other certificates to be used, but they must still have a connection to the private portion of the platform key. Secure Boot can also be placed in "Custom" mode, where additional public keys can be added to the system that do not match the private key.

Secure Boot is supported by Windows 8 and 8.1, Windows Server 2012 and 2012 R2, Windows 10, Windows Server 2016, 2019, and 2022, and Windows 11, VMware vSphere 6.5 and a number of Linux distributions including Fedora (since version 18), openSUSE (since version 12.3), RHEL (since version 7), CentOS (since version 7), Debian (since version 10), Ubuntu (since version 12.04.2), Linux Mint (since version 21.3)., and AlmaLinux OS (since version 8.4). , FreeBSD support is in a planning stage.

UEFI shell

UEFI provides a shell environment, which can be used to execute other UEFI applications, including UEFI boot loaders. Apart from that, commands available in the UEFI shell can be used for obtaining various other information about the system or the firmware, including getting the memory map (memmap), modifying boot manager variables (bcfg), running partitioning programs (diskpart), loading UEFI drivers, and editing text files (edit).

Source code for a UEFI shell can be downloaded from the Intel's TianoCore UDK/EDK2 project. A pre-built ShellBinPkg is also available. Shell v2 works best in UEFI 2.3+ systems and is recommended over Shell v1 in those systems. Shell v1 should work in all UEFI systems.

Methods used for launching UEFI shell depend on the manufacturer and model of the system motherboard. Some of them already provide a direct option in firmware setup for launching, e.g. compiled x86-64 version of the shell needs to be made available as /SHELLX64.EFI. Some other systems have an already embedded UEFI shell which can be launched by appropriate key press combinations. For other systems, the solution is either creating an appropriate USB flash drive or adding manually (bcfg) a boot option associated with the compiled version of shell.

Commands

The following is a list of commands supported by the EFI shell.

* alias
* attrib
* bcfg
* cd
* cls
* comp
* cp
* date
* dblk
* dh
* dmpstore
* echo
* Edd30
* EddDebug
* edit
* err
* guid
* help
* load
* ls
* map
* mem
* memmap
* mkdir
* mm
* mode
* mount
* pause
* pci
* reset
* rm
* set
* stall
* time
* type
* unload
* ver
* vol

Extensions

Extensions to UEFI can be loaded from virtually any non-volatile storage device attached to the computer. For example, an original equipment manufacturer (OEM) can distribute systems with an EFI system partition on the hard drive, which would add additional functions to the standard UEFI firmware stored on the motherboard's ROM.

UEFI Capsule

UEFI Capsule defines a Firmware-to-OS firmware update interface, marketed as modern and secure. Windows 8, Windows 8.1, Windows 10, and Fwupd for Linux each support the UEFI Capsule.

Hardware

Like BIOS, UEFI initializes and tests system hardware components (e.g. memory training, PCIe link training, USB link training on typical x86 systems), and then loads the boot loader from a mass storage device or through a network connection. In x86 systems, the UEFI firmware is usually stored in the NOR flash chip of the motherboard. In some ARM-based Android and Windows Phone devices, the UEFI boot loader is stored in the eMMC or eUFS flash memory.

Classes

UEFI machines can have one of the following classes, which were used to help ease the transition to UEFI:

* Class 0: Legacy BIOS
* Class 1: UEFI with a CSM interface and no external UEFI interface. The only UEFI interfaces are internal to the firmware.
* Class 2: UEFI with CSM and external UEFI interfaces, eg. UEFI Boot.
* Class 3: UEFI without a CSM interface and with an external UEFI interface.
* Class 3+: UEFI class 3 that has Secure Boot enabled.

Starting from the 10th Gen Intel Core, Intel no longer provides Legacy Video BIOS for the iGPU (Intel Graphics Technology). Legacy boot with those CPUs requires a Legacy Video BIOS, which can still be provided by a video card.

Boot stages

SEC – Security Phase

This is the first stage of the UEFI boot but may have platform specific binary code that precedes it. (e.g., Intel ME, AMD PSP, CPU microcode). It consists of minimal code written in assembly language for the specific architecture. It initializes a temporary memory (often CPU cache-as-RAM (CAR), or SoC on-chip SRAM) and serves as the system's software root of trust with the option of verifying PEI before hand-off.

Responsibilities

* Initialization of temporary memory for next stage(PEI).
* Root of trust, by the means of verifying the integrity of PEI.
* Passing handoff information to the PEI foundation. The information includes the location and size of temporary memory, location and size of stack and state of the platform.

PEI – Pre-EFI Initialization

The second stage of UEFI boot consists of a dependency-aware dispatcher that loads and runs PEI modules (PEIMs) to handle early hardware initialization tasks such as main memory initialization (initialize memory controller and DRAM) and firmware recovery operations. Additionally, it is responsible for discovery of the current boot mode and handling many ACPI S3 operations. In the case of ACPI S3 resume, it is responsible for restoring many hardware registers to a pre-sleep state. PEI also uses CAR. Initialization at this stage involves creating data structures in memory and establishing default values within these structures.

This stage has several components including PEI foundation, PEIMs and PPI. Due less resources available in this stage, this stage must be minimal and do minimal preparations for the next stage(DXE), Which is more richer.

PEI Foundation

After SEC phase hand off, platform responsibility is taken by PEI Foundation. it's responsibility is:
* Successful dispatch of PEIMs(pre-EFI Initialization modules).
* Initialization permanent memory(RAM).
* And handing over to next stage which is DXE.
* facilitate the communication of PEIMs called PPI.

PEI Dispatcher

This component is responsible for invoking PEIMs and managing there dependencies.

Pre-EFI Initialization modules

Those are minimal PEI drivers that is responsible for initialization of the hardware like permanent memory, CPU, chipset and motherboard. Each PEIMs has single responsibility and focused on single initialization. Those drivers came from different vendors.

PEIMs-to-PEIMs Interfaces

This is a data structure that composed of GUID pairs of pointers. PPIs are discovered by PEIMs through PEI services.

After minimal initialization of the system for DXE, PEI foundation locates and passes control to DXE. The PEI foundation dispatches DXE foundation through special PPI called IPL(Initial Program Load).

DXE – Driver Execution Environment

This stage consist of C modules and a dependency-aware dispatcher. With main memory now available, CPU, chipset, mainboard and other I/O devices are initialized in DXE and BDS. Initialization at this stage involves assigning EFI device paths to the hardware connected to the motherboard, and transferring configuration data to the hardware.

BDS – Boot Device Select (Boot Manager)

BDS is a part of the DXE. In this stage, boot devices are initialized, UEFI drivers or Option ROMs of PCI devices are executed according to architecturally defined variables called NVRAM.

TSL – Transient System Load

This is the stage between boot device selection and hand-off to the OS. At this point one may enter a UEFI shell, or execute a UEFI application such as the OS boot loader.

RT – Runtime

The UEFI hands off to the operating system (OS) after is executed. A UEFI compatible OS is now responsible for exiting boot services triggering the firmware to unload all no longer needed code and data, leaving only runtime services code/data, e.g. SMM and ACPI. A typical modern OS will prefer to use its own programs (such as kernel drivers) to control hardware devices.

When a legacy OS is used, CSM will handle this call ensuring the system is compatible with legacy BIOS expectations.

Usage

Implementations

Intel's implementation of EFI is the ''Intel Platform Innovation Framework'', codenamed ''Tiano''. Tiano runs on Intel's XScale, Itanium, IA-32 and x86-64 processors, and is proprietary software, although a portion of the code has been released under the BSD license or Eclipse Public License (EPL) as TianoCore EDK II. TianoCore can be used as a payload for coreboot.

Phoenix Technologies' implementation of UEFI is branded as SecureCore Technology (SCT). American Megatrends offers its own UEFI firmware implementation known as Aptio, while Insyde Software offers InsydeH2O, and Byosoft offers ByoCore.

In December 2018, Microsoft released an open source version of its TianoCore EDK2-based UEFI implementation from the Surface line, Project Mu.

An implementation of the UEFI API was introduced into the Universal Boot Loader (Das U-Boot) in 2017. On the ARMv8 architecture Linux distributions use the U-Boot UEFI implementation in conjunction with GNU GRUB for booting (e.g. SUSE Linux), the same holds true for OpenBSD. For booting from iSCSI iPXE

HOME


Content is Copyleft
Website design, code, and AI is Copyrighted (c) 2014-2017 by Stephen Payne


Consider donating to Wikimedia



As an Amazon Associate I earn from qualifying purchases