4.2.13 Do not use hidden PCI Option ROM Regions

Some option ROMs use paging or similar techniques to load and execute code that was not visible to the system firmware when it measured the visible portion of the option ROM. This technique is discouraged because it is the PCI bus driver's responsibility to extract the option ROM contents when the PCI bus is enumerated. If code were required to access hidden portions of an option ROM, the PCI bus driver would have no way to extract those additional PCI Option ROM contents.

This inability means that the UEFI drivers in a PCI Option ROM must be visible without accessing any hidden portion of the PCI Option ROM. However, if there is a safe mechanism to access the hidden portions of the PCI option ROM after the UEFI drivers have been loaded and executed, the UEFI driver may choose to access those contents. For example, non-volatile configuration information, utilities, or diagnostics can be stored in the hidden PCI Option ROM regions.

Caution: The hidden option ROM regions also cannot be measured or verified through the signing and verification interfaces introduced in UEFI 2.3 and later. This makes them, and the system, less secure.
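As an added illustration (not code from this guide or from any PCI bus driver), the following Python walks the image chain of a PCI Option ROM blob the way a bus driver extracts it: it follows each 0x55AA header to its PCIR structure, adds up the image lengths, and reports how many bytes of the ROM lie beyond the last image. Those bytes are exactly what the bus driver never extracts and measurement never covers. The ROM image it builds is constructed for the example; the vendor and device IDs, the PCIR placement at offset 0x1C, and the filler bytes are assumptions.

```python
import struct

PCIR_LEN = 0x18                                  # size of the PCI Data Structure
EFI_CODE_TYPE = 3                                # PCIR code type for UEFI images

def make_image(code_type: int, units: int, last: bool) -> bytes:
    """Build one constructed option ROM image of units*512 bytes:
    0x55AA header at 0, pointer (offset 0x18) to a PCIR placed at 0x1C."""
    pcir = struct.pack("<4sHHHHB3sHHBBH", b"PCIR", 0x1234, 0x5678,  # constructed IDs
                       0, PCIR_LEN, 3, b"\x00\x00\x02", units, 0,
                       code_type, 0x80 if last else 0, 0)
    header = b"\x55\xAA" + bytes(0x16) + struct.pack("<H", 0x1C)
    return (header + bytes(0x1C - len(header)) + pcir).ljust(units * 512, b"\xCC")

def audit_option_rom(rom: bytes):
    """Walk the image chain only as far as the headers expose it and return
    (visible images, bytes of the ROM that no image header accounts for).
    Each image is (offset, length, code_type); the trailing byte count is
    what a bus driver would never extract and measurement would never cover."""
    images, offset = [], 0
    while offset + 0x1A <= len(rom) and rom[offset:offset + 2] == b"\x55\xAA":
        pcir = offset + struct.unpack_from("<H", rom, offset + 0x18)[0]
        if pcir + PCIR_LEN > len(rom) or rom[pcir:pcir + 4] != b"PCIR":
            break                                   # malformed chain: stop here
        length = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512
        code_type = rom[pcir + 0x14]
        last = bool(rom[pcir + 0x15] & 0x80)        # indicator bit 7 = last image
        images.append((offset, length, code_type))
        offset += length
        if last or length == 0:
            break
    return images, max(0, len(rom) - offset)

if __name__ == "__main__":
    # Constructed ROM: a legacy x86 image, then a UEFI image marked last,
    # then 1 KiB that no header describes (a "hidden" region).
    rom = make_image(0, 1, False) + make_image(EFI_CODE_TYPE, 2, True) + bytes(1024)
    visible, hidden = audit_option_rom(rom)
    for off, length, ctype in visible:
        print(f"image @0x{off:04x} len={length} code_type={ctype}")
    print(f"unaccounted trailing bytes: {hidden}")
```

A non-zero trailing count on a ROM dumped from a device's Expansion ROM BAR is the signal that the firmware's measurement stopped short of everything the device carries.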