- Video optionrom authenticate fail error message - Windows
- HP EliteDesk 800 Desktop PC series - BIOS Setup | HP
On a PC with Secure Boot enabled, option ROM drivers pose a security threat if they are not signed or not validated. Signature validation for option ROMs is a WHCK requirement. The same is true while servicing option ROMs to make sure that the update is validated prior to installation.
However, if you have a desktop, motherboard or server that has a UEFI BIOS and implements Secure Boot, you may be affected. On a server, the dedicated RAID controller, add-in storage controllers (SATA, FC, etc.) and PCIe Ethernet cards may all carry option ROMs. Add-in controllers supporting a wide array of functionality are common on servers, so this especially applies to the server space.
UEFI drivers are necessary for many of the new firmware-level security features as well as for UEFI boot sequences. For example, when a system boots in UEFI mode with Secure Boot enabled, installing Windows from an optical disk attached to a non-UEFI-compatible storage controller is not possible.
Devices that typically require option ROMs are video cards, network adapters, and storage drivers for RAID modules. These option ROMs also typically provide firmware drivers to the PC.
If a Secure Boot platform supports option ROMs from devices not permanently attached to the platform and it supports the ability to authenticate those option ROMs, then it must support the option ROM validation methods described in Network Protocols — UDP and MTFTP and the authenticated EFI variables described in UEFI specification Errata C Section .
If the UEFI firmware is implemented correctly, the UEFI option ROM driver will not load: the presence of an option ROM makes the firmware check the signature database (db) for a matching certificate, and since the db is empty (NULL) in this test, the UEFI driver fails to load. For example, if you are using the video card to test, you will see that nothing shows up on the display.
This guide assumes you know the fundamentals of UEFI, have a basic understanding of Secure Boot (Chapters 1, 2, 13, 20 and 22 of the UEFI specification), and understand the PKI security model.
This vulnerability was still present in EDK II and UDK2010 as of August 2013. The source maintainers are aware of the issue and a bug is filed. Any firmware derived from EDK II and UDK2010 should verify how option ROM verification is managed. Option ROM verification behavior is controlled by the PCD value PcdOptionRomImageVerificationPolicy in the EDK II SecurityPkg package.
Some builds of Secure Boot-enabled UEFI BIOS, including TianoCore, did not authenticate UEFI option ROMs by default, because signed UEFI option ROMs were not available during Secure Boot development. This exposes an attack surface in UEFI Secure Boot: an unsigned or tampered option ROM would be executed before the OS loader is ever checked.
Do not sign each option ROM image individually; that will break the format of the PCI option ROM. You only need to sign the UEFI driver (the PE/COFF image) before creating the combined option ROM.
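As an added example (not code from the original page or from any firmware vendor), the following Python walks the image chain of a combined PCI option ROM, locates each EFI image by its PCIR code type, and reports whether the embedded PE/COFF driver carries an Authenticode signature (a non-empty Security data directory). A defender can run it over ROM dumps of add-in cards to find unsigned drivers before enabling Secure Boot. The sample ROM it builds is constructed in-line around a minimal PE32+ stub and is not a real driver.

```python
import struct

def _pe_has_authenticode(pe: bytes) -> bool:
    """True if the PE/COFF image has a non-empty, in-bounds Security data directory."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0] if len(pe) >= 0x40 else 0
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 24                            # optional header follows the 20-byte COFF header
    if len(pe) < opt + 152:                        # must reach data directory entry 4 (PE32+ layout)
        return False
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # data directory array: PE32+ vs PE32
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4 = Security
    return sec_size > 0 and sec_off + sec_size <= len(pe)

def scan_option_rom(rom: bytes) -> list:
    """Walk the image chain of a combined PCI option ROM and report each EFI image."""
    found, off = [], 0
    while off + 0x1A <= len(rom) and rom[off:off + 2] == b"\x55\xAA":
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            break
        length = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        if code_type == 0x03:                      # 0x03 = EFI image (0x00 = legacy x86 BIOS code)
            efi_sig = struct.unpack_from("<H", rom, off + 4)[0]
            img_off = struct.unpack_from("<H", rom, off + 0x16)[0]
            pe = rom[off + img_off:off + length]
            found.append({"offset": off, "efi_header_ok": efi_sig == 0x0EF1, "signed": _pe_has_authenticode(pe)})
        if indicator & 0x80 or length == 0:        # bit 7 set = last image in the ROM
            break
        off += length
    return found

def build_test_rom(signed: bool) -> bytes:
    """Constructed sample: one EFI image around a minimal PE32+ stub (not a real driver)."""
    pe = bytearray(256)
    pe[:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)         # e_lfanew -> PE signature
    opt = 0x40 + 24
    struct.pack_into("<H", pe, opt, 0x20B)         # PE32+ magic
    # Security directory -> a 16-byte blob at 240 standing in for the PKCS#7 signature (size 0 = unsigned)
    struct.pack_into("<II", pe, opt + 112 + 4 * 8, 240, 16 if signed else 0)
    rom = bytearray(512)
    struct.pack_into("<2sHH", rom, 0, b"\x55\xAA", 1, 0x0EF1)  # ROM signature, init size (512-byte units), EFI signature
    struct.pack_into("<HH", rom, 0x16, 0x40, 0x1C) # EFI image offset, PCIR offset
    rom[0x1C:0x20] = b"PCIR"
    struct.pack_into("<H", rom, 0x1C + 0x10, 1)    # image length in 512-byte units
    rom[0x1C + 0x14], rom[0x1C + 0x15] = 0x03, 0x80  # code type EFI, last-image indicator
    rom[0x40:0x40 + len(pe)] = pe
    return bytes(rom)
```

A "signed" result only means a signature is present; whether it chains to a certificate in db is decided by the firmware at load time.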