Flash Layout - ISpillMyDrink/UEFI-Repair-Guide GitHub Wiki

This page explains some platform-specific differences between flash images, for example between Intel and AMD images. For an explanation of general structures present in UEFI images, refer to UEFI/BIOS Firmware.

Intel Flash Layout

Descriptor Mode vs. Non-Descriptor Mode

Up to Intel's I/O Controller Hub 7 Family (ICH7), the firmware flash image contained only the BIOS code, without any segmentation. Starting with the ICH8, the chipset can be initialized in either Descriptor Mode or Non-Descriptor Mode. Non-Descriptor Mode uses the same non-segmented flash layout as the ICH7 and earlier, whilst Descriptor Mode segments the flash into regions with independent access permissions and enables additional features: Intel's Integrated GbE controller, soft-straps instead of hard-straps for chipset initialization, the Management Engine including Active Management Technology, and support for multiple flash components.

Intel's current Platform Controller Hubs (PCHs) cannot be used in Non-Descriptor Mode; a valid Flash Descriptor at the beginning of the flash is required. Even when the platform is configured to read the BIOS from LPC, a flash component with a valid Descriptor still needs to be present on the SPI bus.

Multiple Flash Components

Intel chipsets running in Descriptor Mode can use up to two flash chips for firmware storage, in which case the firmware image is split across those chips. To analyze or modify such a split image, the contents of the chips must first be merged, which can be done with any hex editor. On a machine with a 6MB firmware image, for example, one may find two flash chips, one with a capacity of 4MB and another with a capacity of 2MB; the first 4MB of the firmware image would then be contained on the first chip, and the last 2MB on the second chip. Dumping both chips and appending the 2MB image to the 4MB one yields the full firmware image.

Image Layout

In the following we concentrate on the flash layout found on platforms with an Intel PCH, but most of it also applies to older chipsets running in Descriptor Mode, with the difference that some regions may be omitted. Note that this describes the full firmware image, not just the content of a single chip when multiple flash components are used.

Descriptor Region

All Intel images begin with the Descriptor Region at offset 0x0, with a typical size of 4KB (a common size of an erase segment in SPI flash). The Descriptor contains the offsets of all other Regions, their access permissions, soft-straps for the PCH and CPU, and the Management Engine's VSCC Table, among others. The access permissions determine which regions of the flash are readable or writeable from within the running system. Soft-straps for the PCH include the number of flash components, the clock speed at which they can be accessed, whether Dual or Quad SPI is used, the High Assurance Platform (HAP) bit to soft-disable the Management Engine, and many others. Soft-straps for the CPU include settings to disable Hyperthreading, the number of active cores, and other mostly debugging-related settings.

The Descriptor Region begins with a 16-byte reserved space for the ARM Reset Vector (likely to support an ARM-based Embedded Controller with shared flash storage), followed by the Descriptor signature of 0x0FF0A55A. The signature is the first thing an Intel PCH will look for at power on.

Management Engine Region

All Intel images contain an ME Region, which holds firmware and configuration settings for the Management Engine.

Gigabit Ethernet Region

On platforms with an Intel Gigabit Ethernet interface, the Intel image will also contain the GbE Region with a size of 8KB, which contains LAN configuration such as the device's MAC address. Not all platforms store the MAC address in the GbE Region; some ASUS devices, for example, do not.

Platform Data Region

Some Intel images may contain a Platform Data Region (PDR), which can store any data specific to the platform implementation, such as serial information.

Embedded Controller Region (since Skylake)

Some Intel images may contain an EC Region, which holds firmware for the Embedded Controller.

BIOS Region

All Intel images contain a BIOS Region, which will always be aligned to the end of the flash image and contains the UEFI implementation.
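Added example, not part of the original wiki: Python code that merges the two chip dumps from the Multiple Flash Components section, checks the Descriptor signature at offset 0x10, and reads the region table to confirm that the BIOS Region ends at the end of the full image. The FLMAP0/FLREG field layout and the region slot order are assumptions taken from Intel's public chipset datasheets rather than from this page, and the sample image is constructed.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A   # stored little-endian after the 16 reserved bytes
SIG_OFFSET = 0x10
# Region slots assumed from Intel's public datasheets; EC (slot 8) is skipped
# because that slot only exists on Skylake-and-later descriptors.
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "PDR"]

def merge_chips(first: bytes, second: bytes) -> bytes:
    """Append the second chip's dump to the first and sanity-check the result."""
    image = first + second
    if len(image) < 0x1000:
        raise ValueError("image smaller than a 4 KB Descriptor Region")
    (sig,) = struct.unpack_from("<I", image, SIG_OFFSET)
    if sig != FD_SIGNATURE:
        raise ValueError("no Descriptor signature at 0x10 (chips swapped?)")
    return image

def parse_regions(image: bytes) -> dict:
    """Return {name: (start, end)} with end exclusive, for regions in use."""
    (flmap0,) = struct.unpack_from("<I", image, SIG_OFFSET + 4)
    frba = ((flmap0 >> 16) & 0xFF) << 4   # Flash Region Base Address
    regions = {}
    for slot, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * slot)
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base > limit:                  # base above limit marks an unused slot
            continue
        if limit >= len(image):
            raise ValueError(f"{name} region runs past the end of the image")
        regions[name] = (base, limit + 1)
    return regions

def bios_ends_at_image_end(image: bytes) -> bool:
    """The BIOS Region must be aligned to the end of the full image."""
    return parse_regions(image)["BIOS"][1] == len(image)

def build_sample_chips() -> tuple:
    """Constructed 6 MB image, returned as a 4 MB dump and a 2 MB dump."""
    img = bytearray(b"\xFF" * (6 << 20))
    struct.pack_into("<II", img, SIG_OFFSET, FD_SIGNATURE, 0x04 << 16)  # FRBA 0x40
    # (base, limit) in 4 KB units: Descriptor, BIOS, ME, GbE (8 KB), PDR unused
    slots = [(0x000, 0x000), (0x300, 0x5FF), (0x003, 0x2FF), (0x001, 0x002), (0x7FFF, 0)]
    for i, (base, limit) in enumerate(slots):
        struct.pack_into("<I", img, 0x40 + 4 * i, (limit << 16) | base)
    return bytes(img[:4 << 20]), bytes(img[4 << 20:])
```

Running `parse_regions` on the 4 MB dump alone raises an error because the BIOS Region extends into the second chip, which is why the dumps have to be merged before analysis.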

Firmware Interface Table (FIT)

The Firmware Interface Table (FIT) is a structure present in any modern Intel system's firmware image. It consists of a table with entries for Microcode updates, Bootguard configuration, and others. A Microcode patch for any processor stepping supported by the platform must be present within the FIT. The CPU locates the FIT pointer at logical address 0xFFFF:FFC0 and processes the FIT before control is transferred to the BIOS. That means all Microcode patches matching the current processor that are present in the FIT will be applied before execution of the Reset Vector. If a startup Authenticated Code Module (ACM) is present within the FIT, control will be transferred to its entry point after the Microcode patch (see Bootguard).
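Added example, not part of the original wiki: Python code that follows the FIT pointer in a full image, validates the table header, and lists the entries so the Microcode and startup ACM records can be checked before flashing a repaired image. It assumes the image is mapped so that it ends at the 4 GiB boundary (placing the pointer 0x40 bytes before the end of the file) and takes the 16-byte entry layout and type codes from Intel's public FIT specification; the sample image is constructed.

```python
import struct

FIT_POINTER_FROM_END = 0x40      # pointer slot sits 0x40 bytes below 4 GiB
FIT_SIGNATURE = b"_FIT_   "
# Type codes assumed from Intel's public FIT specification.
ENTRY_TYPES = {0x00: "Header", 0x01: "Microcode", 0x02: "Startup ACM",
               0x0B: "Key Manifest", 0x0C: "Boot Policy Manifest"}

def to_offset(address: int, image_len: int) -> int:
    """Translate a physical address to a file offset (image ends at 4 GiB)."""
    offset = address - ((1 << 32) - image_len)
    if not 0 <= offset < image_len:
        raise ValueError(f"address {address:#x} lies outside the image")
    return offset

def parse_fit(image: bytes) -> list:
    """Return [(type_name, address)] for every entry after the FIT header."""
    (pointer,) = struct.unpack_from("<Q", image, len(image) - FIT_POINTER_FROM_END)
    fit = to_offset(pointer, len(image))
    if image[fit:fit + 8] != FIT_SIGNATURE:
        raise ValueError("FIT pointer does not lead to a _FIT_ header")
    count = int.from_bytes(image[fit + 8:fit + 11], "little")  # includes header
    if fit + 16 * count > len(image):
        raise ValueError("FIT entry count runs past the end of the image")
    entries = []
    for i in range(1, count):
        address, _size, _ver, type_cv, _sum = struct.unpack_from(
            "<Q4sHBB", image, fit + 16 * i)
        kind = type_cv & 0x7F                 # bit 7 is the checksum-valid flag
        if kind in (0x01, 0x02):
            to_offset(address, len(image))    # must point inside the image
        entries.append((ENTRY_TYPES.get(kind, f"type {kind:#04x}"), address))
    return entries

def build_sample() -> bytes:
    """Constructed 64 KB image: FIT header, one microcode and one ACM entry."""
    img = bytearray(b"\xFF" * 0x10000)
    top = (1 << 32) - len(img)                # physical address of file offset 0
    fit = 0xF000
    rows = [(FIT_SIGNATURE, 3, 0x00),
            (struct.pack("<Q", top + 0x1000), 0, 0x01),
            (struct.pack("<Q", top + 0x8000), 0, 0x02)]
    for i, (first8, size, kind) in enumerate(rows):
        struct.pack_into("<8s3sBHBB", img, fit + 16 * i, first8,
                         size.to_bytes(3, "little"), 0, 0x0100, kind, 0)
    struct.pack_into("<Q", img, len(img) - FIT_POINTER_FROM_END, top + fit)
    return bytes(img)
```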

Integrated Firmware Image (IFWI)

On some TXE platforms the default Intel layout has been replaced with the Integrated Firmware Image (IFWI) layout; this is often found on platforms that use eMMC for firmware storage.

Descriptor Region

All IFWI images start with a Descriptor Region at offset 0x0 and with a typical size of 4KB. Similar to the default Intel layout, the Descriptor contains offsets and access permissions for all other regions.

IFWI Region

All IFWI images contain an IFWI region, which replaces the previously distinct ME and BIOS regions. The IFWI region is divided into two Logical Boot Partitions (LBP), each of which is divided into multiple sub-partitions for things like TXE Firmware, IA Firmware (BIOS), PMC Firmware, CPU Microcode, etc.

Logical Data Region

The Logical Data region contains all non-volatile data managed by the TXE and the UEFI NVRAM storage.

AMD Flash Layout

On AMD platforms with a Platform Security Processor (PSP), the firmware for the PSP is embedded between UEFI filesystems.