Adapt to PEI phase

[scristalli]

From my understanding, the tool at the moment is focused on the DXE drivers and their protocols.
I'm interested in doing something very similar (actual execution and custom hooks) for the PEI phase, and I'm wondering what it would take to adapt the framework. I forked the project at https://github.com/scristalli/efiperun_mod, and I would be interested in developing the feature.
To speed up the work, I would be very thankful if you could answer a couple questions:

• code in the PEI phase is 32-bit. Is 32-bit code execution already handled based on the PE file information, or does it need to be handled? Would it be feasible to integrate, say, gdb on a x86-64 system for singlestepping after the jump to the PE's entry point?
• EFI_SYSTEM_TABLE and other structures for the DXE protocols have been imported from library headers. I was thinking about definining the corresponding structures for the PEI phase (e.g. EFI_PEI_SERVICES), and then make the appropriate changes in the hooks etc. Do you see any particular challenge in my idea that could mine the feasibility of the project?

Feel free to correct mistakes in my understanding if you notice them.

Thank you.
Best regards.

[jethrogb]

Sorry for the late response. I hope this is still useful. In general, happy to answer more questions, but might take some time.

In general, I think your plan seems completely feasible.

I don't know exactly what mode the processor is in in PEI. Most 32-bit instruction can execute without issue in 64-bit mode, but not all, especially related to 16-bit compatibility. This would be my main concern.

The other concern is that I haven't really tested the load_pe function with 32-bit modules. For example, relocations might not work. Also, there are no checks to make sure that images are loaded in the lower 4GB of memory, which is probably necessary to make 32-bit pointers work.

[scristalli]

Hello Jethro,

thanks for the response. I tried some troubleshooting, but so far I have not been able to load PEI modules on 64-bit. So I figured I could just compile efiperun in a 32-bit environment, and that worked, as in I was able to jump to the PEIM's entry point and continue the execution until the first call to EFI_PEI_SERVICES + offset (for some modules, for the others the memory mapping fails before starting the execution, trying to figure out why).
Next I manually coded the EFI_PEI_SERVICES structure and did some other adapting, I haven't been able to find the structures for the PEI phases anywhere except for some specific implementation, probably due to the fact that they're not of interest for the following phases (as opposed to DXE structures, as I understand).

I have been able to code some function pointer into the table and jump to said function. At the moment I'm trying to understand your hook infrastructure, I'm not used to C++ and templates. :)

I will move further questions on development to email if this is OK for you; I will make sure I leave a note here when I make significant progress in my fork.

Thanks.
Best regards.

Stefano

[jethrogb]

I'm glad compiling in 32-bit "just works".

Intel's open source EFI implementation is a great resources for interface definitions, see e.g. https://github.com/tianocore/edk2/blob/master/EdkCompatibilityPkg/Foundation/Framework/Include/PeiApi.h#L490-L568

The GenericHook code just lets you add a pointer parameter of any type in front of a hook function being called. Looking at this now, it's definitely not going to work on 32-bit without changes. I dynamically generate some thunks with 64-bit instructions, and I'm pretty sure RIP-relative indexing doesn't exist in 32-bit. The thunks do this: // This calls m_pfn(&data,...) via fix_hook(). The template is there just to make data be any type. You probably don't need RIP-relative indexing since by the time you're filling in the thunk, you know the address so you can just use that. Hope this helps.

You can contact me at the email address in my git commit logs.

[redfast00]

@scristalli how did your research work out? I'm interested in doing this myself.

[scristalli]

Hello! After trying for a while with efiperun and another emulation approach (trying Unicorn emulator to run EDK II and other UEFI images), I obtained mostly negative (although still useful) results for the work I was trying to do.
In the best case, I was able to start the execution of PEI and even get to the PEI Dispatcher and load some modules, but the result was far from a real execution.
The main problem was the lack of an environment; since PEI is so closely related to hardware, I think that decent emulation of the PEI phase cannot happen without emulation of the hardware layer, which I was not able to accomplish at the time.

[lynxis]

@scristalli thanks for your work. I'm trying to export the memory configurations (only config for initialisation, not the initialisation itself) of TE modules. I've started writing a TE loader, but maybe, you already did so far. Could you explain, what you've done already and which tools/code you've used?

[scristalli]

@lynxis I'm afraid I don't have much information, it's been a while since I last worked on UEFI. I remember that I used the PE loader already present in Unicorn, and that worked just fine. I was able to extract useful information, map some memory regions and start the execution of EDKII's PEI. I didn't write a specific TE loader, and I didn't extend efiperun in the end.