Fork: 0
ajax / AMI-Aptio-BIOS-Reversed
Transfer to URL with SHA Find file
Newer
Older
AMI-Aptio-BIOS-Reversed / docs / boot_and_runtime_lifecycle.md
@Ajax Dong Ajax Dong 12 hours ago 7 KB Added some docs
Raw Blame History

Boot and Runtime Lifecycle

This document describes the observed lifecycle of the recovered HR650X / Purley
AMI UEFI firmware. It is based on the module evidence currently present in the
tree, especially the PEI, DXE IPL, DXE Core, SMM IPL/Core, setup, security, and
BMC module notes.

1. Early PEI Dispatch

PeiCore is the first major recovered phase anchor after SEC. Its notes describe
the PEI dispatcher, PEI Services Table setup, firmware-volume discovery, memory
initialization, PPI management, and HOB creation.

Key behaviours:

  • Establishes PEI services and the PPI database.
  • Discovers firmware volumes and PEIMs.
  • Dispatches PEIMs according to PEI dependency rules.
  • Handles boot-mode and memory-initialization transitions.
  • Builds the HOB list that later phases consume.

Evidence:

  • MdeModulePkg/Core/Pei/PeiMain/PeiCore/README.md

2. Early Security and Platform State

Some security and platform checks occur before DXE. The clearest recovered
example is BootGuardPei, an IA32 PEI module that reads Boot Guard state from
MSR 0x13A, installs a BootGuard PPI, skips FV verification on S3 resume, hashes
FV segments with SHA-256, and sets a disabling PCD on mismatch according to its
README.

Other PEI-stage platform work includes TPM/TCG policy, IPMI/BMC initialization,
CMOS/boot-mode handling, early video, and Purley silicon initialization.

Evidence:

  • PurleyPlatPkg/BootGuard/ExtendBtGSupportToDxe/Pei/BootGuardPei/README.md
  • AmiModulePkg/TCG2/Common/AmiTcgPlatformPei/AmiTpm20PlatformPei/README.md
  • AmiIpmiPkg/Ipmi/PeiIpmiInitialize/PeiIpmiBmcInitialize/PeiIpmiBmcInitialize/README.md
  • PurleySktPkg/SouthClusterLbg/SiInit/Pei/SiInitPreMem/README.md
  • PurleyPlatPkg/Platform/Pei/EarlyVideoPei/README.md

3. PEI-to-DXE Handoff

DxeIpl bridges PEI and DXE. The README and function table show DXE Core
discovery, firmware-volume section reading, LZMA decompression, x64 page-table
creation, HOB handoff, boot-mode handling, and transfer to the DXE Core entry
point.

Key behaviours:

  • Finds the DXE Foundation in firmware volumes.
  • Extracts/decompresses sections where required.
  • Builds identity-mapped page tables for x64 DXE execution.
  • Carries PEI HOB state forward.
  • Calls into the DXE Core.

Evidence:

  • MdeModulePkg/Core/DxeIplPeim/README.md
  • MdeModulePkg/Core/DxeIplPeim/DxeIpl.md
  • MdeModulePkg/Core/DxeIplPeim/DxeIplDiscoverDxeCore.c
  • MdeModulePkg/Core/DxeIplPeim/DxeIplTransferToDxeCore.c

4. DXE Foundation

The recovered DXE Core evidence is located at
MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction. Its README
describes the central DXE services:

  • Protocol database and handle database management.
  • Boot and runtime service table initialization.
  • DXE Services and Global Coherency Domain services.
  • Page and pool allocation.
  • Image loading, start, unload, and driver dispatch.
  • Event, timer, TPL, and notification handling.
  • Firmware-volume and section-extraction services.
  • Memory protection table construction.

Evidence:

  • MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction/README.md

5. DXE Platform Services

After the DXE Core starts dispatching drivers, the firmware builds the server
platform environment. The recovered tree shows several major DXE service groups:

  • PCI, storage, NVMe, AHCI, SCSI, FAT, shell, CSM, terminal, and network boot.
  • SMBIOS and system inventory.
  • ACPI table updates.
  • Lenovo setup and platform policy.
  • Intel SPS/ME communication.
  • BMC/IPMI setup, self-test, SEL/status reporting, and management tables.
  • Secure Boot and TPM 2.0 protocols.
  • Flash, NVRAM, runtime, and SMM bridge services.

Evidence examples:

  • AmiModulePkg/PCI/PciBus/README.md
  • AmiModulePkg/Nvme/Nvme/README.md
  • AmiNetworkPkg/UefiNetworkStack/PxeBcDxe/README.md
  • LenovoServerPkg/SystemInventory/SystemInventory/README.md
  • PurleySktPkg/Me/Sps/Dxe/SpsDxe/README.md
  • AmiIpmiPkg/Ipmi/IpmiInitialize/DxeIpmiBmcInitialize/DxeIpmiBmcInitialize/README.md
  • AmiModulePkg/SecureBoot/SecureBootDXE/README.md
  • AmiModulePkg/TCG2/Common/TcgDxe/Tcg2Dxe/README.md

6. SMM Bring-up

SMM is established from DXE through PiSmmIpl, which opens/configures SMRAM,
loads SMM Core into SMRAM, exposes SMM access/control/communication protocols,
and bridges S3 boot-script and runtime pointer conversion work. PiSmmCore then
provides SMST services and dispatches registered SMI handlers.

Key behaviours:

  • Enumerates and prepares SMRAM ranges.
  • Loads SMM Core into SMRAM.
  • Provides software SMI triggering and SMM communication.
  • Initializes SMM system table services.
  • Registers and dispatches GUID-keyed SMI handlers.
  • Validates SMM communication buffers through AMI buffer-validation support.

Evidence:

  • MdeModulePkg/Core/PiSmmCore/PiSmmIpl/README.md
  • MdeModulePkg/Core/PiSmmCore/PiSmmCore/README.md
  • PurleySktPkg/Override/IA32FamilyCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm/README.md

7. Setup and Boot Policy

AMI TSE and Lenovo setup modules control interactive firmware configuration and
boot-option policy. The AMITSE notes describe menu database parsing, HII package
installation, graphics/text rendering, boot-option management, language and
hotkey initialization, and storage-security policy hooks. Lenovo setup modules
handle HR650X-specific setup variables, defaults, server-management forms, and
socket/platform options.

Key behaviours:

  • Reads and writes setup variables.
  • Publishes HII forms and setup callbacks.
  • Manages Boot####, BootOrder, BootNext, and Timeout.
  • Applies platform setup defaults and SKU-specific setup updates.
  • Exposes server-management and socket/platform configuration screens.

Evidence:

  • AmiTsePkg/EDK/MiniSetup/AMITSE/README.md
  • LenovoServerPkg/Setup/README.md
  • LenovoServerPkg/ServerMgmtSetup/README.md
  • LenovoServerPkg/SetupDefaults/SetupDefaultLoad/README.md
  • LenovoServerPkg/SocketSetup/README.md

8. Ready-to-Boot and OS Handoff

Near the end of boot-service time, ready-to-boot and platform hooks finalize
platform tables, inventory, boot policy, and BMC/SMBIOS state. Runtime services
and SMM handlers remain available after ExitBootServices, while ACPI/SMBIOS
tables describe platform capabilities to the OS.

Evidence:

  • LenovoServerPkg/OemReadyToBootDxe/OemReadyToBootDxe/README.md
  • LenovoServerPkg/OemSaveSmbiosDxe/README.md
  • LenovoServerPkg/SmbiosType11/SmbiosType11/README.md
  • LenovoServerPkg/SmbiosType39/README.md
  • AmiModulePkg/RuntimeDxe/RuntimeDxe/README.md
  • AmiModulePkg/RuntimeSmm/RuntimeSmm/README.md

9. Runtime and Management After Boot

After OS handoff, the relevant remaining firmware behaviours are primarily:

  • UEFI runtime variable and time services.
  • SMM communication and software SMI handlers.
  • Flash and secure-flash update handlers.
  • BMC/IPMI event logging and management paths.
  • WHEA/RAS error logging and SMI-based recovery paths.
  • ACPI methods and tables installed during DXE.

Evidence:

  • AmiModulePkg/NVRAM/NvramSmm/README.md
  • AmiModulePkg/SmiVariable/SmiVariable/README.md
  • AmiModulePkg/Flash/SmiFlash/README.md
  • AmiModulePkg/SecureFlash/SecSMIFlash/README.md
  • AmiIpmiPkg/Ipmi/SmmBmcElog/README.md
  • CpPlatPkg/Whea/WheaElog/README.md
  • PurleySktPkg/Smm/Ras/QuiesceSupport/QuiesceSupport/README.md