AMI-Aptio-BIOS-Reversed / TpmSmbiosDxe / TpmSmbiosDxe.md (Ajax Dong, commit "Init")

# TpmSmbiosDxe

## Function Table

Load-relative addresses were not preserved in this copy; the names are the decompiler's. Descriptions are taken from the recovered fragments below and, for the library routines, from their standard EDK2 meaning.

| Name | Description |
|------|-------------|
| TpmDxeTcgCallback | Protocol-notify callback for the TCG (TPM 1.2) protocol: fetches capability data, picks the characteristics configuration from PCD token 215 |
| TpmDxeTrEECallback | Protocol-notify callback for the TrEE (TPM 2.0) protocol: same flow as the TCG callback, plus the TPM support HOB lookup |
| CpuPause | BaseLib: executes PAUSE |
| ReadTsc | BaseLib AsmReadTsc: reads the time-stamp counter (delay loop in InitializeTpmSmbios) |
| EnableInterrupts | BaseLib: STI |
| DisableInterrupts | BaseLib: CLI |
| ReadEflags | BaseLib AsmReadEflags (used to save EFLAGS.IF around the delay loop) |
| ReadUnaligned64 | BaseLib unaligned 64-bit read |
| AsciiStrLen | BaseLib ASCII string length (SMBIOS string set sizing) |
| IoWrite16 | IoLib 16-bit port write |
| IoRead32 | IoLib 32-bit port read |
| PciExpressBaseAddress | PciExpressLib wrapper around the PCIe configuration window whose base is read from PCD token 5 |
| CompareGuid | BaseMemoryLib GUID compare (HOB walk) |
| IsTpm20 | Distinguishes TPM 2.0 from TPM 1.2 by comparing device IDs read from the TPM MMIO window at 0xFED40000 against qword_2D50 |
| Tpm2GetCapability | Builds a TPM2_GET_CAPABILITY command, submits it and byte-swaps the big-endian response |
| TpmSmbiosPopulate | Removes any existing Type 43 (TPM Device) record and adds a new one through EFI_SMBIOS_PROTOCOL |
| GetTpmSupportHobData | Locates the TPM support GUID HOB in the HOB list |
| InternalFreePool | Wrapper over gBS->FreePool |
| DebugPrint | DebugLib output; the level comes from CMOS offset 0x4B |
| DebugAssert | DebugLib assert |
| InitializeTpmSmbios | Constructor-style init: saves gImageHandle/gBS/gRT, caches the HOB list and the PCIe base, runs a short TSC delay |
| ModuleEntryPoint | Standard EDK2 _ModuleEntryPoint: runs the library constructors, then TpmSmbiosDxeEntry |
| TpmSmbiosDxeEntry | Driver entry: locates the TrEE protocol, then the TCG protocol, and registers protocol notifies when neither is available yet |
## GUID Definitions

```c
// Labelled by the decompilation as the SMBIOS protocol GUID, but the value does not match the PI
// EFI_SMBIOS_PROTOCOL_GUID (03583FF6-CB36-4940-947E-B9B39F4AFAF7); it may be an AMI-specific GUID,
// so treat the name as provisional.
EFI_GUID gEfiSmbiosProtocolGuid = { 0x0B30D3F9, 0xD8F0, 0x432A, { 0x90, 0x1C, 0x29, 0xC7, 0x41, 0x06, 0xA6, 0xE8 } };
```
## Globals from UEFI Boot/Runtime Services Table Library

```c
EFI_HANDLE gImageHandle = NULL;
```
## Module Global Variables (mapped from .data section)

Names are decompiler-assigned and should be renamed as understanding of their purpose improves. Descriptions recovered so far (the matching declarations did not survive in this copy):

- The ImageHandle passed to the driver entry point (saved for later use).
- The SystemTable pointer (saved for module-internal use).
- The BootServices pointer (extracted from SystemTable).
- The RuntimeServices pointer (extracted from SystemTable).
- TPM Vendor ID (from TPM capabilities).
- TPM Specification Version: Major (LO byte), Minor (HI byte); this is the MajorSpecVersion/MinorSpecVersion byte pair of the SMBIOS Type 43 record.
- TPM Firmware Version 1.
- TPM Firmware Version 2.
- TPM Characteristics flags (bitfield; the Type 43 Characteristics field).
- OemDefined value.
- TPM 2.0 vendor string length.
## TPM Vendor ID to Name Lookup Table

```c
// Entries described as 12 bytes: VendorId (UINT32, the TCG vendor ID read as a big-endian
// 32-bit value, i.e. its four ASCII characters), NamePointer (CHAR8 *).
// The recovered entry addresses are 24 to 36 bytes apart rather than 12, so either the entry
// size or the start addresses are suspect. Only 7 of the 17 declared entries were recovered.
TPM_VENDOR_ID_MAP VendorIdMap[17] = {
/* 0x2C8C */ { 0x49465820, "Infineon" }, // 0x2C98: 0x49465820 = "IFX " (trailing space, not NUL)
/* 0x2CB0 */ { 0x534C4230, "SLB0" },     // 0x2CBC: 0x534C4230 = "SLB0"
/* 0x2CC8 */ { 0x53545320, "STM" },      // 0x2CD4: 0x53545320 = "STS " (trailing space)
/* 0x2CE0 */ { 0x57454320, "WEC" },      // 0x2CEC: 0x57454320 = "WEC " (trailing space)
/* 0x2CF8 */ /* duplicate entry, value not recovered */
/* 0x2D10 */ { 0x4D534654, "MSFT" },     // 0x2D1C: 0x4D534654 = "MSFT"
/* 0x2D28 */ { 0x4E544300, "NTC" },      // 0x2D34: 0x4E544300 = "NTC\0" (duplicate)
};
```
## Other module globals

```c
// TPM device ID comparison table (address 0x2D50).
// Used by IsTpm20() to compare device IDs read from the TPM locality-0 MMIO window at 0xFED40000.
UINT64 qword_2D50[3];
// SMBIOS protocol pointer (queried via gBS->LocateProtocol).
UINTN qword_2D60 = 0;
// TrEE protocol pointer.
UINTN qword_2D68 = 0;
// TCG protocol pointer (filled by TpmSmbiosDxeEntry / TpmDxeTcgCallback).
UINTN qword_2D70 = 0;
// TPM support HOB data pointer (retrieved from HOB list).
UINTN qword_2D78 = 0;
// Debug library output protocol (for DebugPrint/DebugAssert).
UINTN qword_2DA0 = 0;
UINTN qword_2DA8 = 0;
// HOB list pointer.
UINTN qword_2DB0 = 0;
// PCI Express memory-mapped configuration base address (from PCD token 5, see InitializeTpmSmbios).
UINTN qword_2DB8 = 0;
// TPM 2.0 GET_CAPABILITY response buffer at 0x2DD0 (declared size is a decompiler placeholder).
UINT64 qword_2DD0[2];
// TPM2 GET_CAPABILITY response buffer at 0x2EF0.
UINT64 qword_2EF0[2];
// TCG notification callback context.
UINT64 qword_2FF0[2];
// TPM 1.2 GET_CAPABILITY response buffer at 0x3000.
UINT8 unk_3000[26];
// Protocol registration keys (for gBS->RegisterProtocolNotify).
UINT64 unk_3100[2]; // TrEE registration
                    // SMBIOS registration (declaration not recovered)
UINT64 n25 = 25;
// n513 (0x0201) was labelled "TPM2 firmware version indicator"; laid over the Major/Minor byte
// pair described above it reads as major 1, minor 2, i.e. TPM 1.2, so the label may be wrong.
UINT16 n513 = 513;
```
## Decompiled functions (recovered fragments)

Forward declarations of the local helpers precede the bodies. Only parts of the bodies survive in this copy; the comments and isolated statements are kept as found.

### Memory operation wrappers

```c
// Overlap-safe copy: when the destination lies above the source, copy backwards from the last byte
Src = &Source[Length - 1];
Count = Length;
// Zero the buffer in aligned 8-byte chunks, then the remainder
memset (Buffer, 0, 8 * (Length >> 3));
```

### Unaligned read / string length helpers

### PciExpressLib wrapper
### HOB list and TPM support HOB retrieval

```c
// TPM HOB retrieval (raw HOB walk)
// Walk the HOB list from the end
Count = (UINTN)HobStart;
// Found matching GUID: walk the HOB data entries
Entry = *(INT16 *)(HobPtr + 16);
```

Two things to keep in mind when reusing this walk: a GUID extension HOB carries its EFI_GUID at offset 8 and its data from offset 24, so a 16-bit read at `HobPtr + 16` lands inside the GUID unless `HobPtr` already points past the header; and the recovered fragment shows no check of HobLength against the end of the list, so a malformed HOB (zero or oversized length) would turn the walk into an infinite loop or an out-of-bounds read.
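A bounds-checked version of the GUID-HOB lookup, as an added example (not the driver's code and not the AMI-Aptio-BIOS-Reversed project's): it walks a HOB list forward from the PHIT HOB using the PI-spec header layout, validates every HobLength against the list size before trusting it, and returns the data of the GUID extension HOB that matches. The list, the GUIDs (gSampleTpmHobGuid, gSampleOtherHobGuid) and the eight data bytes are constructed for the example.

```c
/* Added example: bounds-checked GUID-HOB lookup in plain C, standing in for the driver's raw
 * HOB walk. Structures follow the PI spec HOB definitions; the HOB list and the GUIDs below
 * are constructed for the example and do not come from a real platform. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EFI_HOB_TYPE_HANDOFF          0x0001
#define EFI_HOB_TYPE_GUID_EXTENSION   0x0004
#define EFI_HOB_TYPE_END_OF_HOB_LIST  0xFFFF

typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;
typedef struct { uint16_t HobType; uint16_t HobLength; uint32_t Reserved; } EFI_HOB_GENERIC_HEADER;
typedef struct { EFI_HOB_GENERIC_HEADER Header; EFI_GUID Name; } EFI_HOB_GUID_TYPE;  /* data follows at +24 */

/* Walk forward from the start of the list (the PHIT HOB), stopping at END_OF_HOB_LIST.
 * Every HobLength is validated against the caller-supplied size before it is used to advance,
 * so a zero length cannot loop forever and an oversized one cannot run off the buffer.
 * Returns a pointer to the matching GUID HOB's data (and its size), or NULL. */
const void *FindGuidHobData(const void *HobList, size_t ListSize, const EFI_GUID *Name, size_t *DataSize)
{
    const uint8_t *p = (const uint8_t *)HobList;
    const uint8_t *end = p + ListSize;
    while ((size_t)(end - p) >= sizeof(EFI_HOB_GENERIC_HEADER)) {
        EFI_HOB_GENERIC_HEADER hdr;
        memcpy(&hdr, p, sizeof hdr);                          /* no alignment assumptions */
        if (hdr.HobType == EFI_HOB_TYPE_END_OF_HOB_LIST) break;
        if (hdr.HobLength < sizeof hdr || hdr.HobLength > (size_t)(end - p)) return NULL; /* malformed */
        if (hdr.HobType == EFI_HOB_TYPE_GUID_EXTENSION && hdr.HobLength >= sizeof(EFI_HOB_GUID_TYPE) &&
            memcmp(p + sizeof hdr, Name, sizeof *Name) == 0) {
            if (DataSize) *DataSize = hdr.HobLength - sizeof(EFI_HOB_GUID_TYPE);
            return p + sizeof(EFI_HOB_GUID_TYPE);
        }
        p += hdr.HobLength;
    }
    return NULL;
}

/* Emit one HOB into a buffer (used only to construct the sample list). */
static size_t PutHob(uint8_t *buf, uint16_t type, const EFI_GUID *name, const void *data, size_t n)
{
    size_t len = sizeof(EFI_HOB_GENERIC_HEADER) + (name ? sizeof(EFI_GUID) + n : 0);
    EFI_HOB_GENERIC_HEADER hdr = { type, (uint16_t)len, 0 };
    memcpy(buf, &hdr, sizeof hdr);
    if (name) { memcpy(buf + 8, name, 16); memcpy(buf + 24, data, n); }
    return len;
}

/* Constructed GUIDs (made up for the example; not the driver's TPM support HOB GUID). */
static const EFI_GUID gSampleTpmHobGuid   = { 0x11111111, 0x2222, 0x3333, { 0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44 } };
static const EFI_GUID gSampleOtherHobGuid = { 0xAAAAAAAA, 0xBBBB, 0xCCCC, { 0xDD,0xDD,0xDD,0xDD,0xDD,0xDD,0xDD,0xDD } };

/* Build a sample list: PHIT header, an unrelated GUID HOB, the "TPM support" HOB with 8 data
 * bytes, end marker. Returns the list size (80 bytes); buf must hold at least 96 bytes. */
size_t BuildSampleHobList(uint8_t *buf)
{
    static const uint8_t other[8] = { 9, 9, 9, 9, 9, 9, 9, 9 };
    static const uint8_t tpm[8]   = { 1, 2, 3, 4, 5, 6, 7, 8 };   /* pretend TPM support data */
    size_t off = 0;
    off += PutHob(buf + off, EFI_HOB_TYPE_HANDOFF, NULL, NULL, 0);
    off += PutHob(buf + off, EFI_HOB_TYPE_GUID_EXTENSION, &gSampleOtherHobGuid, other, sizeof other);
    off += PutHob(buf + off, EFI_HOB_TYPE_GUID_EXTENSION, &gSampleTpmHobGuid, tpm, sizeof tpm);
    off += PutHob(buf + off, EFI_HOB_TYPE_END_OF_HOB_LIST, NULL, NULL, 0);
    return off;
}
```

The size check is the part the decompiled walk lacks: on a real platform ListSize would come from the PHIT HOB's EfiFreeMemoryBottom / EfiEndOfHobList fields, never from a HobLength inside the list itself.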
### TPM 1.2 / 2.0 detection (IsTpm20)

IsTpm20 compares device IDs read from the TPM locality-0 MMIO window at 0xFED40000 against the qword_2D50 table listed above; no further body was recovered.
### TPM capability retrieval (Tpm2GetCapability)

```c
// Build the TPM2_GET_CAPABILITY command buffer. The TPM wire format is big-endian, so every
// field is byte-swapped before it is stored:
// tag = TPM_ST_NO_SESSIONS (0x8001)
// commandSize MSW
// commandSize LSW
// property count = 1
// Submit the command through the protocol's SubmitCommand member. SubmitCommand belongs to
// EFI_TREE_PROTOCOL (and EFI_TCG2_PROTOCOL); the legacy EFI_TCG_PROTOCOL exposes raw commands as
// PassThroughToTpm, and HashLogExtendEvent does not submit arbitrary commands, so the cast below
// is mislabelled and the pointer is most likely the TrEE protocol (qword_2D68).
Status = ((EFI_TCG_PROTOCOL *)TpmProtocol)->SubmitCommand (
// 32-bit byte swap of a big-endian response field, expressed as 16-bit rotates by 8
// (the rest of the expression is missing from this copy)
qword_3010 = ((UINT32)((UINT16)ROL2 ((UINT16)(qword_3010 >> 16), 8)
// Copy TPM info to the output structure (TPM 1.2 path)
CopyMem (TpmInfo, &unk_3000, sizeof (unk_3000));
qword_2DE0 = ((UINT32)((UINT16)ROL2 ((UINT16)(qword_2DE0 >> 16), 8)
// TPM 2.0 path: the copy length is the 1.2 buffer's size (26 bytes) although qword_2DD0 is
// declared as 16 bytes above; the declared sizes are decompiler placeholders, not the real size
CopyMem (TpmInfo, &qword_2DD0, sizeof (unk_3000));
```
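As an added example (not the driver's code), the same TPM2_GET_CAPABILITY exchange written out in C: the request builder lays down the big-endian tag, commandSize, commandCode, capability, property and propertyCount fields that the fragment above assembles with byte swaps, and the parser pulls TPM_PT_MANUFACTURER and TPM_PT_FIRMWARE_VERSION_1/2 (the values the Type 43 record needs) out of a response while checking responseSize and propertyCount against the bytes actually received. The response bytes are constructed, not captured from a TPM; the function and type names are mine.

```c
/* Added example: TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES) request builder and response
 * parser. Not the driver's code; the sample response below is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TPM_ST_NO_SESSIONS        0x8001u
#define TPM_CC_GetCapability      0x0000017Au
#define TPM_CAP_TPM_PROPERTIES    0x00000006u
#define TPM_PT_MANUFACTURER       0x00000105u   /* four ASCII chars, e.g. "IFX " */
#define TPM_PT_FIRMWARE_VERSION_1 0x0000010Bu
#define TPM_PT_FIRMWARE_VERSION_2 0x0000010Cu
#define TPM_RC_SUCCESS            0x00000000u

/* The TPM wire format is big-endian; these replace the decompiler's ROL2 pairs. */
static void     put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void     put_be32(uint8_t *p, uint32_t v) { put_be16(p, (uint16_t)(v >> 16)); put_be16(p + 2, (uint16_t)v); }
static uint32_t get_be32(const uint8_t *p)       { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Build TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES, first_property, count).
 * Layout: tag(2) commandSize(4) commandCode(4) capability(4) property(4) propertyCount(4) = 22 bytes.
 * Returns the command length, or 0 if the caller's buffer is too small. */
size_t tpm2_build_get_capability(uint8_t *out, size_t cap, uint32_t first_property, uint32_t count)
{
    const uint32_t len = 22;
    if (cap < len) return 0;
    put_be16(out + 0,  TPM_ST_NO_SESSIONS);
    put_be32(out + 2,  len);
    put_be32(out + 6,  TPM_CC_GetCapability);
    put_be32(out + 10, TPM_CAP_TPM_PROPERTIES);
    put_be32(out + 14, first_property);
    put_be32(out + 18, count);
    return len;
}

typedef struct {
    uint32_t manufacturer;        /* raw TPM_PT_MANUFACTURER value, e.g. 0x49465820 */
    char     manufacturer_str[5]; /* the same value as ASCII, NUL-terminated */
    uint32_t fw_version_1;
    uint32_t fw_version_2;
} tpm2_props_t;

/* Parse a TPM2_GetCapability response:
 * tag(2) responseSize(4) responseCode(4) moreData(1) capability(4) propertyCount(4) {property(4) value(4)}...
 * Lengths are checked against the buffer the caller actually received, not against the values
 * inside the response, so a broken or hostile TPM cannot make the parser read past the buffer.
 * Returns 0 on success, -1 on any malformed or failing response. */
int tpm2_parse_tpm_properties(const uint8_t *rsp, size_t len, tpm2_props_t *out)
{
    const size_t hdr = 2 + 4 + 4 + 1 + 4 + 4;                  /* 19 bytes before the property list */
    if (len < hdr || get_be32(rsp + 2) != len) return -1;      /* responseSize must match */
    if (get_be32(rsp + 6) != TPM_RC_SUCCESS) return -1;        /* TPM_RC error */
    if (get_be32(rsp + 11) != TPM_CAP_TPM_PROPERTIES) return -1;
    uint32_t count = get_be32(rsp + 15);
    if (count > (len - hdr) / 8) return -1;                     /* count claims more than we hold */
    memset(out, 0, sizeof *out);
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = rsp + hdr + (size_t)i * 8;
        uint32_t prop = get_be32(e), val = get_be32(e + 4);
        switch (prop) {
        case TPM_PT_MANUFACTURER:
            out->manufacturer = val;
            memcpy(out->manufacturer_str, e + 4, 4);   /* wire order is already the ASCII order */
            out->manufacturer_str[4] = '\0';
            break;
        case TPM_PT_FIRMWARE_VERSION_1: out->fw_version_1 = val; break;
        case TPM_PT_FIRMWARE_VERSION_2: out->fw_version_2 = val; break;
        default: break;                                /* other fixed properties are ignored here */
        }
    }
    return 0;
}

/* Constructed sample response (not captured from a real TPM): success, three properties for an
 * "IFX " device with firmware version words 0x00070055 / 0x00030000. */
static const uint8_t sample_rsp[] = {
    0x80, 0x01,                         /* tag = TPM_ST_NO_SESSIONS */
    0x00, 0x00, 0x00, 0x2B,             /* responseSize = 43 */
    0x00, 0x00, 0x00, 0x00,             /* responseCode = TPM_RC_SUCCESS */
    0x00,                               /* moreData */
    0x00, 0x00, 0x00, 0x06,             /* capability = TPM_CAP_TPM_PROPERTIES */
    0x00, 0x00, 0x00, 0x03,             /* propertyCount = 3 */
    0x00, 0x00, 0x01, 0x05, 'I', 'F', 'X', ' ',          /* TPM_PT_MANUFACTURER */
    0x00, 0x00, 0x01, 0x0B, 0x00, 0x07, 0x00, 0x55,      /* TPM_PT_FIRMWARE_VERSION_1 */
    0x00, 0x00, 0x01, 0x0C, 0x00, 0x03, 0x00, 0x00,      /* TPM_PT_FIRMWARE_VERSION_2 */
};
```

The manufacturer value the parser returns (0x49465820 for "IFX ") is the same big-endian-decoded form the VendorIdMap table above keys on, which is why that table can be indexed directly from the response.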
### TCG callback processing (TpmDxeTcgCallback)

```c
// Locate the TCG protocol if not already found
if (qword_2D70 == 0) {
// Collect TPM capability info (route to TPM 1.2 or 2.0 path)
if (IsTpm20 ()) {
// Extract vendor ID and firmware version from the capability response
VendorId = *(UINT64 *)&TpmInfoBuf;
// Proceed only when the upper 16 bits of the 64-bit value are clear (the original comment read
// this as "vendor ID is nonzero", which is not what the test checks)
if (!(VendorId >> 48)) {
// Override with raw
// Determine configuration type from PCD token 215 (selects which Type 43 characteristics bit is
// set); the decompiler reuses the TcgProtocol variable to hold the PCD protocol pointer
TcgProtocol = (void *)GetPcdProtocol ();
                                                             // ConfigFirmware
} else if (((EFI_PCD_PROTOCOL *)TcgProtocol)->Get8 (215)) {  // ConfigOem
} else {                                                     // ConfigSoftware
}
// Install TCG protocol structure
n25 = 25;
```
### TrEE callback processing (TpmDxeTrEECallback)

```c
// Locate TrEE protocol
if (qword_2D68 == 0) {
// Locate another protocol (SMBIOS?); qword_2D88 holds the BootServices pointer
Status = ((EFI_BOOT_SERVICES *)qword_2D88)->LocateProtocol (
// Get TPM support HOB data
HobStatus = GetTpmSupportHobData ();
// Query TPM capability (capability size = 28 bytes at offset 0)
// Populate global TPM variables
dword_2EE2 = *(UINT32 *)(TpmInfoBuf.Tpm12Data + 22);
// Determine configuration type from PCD token 215 (same selection as in the TCG callback)
PcdProtocol = (VOID *)GetPcdProtocol ();
                                                             // ConfigFirmware
} else if (((EFI_PCD_PROTOCOL *)PcdProtocol)->Get8 (215)) {
// Set TPM 1.2/2.0 flag
// Install TrEE protocol structure
```
### TPM SMBIOS table population (TpmSmbiosPopulate)

```c
// Notify caller of progress
if (SmbiosHandle != 0) {
// Locate SMBIOS protocol
SmbiosProtocol = (EFI_SMBIOS_PROTOCOL *)qword_2D60;
// Type 43 (TPM Device) was introduced in SMBIOS 3.1.0, so the version gate has to reject anything
// older than 3.1; only the first half of the test survived here (the original comment said "3.x")
if (((EFI_SMBIOS_PROTOCOL *)SmbiosProtocol)->MajorVersion <= 3 &&
// Scan existing SMBIOS records for an existing TPM record (type 43).
// (EFI_SMBIOS_HANDLE)(-2) is SMBIOS_HANDLE_PI_RESERVED (0xFFFE), the start value for GetNext.
SmbiosHandle2 = (EFI_SMBIOS_HANDLE)(-2);
// Remove existing TPM record
Status = SmbiosProtocol->Remove (SmbiosProtocol, SmbiosHandle2);
// Read PCD settings for TPM characteristics
// Determine TPM version string
VendorIdStr = "HON HAI";
// vendor string length from capability
// Calculate string lengths
VendorStringLen = AsciiStrLen (TpmVersionStr);
// Look up vendor name from vendor ID
VendorIdStr = VendorIdStr;   // decompiler no-op
// Allocate and zero the table buffer (the +2 is presumably the two NULs that terminate the string set)
FinalTable = InternalAllocatePool (EfiBootServicesData, FinalSize + 2);
// Copy TPM device info into the buffer
InternalCopyMem (FinalTable, "TPM 2.0", byte_2C61);
// Add the SMBIOS record
// Free the allocated buffer (Add copies the record, so the local buffer is not needed afterwards)
InternalFreePool (FinalTable);
```
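As an added example (not the driver's code), a Type 43 record builder in C that does what TpmSmbiosPopulate has to do before calling Add: it lays out the 31-byte formatted area from the SMBIOS 3.1 specification, maps the ConfigFirmware / ConfigSoftware / ConfigOem choice onto the Characteristics bits, appends the string set with its double-NUL terminator (the reason for an allocation like FinalSize + 2), and includes a validator that refuses an unterminated record. The function and type names and the sample parameters are mine.

```c
/* Added example: build and validate an SMBIOS Type 43 (TPM Device) record.
 * Layout per SMBIOS 3.1.0+, section 7.44. Not the driver's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SMBIOS_TYPE_TPM_DEVICE     43
#define SMBIOS_TYPE43_LENGTH       0x1F        /* formatted area: 31 bytes */
#define SMBIOS_HANDLE_PI_RESERVED  0xFFFE      /* let EFI_SMBIOS_PROTOCOL.Add assign the handle */

/* Characteristics bits (7.44.1); bits 0, 1 and 6..63 are reserved. */
#define TPM_CHAR_NOT_SUPPORTED     (1ull << 2)
#define TPM_CHAR_FAMILY_FIRMWARE   (1ull << 3)  /* family configurable via firmware update */
#define TPM_CHAR_FAMILY_SOFTWARE   (1ull << 4)  /* family configurable via platform software */
#define TPM_CHAR_FAMILY_OEM        (1ull << 5)  /* family configurable via OEM proprietary mechanism */

typedef enum { CONFIG_NONE, CONFIG_FIRMWARE, CONFIG_SOFTWARE, CONFIG_OEM } tpm_config_t;

typedef struct {
    char     vendor_id[4];     /* TCG vendor ID as ASCII, e.g. "IFX " (not NUL-terminated) */
    uint8_t  major, minor;     /* 2.0 for TPM 2.0, 1.2 for TPM 1.2 */
    uint32_t fw_version_1, fw_version_2;
    const char *description;   /* string #1; NULL or "" means "no strings" */
    tpm_config_t config;
    uint32_t oem_defined;
} tpm_type43_params_t;

/* Map the PCD-driven ConfigFirmware / ConfigSoftware / ConfigOem choice to a Characteristics word. */
uint64_t tpm_type43_characteristics(tpm_config_t cfg)
{
    switch (cfg) {
    case CONFIG_FIRMWARE: return TPM_CHAR_FAMILY_FIRMWARE;
    case CONFIG_SOFTWARE: return TPM_CHAR_FAMILY_SOFTWARE;
    case CONFIG_OEM:      return TPM_CHAR_FAMILY_OEM;
    default:              return TPM_CHAR_NOT_SUPPORTED;
    }
}

/* SMBIOS multi-byte fields are little-endian. */
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)v); put_le16(p + 2, (uint16_t)(v >> 16)); }
static void put_le64(uint8_t *p, uint64_t v) { put_le32(p, (uint32_t)v); put_le32(p + 4, (uint32_t)(v >> 32)); }

/* Serialize the record: 31-byte formatted area + string set + terminating NUL.
 * Returns total bytes written, or 0 if the buffer is too small. */
size_t tpm_type43_build(uint8_t *out, size_t cap, const tpm_type43_params_t *p)
{
    size_t desc_len = (p->description && p->description[0]) ? strlen(p->description) : 0;
    /* strings: "desc\0" then "\0"; with no strings the structure still ends in two NULs */
    size_t total = SMBIOS_TYPE43_LENGTH + (desc_len ? desc_len + 1 : 1) + 1;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0x00] = SMBIOS_TYPE_TPM_DEVICE;
    out[0x01] = SMBIOS_TYPE43_LENGTH;
    put_le16(out + 0x02, SMBIOS_HANDLE_PI_RESERVED);
    memcpy(out + 0x04, p->vendor_id, 4);          /* stored in ASCII order, no byte swap */
    out[0x08] = p->major;
    out[0x09] = p->minor;
    put_le32(out + 0x0A, p->fw_version_1);
    put_le32(out + 0x0E, p->fw_version_2);
    out[0x12] = desc_len ? 1 : 0;                  /* Description = string #1, or 0 for none */
    put_le64(out + 0x13, tpm_type43_characteristics(p->config));
    put_le32(out + 0x1B, p->oem_defined);
    if (desc_len) memcpy(out + SMBIOS_TYPE43_LENGTH, p->description, desc_len);  /* NULs already zeroed */
    return total;
}

/* Validate a Type 43 record as a consumer would before trusting it while walking a table:
 * type, formatted length, and a double-NUL terminated string set inside `len`. Returns 1 if valid. */
int tpm_type43_validate(const uint8_t *rec, size_t len)
{
    if (len < SMBIOS_TYPE43_LENGTH + 2) return 0;
    if (rec[0] != SMBIOS_TYPE_TPM_DEVICE || rec[1] != SMBIOS_TYPE43_LENGTH) return 0;
    for (size_t i = rec[1]; i + 1 < len; i++)
        if (rec[i] == 0 && rec[i + 1] == 0) return 1;   /* found the terminator pair */
    return 0;                                           /* unterminated string set */
}
```

The handle is written as SMBIOS_HANDLE_PI_RESERVED because EFI_SMBIOS_PROTOCOL.Add assigns the real handle; the driver's `(EFI_SMBIOS_HANDLE)(-2)` above is the same constant used for the opposite purpose, as the starting value for GetNext.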
### TPM support HOB data retrieval (GetTpmSupportHobData)

```c
// Find the HOB list through the System Table configuration table and walk its GUID HOBs
HobData = (UINT8 *)GetTpmSupportHob (
```
### PCD protocol access

### Memory allocation helpers

### Debug output helpers

```c
// Read the debug level from CMOS offset 0x4B: select the index on port 0x70 while preserving the
// NMI-disable bit (bit 7) read back from the index port (the "|" was dropped in the copied line)
__outbyte (0x70, (__inbyte (0x70) & 0x80) | 0x4B);
// Map error level
if (DebugLevel == 1) {
```
### UEFI boot/runtime services initialization (InitializeTpmSmbios)

```c
// Save globals
gImageHandle = ImageHandle;
// Initialize HOB list
GetHobList ();
// Read PCI Express base address from PCD token 5
qword_2DB8 = (UINTN)((EFI_PCD_PROTOCOL *)GetPcdProtocol ())->Get32 (5);
// Read a PCIe configuration byte and test its bit 7. 1024068 = 0xFA044, which in the PciExpressLib
// address encoding (bus << 20 | device << 15 | function << 12 | register) is bus 0, device 31,
// function 2, register 0x44. The original "enable memory-mapped I/O" reading is not supported by
// the fragment: it only branches on the sign of the byte.
if ((INT8)PciExpressBaseAddress (1024068) >= 0) {
// Save interrupt state, disable interrupts, and perform a TSC delay
InterruptsWereEnabled = (ReadEflags () & 0x200) != 0;   // EFLAGS.IF
// Wait for approximately 357 TSC ticks (short delay loop); the mask looks like a decompilation artifact
TimeoutTsc = (StartTsc + 357) & 0x800000;
// Restore interrupt state
if (InterruptsWereEnabled) {
```
### Module entry point (TpmSmbiosDxeEntry)

```c
// Save ImageHandle for callback use
ImageHandle = (UINTN)ImageHandle;
// Try the TPM 2.0 (TrEE) protocol first, then the TPM 1.2 (TCG) protocol. When neither is
// installed yet, the registration keys in unk_3100 and the callbacks above indicate the driver
// registers protocol notifies and finishes the work once the protocol appears.
if (gBS->LocateProtocol (&gEfiTrEEProtocolGuid, NULL, &qword_2D68) != EFI_SUCCESS) {
if (gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, &qword_2D70) != EFI_SUCCESS) {
```

Generated by HR650X BIOS Decompilation Project