Option ROM

Last updated

An option ROM for the PC platform (i.e. the IBM PC and derived successor computer systems) is a piece of firmware that resides in ROM on an expansion card (or stored along with the main system BIOS), which gets executed to initialize the device and (optionally) add support for the device to the BIOS. In its usual use, it is essentially a driver that interfaces between the BIOS API and hardware. Technically, an option ROM is firmware that is executed by the BIOS after POST (the testing and initialization of basic system hardware) and before the BIOS boot process, gaining complete control of the system and being generally unrestricted in what it can do. The BIOS relies on each option ROM to return control to the BIOS so that it can either call the next option ROM or commence the boot process. For this reason, it is possible (but not usual) for an option ROM to keep control and preempt the BIOS boot process. The BIOS (at least as originally designed by IBM) generally scans for and initializes (by executing) option ROMs in ascending address order at 2 KB address intervals within two different address ranges above address C0000h in the conventional (20-bit) memory address space; later systems may also scan additional address ranges in the 24-bit or 32-bit extended address space.

Contents

Option ROMs are necessary to enable non-Plug and Play peripheral devices to boot and to extend the BIOS to provide support for any non-Plug and Play peripheral device in the same way that standard and motherboard-integrated peripherals are supported. Option ROMs are also used to extend the BIOS or to add other firmware services to the BIOS. In principle, an option ROM could provide any sort of firmware extension, such as a library of video graphics subroutines, or a set of PCM audio processing services, and cause it to be installed into the system RAM and optionally the CPU interrupt system before boot time.

A common option ROM is the video BIOS which gets loaded very early on in the boot process and hooks INT 10h so that output from the power-on self-test (POST) can be displayed. The video BIOS is almost always located in the memory segment beginning at C0000h, the start of the memory area reserved for option ROMs; this is because when the motherboard has a built-in VGA controller, the option ROM will reside in the BIOS – the BIOS knows where it is and shadows it into RAM at a fixed time. Other ROMs can be located from segments C8000h all the way up to F4000h in early PCs. [1] The final search address was limited to segment DFFFFh [2] or EFFFFh [3] in modern products. The BIOS Boot Specification requires that option ROMs be aligned to 2 kB boundaries (e.g. segments C8000h, C8800h, C9000h, C9800h, etc.). The first two bytes of the ROM must be 55 AA. [4] The third byte indicates the ROM size in 512-bytes blocks (e.g. 20h for 16kB ROM). And the fourth byte is where the BIOS begins execution of the option ROM to initialize it before the system boots. Often this initialization is done by a 3 byte jump instruction starting with hexadecimal value E9. [5]

Original usage of Option ROMs for booting through expansion cards

Prior to the development and ubiquitous adoption of the Plug and Play BIOS standard, an add-on device such as a hard disk controller or a network adapter card (NIC) was generally required to include an option ROM in order to be bootable, as the motherboard BIOS did not include any support for the device and so could not incorporate it into the BIOS's boot protocol. Such an option ROM would hook INT 19h, the BIOS boot interrupt, to preempt the BIOS boot loader and substitute their own boot loader. The boot loader on the option ROM would attempt to boot from a disk, network, or other boot program source attached to or installed on the adapter card; if that boot attempt failed, it would pass control to the previous boot loader (to which INT 19h pointed before the option ROM hooked it), allowing the system to boot from another device as a fallback strategy. Some adapters cards, such as certain SCSI adapters (e.g. some made by Adaptec), were available in versions that differed only in the presence or absence of the option ROM to enable booting from attached SCSI devices. As a result of the option ROM scanning protocol, the highest-addressed option ROM is the last one to be initialized and so the last one to hook any interrupts and the first one in those interrupt service routine (ISR) chains; thus the addresses of the option ROMs completely determine the boot priority between adapter cards that are enabled for booting, and the boot devices supported by the motherboard BIOS collectively have lowest priority, i.e. the system will attempt to boot from them only after attempting to boot from all boot-enabled adapter cards.

BIOS Boot Specification

The BIOS Boot Specification (BBS) was developed by a consortium comprising Compaq, Intel and Phoenix Technologies to standardize the initialization sequence of Plug and Play (PnP) BIOS and Option ROMs. [3] The standard presents the notion of a Boot Connection Vector (BCV) table and BCV priority. [3] The core principles of the standard make behaviour more defined and debuggable and gives BIOS manufacturers room to further dynamise boot device selection for the user, beyond the suggestions of the standard. The beginning of the PnP Expansion header is marked by the 4 byte ASCII signature $PnP and a pointer to this is stored at offset +1Ah as a 2 byte little endian value. [6]

After the basic POST checks are complete, the BBS specifies that the BIOS will detect and shadow all option ROMs that reside in the BIOS into the aforementioned region and it will traverse the PCI configuration space, filling in XROMBARs and copying the expansion card option ROMs from MMIO space to the region. The BIOS then scans the region, and if the option ROM has a PnP Expansion header, it does a far call to offset +03h in the option ROM header to initialize it. It then rescans the region after all the PnP option ROMs have been initialized (because, as appendix E states, the option ROM initialization routine may have chained more PnP expansion headers for individual disks the device owns). It adds the BCV pointer (if present) in the PnP Expansion headers it finds the BCV Table or the BEV pointer (if present) to the IPL priority table. The BCV entries in the BCV table are then called according to priority settable in NVRAM. The BCV table is full of BCV function pointers but has a fixed entry representing legacy option ROMs which is a pointer to a BIOS routine which calls +03h in all the remaining option ROMs that don't have a PnP Expansion header. The BCV function initializes the INT 13h and INT 19h hooks, which the BBS stipulates must not be done in the initialization routine at +03h. If a device has no PnP Expansion header, it may perform any hook in the routine at +03h, as it is a legacy card.

In the initial initialization routine, as the Option ROM points to a PCI data structure (not the same as the configuration space), the option ROM code knows the device and vendor ID is at a fixed offset from RIP. The beginning of this structure is marked by the 4 byte ASCII signature PCIR and a pointer to this is stored at offset +18h as a 2 byte little endian value. [6] This allows it to scan the PCI configuration space to find the correct device and BARs it needs to use. To prevent this scan, and in case of two identical cards in the system, the BIOS passes the PFA (bus/device/function) to the initialization routine in AX, and the card select number (CSN) for ISA option ROMs is passed in BX. It can then interact with the device using PMIO / MMIO to see how many disks it has and which ones are bootable by reading the MBR. The BIOS will have already combed the configuration space, allocated the BARs and filled in the ACPI table prior to the initialization routine call, so the option ROM would use the addresses allocated to its BARs. The BCV, however, hooks interrupt routines which interact with the device which are adjusted based on a base MMIO address location, disk information ascertained in the option ROM initialization routine and the current disk number in the BDA.

The BIOS INT 19h procedure then uses the IPL table priority in NVRAM to decide whether to call an entry containing a boot handler which will read the MBR of 00h (floppy disk BAID; the first device in the BCV table to register disk 00h), an entry containing a boot handler which will read the MBR of 80h (the hard drive BAID; the first device in the BCV Table to register disk 80h) or one of the BEV entries in the table. A device only has a BEV or a BCV if it is a bootable device.

SCSI

A SCSI controller card may hook INT 13h which is responsible for providing disk services. It will do so in its BCV if it is a PnP card. Once it has done this, any subsequent calls to INT 13h will be "caught" by the SCSI option ROM (or "SCSI BIOS"), allowing it to respond for disks that may exist on the SCSI bus. Before it had hooked the interrupt there may have been no disks on the system, but by intercepting the interrupt and altering the values returned, the SCSI BIOS can make all the disks on the SCSI bus visible to the system.

In this particular case, the BIOS itself may call INT 13h to provide a list of possible boot devices to the user, and because the SCSI BIOS has hooked the interrupt the user will be able to choose not only which standard system devices to boot from, but also which SCSI disks as well. This is because, as suggested in Appendix D of the Boot BIOS Specification, the BIOS could populate the IPL table with device and vendor information from INT 13h calls to the different disks, paired with the Hard Disk Number (80h, 81h ...), to allow any hard disk device to be booted from, rather than just the first disk of the first controller to hook INT 13h (the highest priority item in the BCV table), referred to as a BIOS Aware IPL Device (BAID) in the specification.

Multiple controllers can hook INT 13h at once. For instance, after the SCSI controller, an AHCI controller can also hook INT 13h by putting a call to the previous handler, which was stored in the IDT at entry 13h by the SCSI controller, at the end of its own handler, before it puts the address of its own handler into the IDT at entry 13h. The first controller to hook INT 13h will see that 0 disks have been installed by checking the byte at 0040:0075, which resides in the BIOS Data Area (BDA), and if it has 4 disks to enumerate, it will assign the range of disk numbers 80h–83h and store '4' in the BDA. If the second controller to hook INT 13h has 2 disks, it will read '4' from the BDA, assign the disk numbers 84h and 85h, and store '6' in place of the '4'. Now if INT 13h is called with DL = 83h, then the handler of the second controller, which did not assign disk number 83h, will relay the call to the previous handler; that handler, which did assign disk number 83h, will handle the call itself. With any number of controllers' ISRs hooked into INT 13h, the ISRs will each pass control to the next one until the one that assigned the specified drive number recognizes the number, handles the call, and returns from the interrupt.

Network boot ROM

Another common option ROM is a network boot ROM. The option ROM contains the program required to download the boot code. The original IBM Personal Computer ROMs hooked INT 18H (originally to invoke Cassette BASIC) and INT 19H, as these two interrupts were used for the boot process. INT 19h is called to initiate the boot process, and INT 18h was called to start Cassette BASIC from ROM when the boot process found that none of the possible boot devices was bootable. Originally, by hooking INT 18h, the network adapter ROM would try to boot from the network when all other boot devices (floppy drives, hard drives, etc.) had failed. By hooking INT 19H, the network adapter ROM would attempt to boot from the network before any other devices. The BBS specifies that the NIC option ROM does not hook INT 19h, but instead the BIOS 19h handler should call the BEV, which will then download the boot code.

Video

The Video BIOS provides some basic display services for BIOS and operating systems, for example INT 10H (Legacy BIOS), VBE (Legacy BIOS) and UEFI GOP. The original IBM PC BIOS included integrated support for the IBM CGA and MDA video adapters (and did not support option ROMs at all), so those video cards had no option ROMs. The CGA and MDA support in the BIOS proper was maintained through the IBM PC XT and PC AT product lines (which did support option ROMs), so that those cards worked (with full BIOS support) in those machines. The first PC video adapter card that had an option ROM was the IBM EGA, introduced in 1984 with the IBM PC AT. (The Hercules Graphics Card had no option ROM and no BIOS support except for its MDA-compatible features, for which it relied in the IBM-supplied MDA support in the main BIOS.) Most subsequent PC video adapters were supported by option ROMs, although VGA and MCGA integrated onto PS/2 motherboards may have used integrated BIOS support. Once integrated Super VGAs (SVGAs), integrated on clone PC motherboards, were being provided by separate companies than the systems themselves, it became common for the SVGA vendor-provided video BIOS to be included as a separate option ROM module on the same BIOS chip as the main system BIOS (provided by a third separate company).

UEFI Option ROMs

UEFI Option ROMs utilize the Unified Extensible Firmware Interface (UEFI). Multiple Option ROM images on a single device can include both Legacy x86 and UEFI Option ROMs. This dual compatibility in devices can function in both legacy BIOS and modern UEFI environments. When the Option ROM format is set to “UEFI Compatible” in the UEFI Setup, the Driver Execution Environment (DXE) stage will prioritize loading the UEFI Option ROM if it is present. If a UEFI Option ROM is not available, the system will revert to the legacy Option ROM. UEFI systems can utilize legacy Option ROMs through the Compatibility Support Module (CSM). When Secure Boot is enabled, the execution of CSM and legacy Option ROMs is prohibited as legacy firmware drivers do not support authentication, which creates a potential security vulnerability. [7] [8]

See also

Related Research Articles

<span class="mw-page-title-main">Parallel ATA</span> Computer storage interface standard

Parallel ATA (PATA), originally AT Attachment, also known as Integrated Drive Electronics (IDE), is a standard interface designed for IBM PC-compatible computers. It was first developed by Western Digital and Compaq in 1986 for compatible hard drives and CD or DVD drives. The connection is used for storage devices such as hard disk drives, floppy disk drives, optical disc drives, and tape drives in computers.

<span class="mw-page-title-main">BIOS</span> Firmware for hardware initialization and OS runtime services

In computing, BIOS is firmware used to provide runtime services for operating systems and programs and to perform hardware initialization during the booting process. The firmware comes pre-installed on the computer's motherboard.

<span class="mw-page-title-main">Industry Standard Architecture</span> Internal expansion bus in early PC compatibles

Industry Standard Architecture (ISA) is the 16-bit internal bus of IBM PC/AT and similar computers based on the Intel 80286 and its immediate successors during the 1980s. The bus was (largely) backward compatible with the 8-bit bus of the 8088-based IBM PC, including the IBM PC/XT as well as IBM PC compatibles.

<span class="mw-page-title-main">Motherboard</span> Main printed circuit board used for a computing device

A motherboard is the main printed circuit board (PCB) in general-purpose computers and other expandable systems. It holds and allows communication between many of the crucial electronic components of a system, such as the central processing unit (CPU) and memory, and provides connectors for other peripherals. Unlike a backplane, a motherboard usually contains significant sub-systems, such as the central processor, the chipset's input/output and memory controllers, interface connectors, and other components integrated for general use.

<span class="mw-page-title-main">SCSI</span> Set of computer and peripheral connection standards

Small Computer System Interface is a set of standards for physically connecting and transferring data between computers and peripheral devices, best known for its use with storage devices such as hard disk drives. SCSI was introduced in the 1980s and has seen widespread use on servers and high-end workstations, with new SCSI standards being published as recently as SAS-4 in 2017.

<span class="mw-page-title-main">Booting</span> Process of starting a computer

In computing, booting is the process of starting a computer as initiated via hardware such as a button on the computer or by a software command. After it is switched on, a computer's central processing unit (CPU) has no software in its main memory, so some process must load software into memory before it can be executed. This may be done by hardware or firmware in the CPU, or by a separate processor in the computer system.

In computing, a plug and play (PnP) device or computer bus is one with a specification that facilitates the recognition of a hardware component in a system without the need for physical device configuration or user intervention in resolving resource conflicts. The term "plug and play" has since been expanded to a wide variety of applications to which the same lack of user setup applies.

<span class="mw-page-title-main">Boot sector</span> Sector of a persistent data storage device

A boot sector is the sector of a persistent data storage device which contains machine code to be loaded into random-access memory (RAM) and then executed by a computer system's built-in firmware.

Logical block addressing (LBA) is a common scheme used for specifying the location of blocks of data stored on computer storage devices, generally secondary storage systems such as hard disk drives. LBA is a particularly simple linear addressing scheme; blocks are located by an integer index, with the first block being LBA 0, the second LBA 1, and so on.

<span class="mw-page-title-main">UEFI</span> Operating system and firmware specification

Unified Extensible Firmware Interface is a specification that defines an architecture for the platform firmware used for booting a computer's hardware and its interface for interaction with the operating system. Examples of firmware that implement the specification are AMI Aptio, Phoenix SecureCore, TianoCore EDK II, InsydeH2O.

BIOS implementations provide interrupts that can be invoked by operating systems and application programs to use the facilities of the firmware on IBM PC compatible computers. Traditionally, BIOS calls are mainly used by DOS programs and some other software such as boot loaders. BIOS runs in the real address mode of the x86 CPU, so programs that call BIOS either must also run in real mode or must switch from protected mode to real mode before calling BIOS and then switching back again. For this reason, modern operating systems that use the CPU in Protected mode or Long mode generally do not use the BIOS interrupt calls to support system functions, although they use the BIOS interrupt calls to probe and initialize hardware during booting. Real mode has the 1MB memory limitation, modern boot loaders use the unreal mode or protected mode to access up to 4GB memory.

<span class="mw-page-title-main">Cylinder-head-sector</span> Historical method for giving addresses to physical data blocks on hard disk drives

Cylinder-head-sector (CHS) is an early method for giving addresses to each physical block of data on a hard disk drive.

<span class="mw-page-title-main">Power-on self-test</span> Process performed by firmware or software routines

A power-on self-test (POST) is a process performed by firmware or software routines immediately after a computer or other digital electronic device is powered on.

<span class="mw-page-title-main">Rainbow 100</span> DEC microcomputer

The Rainbow 100 is a microcomputer introduced by Digital Equipment Corporation (DEC) in 1982. This desktop unit had a monitor similar to the VT220 and a dual-CPU box with both 4 MHz Zilog Z80 and 4.81 MHz Intel 8088 CPUs. The Rainbow 100 was a triple-use machine: VT100 mode, 8-bit CP/M mode, and CP/M-86 or MS-DOS mode using the 8088. It ultimately failed to succeed in the marketplace which became dominated by the simpler IBM PC and its clones which established the industry standard as compatibility with CP/M became less important than IBM PC compatibility. Writer David Ahl called it a disastrous foray into the personal computer market. The Rainbow was launched along with the similarly packaged DEC Professional and DECmate II which were also not successful. The failure of DEC to gain a significant foothold in the high-volume PC market would be the beginning of the end of the computer hardware industry in New England, as nearly all computer companies located there were focused on minicomputers for large organizations, from DEC to Data General, Wang, Prime, Computervision, Honeywell, and Symbolics Inc.

INT 13h is shorthand for BIOS interrupt call 13hex, the 20th interrupt vector in an x86-based computer system. The BIOS typically sets up a real mode interrupt handler at this vector that provides sector-based hard disk and floppy disk read and write services using cylinder-head-sector (CHS) addressing. Modern PC BIOSes also include INT 13h extension functions, originated by IBM and Microsoft in 1992, that provide those same disk access services using 64-bit LBA addressing; with minor additions, these were quasi-standardized by Phoenix Technologies and others as the EDD BIOS extensions.

The interrupt descriptor table (IDT) is a data structure used by the x86 architecture to implement an interrupt vector table. The IDT is used by the processor to determine the memory addresses of the handlers to be executed on interrupts and exceptions.

A volume boot record (VBR) is a type of boot sector introduced by the IBM Personal Computer. It may be found on a partitioned data storage device, such as a hard disk, or an unpartitioned device, such as a floppy disk, and contains machine code for bootstrapping programs stored in other parts of the device. On non-partitioned storage devices, it is the first sector of the device. On partitioned devices, it is the first sector of an individual partition on the device, with the first sector of the entire device being a Master Boot Record (MBR) containing the partition table.

The Linux booting process involves multiple stages and is in many ways similar to the BSD and other Unix-style boot processes, from which it derives. Although the Linux booting process depends very much on the computer architecture, those architectures share similar stages and software components, including system startup, bootloader execution, loading and startup of a Linux kernel image, and execution of various startup scripts and daemons. Those are grouped into 4 steps: system startup, bootloader stage, kernel stage, and init process. When a Linux system is powered up or reset, its processor will execute a specific firmware/program for system initialization, such as the power-on self-test, invoking the reset vector to start a program at a known address in flash/ROM, then load the bootloader into RAM for later execution. In IBM PC–compatible personal computers (PCs), this firmware/program is either a BIOS or a UEFI monitor, and is stored in the mainboard. In embedded Linux systems, this firmware/program is called boot ROM. After being loaded into RAM, the bootloader will execute to load the second-stage bootloader. The second-stage bootloader will load the kernel image into memory, decompress and initialize it, and then pass control to this kernel image. The second-stage bootloader also performs several operation on the system such as system hardware check, mounting the root device, loading the necessary kernel modules, etc. Finally, the first user-space process starts, and other high-level system initializations are performed.

INT 10h, INT 10H or INT 16 is shorthand for BIOS interrupt call 10hex, the 17th interrupt vector in an x86-based computer system. The BIOS typically sets up a real mode interrupt handler at this vector that provides video services. Such services include setting the video mode, character and string output, and graphics primitives.

A master boot record (MBR) is a type of boot sector in the first block of partitioned computer mass storage devices like fixed disks or removable drives intended for use with IBM PC-compatible systems and beyond. The concept of MBRs was publicly introduced in 1983 with PC DOS 2.0.

References

  1. IBM PC XT Technical Reference, pg. 2-10
  2. Personal System/2 and Personal Computer BIOS Interface Technical Reference, pg. 4-12
  3. 1 2 3 BIOS Boot Specification (PDF) (Version 1.01 ed.). Compaq, Phoenix, & Intel. January 11, 1996.
  4. The execution environment of Etherboot
  5. Salihun, Darmawan (January 9, 2007). BIOS Disassembly Ninjutsu Uncovered (PDF).
  6. 1 2 "BIOS". 2022-04-06. Retrieved 2022-04-08.
  7. "UEFI Validation Option ROM Guidance". 14 September 2022.
  8. "Microsoft docs". 14 September 2022.