Create OEM Default Map (AN08)

From conga-wiki
Revision as of 13:06, 12 September 2024

Affected Products: All congatec x86 products with BIOS

Preface

This application note describes, with examples, how to create an OEM Default Settings Map module using the congatec System Utility.

The names “CMOS Default Map” and “CMOS Backup Map” refer to the old legacy BIOS. With the new UEFI firmware, these names are not used anymore because UEFI does not use the CMOS RAM in the RTC to store the system configuration. Therefore, congatec System Utility revision 1.5.7 and later refer to “Current Settings Map” instead of “CMOS Backup Map” and “Default Settings Map” instead of “CMOS Default Map”.

Terminology

Term: Description
BIOS: Basic Input Output System. BIOS is actually firmware, the software that is programmed into a ROM (Read-Only Memory) chip built onto the motherboard of a computer.
UEFI: Unified Extensible Firmware Interface is a specification that defines a software interface between an operating system and platform firmware. UEFI is meant as a replacement for the Basic Input/Output System (BIOS) firmware interface.
Flash: A special type of EEPROM (Electrically Erasable Read Only Memory) that can be erased and reprogrammed in blocks instead of one byte at a time. Many modern PCs have their BIOS stored on a flash memory chip so that it can easily be updated if necessary.
POST: Power-on Self Test, a diagnostic testing sequence run by a computer’s BIOS as the computer’s power is initially turned on. The POST will determine if the computer’s RAM, disk drives, peripheral devices and other hardware components are working properly.
CGUTIL: congatec System Utility, the universal tool for BIOS updates and BIOS modifications.
CGOS: congatec Operating System API, the software driver for the congatec Embedded Features.
ME: Management Engine (Intel specific controller and firmware offering additional features).
COM: Computer-on-Module.
dTPM: Discrete TPM chip.
fTPM: Firmware TPM.
PTT: Platform Trust Technology (Intel firmware TPM solution in the Intel ME).

Introduction

The following sections describe how to create an OEM Default Settings Map module within the BIOS module using the congatec System Utility. It is compatible with all congatec x86 products and is available as a Windows (CGUTIL GUI) application and as a command line (CGUTLCMD) application.

The second chapter is based on the Windows GUI version. The third chapter is based on the command line version. The fourth chapter explains the most commonly used procedure to create a new OEM BIOS file. Chapter 5 explains some limitations and exceptions of the OEM Default Settings Map.

The target system consists of a conga-TS170 COM and the BIOS ROM file “BHSLR123.BIN”. The initial production BIOS is identified as BHSLR1xx:

  • BHSL is the congatec internal project name.
  • R is the identifier for a BIOS ROM file.
  • 1 is the type descriptor for a production BIOS.
  • xx is the revision number.

The congatec Embedded BIOS employs a security feature that prevents a password protected BIOS from being overwritten.

To understand which settings are required in the congatec Embedded BIOS to enable the security feature and how the congatec System Utility (CGUTIL) can be used with a protected BIOS, see application note AN5_BIOS_Update_And_Write_Protection.pdf. It can be downloaded from the congatec website at www.congatec.com. For detailed information about the congatec System Utility, refer to the user's guide. It can be downloaded from the congatec website as well.

Note:

Generate the “Current Settings Map” via the BIOS setup menu before starting an external boot loader or the UEFI shell. Press the DEL key during the power-on self-test to enter the BIOS setup menu. If the BIOS setup menu is entered after an external boot loader or the UEFI shell has been started, it is not possible to generate the “Current Settings Map”.

Creating and adding an OEM Default Settings Map using CGUTIL GUI (Windows version)

The method described below is useful for evaluating and testing the OEM customization feature offered by the congatec System Utility. On the target system, you can immediately check the BIOS setup changes.

  1. Enter the BIOS Setup Program of your congatec CPU board.
  2. Select the settings required for your OEM specific Default Settings Map. A Current Settings Map will be generated automatically and written to the BIOS flash chip when you save the BIOS setup configuration before exiting setup.

Note:

The OEM maps are specific to BIOS revisions. A created OEM map can only be used on the BIOS revision it is derived from. It cannot be integrated into another BIOS revision.

  3. Boot Microsoft Windows.
  4. To install the congatec System Utility, refer to the congatec System Utility user's guide.
  5. Start the congatec System Utility.
  6. Select "Board (CGOS)" to modify the onboard BIOS of your running system.
  7. Click "BIOS Module Modification".
     [Figure: Create OEM Default Map (Ergänzung).png]
  8. Click "Current Setup Settings" in the "Current BIOS Modules" section.
  9. Click the "Save Module To File" button.
     [Figure: Create OEM Default Map (Ergänzung1).png]
  10. Enter a name for the Current Setup Settings Map (in this example "BHSLR123_CurrentSettings.mod") and click "Save". Later on, this map will also be implemented into your OEM BIOS binary file.
     [Figure: Create OEM Default Map (Ergänzung2).png]
  11. Click the "Create Module" button to create an OEM Default Settings Map from your Current Settings Map.
     [Figure: Create OEM Default Map (Ergänzung3).png]
  12. The "Select Input Data File" window appears. Click the previously saved backup file (in this example “BHSLR123_CurrentSettings.mod”) and then click “Open”.
     [Figure: Create OEM Default Map (Ergänzung4).png]
  13. Make sure to change the “Module Type” to “Default Setup Settings” and keep the “Module ID” set at 0000h (default) before clicking the “Create Module” button again to generate the new module.
     [Figure: Create OEM Default Map (Ergänzung5).png]
  14. Save the created Default Settings Map (in this example “BHSLR123_DefaultSettings.mod”). Later on, this map will be implemented into your OEM BIOS binary file.
     [Figure: Create OEM Default Map (Ergänzung6).png]
  15. Click "Add Module" in the "BIOS Module Modification" window to add the Default Settings Map module (in this example “BHSLR123_DefaultSettings.mod”).
     [Figure: Create OEM Default Map (Ergänzung7).png]
  16. Click the Default Settings Map saved in step 14 (in this example “BHSLR123_DefaultSettings.mod”) and then click “Open”.
     [Figure: Create OEM Default Map (Ergänzung8).png]
  17. The Default Settings Map appears in the “Current BIOS Modules” module window. Name your OEM BIOS version (in this example “BHSLOEM1”). This name is shown in the BIOS Setup Program below the congatec BIOS version.
  18. Click "Apply" to confirm your changes.
     [Figure: Create OEM Default Map (Ergänzung9).png]

Caution:

An incorrect setting may damage the onboard BIOS, which can lead to problems; in the worst case, the board may no longer be bootable. A safer alternative is to switch to a host PC system and make the necessary changes in a BIOS binary file separately.


  19. If the “Current Setup Settings” module is not visible in the “Current BIOS Modules” window (as in the picture above), add the module created in step 10 with your desired default settings. If a “Current Setup Settings” module is displayed with the wrong default settings, overwrite it with the correct module.
     [Figure: Create OEM Default Map (Ergänzung15).png]
  20. Assign your OEM name to the BIOS.
  21. Save the new BIOS file by clicking the "Apply" button.
  22. Click "Close" to close CGUTIL.
     [Figure: Create OEM Default Map (Ergänzung16).png]
  23. The new "BHSLOEM1.BIN" BIOS binary file can now be flashed on additional congatec products.

Note:

It is assumed that a new OEM BIOS should not only load the OEM default settings when the Load Default command is executed in BIOS Setup (F9), it should also start with these settings on the first boot after the OEM BIOS has been flashed. That is why the same settings are also added as Current Settings Map.

Limitations / Exceptions

The setup settings described in this section cannot be modified with an OEM default map. These settings are handled differently by the UEFI firmware for security reasons.

BIOS Password

It is not possible to assign a default password in an OEM default map. To assign a default password, use the OEM backup map or set the password manually in the BIOS setup menu. After a password is assigned, you cannot revert it or set it back to default by pressing the F9 key to load default settings. The password can only be changed manually in the BIOS setup menu.

Note:

Only a customized source code BIOS with a defined default password can restore the password when loading defaults (F9) in BIOS setup.

Secure Boot

The most important variables for Secure Boot are the Platform Key (PK), the Key Exchange Key (KEK) and the database of authorized boot loaders (DB). For security reasons, these variables cannot be handled by CGUTIL OEM default and backup maps. That is why Secure Boot always requires source code OEM BIOS development.


Note:

Refer to the application note “AN39_Secure_Boot_BIOS_Customizations.pdf” on the congatec website or contact your local congatec FAE.

Trusted Computing (TPM Support)

The setup option to enable TPM support also cannot be assigned a default with an OEM default map. Like the BIOS password, it can be customized using an OEM backup map. All other TPM settings in the Trusted Computing submenu are fully supported by OEM default and backup maps.

On Intel platforms that support PTT (fTPM), the initial power-on setting for the TPM Device Selection (PTT vs. dTPM) is hard coded in the Intel ME firmware. An OEM backup map cannot change this setting. However, it is possible to customize the default setting for TPM Device Selection in an OEM default map.


Note:

For PTT support, an Intel ME enabled BIOS (R7xy) is required.