Fact-checked by Grok 2 weeks ago

Option ROM

An Option ROM, also known as an OpROM, is firmware code stored in the (ROM) of a , add-in device, or integrated component, which is executed by the system or firmware during the platform initialization phase to perform device-specific setup, configuration, and boot services such as hardware initialization or loading bootable images. This code typically runs after the (POST) but before the operating system boot process, enabling peripherals like network adapters for PXE booting or storage controllers for volume support without relying on the host OS drivers. In the context of the architecture, Option ROMs are accessed via the Expansion ROM Base Address Register in the device's configuration space, allowing the to map and load the ROM contents—often shadowing them into system RAM for faster execution and dynamic sizing. The structure begins with a Expansion ROM Header featuring a of 55h followed by AAh, which identifies valid images and points to a PCI Data Structure containing details on the code type, such as x86 PC-AT compatible initialization routines or services. During , the scans for these headers on enabled devices, executes the initialization function (often an or similar entry point for legacy compatibility), and may invoke code for ongoing device management until the OS takes over. This mechanism ensures for legacy expansion buses like or EISA while supporting auto-configuration through subtractive decoding on PCI bridges. With the transition to the Unified Extensible Firmware Interface (), Option ROMs have evolved to support both legacy modes and native drivers, abstracting device initialization from the core to reduce complexity and improve modularity. -compliant Option ROMs can be packaged as drivers or applications, stored in the while maintaining compatibility with traditional x86 code, and are loaded via platform interfaces that handle enumeration. This dual-mode support addresses limitations of legacy , such as restricted size and execution space, enabling more robust options for modern servers and clients with diverse peripherals. Notable applications include host adapters for bootable disk arrays, graphics cards for early video output, and modules that provide a for setup during .

Fundamentals

Definition and Purpose

An Option ROM is firmware stored in read-only memory (ROM) on expansion cards or the motherboard, executed by the BIOS or UEFI firmware immediately after the Power-On Self-Test (POST) to initialize hardware components not natively supported by the base system BIOS and to extend available BIOS services. This code typically resides in the upper memory area of the system's address space, providing low-level drivers for peripherals such as storage controllers or network adapters during the pre-operating system phase. The primary purpose of an Option ROM is to bridge the gap between the application programming interface—often accessed via calls, such as for disk input/output—and the specific requirements of attached hardware, enabling device detection, configuration, and integration into the boot process without operating system intervention. By handling hardware-specific initialization, including vector setup and I/O operations, Option ROMs ensure that peripherals can participate in system startup, such as loading bootloaders from non-standard devices. Option ROMs originated in the early 1980s during the PC era, specifically with the release of the in 1981, to accommodate add-in cards like those using the (ISA) bus that extended beyond the capabilities of the core motherboard . This design addressed the limitations of fixed implementations by allowing modular support for emerging hardware, such as video adapters and disk controllers, without necessitating revisions to the primary system . Key benefits include facilitating hardware modularity, where vendors can add functionality via self-contained ROMs, and enabling boot options from peripherals, thereby supporting diverse configurations in the absence of a full operating system.

Memory Layout and Execution

During the (POST) phase of the legacy boot process, the firmware systematically scans the upper memory area for Option ROMs, typically from address C0000h to EFFFFh, though some implementations extend this up to F4000h to accommodate additional space. This range corresponds to the conventional memory block reserved for expansion ROMs on , , and compatible buses. The examines memory in fixed increments of 2 KB (2048-byte) boundaries to ensure alignment for both traditional legacy ROMs and () compliant ROMs. To qualify as a valid Option ROM, the code must begin with a specific header starting at offset 00h. The first two bytes form the : 55h followed by AAh, serving as a that the checks to distinguish ROM images from other data. At offset 02h, a single-byte field specifies the ROM's initialization size in units of 512 bytes (e.g., a value of 20h indicates ), determining how much the copies to for execution. The following two or three bytes at offsets 03h–05h contain the , typically a far (such as EAxxxx for a 16:16 segment: ) pointing to the ROM's initialization routine. Beyond the header, the ROM includes 16-bit real-mode x86 executable for device initialization, along with optional data tables for configuration, such as interrupt vectors or device parameters; PnP ROMs append an expansion header at offset 1Ah for details. If the is invalid or absent, the skips the block and continues scanning without error reporting to the user, preventing execution of malformed . Upon detecting a valid , the shadows (copies) the specified initialization portion of the ROM from to writable in the same address range, enabling modifications if needed during runtime. It then performs a far call to the , passing control to the ROM's initialization code in . The ROM routine configures the associated hardware—such as installing device drivers or hooking interrupts (e.g., for disk services by chaining to existing handlers)—and returns control to the via a far return, often setting the AX register to indicate success (e.g., 0000h) or failure for ROMs. After execution, the shadowed may be deallocated or marked read-only to free space for subsequent ROMs or the boot process, ensuring the system proceeds to interrupt 19h for booting. Option ROMs adhere to legacy 16-bit x86 real-mode format, limiting them to segmented addressing and pre-emptive multitasking avoidance. The total combined size for all Option ROMs is constrained to approximately 128 within the upper area, a hardware-imposed limit from early PC that can lead to conflicts if exceeded, prompting vendors to implement prioritization or disabling mechanisms.

Legacy BIOS Implementation

Early Usage for Expansion Cards

Option ROMs emerged in the early 1980s as firmware components embedded on (ISA) expansion cards for the PC/AT and compatible systems, enabling support for non-integrated peripherals such as controllers and early hard disk drives that extended beyond the motherboard's basic capabilities. These ROMs provided device-specific initialization routines and extensions, allowing the system to recognize and utilize add-on during the process without requiring modifications to the core system . For instance, the Fixed Disk Drive Adapter included an Option ROM to handle bootable fixed disks with capacities up to 10 MB or 20 MB, using (MFM) encoding for data storage. During the Power-On Self-Test (POST), the BIOS scanned upper memory areas from C0000h to FFFFFh in 2 KB increments for valid Option ROMs, identified by a 55h AA signature at the start, followed by a length byte in 512-byte blocks and an entry point. Upon detection, the ROM code executed to hook into the boot process via Interrupt 19h (INT 19h), the bootstrap loader routine vectored at F000:FE6Fh, which allowed the expansion device to insert itself into the boot sequence by attempting to load a boot sector. Boot priority was determined by memory address, with lower addresses (e.g., C8000h range) gaining precedence during the descending scan order, ensuring that earlier-loaded ROMs could override or chain to subsequent ones in the sequence. This mechanism supported booting from devices like 5¼-inch floppy drives on the Diskette Drive Adapter, which stored 320 KB or 360 KB and integrated via INT 13h for disk services. Configuration of these early Option ROMs required manual intervention through jumpers or switches on the cards to set selects, addresses, or wait states, as there was no automated detection of resources. For example, cards used eight-position modules to define starting addresses by toggling bits like LA23 for 128 to 640 blocks. Limitations included fixed sizes (minimum 2 , maximum 64 per segment), absence of dynamic leading to address overlaps and conflicts among multiple cards, and strict validation (sum modulo 100h equaling zero) to prevent execution of invalid code. These constraints, combined with the growing variety of peripherals by the late , highlighted the need for standardized frameworks to manage increasing complexity in the mid-1990s.

BIOS Boot Specification

The BIOS Boot Specification (BBS), version 1.01, was jointly developed in 1996 by Computer Corporation, Phoenix Technologies Ltd., and Intel Corporation to establish a standardized methodology for firmware to identify, prioritize, and initiate from Initial Program Load (IPL) devices in () environments. This specification integrates seamlessly with the PCI framework, enabling the to adapt to emerging bootable hardware such as drives and network interfaces while maintaining compatibility with traditional systems. Released on January 11, 1996, it addressed the growing complexity of expansion cards equipped with Option ROMs by formalizing their enumeration and boot handling processes. Central to BBS are key structural components that facilitate device management during the boot sequence. The Boot Connection Vector (BCV) table serves as a core element, listing INT 13h-compatible device controllers—including interfaces, BCVs, and legacy expansion cards—to support systematic enumeration and prioritization for booting. Complementing this, Boot Entry Vectors (BEVs) are defined within Option ROMs as pointers that allow direct execution of boot code, such as on network cards, bypassing traditional interrupt-based loading. The specification explicitly supports both legacy ROMs, which rely on conventional memory scanning, and ROMs, ensuring a unified approach to handling diverse hardware without requiring modifications to existing BIOS implementations. In terms of functionality, empowers users to configure order through setup utilities, with priorities for IPL and BCV devices stored in for persistence across reboots. It resolves potential conflicts among multiple bootable devices by sequentially attempting loads based on established priorities, while providing a runtime —accessed via functions 60h through 6Fh—for Option ROMs to self-identify, query device information, and adjust selections dynamically. This includes mechanisms for reporting device capabilities and integrating with the 's , enhancing flexibility in multi-device configurations. BBS saw widespread adoption in personal computers from the late through the , becoming a for PnP-compatible systems and enabling reliable booting from expansion cards in enterprise and consumer hardware. Its design ensured with non-PnP setups, allowing seamless integration into legacy environments while supporting the transition to more modular PC architectures. BBS builds upon earlier standards such as the Specification 1.0A (1994).

Applications in BIOS Era

Storage and SCSI ROMs

Option ROMs for storage devices, particularly SCSI controllers, play a crucial role in enabling -based systems to access and boot from SCSI-attached drives by emulating standard disk services. These ROMs hook into the interrupt, which handles low-level disk operations such as reading and writing sectors, to translate commands into compatible calls. This emulation allows the system to treat drives as native hard disks, supporting essential functions like drive initialization and sector access during the boot process. In implementation, SCSI Option ROMs perform device detection by scanning the SCSI bus for attached peripherals, such as hard drives and optical devices, and map Logical Unit Numbers (LUNs) to BIOS drive numbers (e.g., assigning 80h for the first bootable hard drive). Geometry translation is a key component, converting the physical SCSI drive parameters (often using or LBA) into the (CHS) format required by legacy , which is limited to 1024 cylinders, 256 heads, and 63 sectors per track. This translation enables compatibility with boot routines and operating systems like . Integration with the Boot Specification (BBS) occurs through Boot Extension Vectors (BEVs), which allow these ROMs to register in the BBS boot priority list, enabling user-configurable boot order for SCSI drives alongside other devices. Historically, these Option ROMs were prevalent in 1990s servers and workstations, where interfaces offered superior performance over for multi-drive setups. A representative example is the AHA-154x series of host adapters, which included onboard BIOS ROMs supporting booting from up to seven drives per controller (with earlier versions limited to two). The AHA-154x ROM enabled dynamic bus scanning for devices and extended translation for drives exceeding 1 GB, making viable as a device before native OS drivers were loaded. Challenges in these implementations included partition table compatibility, as mismatched CHS geometry translations could lead to misaligned partitions and boot failures, particularly for drives larger than 8.4 under the original constraints. Additionally, support was generally limited to eight drives per controller due to BIOS drive numbering (80h–87h for hard disks), restricting scalability in multi-controller environments without additional software overlays.

Network Boot ROMs

Network Boot ROMs are Option ROMs embedded in network interface cards (NICs) designed to facilitate remote over local area s (LANs) in legacy systems, allowing diskless workstations to load operating system images from a remote . These ROMs extend the boot process by intercepting boot interrupts and implementing network protocols for discovery and , primarily used in environments like thin clients or early server farms where local storage was minimal. In terms of functionality, Network Boot ROMs typically hook into interrupt 18h for alternative boot sequences or interrupt 19h for the primary routine, enabling the system to attempt when local devices fail. They implement early boot protocols, such as precursors to the (PXE), using BOOTP for assignment and TFTP for transferring boot images from a remote . This begins with the ROM broadcasting a request for boot services, followed by receiving configuration data and downloading the necessary files to for execution. Within the BIOS Boot Specification (BBS), these ROMs utilize the Boot Entry Vector (BEV) to register the network device for during the boot device prioritization phase, allowing the BIOS to include it in the boot order alongside local drives. BBS-compliant Network Boot ROMs support configurable boot delays—often 3-5 seconds—to allow manual intervention—and retry logic for handling network timeouts or failed connections, ensuring reliable operation in multi-device setups. This integration standardized serverless booting for diskless systems, as defined in the BBS framework. Historically, Network Boot ROMs gained prominence in the with NICs like the 3C509 EtherLink III, which included a socket supporting remote via packet drivers and early RPL (Remote Program Load) protocols for environments. Standardization under BBS in the mid- further enabled widespread adoption for diskless workstations in corporate networks, reducing hardware costs by eliminating local drives. Despite their utility, Network Boot ROMs have limitations, including heavy dependence on stable network infrastructure for broadcasts and responses, which can fail in segmented or congested LANs. via network is inherently slower than local media due to the overhead of protocol handshakes and file transfers, often taking 30-60 seconds compared to under 10 for HDDs. Additionally, they pose risks from open broadcast requests, potentially exposing systems to unauthorized boot servers or man-in-the-middle attacks in untrusted networks.

Video and Display ROMs

Video and display Option ROMs are modules embedded on graphics adapter cards, designed to deliver early-stage video services within the legacy boot environment. These ROMs occupy the dedicated segment from C0000h to C7FFFh, a 32KB range reserved specifically for video expansion and scanned by the system in 2KB increments during initialization. Upon detection via the standard 55 AA hex signature followed by a valid length and zero , the ROM executes its initialization code to configure the adapter hardware. The core functionality revolves around intercepting the INT 10h BIOS interrupt vector, originally pointing to F000:F065h in system ROM, to provide comprehensive video I/O services. This hooking enables operations such as setting text or graphics modes (e.g., via AH=00h for 80x25 color or 640x200 monochrome), loading character fonts (e.g., 8x8 or 8x14 patterns stored in ROM at FFA6Eh using AH=11h), controlling cursor position and size (e.g., AH=02h for positioning or AH=01h for sizing via CRTC registers at 03D4h), and writing pixels or characters to the display buffer (e.g., AH=0Eh for teletype output or AH=0Ch for graphics). Hardware initialization occurs through I/O port accesses in the 03C0h–03DFh range, programming controllers like the Motorola 6845 CRT for modes on VGA, EGA, or CGA adapters, including clearing the regen buffer at B8000h and testing video RAM with patterns such as FFh, 55h, AAh, and 00h. Some adapters extend these services with an optional INT C0h interface for OEM-specific features, though INT 10h remains the standardized entry point. Execution of video ROMs occurs early in the boot sequence, as their low address placement prioritizes them during the () scan starting at C0000h, immediately after basic system checks like refresh and NMI masking. This timing ensures video output is available for displaying progress, diagnostic messages, and setup interfaces, with default modes like 80x25 color established via (AH=00h, AL=03h). Without this early initialization, the system would lack visual feedback until the operating system loads its drivers. Historically, video Option ROMs became standard with the introduction of the (CGA) alongside the in August 1981, marking the first integration of color graphics support through dedicated adapter firmware. The CGA ROM, located at C0000:0000h on the card, supported foundational modes including 40x25 or 80x25 text and 320x200 or 640x200 graphics, using 16KB of dynamic RAM at B8000h. Subsequent evolutions, such as the EGA in 1984 and VGA in 1987, built on this foundation by expanding resolutions (e.g., 640x350 for EGA) and color depths while retaining the C0000h–C7FFFh loading and hooking paradigm. For multimonitor configurations, these ROMs employed chaining techniques, where primary and secondary adapters coordinate via Display Combination Code (DCC) tables and extended calls (e.g., AH=12h, BL=35h), allowing seamless output across multiple displays without boot involvement. Although video ROMs play no direct role in boot device selection or loading, their provision of reliable display services is essential for user interaction during POST and setup, ensuring error reporting and configuration access in text-based environments.

UEFI Integration

UEFI Option ROM Architecture

In the UEFI firmware framework, the architecture for handling Option ROMs begins with scanning during PCI device enumeration in the Driver Execution Environment (DXE) phase, where the firmware inspects the PCI expansion ROM base address register to locate potential ROM images on add-in cards. Upon detection, the firmware first validates the legacy BIOS compatibility signature of 0x55 followed by 0xAA at offset 0 within the ROM. If present, it then searches for the EFI-specific image signature embedded after this header, often within a PCI Card ROM (PCIR) structure, to identify native UEFI drivers formatted as Portable Executable/Common Object File Format (PE/COFF) .efi files. These EFI drivers are subsequently extracted, decompressed if necessary using the UEFI compression algorithm, and loaded into system memory as relocatable images during the DXE phase, where the DXE core manages initialization and execution. A primary distinction from legacy BIOS Option ROMs lies in the adoption of the modular PE/COFF format, which supports both 32-bit and 64-bit execution models and allows for larger code segments beyond the 64 KB limitations of traditional 16-bit x86 code. Unlike -era ROMs that hooked into vectors for device control, UEFI Option ROMs integrate via a protocol-driven model, where drivers bind to using the EFI Driver Binding and expose services through standardized interfaces such as the Block I/O for storage devices or the PXE Base Code for . This approach ensures device drivers operate within the UEFI runtime environment, promoting modularity, hot-pluggability, and reduced reliance on platform-specific assumptions. Execution of native UEFI Option ROMs occurs through the EFI boot services, with loaded drivers starting via the StartImage() function and accessing system resources via the EFI System Table, which serves as the central hub for boot services, runtime services, and configuration tables. Optional legacy execution modes may shadow compatible ROMs into upper memory for interrupt-based operation, but native drivers remain protocol-oriented. For Windows-certified platforms, Option ROMs require validation against compliance guidelines, including signature verification and protocol adherence, to maintain boot integrity. This architecture became standardized with the EFI 1.10 specification in 2002, introducing the EFI Driver Model to replace legacy Option ROMs while enabling 64-bit addressing and expanded driver capabilities for contemporary hardware ecosystems.

Legacy Compatibility and

The Compatibility Support Module () is a subsystem within UEFI firmware designed to emulate a legacy environment, allowing UEFI systems to support and execute older 16-bit Option ROMs from expansion cards. It achieves this by scanning devices for legacy Option ROMs in the conventional memory region (0xC0000–0xFFFFF), shadowing them into system RAM for faster execution, and providing a 16-bit real-mode interface through mode-switching thunks that bridge 32-bit UEFI code and 16-bit legacy code. This emulation enables compatibility for hardware and operating systems that rely on traditional calls, such as interrupt services for device initialization. CSM implementation involves several key components configurable via the UEFI BIOS setup menu, where it can be enabled or disabled based on system needs. Once activated, it hooks legacy interrupts (e.g., INT 0x10 for video services) using protocols like EFI_LEGACY_8259_PROTOCOL and supports the Boot Specification () to manage boot device order through a priority table. In modern firmware, is typically disabled by default to optimize performance, as its emulation layer adds overhead during the process. It was particularly useful during operating system transitions, such as booting in environments requiring legacy interrupt support like INT 0x10. Despite its utility, CSM has notable limitations that restrict its use in contemporary systems. It supports only 16-bit real-mode code, excluding 32-bit or 64-bit native UEFI drivers, and significantly increases boot times due to the scanning, shadowing, and mode-switching processes. is inherently incompatible with Secure Boot, as the latter requires a purely UEFI-native without legacy emulation, necessitating its disablement for Secure Boot activation. Since the 2010s, CSM usage has been declining with the widespread adoption of UEFI-native operating systems and , though it remains necessary for certain older configurations. announced plans to cease silicon support for CSM starting with platforms shipping from 2020 onward, with full removal targeted for those launched in 2024 and later; however, as of 2025, CSM remains available on many current platforms. While traditional Option ROM support may persist longer for specific , overall reliance on CSM is discouraged to enhance and efficiency.

Security and Modern Considerations

Vulnerabilities and Risks

Option ROMs operate in a highly privileged environment, executing code during the process with direct access to system resources, which exposes systems to firmware-level attacks. Malicious actors can embed rootkits within Option ROMs to achieve stealthy , as these modules load early and can manipulate or alter flows without detection by operating system-level tools. Such injections often exploit the lack of built-in checks, allowing unauthorized code to run post-Power-On Self-Test () and potentially compromise the entire boot chain. Supply chain attacks represent a critical for Option ROM vulnerabilities, where adversaries vendors to insert malicious during or . For instance, compromised Option ROMs on cards can serve as initial infection points, spreading to the host or enabling persistent backdoors that evade traditional antivirus solutions. Historical exploits underscore these risks; the 2015 Hacking Team data leak exposed source for a UEFI bootkit (Vector-EDK) that modified to deploy persistent implants surviving OS reinstalls. Additionally, PCI-based Option ROMs are susceptible to Direct Memory Access (DMA) attacks via peripherals like devices, permitting attackers to read or write system memory and inject during the EFI . In modern UEFI environments, legacy Option ROMs pose ongoing threats by bypassing Secure Boot signature verification when invoked through the Compatibility Support Module (CSM), allowing unsigned or tampered code to execute unchecked. This enables bootkit malware, such as those demonstrated in the Thunderstrike proof-of-concept, to infect the via malicious peripherals, granting pre-OS control. Such exploits can extend to virtualized setups, where malicious Option ROMs invoked by a OS may compromise the , leading to escape from machines and broader system exposure. The impacts are severe: these threats persist across OS reinstalls or hardware swaps and require specialized analysis tools for detection, complicating remediation efforts.

Mitigation Strategies in Secure Boot

UEFI Secure Boot serves as a foundational defense mechanism against Option ROM vulnerabilities by establishing a that verifies the integrity of components, including bootloaders and drivers, through digital signatures. It employs a hierarchy of keys—Platform Key (PK), Key Exchange Key (KEK), signature database (db), and revoked signatures database (dbx)—to authenticate code before execution, ensuring only signed and trusted components load during the boot process. By default, Secure Boot disables unsigned legacy Option ROMs, particularly when the Compatibility Support Module () is turned off, preventing the execution of potentially malicious 16-bit code from expansion cards. This policy aligns with UEFI 2.3.1 standards, which mandate verification of PCI-based UEFI-compatible ROMs during the Driver Execution Environment (DXE) and Boot Device Selection () phases. For Option ROM-specific mitigations, firmware must enforce signature validation using RSA-2048 with SHA-256 algorithms, rejecting any unsigned or tampered images as required by the Windows Hardware Quality Labs (WHQL) certification program since version 1809. Independent Hardware Vendors (IHVs) attain signing capabilities through Microsoft's Hardware Dev Center, enabling attestation of their EFI drivers and ensuring compliance with Secure Boot policies. Runtime disabling of unused Option ROMs further reduces the , as firmware can selectively load only necessary drivers via protocols like EFI_PLATFORM_DRIVER_OVERRIDE, while prohibiting legacy modes under Secure Boot enforcement. Additional strategies integrate Firmware Trusted Platform Module (TPM) for measured boot, where boot measurements—including Option ROM hashes—are stored in the TPM's Platform Configuration Registers (PCRs) for remote attestation and integrity verification against a policy. BIOS setup menus allow administrators to configure OpROM policies, such as whitelisting approved signatures in the db or blacklisting known malicious ones in the dbx, providing granular control over device initialization. Vendor-specific tools facilitate secure updates to Option ROMs and firmware, maintaining signature validity and addressing emerging threats without compromising the boot chain. Recent developments in Secure Boot include 's issuance of updated certificates, such as the Microsoft Option ROM UEFI CA 2023, to replace expiring keys like the Microsoft UEFI CA 2011, which expires in June 2026. This update is critical for Option ROMs, as older signed components (e.g., Graphics Output Protocol drivers) may fail to boot on Secure Boot-enabled systems post-expiration unless or certificates are updated. These changes, available via optional servicing updates since February 2024, ensure continued protection against vulnerabilities while maintaining compatibility. Since its introduction with in 2012, Secure Boot has significantly reduced risks from legacy Option ROMs on compliant systems, with all Certified for Windows PCs incorporating it alongside TPM support. However, challenges persist in mixed environments requiring for legacy compatibility, where partial enablement may expose systems to unverified code. Ongoing advancements, such as those in recent specifications including version 2.11 released in December 2024, enhance abstraction layers for Option ROM handling, promoting more secure and modular boot architectures.

References

  1. [1]
    [PDF] PCI Local Bus Specification
    Dec 18, 1998 · The PCI Local Bus Specification, Rev. 2.2, includes the ... device specific option ROM code. Documentation for Open Firmware is ...
  2. [2]
    UEFI Validation Option ROM Guidance - Microsoft Learn
    Sep 14, 2022 · Option ROMs (or OpROMs) are firmware run by the PC BIOS during platform initialization. They are usually stored on a plug-in card, though they ...
  3. [3]
    [PDF] Intel® Rapid Storage Technology - User Guide
    Intel® Rapid Storage. Technology Option ROM. A code module built into the system BIOS that provides boot support for. RAID volumes as well as a user interface ...
  4. [4]
    2. Definition of Terms — ACPI Specification 6.4 documentation
    Option ROM Firmware. Legacy term for boot firmware typically executed on a host processor which is used by a device during the boot process. Option ROM ...
  5. [5]
    1. Introduction — UEFI Specification 2.10 documentation
    Abstraction of Option ROMs from the firmware. This specification defines interfaces to platform capabilities including standard bus types such as PCI, USB, and ...
  6. [6]
    2. Overview — UEFI Specification 2.10 documentation
    Platform interfaces defined in this section allow the use of standard Plug and Play Option ROMs as the underlying implementation methodology for the boot ...
  7. [7]
    [PDF] Unified Extensible Firmware Interface (UEFI) Specification
    Aug 29, 2022 · Additional details are provided that allow UEFI drivers to be stored in PCI option ROMs, while maintaining compatibility with legacy option ROM ...
  8. [8]
    [PDF] A Tale of Two Standards - UEFI Forum
    • BIOS presents a hard limit on the size of Option ROM execution space, severely restricting the support of bootable devices on servers, both in terms of ...<|control11|><|separator|>
  9. [9]
    [PDF] IBM PC Technical Reference - Bitsavers.org
    The IBM PC has a 90-day warranty, a Class B FCC radio interference limit, and includes hardware overview, system board, and keyboard details.
  10. [10]
    How does Option ROM work? - Electrical Engineering Stack Exchange
    Oct 12, 2016 · The Option ROM contains device BIOS software which is meant to help the system BIOS to interact with specific device. Right? You can say this ...Missing: definition | Show results with:definition
  11. [11]
    https://minuszerodegrees.net/manuals/IBM_5150_Technical_Reference_6025005_AUG81.pdf
  12. [12]
    [PDF] BIOS Boot Specification - Stanford Secure Computer Systems Group
    Jan 11, 1996 · PCI Local Bus Specification. 2.1. PCI Special ... Boot Specification. E.3 Option ROM Initialization. E.3.1 Before Option ROM Placement.
  13. [13]
    [PDF] Preboot Execution Environment (PXE) Specification
    Sep 20, 1999 · ROM ID structure. Scan memory from 0xC0000 to 0xF0000 for valid option. ROMs. Look inside each option ROM for a BUSD ROM ID structure. Compare ...Missing: layout C0000 F0000
  14. [14]
    Unified Extensible Firmware Interface (UEFI) legacy mode option ...
    When the IBM PC architecture is in Legacy Mode, the adapter cards ROM space is only allowed a total of 128 KB. If an adapter needs more, it will not be ...
  15. [15]
    Malicious code execution in PCI expansion ROM - Infosec Institute
    Jun 29, 2012 · This article explains how a malicious PCI expansion ROM might exploit a little-known BIOS memory management interface to break through the memory barrier.
  16. [16]
    None
    Below is a merged summary of Option ROMs in the IBM PC/AT Technical Reference (March 1984), consolidating all provided segments into a single, comprehensive response. To maximize detail and clarity while retaining all information, I’ve organized the key points into a table in CSV format, followed by a narrative summary that ties everything together. The table captures the most granular and recurring details across the segments, while the narrative provides context and additional insights.
  17. [17]
    [PDF] System BIOS for IBM® PCI)(TrMIAT® Computers and Compatibles
    The microprocessor created a cult following among programmers. System BIOS for IBM PC/XT/AT Computers and Compatibles xvii. Page 17. In the mid-seventies ...
  18. [18]
    [PDF] Technical_Reference_Options_a...
    The options and adapters manual is the second part of the. Technical Reference publication. It is designed to be used in conjunction with any of the Technical ...
  19. [19]
    [PDF] Flash Memory PCI Add-In Card for Embedded Systems - Intel
    The BIOS Boot Specification as defined by Compaq,. Phoenix Technologies and Intel provides the means for any device in a system to be identified as an Initial.
  20. [20]
    [PDF] System Management BIOS (SMBIOS) Reference Specification - DMTF
    Jun 17, 2022 · ... BIOS Boot Specification, Version 1.01, 11 January 1996,. 531. A copy is available at http://www.scs.stanford.edu/nyu/04fa/lab/specsbbs101.pdf.
  21. [21]
    [PDF] AHA-1540C/1542C User's Manual - Bitsavers.org
    This manual provides complete instructions on how to install and use the Adaptec AHA-1540C and AHA-1542C ISA-to-SCSI. Advanced Host Adapters. Chapter One, ...Missing: 154x | Show results with:154x
  22. [22]
    None
    ### Summary of Option ROM Functionality for AHA-1540B/1542B (BIOS Boot Aspects)
  23. [23]
    [PDF] IBM Personal Computer AT - Technical Reference
    This manual describes the various units of the IBM Personal. Computer AT and how they interact. It also has information about the basic input/output system ( ...Missing: CGA C0000
  24. [24]
    [PDF] Intel® Platform Innovation for UEFI - CSM Specification
    Sep 26, 2013 · This functionality along with the associated IBV Compatibility16 and. CompatibilitySmm code is called the Compatibility Support Module (CSM).
  25. [25]
    Firmware WEG FAQ - Windows drivers - Microsoft Learn
    You can boot Win7 in UEFI mode if a partial CSM is in place (enabled) providing Int10 support. If firmware defaults to UEFI boot mode leaving Int10 CSM enabled, ...
  26. [26]
    The Oft-Rumored Death of UEFI's CSM Prophesied Again by Intel
    Apr 21, 2018 · Intel has publicly stated that they will not provide the related silicon pieces needed for delivering CSM in BIOS, starting with platforms that ship in 2020.
  27. [27]
    MosaicRegressor: Lurking in the Shadows of UEFI - Securelist
    Oct 5, 2020 · These make use of UEFI firmware by AMI which is very similar to the one we inspected. For this reason we can assume that Hacking Team's method ...
  28. [28]
    [PDF] Secure Firmware Development Best Practices | Open Compute Project
    This exposes it to risks such as unverified image download and execution, unverified option ROMs loaded to access the network, or denial of service from ...
  29. [29]
    Anatomy of a Firmware Attack - Eclypsium | Supply Chain Security ...
    Dec 20, 2019 · Option ROM Attacks – Option ROM attacks can be used as part of an initial infection or to spread malicious firmware from one component to ...
  30. [30]
    Control-Alt-Can't delete: customized firmware bootkit found in the wild
    Oct 5, 2020 · The UEFI bootkit used with the malware is a custom version of Hacking Team's bootkit, leaked in 2015. UEFI firmware is an essential part of a ...
  31. [31]
    [PDF] Thunderbolt: Exposure and Mitigation - cs.wisc.edu
    We describe the implementation of such an Option. ROM in the subsequent section, and consider such a combination Option ROM and DMA attack to effectively.
  32. [32]
    EFI bootkits for Apple MacBooks via Thunderbolt & Option ROMs
    Dec 31, 2014 · Thunderstrike is the name for the Apple EFI firmware security vulnerability that allows a malicious Thunderbolt device to flash untrusted code to the boot ROM.Missing: risks | Show results with:risks
  33. [33]
    [PDF] Requirements for an Integrity-Protected Hypervisor on the x86 ...
    An attacker may replace a legitimate option ROM with a malicious one which may then be invoked at runtime by an OS running within a VM [16]. This code can then ...
  34. [34]
    SoK: Security Below the OS – A Security Analysis of UEFI - ar5iv
    The Thunderstrike attack leverages a vulnerability in the Thunderbolt Option ROM, to inject malicious code into the Option ROM of the targeted Mac's firmware.
  35. [35]
    Secure the Windows boot process | Microsoft Learn
    Aug 18, 2025 · Secure Boot, Trusted Boot, and Measured Boot block malware at every stage: Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.
  36. [36]
    [PDF] National Security Agency Cybersecurity Report
    Jul 27, 2017 · Secure Boot can also whitelist or blacklist newer. OROMs for granular boot device control. Graphics cards are the most common stumbling point ...