Apple's EFI implementation
Technical Information about EFI on original Macs
What is EFI?
The Extensible Firmware Interface (EFI) is a set of interfaces that defines how software will interface with future firmware. Intel developed EFI as a part of the Intel Boot Initiative program that began in 1998. This program was designed to modernize firmware technology in today's computers in order to move past the limitations of a legacy BIOS. It offers features similar to the Open Firmware used on older PowerPC-based Macs. Beyond that, it is extensible and quite flexible. (Note: HP Itanium systems have been using EFI for several years)
Drivers, pre-boot applications and OS loaders for EFI are written in C, not assembly. The EFI specification includes clean APIs for text and graphical screen output, keyboard and mouse input, and access to file systems and block devices. EFI allows settings to be stored in NVRAM in the form of named variables, i.e. key-value pairs.
Intel also created the Platform Innovation Framework for EFI (or "The Framework"), which is a fully compliant EFI implementation that also supports legacy Operating Systems (OS'es) through a Compatibility Support Module (CSM). The Framework is often mistakingly refered to simply as "EFI", when it is in reality only a single possible implementation of the EFI standard. Other implementations include Apple's new firmware being used in their Intel-based Macs and Insyde Technology's InsydeH2O firmware which supports only legacy OS'es. Certain Gateway motherboards have been shipping with The Framework for some time now. .
EFI in the Intel Macs
Apple uses an EFI 1.10 compliant firmware based on Intel's reference implementation in the new Intel Macs. Apple developed this firmware by itself. That fact is not visible to the user under normal circumstances. The Intel Macs boot in graphics mode, without the text console visible. They also don't use the EFI boot menu, but Apple's own way of locating the OS boot loader. Holding the Option key on boot activates a graphical boot volume chooser similar to the one in the PowerPC Macs.
Some more facts about Apple's EFI implementation:
- It includes a read-only HFS+ filesystem driver in addition to the standard read-write FAT driver.
- Disks formatted in GPT format by Disk Utility have the required EFI system partition in FAT32 format, but it is empty and unused.
- The OS loader is usually located through a file ID pointer in the HFS+ volume header. This info can be set with the bless command-line tool.
- When using bless --mount ... --file ... the file's path is stored in NVRAM, allowing you to boot an EFI loader from FAT32 volumes.
- The updated firmware that supports Boot Camp also allows booting the BIOS way, i.e. from the boot sector of a hard disk partition or El Torito image.
- The firmware uses the ConSplitter driver from Intel's implementation. The ConsoleControl protocol can be used to switch between graphical and text modes. Source code and headers are available as part of the TianoCore EDK.
- The standard GraphicsConsole driver is there, too, and provides the text console on top of the actual UGA video card driver. (There is no need to manually load the GraphicsConsole driver, see below.)
- There are EFI drivers for the built-in Ethernet as well as for AirPort and for the IR remote control. The remote control can actually be used to control the boot volume chooser!
- Using bless, one can set the Mac to load any EFI application on boot. However, the console will still be in graphical mode, so you won't see anything in most cases.
- When you use bless to set the boot file to an EFI driver (like the GraphicsConsole.efi driver as per the Nakfull Propaganda instructions), then the file will be loaded, but control will return to the EFI firmware because it is not an application. At this point a built-in boot menu is displayed, and on the first keypress the console is switched to text mode so you can see it. (Note: It appears that this no longer works on the Mac Book Pro.)
- Using TextMode.efi (a small EFI application) instead will switch the console to text mode immediately and return to the built-in boot menu without requiring a key press.
More on the graphical boot volume chooser:
- It displays any "blessed" volume on any available disk, including external USB and FireWire hard disks, USB flash memory disks, flash memory cards in USB card readers, and CD/DVD drives.
- It supports HFS+ partitions on disks formatted with GPT, Apple Partition Map, and even MBR.
- Apparently it doesn't support FAT partitions at all, because it looks at the info in the HFS+ volume header placed there by bless. You can use FAT only for the default boot volume (see above).
- El Torito is supported as well, but the boot image must contain a HFS+ file system to show up in the chooser. It appears that some kind of partition table (e.g. an Apple Partition Map) is also required; this might be a minor issue caused by the sector size. (Note: This no longer works with the firmware updates for Boot Camp. Details are still under investigation.)
- Displays the volume icon as set in the Finder's "More info" dialog. (NTFS partitions will always display the generic disk icon because the firmware can't read that file system.)
- The volume name label displayed is taken from a pre-rendered graphics file. It can be controlled through bless options, but the --label option is broken in current versions. More info on labels.
- The chooser can be controlled by keyboard, mouse, or IR remote control.
Based on preliminary analysis of apple_hardware_test from 10.4.4, only the following device classes are handled and/or accepted by included EFI modules:
|Apple Inc.||ATI Technologies Inc.||Nvidia Corporation|
|Broadcom Corporation||ATTO||Adaptec Inc.|
|Promise||NEC Corporation||Agere Systems|
|Mellanox Technology||Intel Corporation||Marvell Semiconductor Inc?.|
|Atheros Communications Inc.||Pangea FireWire||UniNorth 2.0 FireWire|
|K2 FireWire||KeyLargo USB||Pangea USB|
|K2-GMAC||K2 USB||Shasta FireWire|
|NV11 GeForce2 MX||NV11 DDR GeForce2 MX||NV11 GeForce2 Go|
|NV20 GeForce3||NV20DDR GeForce3 Ti||NV17 GeForce4 MX|
|NV17M GeForce4 Go||NV18 GeForce4 MX||GeForce4 Ti 4600|
|NV31 GeForce4 MX||NV34 GeForce FX 5200||NV40 GeForce 6800 ultra|
|NV40 GeForce 6800 gt||NV43 GeForce 6600||RV100|
|IntraServer, fc||PCIx IntraServer, fc||ExpressPCIProUL3D|
|ExpressPCI UL3S 66||LSILogic,scsi||2930CU|
|USB Host Controller||USB 2.0 Host Controller||BCM5703|
|M35a AirPort Card||GMA 900||GMA 950|
|82573V Ethernet||Yukon Gigabit Adapter 88E8053||Pre-2.0 PCI Specification Device|
|Non-VGA||VGA Compatible||Mass Storage Controller|
|Token Ring||FDDI||Display Controller|
|PC Compatible||8514||Multimedia Device|
|PCI/CardBus||Simple Communications Controller||Serial|
|Generic XT Compatible||16450 Compatible||16550 Compatible|
|ECP 1.X Compliant||Base Systems Peripheral||PIC (Programmable Interrupt Controller)|
|Generic 8259||DMA (Direct Memory Access)||EISA|
|System Timer||RTC (Real Time Clock)||Generic|
|Input Device||Keyboard||Digitizer (Pen)|
|Serial Bus Controller||Firewire (IEEE 1394)||ACCESS.bus|
|SSA (Serial Storage Archetecture)||USB (Universal Serial Bus)||Fibre Channel|
On a new Intel iMac, here is the output of:
MacInTouch also has the output of System Profiler. :D
Intel provides a sample EFI implementation on their EFI website, complete with source code. OS X almost certainly requires more than what this implementation provides (the sample was created in 2003 and probably lacks key functionalities), but it should be a good starting point to get a feel for how an EFI system is partitioned (assuming 10.4.4 uses GPT partitoning) and how it boots.
Also included are IA-32 images that allow standard PC systems to boot to EFI for educational and testing purposes: http://developer.intel.com/technology/efi/main_sample.htm
Apple EFI Runtime
The AppleEFIRuntime.kext file from 10.4.4 does not currently load on a 10.4.3-based system because of missing symbols:
kextload: extension AppleEFIRuntime.kext appears to be valid kld(): Undefined symbols: _gPEEFISystemTable kextload: kld_load_from_memory() failed for module /[...]/AppleEFIRuntime.kext/Contents/MacOS/AppleEFIRuntime kextload: a link/load error occured for kernel extension AppleEFIRuntime.kext load failed for extension AppleEFIRuntime.kext (run kextload with -t for diagnostic output)
According to an unofficial Apple/Intel FAQ, the graphics drivers seem to have a direct association with EFI modules. This can be seen in the System Profiler listing that they provide as "EFI Driver Version: 01.00.063". Some users have commented that an EFI module may be responsible for ROM BIOS initialization on ATI graphics cards.
Relation with TPM
Additionally, the lack of presence of a TPM kernel extension in 10.4.4 means that the functionality probably now exists as an EFI module. There is also a possible association with Don't Steal Mac OS X.kext, which presumably acts to support memory page encryption and decryption.
We know that there must be some sort of TPM support provided by (or through) a kernel extension because the ioreg output on an Intel iMac shows:
| +-o TPM
However, the above has not been proven and even if it is the study of how EFI works on Macs does not imply a DMCA violation because EFI is not a DRM scheme. Rather EFI is merely the evolution of BIOS technology which has no DRM role.
EFI Shell on an iMac
There is NO EFI Shell built-in with the original Apple EFI firmware because of the size problem. The only way to boot to EFI Shell is to write a simple application that can modify the BOOT-NEXT or BOOT-FROM-FILE variable. These variables are used to control the booting behaviour of the computer, and default behaviour is booting from HD.
Someone said that they can use Intel EFI Simple Imp to boot to EFI Shell. I'm sorry but that is not the real Shell. It boot from the CSM not the EFI core.
Please visit this website for a complete guide on how to build and enter an EFI Shell on an Intel iMac.
If you want to experiment with EFI on an Intel Mac, you may want to take a look at rEFIt, a simple boot menu and toolkit for EFI. It gives you direct access to the EFI shell and the built-in EFI maintenance menus.
Booting an EFI Implementation on any BIOS-PC
Intel provides a sample implementation (BIOS32 and ia32-Embedded) that runs on top of any normal PCs, unloading BIOS16 (going into protective mode) and loading EFI calls. This possibility is discussed here and can be useful for the execution any .efi files and perhaps, eventually, OS X.
- For more info go here: Intel Developer EFI Tools
For booting EFI implemetation, get the EFI Sample Implementation, decompress it and then locate the files that are .img in the Binary folder (eg. Binary/ia32EMB/IMAGES/ia32EMB.img). Use a disk utility like dd or makedisk to write the image to a floppy, and then boot your system from it.
Important Info: This disk does not change anything in your disks or BIOS. Caution: be careful using any formatting tools available from the EFI shell, as they can damage your system!
This disk will not allow you to access the NVRAM variables on an EFI-based system that is booting in legacy mode (such as an InsydeH2O-based or Framework-based system). NVRAM variables that you create from the shell are stored on the floppy disk itself and not on the system.
Intel now can provide a better solution for booting to EFI on any legacy BIOS based computers. Now EDK supports a new module named DUET or Developer�s UEFI Emulation. It supports boot via floppy, USB or network and has the newest EFI Shell built-in.Please go to the TianoCore for more information.