logoalt Hacker News

wmfyesterday at 8:57 PM1 replyview on HN

CSM does not bypass secure boot or any initialization that UEFI performs (because UEFI runs before the CSM).


Replies

liffikyesterday at 9:00 PM

You are absolutely correct, and I highly appreciate the clarification! I definitely misspoke in my previous comment.

CSM doesn't magically bypass an active Secure Boot state. Rather, to even boot via CSM, Secure Boot typically must be disabled in the firmware settings beforehand. What I really meant is that by targeting Legacy/CSM, I bypassed the development requirement of writing an EFI application, dealing with complex UEFI protocols, or figuring out how to get a payload signed.

You are also completely right about the initialization sequence. UEFI still runs first (SEC/PEI/DXE phases) and touches RAM before the CSM hands control over to my MBR payload. My 16-bit approach mostly just helps minimize any additional memory clobbering that a more complex, modern UEFI bootloader environment might introduce.

Thanks for keeping me technically honest!

P.S. Still using AI to translate my thoughts!