FIRMWARE_INFORMATION_LOADER_BLOCK

The FIRMWARE_INFORMATION_LOADER_BLOCK is a structure within the LOADER_PARAMETER_BLOCK, which is in turn the structure through which the kernel and HAL learn the initialisation data that was gathered by the loader. It was appended for Windows Vista, apparently as part of the reworking NTLDR into a boot manager and boot loader, and especially because the new loader may use the Extensible Firmware Interface (EFI). It has grown since: the following changes of size are known:

These sizes, and the offsets, names and types in the table that follows are from type information in public symbol files for the kernel in occasional Windows versions: for Windows Vista and Windows 7, but then not again until the 1803 release of Windows 10. How the type information gets into symbol files for some versions but not others is not known. Type information is also present in most versions of a statically linked library named CLFSMGMT.LIB which Microsoft distributes with the Software Development Kit (SDK). This is enough to complete the layout for all versions since Windows Vista. Additionally, a C-language definition has been published in a header named arc.h from the Windows Driver Kit (WDK) for Windows 10 in its original and 1511 releases—but see notes after the table for a discrepancy.

struct {
    /*  bit flags, see below  */
};

union {
    EFI_FIRMWARE_INFORMATION EfiInformation;
    PCAT_FIRMWARE_INFORMATION PcatInformation;

} u;

The first of the bit flags selects from the union u according to the firmware type. Windows 10 adds more bit flags to support Isolated User Mode (IUM) and the security of memory that is saved during hibernation (and whose protection is thus dependent on firmware):

ULONG FirmwareTypeEfi : 1;

ULONG FirmwareTypeUefi : 1;

ULONG EfiRuntimeUseIum : 1;

ULONG EfiRuntimePageProtectionEnabled : 1;

ULONG EfiRuntimePageProtectionSupported : 1;

ULONG Reserved : 31;

ULONG Reserved : 28;

ULONG Reserved : 29;

Type information in CLFSMGMT.LIB has FirmwareTypeEfi change to FirmwareTypeUefi for version 6.2 and stay changed, but the C-language definition in ARC.H for both the original and 1511 releases of Windows 10 keeps to FirmwareTypeEfi. It may be relevant that Microsoft has ARC.H at two locations. For instance, symbol files for the kernel in the original Windows 10 place ARC.H at

d:\th.public.fre\halkit\inc

but symbol files for the same version’s user-mode AppXDeploymentClient.dll have it at

d:\th.public.fre\internal\sdk\inc\minwin

and the CLFSMGMT.LIB from the SDK for the original Windows 10 apparently got it from there too. More research is required.

PCAT

The PCAT_FIRMWARE_INFORMATION structure has just the one member: a ULONG named PlaceHolder, which does indeed look to be unused.

EFI

The business of the FIRMWARE_INFORMATION_LOADER_BLOCK has always been to provide EFI_FIRMWARE_INFORMATION. The latter is known only within the former. That the bit flag for distinguishing whether the former contines as PCAT_FIRMWARE_INFORMATION or as EFI_FIRMWARE_INFORMATION is now joined with EFI-specific flags is here taken as suggesting that the PCAT_FIRMWARE_INFORMATION is retained just as a formality. For the following layout of the EFI_FIRMWARE_INFORMATION, the offsets are from the start of the FIRMWARE_INFORMATION_LOADER_BLOCK.

ULONG FirmwareVersion;

VIRTUAL_EFI_RUNTIME_SERVICES *VirtualEfiRuntimeServices;

NTSTATUS SetVirtualAddressMapStatus;

ULONG MissedMappingsCount;

LIST_ENTRY FirmwareResourceList;

PVOID EfiMemoryMap;

ULONG EfiMemoryMapSize;

ULONG EfiMemoryMapDescriptorSize;