Deunan wrote on 2023-07-30, 17:39:
Not that I know of. Every BIOS I've disassembled always looks for the 55 AA signature, then checks the size byte, then calculates the checksum - if everything is well, the code gets executed.
That's basically all the BIOS has to do. The C000-EFFF space (later reduced to C000-DFFF with 128KB mainboard BIOSes) is not meant to only contain option ROMs. It may also contain shared memory buffers of network cards, memory-mapped I/O functionality (although that wouldn't make that much sense on an 8088 IBM PC, as IN/OUT is fast enough for control functionality), or even the EMS page frame. The 55 AA signature is meant to indicate that there actually is an option ROM at the address currently scanned by the BIOS, and that it needs execution during POST. If anything else is found (data ROM, floating bus at FF, random memory contents), that range is ignored. To reduce likelihood of shared memory actually looking like a valid option ROM, there also is an 8-bit checksum over the whole ROM that needs to match. Furthermore, the choice of 55 AA validates (in 8-bit systems) that the data is not just a random result of a bus that is not driven at all, but that every single data line of that bus is actively toggling from 55 to AA when reading the second byte. This also validates that no data trace between the option ROM and the ISA bus is broken. Detecting (or dealing with) broken traces / loose pins in sockets was a design consideration of the POST processes in the 80s: For example, the IBM EGA card POST causes the card to output differently colored test patterns for a short time and uses a read-back feature to poll the pixel data sent to the monitor to identify that the card is working as intended.
Actually, it might be quite interesting what happens if you put a valid option ROM image into an EMS page and then press Ctrl-Alt-Del to reboot. If you don't hit the reset button, the EMS hardware has no way of knowing that a reset has happened, and thus certainly can't unmap the page that contains the option ROM image from the page frame. So likely that "option ROM" gets executed from RAM. A well-designed EMS card will actually unmap all pages if it receives the RESETDRV signal on the ISA bus, so this issue can only arise on a warm start. Would be a nice way for a virus to persist across warm starts without obviously disturbing the reboot cycle. Some viruses (like Parity Boot) caught Ctrl-Alt-Del, and performed a "hot start" circumventing the complete BIOS POST procedure.
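
The three checks named in the thread (55 AA signature, size byte, checksum), written out as an added C example that is not part of either post or of any BIOS's code. The 2 KB scan step, the 512-byte size unit and the sum-to-zero rule are the conventional IBM PC values and are assumptions here, since the thread does not state them; the sample window is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SCAN_STEP 2048u /* assumption: candidates sit on 2 KB boundaries */
#define BLOCK 512u      /* assumption: size byte counts 512-byte blocks */
enum rom_status { ROM_OK, ROM_NO_SIG, ROM_BAD_SIZE, ROM_BAD_SUM };

/* Apply the three POST checks to the candidate at buf[off]. */
enum rom_status check_option_rom(const uint8_t *buf, size_t len, size_t off) {
    if (off + 3 > len || buf[off] != 0x55 || buf[off + 1] != 0xAA)
        return ROM_NO_SIG;
    size_t size = (size_t)buf[off + 2] * BLOCK;
    if (size == 0 || size > len - off)
        return ROM_BAD_SIZE;
    uint8_t sum = 0;
    for (size_t i = 0; i < size; i++) sum = (uint8_t)(sum + buf[off + i]);
    return sum == 0 ? ROM_OK : ROM_BAD_SUM; /* assumption: sum is 0 mod 256 */
}

/* Walk the window; record offsets of images that pass, return how many. */
size_t scan_window(const uint8_t *buf, size_t len, size_t *found, size_t max) {
    size_t n = 0, off = 0;
    while (off < len) {
        size_t step = SCAN_STEP;
        if (check_option_rom(buf, len, off) == ROM_OK) {
            if (n < max) found[n] = off;
            n++; /* then skip the image body, rounded up to the scan step */
            step = ((size_t)buf[off + 2] * BLOCK + SCAN_STEP - 1) / SCAN_STEP * SCAN_STEP;
        }
        off += step;
    }
    return n;
}

/* Constructed sample (len >= 0x2800): floating bus, one valid image, one fake header. */
void build_sample(uint8_t *win, size_t len) {
    memset(win, 0xFF, len);                  /* undriven bus reads FF */
    memset(win + 0x0800, 0x00, 1024);
    memcpy(win + 0x0800, "\x55\xAA\x02", 3); /* valid 1 KB image */
    win[0x0800 + 1023] = 0xFF; /* 0x55+0xAA+0x02+0xFF = 0x200, low byte 0 */
    memset(win + 0x2000, 0x00, 2048);
    memcpy(win + 0x2000, "\x55\xAA\x04", 3); /* looks like a header, sum is wrong */
}

int main(void) {
    static uint8_t win[0x4000];
    size_t found[4] = {0};
    build_sample(win, sizeof win);
    size_t n = scan_window(win, sizeof win, found, 4);
    printf("%zu valid image(s), first at 0x%04zx\n", n, found[0]);
}
```

The checks look only at the bytes read, so a byte-identical image passes whether it sits in ROM or in mapped RAM, which is the warm-start case described in the reply.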