public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Andrew Fish" <afish@apple.com>
To: Michael Brown <mcb30@ipxe.org>
Cc: "Marvin Häuser" <mhaeuser@posteo.de>,
	devel@edk2.groups.io, "Laszlo Ersek" <lersek@redhat.com>,
	"Mike Kinney" <michael.d.kinney@intel.com>
Subject: Re: [edk2-devel] [GSoC proposal] Secure Image Loader
Date: Wed, 07 Apr 2021 15:02:47 -0700	[thread overview]
Message-ID: <22B1C414-E85C-460A-BFF0-123835899069@apple.com> (raw)
In-Reply-To: <471e56d3-934f-6bb3-52d7-4892f6a75509@ipxe.org>



> On Apr 7, 2021, at 2:50 PM, Michael Brown <mcb30@ipxe.org> wrote:
> 
> On 07/04/2021 22:31, Marvin Häuser wrote:
>> Sorry, but I do not see why this would be the case. In fact the solution is (temporary) co-existence, as already is the case with InstallProtocolInterface() and InstallMultipleProtocolInterfaces()
> 
> InstallMultipleProtocolInterfaces() is not a breaking change: the existence of InstallMultipleProtocolInterfaces() does not require any change to the way that InstallProtocolInterface() is implemented or consumed.
> 
> Code written before the invention of InstallMultipleProtocolInterfaces() will still work now, with no modifications required.
> 
>> the new APIs would be a superset of the old ones, latter can be implemented with former, as also previously done (*2_PROTOCOL instances and shims in e.g. EdkCompatibilityPkg). In some cases, the original protocol interfaces were actually deprecated successfully from the EDK II code base. I would probably offer PCDs to disable the expose of the old APIs, so platforms with little need for backwards-compatibility and more focus on security can tighten the constraints as they see fit. Considering the shimmed interfaces for the old protocols/PPIs/... can be implemented on top of the new public API, and the public API must not change, this code would be practically maintenance-free too in my opinion.
> 
> You have to remember that UEFI is not a monolithic codebase with a single maintaining organisation.  Implementing a *2_PROTOCOL and deprecating the original just causes pain for all the code in the world that is maintained outside of the EDK2 repository, since that code now has to support *both* the old and new protocols.
> 
>> As for your example, I do not believe what is described is "broken". 
> 
> To avoid distraction from that specific example: have a different example.  The EFI_USB_IO_PROTOCOL is fundamentally broken from the perspective of implementing a network device driver, since there is simply no way to enqueue a receive buffer that will wait for the next available packet.  But this won't get fixed, because it can't get fixed without breaking API compatibility.
> 
> (Incidentally, I've observed UEFI software in the wild (from Insyde) that works around these UEFI USB specification flaws by having all of the USB drivers bind to private protocols in addition to EFI_USB_IO_PROTOCOL, resulting in device drivers that point-blank fail to work with a standards-conformant UEFI USB host controller driver.)
> 
> 
> Don't get me wrong: I *am* in favour of improving the security of EDK2, and a formally verified loader is potentially useful for that.  But I could only consider it a good idea if it can be done without making breaking API changes for which I know I will personally have to maintain workarounds for the next ten years.
> 

Well it is just software at the end of the day. We could always wrap any Industry Standard API (PPI, Protocol, etc) in a library function and let people chose backward compatibility vs better security. The Library Class would be owned by the edk2 Open Source project so we have more control over it. 

The general UEFI (and UEFI PI) is we mostly add new things, and don’t depreciated things to maintain compatibility. So for example you can add a new Protocol to a handle so you have V1 and V2 of a protocol on the same handle. An example of this is SimpleTextIn and SimpleTextInEx. SimpleTextIn was modeled on the LCD of a serial terminal (our server roots) so it did not expose modifier keys, or have an easy way to implement snag keys so that is why SimpleTextInEx got added for the new functional. 

Thanks,

Andrew Fish

> Thanks,
> 
> Michael


  reply	other threads:[~2021-04-07 22:02 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-04 23:01 [GSoC proposal] Secure Image Loader Marvin Häuser
2021-04-06  9:41 ` [edk2-devel] " Nate DeSimone
2021-04-06 10:06   ` Marvin Häuser
2021-04-06 16:16     ` [EXTERNAL] " Bret Barkelew
2021-04-08 11:16     ` Laszlo Ersek
2021-04-08 14:13       ` Andrew Fish
2021-04-08 16:06         ` Marvin Häuser
2021-04-08 16:44           ` Andrew Fish
2021-04-08 17:02             ` Marvin Häuser
2021-04-08 17:39               ` Andrew Fish
2021-04-08 21:07                 ` Marvin Häuser
2021-04-08 21:48                   ` Andrew Fish
2021-04-08 22:42                   ` Michael Brown
2021-04-12 17:22   ` Marvin Häuser
2021-04-12 18:30     ` [EXTERNAL] " Bret Barkelew
2021-04-13  0:19     ` Michael D Kinney
2021-04-13  0:56       ` Nate DeSimone
2021-04-13  7:31         ` Marvin Häuser
2021-04-13 15:05           ` Andrew Fish
2021-04-13 18:04           ` Nate DeSimone
2021-04-13 18:08             ` Michael D Kinney
2021-04-13 18:14             ` Andrew Fish
2021-04-16  7:36               ` Marvin Häuser
2021-04-07 21:05 ` Michael Brown
2021-04-07 21:31   ` Marvin Häuser
2021-04-07 21:50     ` Michael Brown
2021-04-07 22:02       ` Andrew Fish [this message]
     [not found]       ` <1673B28429E5B4FE.4742@groups.io>
2021-04-07 22:10         ` Andrew Fish
2021-04-08  9:04           ` Marvin Häuser
2021-04-08  9:40             ` Michael Brown
2021-04-08  8:53       ` Marvin Häuser
2021-04-08  9:26         ` Michael Brown
2021-04-08  9:41           ` Marvin Häuser
2021-04-08  9:50             ` Marvin Häuser
2021-04-08  9:55             ` Michael Brown
2021-04-08 10:13               ` Marvin Häuser
2021-04-08 10:31                 ` Michael Brown

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=22B1C414-E85C-460A-BFF0-123835899069@apple.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox