Subject: Re: [edk2-devel] [GSoC proposal] Secure Image Loader
To: devel@edk2.groups.io, afish@apple.com
Cc: Laszlo Ersek, Nate DeSimone, Mike Kinney
References: <259a114d-7132-1774-d46a-8e8d9b4ff5e2@redhat.com> <8dcae34e-e975-9233-3738-62662201aae9@posteo.de> <00A00172-982E-4989-8AE3-EF390DB4E531@apple.com>
From: Marvin Häuser
Message-ID: <2e051761-c7ed-c6c6-e8e6-fb45ba3d0a2d@posteo.de>
Date: Thu, 8 Apr 2021 19:02:32 +0200
In-Reply-To: <00A00172-982E-4989-8AE3-EF390DB4E531@apple.com>

On 08.04.21 18:44, Andrew Fish via groups.io wrote:
>
>
>> On Apr 8, 2021, at 9:06 AM, Marvin Häuser wrote:
>>
>> We use the loader code in userspace anyway for fuzzing and such. I
>> also want to build a database of all sorts of UEFI binaries some time
>> before the merge to confirm they are all accepted (Windows / macOS /
>> Linux bootloaders, tools like memtest, drivers like iPXE). As part of
>> that, I'm sure we can have a userspace tool that uses the code to
>> emit parsing information.
>>
>> But as the EDK II build system is very... not so userspace friendly,
>> I will not promise it will be very nice. :)
>>
>
> Marvin,
>
> The BaseTools can easily build C command line tools that are cross
> platform?
>
> Actually GenFw [1] already does a lot of PE/COFF magic, so it should
> be relatively easy to add a -I, --info, and dump out an overview of a
> PE/COFF image, and make comments on things that are not secure. It
> would also probably be useful to dump out information about the Debug
> Directory entries, HII sections, etc. for general debug.

I did not look at the code much, but I do know that BaseTools duplicates
the PE/COFF code from MdePkg. Whether it was changed or not I cannot tell.

Best regards,
Marvin

>
> [1]
> https://github.com/tianocore/edk2/tree/master/BaseTools/Source/C/GenFw
>
> /Volumes/Case/edk2-github(eng/PR-557-XcodeResourceSections)>. edksetup.sh
> Loading previous configuration from
> /Volumes/Case/edk2-github/Conf/BuildEnv.sh
> WORKSPACE: /Volumes/Case/edk2-github
> EDK_TOOLS_PATH: /Volumes/Case/edk2-github/BaseTools
> CONF_PATH: /Volumes/Case/edk2-github/Conf
> /Volumes/Case/edk2-github(eng/PR-557-XcodeResourceSections)>GenFw -h
> GenFw Version 0.2 Developer Build based on Revision: Unknown
>
> Usage: GenFw [options]
>
> Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.
>
> Options:
>   -o FileName, --outputfile FileName
>                         File will be created to store the output content.
>   -e EFI_FILETYPE, --efiImage EFI_FILETYPE
>                         Create Efi Image. EFI_FILETYPE is one of BASE,SMM_CORE,
>                         PEI_CORE, PEIM, DXE_CORE, DXE_DRIVER, UEFI_APPLICATION,
>                         SEC, DXE_SAL_DRIVER, UEFI_DRIVER, DXE_RUNTIME_DRIVER,
>                         DXE_SMM_DRIVER, SECURITY_CORE, COMBINED_PEIM_DRIVER,
>                         MM_STANDALONE, MM_CORE_STANDALONE,
>                         PIC_PEIM, RELOCATABLE_PEIM, BS_DRIVER, RT_DRIVER,
>                         APPLICATION, SAL_RT_DRIVER to support all module types
>                         It can only be used together with --keepexceptiontable,
>                         --keepzeropending, --keepoptionalheader, -r, -o option.
>                         It is a action option. If it is combined with other action options,
>                         the later input action option will override the previous one.
>   -c, --acpi            Create Acpi table.
>                         It can't be combined with other action options
>                         except for -o, -r option. It is a action option.
>                         If it is combined with other action options, the later
>                         input action option will override the previous one.
>   -t, --terse           Create Te Image.
>                         It can only be used together with --keepexceptiontable,
>                         --keepzeropending, --keepoptionalheader, -r, -o option.
>                         It is a action option. If it is combined with other action options,
>                         the later input action option will override the previous one.
>   -u, --dump            Dump TeImage Header.
>                         It can't be combined with other action options
>                         except for -o, -r option. It is a action option.
>                         If it is combined with other action options, the later
>                         input action option will override the previous one.
>   -z, --zero            Zero the Debug Data Fields in the PE input image file.
>                         It also zeros the time stamp fields.
>                         This option can be used to compare the binary efi image.
>                         It can't be combined with other action options
>                         except for -o, -r option. It is a action option.
>                         If it is combined with other action options, the later
>                         input action option will override the previous one.
>   -b, --exe2bin         Convert the input EXE to the output BIN file.
>                         It can't be combined with other action options
>                         except for -o, -r option. It is a action option.
>                         If it is combined with other action options, the later
>                         input action option will override the previous one.
>   -l, --stripped        Strip off the relocation info from PE or TE image.
>                         It can't be combined with other action options
>                         except for -o, -r option. It is a action option.
>                         If it is combined with other action options, the later
>                         input action option will override the previous one.
>   -s timedate, --stamp timedate
>                         timedate format is "yyyy-mm-dd 00:00:00". if timedata
>                         is set to NOW, current system time is used. The support
>                         date scope is 1970-01-01 00+timezone:00:00
>                         ~ 2038-01-19 03+timezone:14:07
>                         The scope is adjusted according to the different zones.
>                         It can't be combined with other action options
>                         except for -o, -r option. It is a action option.
>                         If it is combined with other action options, the later
>                         input action option will override the previous one.
>   -m, --mcifile         Convert input microcode txt file to microcode bin file.
>                         It can't be combined with other action options
>                         except for -o option. It is a action option.
>                         If it is combined with other action options, the later
>                         input action option will override the previous one.
>   -j, --join            Combine multi microcode bin files to one file.
>                         It can be specified with -a, -p, -o option.
>                         No other options can be combined with it.
>                         If it is combined with other action options, the later
>                         input action option will override the previous one.
>   -a NUM, --align NUM   NUM is one HEX or DEC format alignment value.
>                         This option is only used together with -j option.
>   -p NUM, --pad NUM     NUM is one HEX or DEC format padding value.
>                         This option is only used together with -j option.
>   --keepexceptiontable  Don't clear exception table.
>                         This option can be used together with -e or -t.
>                         It doesn't work for other options.
>   --keepoptionalheader  Don't zero PE/COFF optional header fields.
>                         This option can be used together with -e or -t.
>                         It doesn't work for other options.
>   --keepzeropending     Don't strip zero pending of .reloc.
>                         This option can be used together with -e or -t.
>                         It doesn't work for other options.
>   -r, --replace         Overwrite the input file with the output content.
>                         If more input files are specified,
>                         the last input file will be as the output file.
>   -g HiiPackageListGuid, --hiiguid HiiPackageListGuid
>                         Guid is used to specify hii package list guid.
>                         Its format is xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
>                         If not specified, the first Form FormSet guid is used.
>   --hiipackage          Combine all input binary hii packages into
>                         a single package list as the text resource data(RC).
>                         It can't be combined with other action options
>                         except for -o option. It is a action option.
>                         If it is combined with other action options, the later
>                         input action option will override the previous one.
>   --hiibinpackage       Combine all input binary hii packages into
>                         a single package list as the binary resource section.
>                         It can't be combined with other action options
>                         except for -o option. It is a action option.
>                         If it is combined with other action options, the later
>                         input action option will override the previous one.
>   --rc FlieName         Append a Hii resource section to the
>                         last PE/COFF section. The FileName is the resource section to append
>                         If FileName does not exist this operation is skipped. This feature is
>                         only intended for toolchains, like XCODE, that don't suport $(RC).
>                         This option can only be combined with -e
>   --rebase NewAddress   Rebase image to new base address. New address
>                         is also set to the first none code section header.
>                         It can't be combined with other action options
>                         except for -o or -r option. It is a action option.
>                         If it is combined with other action options, the later
>                         input action option will override the previous one.
>   --address NewAddress  Set new address into the first none code
>                         section header of the input image.
>                         It can't be combined with other action options
>                         except for -o or -r option. It is a action option.
>                         If it is combined with other action options, the later
>                         input action option will override the previous one.
>   -v, --verbose         Turn on verbose output with informational messages.
>   -q, --quiet           Disable all messages except key message and fatal error
>   -d, --debug level     Enable debug messages, at input debug level.
>   --version             Show program's version number and exit
>   -h, --help            Show this help message and exit
>
> Thanks,
>
> Andrew Fish
>
>> Best regards,
>> Marvin
>>
>> On 08.04.21 16:13, Andrew (EFI) Fish wrote:
>>> At a minimum it would be nice if we had a tool that would point out
>>> the security faults with a given PE/COFF file layout.
>>>
>>>
>>>
>>>> On Apr 8, 2021, at 4:16 AM, Laszlo Ersek wrote:
>>>>
>>>> On 04/06/21 12:06, Marvin Häuser wrote:
>>>>> Good day Nate,
>>>>>
>>>>> Comments are inline.
>>>>>
>>>>> Best regards,
>>>>> Marvin
>>>>>
>>>>>> On 06.04.21 11:41, Nate DeSimone wrote:
>>>>>> Hi Marvin,
>>>>>>
>>>>>> Great to meet you and welcome back! Glad to hear you are interested!
>>>>>> Completing a formal verification of a PE/COFF loader is certainly
>>>>>> impressive. Was this done with some sort of automated theorem
>>>>>> proving?
>>>>>> It would seem a rather arduous task doing an inductive proof for an
>>>>>> algorithm like that by hand!
>>>>> I would call it "semi-automated", a great deal of intermediate goals
>>>>> (preconditions, postconditions, invariants, assertions, ...) were
>>>>> required to show all interesting properties. But yes, the actual proof
>>>>> steps are automated by common SMT solvers. It was done using the
>>>>> AstraVer Toolset and ACSL, latter basically a language to express
>>>>> logic statements with C-like syntax.
>>>>>
>>>>>> I completely agree with you that getting a formally verified PE/COFF
>>>>>> loader into mainline is undoubtedly valuable and would pay security
>>>>>> dividends for years to come.
>>>>> I'm glad to hear that. :)
>>>>>
>>>>>> Admittedly, this is an area of computer science that I don't have a
>>>>>> great deal of experience with.
>>>>>> The furthest I have gone on this topic
>>>>>> is writing out proofs for simple algorithms on exams in my Algorithms
>>>>>> class in college. Regardless, you have a much better idea of what the
>>>>>> current status is of the work that you and Vitaly have done. I guess
>>>>>> my only question is do you think there is sufficient work remaining to
>>>>>> fill the 10 week GSoC development window?
>>>>> Please don't get me wrong, but I would be surprised if the UEFI
>>>>> specification changes I'd like to discuss alone would be completed
>>>>> within 10 weeks, let alone implementation throughout the codebase.
>>>>> While I think the plain amount of code may be a bit less than say a
>>>>> MinPlatform port, the changes are much deeper and require much more
>>>>> caution to avoid regressions (e.g. by invalidating undocumented
>>>>> assertions). This sadly is not a matter of just replacing the
>>>>> underlying library implementation or "plug-in and play" at all. It
>>>>> furthermore affects many parts of the stack, the core dispatchers used
>>>>> for all platforms, image emulation (EBC), UEFI userland emulation
>>>>> (EmuPkg), and so on. I was rather worried the scope is too broad
>>>>> time-wise, but it can be narrowed/widened as you see fit really. This
>>>>> is one of *the* core components used on millions of devices, and many
>>>>> package maintainers need to review and validate the changes, this must
>>>>> really be done right the first try. :)
>>>>>
>>>>>> Certainly we can use some of that time to perform the code reviews you
>>>>>> mention and write up formal ECRs for the UEFI spec changes that you
>>>>>> believe are needed.
>>>>> I believed that was part of the workload, yes, but even without it I
>>>>> think there is plenty to do.
>>>>>
>>>>>> Thank you for sending the application and alerting us to the great
>>>>>> work you and Vitaly have done!
>>>>>> I'll read your paper more closely and
>>>>>> come back with any questions I still have.
>>>>> Thank you, I will gladly explain anything unclear. Just try to not
>>>>> give Laszlo too many flashbacks. :)
>>>> I haven't commented yet in this thread, as I thought my stance on this
>>>> undertaking was (or should be) obvious.
>>>>
>>>> I very much welcome a replacement for the PE/COFF parser (as I consider
>>>> its security issues unfixable in an incremental manner). From my
>>>> reading of Marvin's and Vitaly's paper (draft), they have my full
>>>> trust, and I'm ready to put their upcoming code to use in ArmVirtPkg
>>>> and OvmfPkg with minimal actual code review. If fixing the pervasive
>>>> security problems around this area cannot avoid spiraling out to other
>>>> core code in edk2, such as dispatchers, and even to the PI / UEFI
>>>> specs, so be it.
>>>>
>>>> Regarding GSoC itself: as I stated elsewhere previously, I support
>>>> edk2's participation in GSoC, while at the same time I'm not
>>>> volunteering for mentorship at all. I'm uncertain if GSoC is the best
>>>> framework for upstreaming such a large undertaking, but if it can help,
>>>> we should use it as much as possible.
>>>>
>>>> Thanks
>>>> Laszlo
>>>>
>>>>>> With Best Regards,
>>>>>> Nate
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: devel@edk2.groups.io On Behalf Of Marvin Häuser
>>>>>>> Sent: Sunday, April 4, 2021 4:02 PM
>>>>>>> To: devel@edk2.groups.io; Laszlo Ersek; Andrew Fish; Kinney, Michael D
>>>>>>> Subject: [edk2-devel] [GSoC proposal] Secure Image Loader
>>>>>>>
>>>>>>> Good day everyone,
>>>>>>>
>>>>>>> I'll keep the introduction brief because I've been around for a
>>>>>>> while now. :) I'm Marvin Häuser, a third-year Computer Science
>>>>>>> student from TU Kaiserslautern, Germany.
>>>>>>> Late last year, my colleague Vitaly from ISP RAS and I introduced a
>>>>>>> formally verified Image Loader for UEFI usage at ISP RAS Open[1] due
>>>>>>> to various defects we outlined in the corresponding paper. Thank you
>>>>>>> once again Laszlo for your *incredible* review work on the
>>>>>>> publication part.
>>>>>>>
>>>>>>> I now want to make an effort to mainline it, preferably as part of
>>>>>>> the current Google Summer of Code event. To be clear, my internship
>>>>>>> at ISP RAS has concluded, and while Vitaly will be available for
>>>>>>> design discussion, he has other priorities at the moment and the
>>>>>>> practical part will be on me. I have previously submitted a proposal
>>>>>>> via the GSoC website for your review.
>>>>>>>
>>>>>>> There are many things to consider:
>>>>>>> 1. The Image Loader is a core component, and there needs to be a
>>>>>>> significant level of quality and security assurance.
>>>>>>> 2. Being consumed by many packages, the proposed patch set will take
>>>>>>> a lot of time to review and integrate.
>>>>>>> 3. During my initial exploration, I discovered defective PPIs and
>>>>>>> protocols (e.g. returning data with no corresponding size)
>>>>>>> originating from the UEFI PI and UEFI specifications. Changes need
>>>>>>> to be discussed, settled on, and submitted to the UEFI Forum.
>>>>>>> 4. Some UEFI APIs like the Security Architecture protocols are
>>>>>>> inconveniently abstract, see 5.
>>>>>>> 5. Some of the current code does not use the existing context, or
>>>>>>> accesses it outside of the exposed APIs. The control flow of the
>>>>>>> dispatchers may need to be adapted to make the context available to
>>>>>>> appropriate APIs.
>>>>>>>
>>>>>>> But obviously there are not only unpleasant considerations:
>>>>>>> A. The Image Loader is mostly formally verified, and only very few
>>>>>>> changes will be required from the last proven state. This gives a
>>>>>>> lot of trust in its correctness and safety.
>>>>>>> B. All outlined defects that are of critical nature have been fixed
>>>>>>> successfully.
>>>>>>> C. The Image Loader has been tested with real-world code loading
>>>>>>> real-world OSes on thousands of machines in the past few months,
>>>>>>> including rejecting malformed images (configurable by PCD).
>>>>>>> D. The new APIs will centralise everything PE, reducing code
>>>>>>> duplication and potentially unsafe operations.
>>>>>>> E. Centralising and reduced parse duplication may improve overall
>>>>>>> boot performance.
>>>>>>> F. The code has been coverage-tested to not contain dead code.
>>>>>>> G. The code has been fuzz-tested including sanitizers to not invoke
>>>>>>> undefined behaviour.
>>>>>>> H. I already managed to identify a malformed image in OVMF with its
>>>>>>> help (incorrectly reported section alignment of an Intel IPXE
>>>>>>> driver). A fix will be submitted shortly.
>>>>>>> I. I plan to support PE section permissions, allowing for read-only
>>>>>>> data segments when enabled.
>>>>>>>
>>>>>>> There are likely more points for both lists, but I hope this gives a
>>>>>>> decent starting point for discussion. What are your thoughts on the
>>>>>>> matter? I strongly encourage everyone to read the section regarding
>>>>>>> defects of our publication[2] to better understand the motivation.
>>>>>>> The vague points above can of course be elaborated in due time, as
>>>>>>> you see fit.
>>>>>>>
>>>>>>> Thank you for your time!
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Marvin
>>>>>>>
>>>>>>>
>>>>>>> [1] https://github.com/mhaeuser/ISPRASOpen-SecurePE
>>>>>>>
>>>>>>> [2] https://arxiv.org/pdf/2012.05471.pdf
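As an added example (not code from edk2, GenFw, or any of the thread's authors), this is the kind of structural check a "GenFw --info" pass or Marvin's userspace tool could report on a PE/COFF image: it bounds-checks the headers, validates the alignment fields and walks the section table, rejecting a section whose VirtualAddress is not a multiple of SectionAlignment, the class of inconsistency mentioned for the OVMF iPXE driver. Field offsets follow the PE/COFF specification; the two-section sample image, the defect codes and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets below are those of the PE/COFF specification. The sample images
 * are constructed in build_sample() and are not real edk2 binaries. */
#define PE32PLUS_MAGIC 0x20b
#define SECT_HDR_SIZE  40

enum { PE_OK = 0, PE_TRUNC, PE_BAD_SIG, PE_BAD_ALIGN, PE_SECT_MISALIGNED,
       PE_SECT_OVERLAP, PE_SECT_RAW_OOB };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p)
{
  return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }
static int is_pow2(uint32_t v) { return v != 0 && (v & (v - 1)) == 0; }

/* Return PE_OK or the first defect found in a PE32+ image held in memory.
 * Every header field is checked against the buffer length before it is
 * used, so a hostile image cannot steer the checker past the buffer. */
int check_pe_layout(const uint8_t *img, size_t len)
{
  if (len < 0x40) return PE_TRUNC;
  uint32_t pe_off = rd32(img + 0x3c);                     /* e_lfanew */
  if (pe_off > len || len - pe_off < 24) return PE_TRUNC;  /* signature + COFF header */
  if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return PE_BAD_SIG;
  const uint8_t *coff = img + pe_off + 4;
  uint16_t nsect = rd16(coff + 2);
  uint16_t opt_size = rd16(coff + 16);
  const uint8_t *opt = coff + 20;
  if (opt_size < 64 || opt_size > len - (size_t)(opt - img)) return PE_TRUNC;
  if (rd16(opt) != PE32PLUS_MAGIC) return PE_BAD_SIG;
  uint32_t sect_align = rd32(opt + 32), file_align = rd32(opt + 36);
  uint32_t size_of_image = rd32(opt + 56), size_of_headers = rd32(opt + 60);
  if (!is_pow2(sect_align) || !is_pow2(file_align) || file_align > sect_align) return PE_BAD_ALIGN;
  /* The section table must lie inside the headers, and the headers inside the file. */
  const uint8_t *sh = opt + opt_size;
  size_t table_end = (size_t)(sh - img) + (size_t)nsect * SECT_HDR_SIZE;
  if (size_of_headers > len || table_end > size_of_headers) return PE_TRUNC;
  uint32_t prev_end = size_of_headers;  /* sections follow the headers, in ascending order */
  for (uint16_t i = 0; i < nsect; i++) {
    const uint8_t *s = sh + (size_t)i * SECT_HDR_SIZE;
    uint32_t vsize = rd32(s + 8), vaddr = rd32(s + 12);
    uint32_t raw_size = rd32(s + 16), raw_ptr = rd32(s + 20);
    if (vaddr % sect_align != 0) return PE_SECT_MISALIGNED;  /* VirtualAddress vs SectionAlignment */
    if (vaddr < prev_end || vaddr > size_of_image || vsize > size_of_image - vaddr)
      return PE_SECT_OVERLAP;
    if (raw_size != 0 && (raw_ptr > len || raw_size > len - raw_ptr)) return PE_SECT_RAW_OOB;
    prev_end = vaddr + vsize;  /* a loader would round this up to sect_align */
  }
  return PE_OK;
}

/* Build a constructed two-section PE32+ image of 0x600 bytes. data_vaddr
 * lets the caller plant a misaligned or overlapping .data section on purpose. */
size_t build_sample(uint8_t *buf, uint32_t data_vaddr)
{
  memset(buf, 0, 0x600);
  memcpy(buf, "MZ", 2); wr32(buf + 0x3c, 0x40);
  memcpy(buf + 0x40, "PE\0\0", 4);
  uint8_t *coff = buf + 0x44;
  wr16(coff, 0x8664); wr16(coff + 2, 2); wr16(coff + 16, 0xf0); wr16(coff + 18, 0x22);
  uint8_t *opt = coff + 20;
  wr16(opt, PE32PLUS_MAGIC);
  wr32(opt + 32, 0x1000); wr32(opt + 36, 0x200);   /* SectionAlignment, FileAlignment */
  wr32(opt + 56, 0x3000); wr32(opt + 60, 0x200);   /* SizeOfImage, SizeOfHeaders */
  uint8_t *s = opt + 0xf0;
  memcpy(s, ".text", 5); wr32(s + 8, 0x100); wr32(s + 12, 0x1000); wr32(s + 16, 0x200); wr32(s + 20, 0x200);
  s += SECT_HDR_SIZE;
  memcpy(s, ".data", 5); wr32(s + 8, 0x40); wr32(s + 12, data_vaddr); wr32(s + 16, 0x200); wr32(s + 20, 0x400);
  return 0x600;
}

int main(void)
{
  uint8_t img[0x600];
  size_t n = build_sample(img, 0x2000);
  printf("well-formed image: %d\n", check_pe_layout(img, n));
  build_sample(img, 0x2010);
  printf(".data at 0x2010, not SectionAlignment-aligned: %d\n", check_pe_layout(img, n));
  return 0;
}
```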