From: "Marvin Häuser" <mhaeuser@posteo.de>
To: devel@edk2.groups.io, mcb30@ipxe.org,
Laszlo Ersek <lersek@redhat.com>, Andrew Fish <afish@apple.com>,
Michael Kinney <michael.d.kinney@intel.com>
Subject: Re: [edk2-devel] [GSoC proposal] Secure Image Loader
Date: Thu, 8 Apr 2021 12:13:24 +0200 [thread overview]
Message-ID: <4710c380-5f54-4bc6-d43c-e372f484a062@posteo.de> (raw)
In-Reply-To: <f43f8599-1c9b-d96d-4d0f-324e76c9b163@ipxe.org>
On 08.04.21 11:55, Michael Brown wrote:
> On 08/04/2021 10:41, Marvin Häuser wrote:
>> No, backwards-compatibility will not be broken in the sense that the
>> old API is absent or malfunctioning.
>
> Perfect. :)
>
>> As I *have* said, I imagine there to be an option (default true) to
>> expose both variants.
>
> Very much less perfect. The mere existence of such an option
> immediately reimposes the burden on external code to support both,
> because it opens up the possibility of running on systems where the
> option is set to false.
One more time, I do not know why any non-platform code would call those
APIs. Preferably, they would be private implementation details to me. I
understand that you are displeased with your maintenance burden in iPXE,
and I can assure you, you are not alone. We want to support hotswap with
one of our UEFI applications, and I am currently contemplating
overriding Uninstall(Multiple)ProtocolInterface(s) to try to ensure
security. I hear you, totally. :)
>> With default settings, I want the loader to be at the very least
>> mostly plug-'n'-play with existing platform drivers and OS loaders
>> from the real world. "Mostly" can be clarified further once we have a
>> detailed plan on the changes (and responses to e.g. malformed binary
>> issues with iPXE and GNU-EFI).
>
> Yes; thank you for https://github.com/ipxe/ipxe/pull/313. It will
> take some time to review.
>
> As a practical consideration: unless there is a security reason to do
> otherwise, you should almost certainly relax the constraints on images
> that your loader will accept, to avoid causing unnecessary end-user
> disruption. What is the *security* reason behind your alignment
> requirements (which clearly are not required by any other toolchain,
> including those used for signing Secure Boot binaries)?
Sorry if that was not clear from the PR, I hoped it was. It's the fact
that memory permissions can only be enforced page-wise. So, when two
sections with different permissions share a page, at the very least this
page must be applied with relaxed permissions. I do not like relaxing
permissions. :)
There already is a PCD to relax this, and both iPXE and GNU-EFI images
load correctly and securely with it. Just the more relaxed loading is,
the more awkward cases need to be considered when applying memory
permission attributes. Logically, as the original ELF was correctly
aligned segment-wise, the case I described above will not really happen.
Yet it is now the firmware's burden to check all sections with
overlapping pages for their attributes and adjust. As, please do not
take this offensively, it is "only" iPXE images and the GNU shim loader
affected so far, I hope that in due time all images can be updated (the
shim can be used for older releases of any distribution as well!) and
the constraints be tightened. Yet, of course, this is up to the EDK II
maintainers to decide.
I furthermore hope that, at some point, both iPXE and shim switch to EDK
II for PE generation to ensure consistency of the binary generation.
Best regards,
Marvin
>
> Thanks,
>
> Michael
>
>
>
>
>
next prev parent reply other threads:[~2021-04-08 10:13 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-04 23:01 [GSoC proposal] Secure Image Loader Marvin Häuser
2021-04-06 9:41 ` [edk2-devel] " Nate DeSimone
2021-04-06 10:06 ` Marvin Häuser
2021-04-06 16:16 ` [EXTERNAL] " Bret Barkelew
2021-04-08 11:16 ` Laszlo Ersek
2021-04-08 14:13 ` Andrew Fish
2021-04-08 16:06 ` Marvin Häuser
2021-04-08 16:44 ` Andrew Fish
2021-04-08 17:02 ` Marvin Häuser
2021-04-08 17:39 ` Andrew Fish
2021-04-08 21:07 ` Marvin Häuser
2021-04-08 21:48 ` Andrew Fish
2021-04-08 22:42 ` Michael Brown
2021-04-12 17:22 ` Marvin Häuser
2021-04-12 18:30 ` [EXTERNAL] " Bret Barkelew
2021-04-13 0:19 ` Michael D Kinney
2021-04-13 0:56 ` Nate DeSimone
2021-04-13 7:31 ` Marvin Häuser
2021-04-13 15:05 ` Andrew Fish
2021-04-13 18:04 ` Nate DeSimone
2021-04-13 18:08 ` Michael D Kinney
2021-04-13 18:14 ` Andrew Fish
2021-04-16 7:36 ` Marvin Häuser
2021-04-07 21:05 ` Michael Brown
2021-04-07 21:31 ` Marvin Häuser
2021-04-07 21:50 ` Michael Brown
2021-04-07 22:02 ` Andrew Fish
[not found] ` <1673B28429E5B4FE.4742@groups.io>
2021-04-07 22:10 ` Andrew Fish
2021-04-08 9:04 ` Marvin Häuser
2021-04-08 9:40 ` Michael Brown
2021-04-08 8:53 ` Marvin Häuser
2021-04-08 9:26 ` Michael Brown
2021-04-08 9:41 ` Marvin Häuser
2021-04-08 9:50 ` Marvin Häuser
2021-04-08 9:55 ` Michael Brown
2021-04-08 10:13 ` Marvin Häuser [this message]
2021-04-08 10:31 ` Michael Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4710c380-5f54-4bc6-d43c-e372f484a062@posteo.de \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox