* [GSoC] Proposal for a new Image Loader stack
@ 2021-08-05 15:28 Marvin Häuser
From: Marvin Häuser @ 2021-08-05 15:28 UTC (permalink / raw)
To: devel@edk2.groups.io
Cc: Bret Barkelew, You, Benjamin, Andrew Fish, leif, michael.d.kinney
Good day everyone,
Staging branch available at:
https://github.com/tianocore/edk2-staging/tree/2021-gsoc-secure-loader
As part of an internship at ISP RAS, my colleague Vitaly and I developed
a replacement for the current EDK II PE/COFF loader with the help of
formal methods. The reason for this is that people both inside and
outside of the community find the current solution to be unjustifiably
hard to maintain, hard to integrate and expand, as well as hard to
verify and review. Multiple bugs that affect its reliability have been
unfixed for a significant amount of time. During the development of our
proposed alternative, we managed to gain support from well-regarded
community members like Laszlo, whom I would like to thank one more time
for his review work on the publication, and all his efforts around the
EDK II ecosystem, which unfortunately have come to a close recently.
The new solution follows much stricter API and coding practices, aims to
be fully documented and provide additional security hardening, and the
most important properties of the loading process have been formally
verified to ensure functionality and safety. A significant amount of
testing with real-world workloads has been performed already, but we are
yet to present an exhaustive methodology. Please note that since the
last fully verified snapshot, a lot of hacks needed to be implemented,
e.g. around XIP TE Images, and as such code review will definitely be as
important as ever.
To make efforts around Image formats easier in the future, a layer of
abstraction has been introduced in the form of "UefiImageLib". Further
explanation can be found in the branch README. The current design is not
by any means finished, but hopefully it portrays the idea sufficiently
well. Arguably this is the most important design aspect of the
submission, as it will allow for bigger "PeCoffLib" changes without
changing all of the callers, so please voice any sorts of wishes,
feedback, and doubts regarding this new layer.
To gather feedback early and make initial inspection easier, a branch in
edk2-staging has been set up to present the initial work-in-progress
draft to the community. I would like to thank my mentors Bret and Ben
for their efforts and support so far to get this proposal ready. Please
note that this branch does not reflect the patch workflow, and as such
has many changes I will submit as distinct patch sets at a later point
in time. The branch README should hopefully give you a good idea about
the project's state and goals.
Please do not start in-depth code reviews yet, as the current state is
definitely still a work-in-progress. I would like to ask everyone
interested, especially package maintainers close to Image loading code,
to inspect the nature of the changes so far, especially any form of
abstraction, and provide your impressions and concerns regarding the
integration. Please also inspect the work-in-progress documentation
linked in the README, which is far from exhaustive, but should hopefully
provide a good-enough impression of the planned layout.
Several discussions with package maintainers about code directly and
indirectly related to PE/COFF loading are ongoing already, and I believe
we are already making some great progress. Thank you for your
involvement and your time.
Best regards,
Marvin