From: Laszlo Ersek <lersek@redhat.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
"Zeng, Star" <star.zeng@intel.com>
Cc: "Ni, Ruiyu" <ruiyu.ni@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
"Dong, Eric" <eric.dong@intel.com>,
"leif.lindholm@linaro.org" <leif.lindholm@linaro.org>
Subject: Re: [PATCH] MdeModulePkg/UefiBootManagerLib: don't ASSERT on 'BootNext' varname
Date: Wed, 4 Oct 2017 16:40:38 +0200 [thread overview]
Message-ID: <5e81c006-bbe4-5124-4227-fb06805a1256@redhat.com> (raw)
In-Reply-To: <CAKv+Gu9WfoSj7ofHZVzyfv4CoQj5yCmNk5-9kOcm245tdDN0MQ@mail.gmail.com>
On 10/04/17 15:54, Ard Biesheuvel wrote:
> On 4 October 2017 at 14:49, Zeng, Star <star.zeng@intel.com> wrote:
>> Creating Boot000@ with gEfiGlobalVariableGuid can not succeed as it will be
>> rejected by MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf that
>> will check the VariableName against UEFI spec “Table 13. Global Variables”
>> if the VendorGuid is gEfiGlobalVariableGuid.
>>
>>
>>
>> I would suspect there is a bug at other place if the code ends up calling
>> this function(EfiBootManagerIsValidLoadOptionVariableName) on L"BootNext".
>>
>
> That still does not mean you should ASSERT() here. The state of the
> variable store != the internals of the code, and so it should be
> considered external input to some extent.
At least under some circumstances, I disagree with this. The assumption
that the variable store can be written only by privileged firmware
routines is core to Secure Boot, for example.
> ASSERTs are meant to catch
> programming errors, not errors in the varstore image.
I agree.
However, as a corollary to the above, if said "privileged routines" are
supposed to catch all invalid inputs passed to gRT->SetVariable(), then
the rest of the firmware is right to assume that the contents of the
variable store are valid. If it is found invalid at some point, then it
is indeed due to a programming error (somewhere in the
gRT->SetVariable() machinery, that is), so the ASSERT() is justified.
Another example in support of this argument is the Fault Tolerant Write
machinery -- the firmware tries very hard to recover from power loss
during a varstore update. If, on reboot, the error proves
non-recoverable (i.e. we cannot even roll back to a previous pristine
state), then that can be considered a bug (or design error) in FTW.
That said, I agree with the patch. BmCharToUint() explicitly documents
"conversion failed" as a return condition, and both functions that call
BmCharToUint(), namely EfiBootManagerIsValidLoadOptionVariableName() and
BmIsKeyOptionVariable(), check for that return condition.
Thanks,
Laszlo
next prev parent reply other threads:[~2017-10-04 14:37 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-03 17:17 [PATCH] MdeModulePkg/UefiBootManagerLib: don't ASSERT on 'BootNext' varname Ard Biesheuvel
2017-10-03 23:56 ` Zeng, Star
2017-10-03 23:59 ` Ard Biesheuvel
2017-10-04 0:18 ` Yao, Jiewen
2017-10-04 13:49 ` Zeng, Star
2017-10-04 13:54 ` Ard Biesheuvel
2017-10-04 14:09 ` Zeng, Star
2017-10-04 15:06 ` Laszlo Ersek
2017-10-05 7:31 ` Zeng, Star
2017-10-05 7:59 ` Laszlo Ersek
2017-10-05 9:08 ` Yao, Jiewen
2017-10-10 9:12 ` Ni, Ruiyu
2017-10-04 14:40 ` Laszlo Ersek [this message]
2017-10-04 15:01 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5e81c006-bbe4-5124-4227-fb06805a1256@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox