public inbox for devel@edk2.groups.io
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: "Ni, Ruiyu" <ruiyu.ni@intel.com>,
	"Zimmer, Vincent" <vincent.zimmer@intel.com>,
	"Dong, Eric" <eric.dong@intel.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>,
	Andrew Fish <afish@apple.com>,
	"Gao, Liming" <liming.gao@intel.com>,
	"Kinney, Michael D" <michael.d.kinney@intel.com>,
	"Richardson, Brian" <brian.richardson@intel.com>,
	"Carsey, Jaben" <jaben.carsey@intel.com>,
	"Zeng, Star" <star.zeng@intel.com>
Subject: Re: [PATCH v2 0/7] MdeModulePkg: add support for dispatching foreign arch PE/COFF images
Date: Wed, 19 Sep 2018 09:46:00 +0000
Message-ID: <AA3293D9-4FE7-462F-B2E5-1AB64EF47C2E@intel.com>
In-Reply-To: <A32C5C6B-3B31-4CE4-BA45-4D2365FE97F7@intel.com>

One more: did you enable TPM to see if TPM measurement still works well?

Also, does the defer image solution still take effect with this change?

Sorry to ask many questions, I want to make sure the current security design still works with this new capability.

Thank you!
Yao, Jiewen


> On Sep 19, 2018, at 5:30 PM, Yao, Jiewen <jiewen.yao@intel.com> wrote:
> 
> Thank you Ard. Good to know.
> 
> Did you also try some security tests, such as inputting a bad image to see if the code can return failure gracefully?
> 
> Or enable secure boot to see if the image verification process still works well?
> 
> Thank you!
> Yao, Jiewen
> 
> 
>>> On Sep 18, 2018, at 9:53 PM, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>>> 
>>> On 18 September 2018 at 00:32, Yao, Jiewen <jiewen.yao@intel.com> wrote:
>>> Hi Ard
>>> This is a great feature.
>>> 
>> 
>> Thanks!
>> 
>>> May I know what tests have been done for this patch series?
>>> 
>>> Would you please share that information? No matter whether it is your unit test or system-level test.
>>> 
>> 
>> I have used ArmVirtPkg/ArmVirtQemu.dsc built for AARCH64 in two configurations:
>> - one replacing the native FAT driver built from source with the EBC
>> binary version
>> - another one replacing the FAT driver and including the X86 emulator [0]
>> 
>> The tests involved accessing a FAT partition (both builds) and running
>> the X86 version of iPXE (the latter build only)
>> 
>> 
>> 
>> [0] https://github.com/ardbiesheuvel/X86EmulatorPkg
>> 
>> 
>>>> -----Original Message-----
>>>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
>>>> Ard Biesheuvel
>>>> Sent: Saturday, September 15, 2018 9:29 PM
>>>> To: edk2-devel@lists.01.org
>>>> Cc: Ni, Ruiyu <ruiyu.ni@intel.com>; Zimmer, Vincent
>>>> <vincent.zimmer@intel.com>; Dong, Eric <eric.dong@intel.com>; Andrew
>>>> Fish <afish@apple.com>; Carsey, Jaben <jaben.carsey@intel.com>;
>>>> Richardson, Brian <brian.richardson@intel.com>; Gao, Liming
>>>> <liming.gao@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>;
>>>> Zeng, Star <star.zeng@intel.com>
>>>> Subject: [edk2] [PATCH v2 0/7] MdeModulePkg: add support for dispatching
>>>> foreign arch PE/COFF images
>>>> 
>>>> Add the basic plumbing to DXE core, the PCI bus driver and the boot manager
>>>> to allow PE/COFF images to be dispatched that target an architecture that is
>>>> not native for the platform, but which is supported by one of potentially
>>>> several available emulators.
>>>> 
>>>> One implementation of such an emulator can be found here:
>>>> https://github.com/ardbiesheuvel/X86EmulatorPkg
>>>> 
>>>> This also allows us to get rid of the special treatment of EBC images in
>>>> core code. Instead, the EbcDxe driver is augmented with an implementation
>>>> of the EDK2 PE/COFF image emulator so that internal knowledge of how EBC
>>>> is implemented (I-cache flushing, thunks) is removed from the DXE core.
>>>> 
>>>> Changes since v2:
>>>> - subsume the EBC handling into the EDK2 emulator protocol and abstract
>>>> away from EBC specifics in core code.
>>>> - allow multiple emulator implementations to co-exist
>>>> - incorporate Star's review feedback
>>>> 
>>>> Cc: Vincent Zimmer <vincent.zimmer@intel.com>
>>>> Cc: Brian Richardson <brian.richardson@intel.com>
>>>> Cc: Michael D Kinney <michael.d.kinney@intel.com>
>>>> Cc: Andrew Fish <afish@apple.com>
>>>> Cc: Leif Lindholm <leif.lindholm@linaro.org>
>>>> Cc: Star Zeng <star.zeng@intel.com>
>>>> Cc: Eric Dong <eric.dong@intel.com>
>>>> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
>>>> Cc: Liming Gao <liming.gao@intel.com>
>>>> Cc: Jaben Carsey <jaben.carsey@intel.com>
>>>> Cc: Steven Shi <steven.shi@intel.com>
>>>> 
>>>> Ard Biesheuvel (7):
>>>> MdeModulePkg: introduce PE/COFF image emulator protocol
>>>> MdeModulePkg/DxeCore: invoke the emulator protocol for foreign
>>>> images
>>>> MdeModulePkg/PciBusDxe: invoke PE/COFF emulator for foreign option
>>>>   ROMs
>>>> MdeModulePkg/UefiBootManagerLib: allow foreign Driver#### images
>>>> MdeModulePkg/EbcDxe: implement the PE/COFF emulator protocol
>>>> MdePkg/UefiBaseType.h: treat EBC as a non-native machine type
>>>> MdeModulePkg/DxeCore: remove explicit EBC handling
>>>> 
>>>> MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h       |   1 +
>>>> MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf  |   1 +
>>>> .../Bus/Pci/PciBusDxe/PciOptionRomSupport.c   |  51 ++++++-
>>>> MdeModulePkg/Core/Dxe/DxeMain.h               |   6 +-
>>>> MdeModulePkg/Core/Dxe/DxeMain.inf             |   2 +-
>>>> MdeModulePkg/Core/Dxe/Image/Image.c           | 141
>>>> +++++++++++-------
>>>> .../Include/Protocol/PeCoffImageEmulator.h    |  99 ++++++++++++
>>>> .../Library/UefiBootManagerLib/BmLoadOption.c |  51 ++++++-
>>>> .../Library/UefiBootManagerLib/InternalBm.h   |   1 +
>>>> .../UefiBootManagerLib/UefiBootManagerLib.inf |   1 +
>>>> MdeModulePkg/MdeModulePkg.dec                 |   4 +
>>>> MdeModulePkg/Universal/EbcDxe/EbcDxe.inf      |   3 +
>>>> MdeModulePkg/Universal/EbcDxe/EbcInt.c        | 124
>>>> +++++++++++++++
>>>> MdeModulePkg/Universal/EbcDxe/EbcInt.h        |   3 +
>>>> MdePkg/Include/Uefi/UefiBaseType.h            |   8 +-
>>>> 15 files changed, 432 insertions(+), 64 deletions(-)
>>>> create mode 100644
>>>> MdeModulePkg/Include/Protocol/PeCoffImageEmulator.h
>>>> 
>>>> --
>>>> 2.17.1
>>>> 
>>>> _______________________________________________
>>>> edk2-devel mailing list
>>>> edk2-devel@lists.01.org
>>>> https://lists.01.org/mailman/listinfo/edk2-devel
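
The "bad image" check asked about above, as an added example that is not part of the patch series or of this thread: a bounds-checked classifier that reads the PE/COFF Machine field from an untrusted buffer and fails closed. The function names and the `emulated` list (a stand-in for the machine types accepted by registered emulators) are assumptions; the sample images are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Machine types from the PE/COFF specification. */
#define MACHINE_X64     0x8664
#define MACHINE_AARCH64 0xAA64
#define MACHINE_EBC     0x0EBC

typedef enum { IMG_NATIVE, IMG_EMULATED, IMG_UNSUPPORTED, IMG_MALFORMED } img_class;

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classify an untrusted image buffer without reading out of bounds.
 * `emulated` is a hypothetical stand-in for the set of machine types
 * that registered emulators accept. */
img_class classify_image(const uint8_t *buf, size_t len, uint16_t native,
                         const uint16_t *emulated, size_t n_emulated) {
    if (buf == NULL || len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return IMG_MALFORMED;
    uint32_t pe_off = rd32(buf + 0x3C);     /* e_lfanew comes from the image */
    /* Need signature (4 bytes) + Machine (2); subtract, never add. */
    if (pe_off > len || len - pe_off < 6)
        return IMG_MALFORMED;
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0)
        return IMG_MALFORMED;
    uint16_t machine = (uint16_t)(buf[pe_off + 4] | buf[pe_off + 5] << 8);
    if (machine == native)
        return IMG_NATIVE;
    for (size_t i = 0; i < n_emulated; i++)
        if (emulated[i] == machine)
            return IMG_EMULATED;
    return IMG_UNSUPPORTED;                 /* no emulator claims it: fail closed */
}

/* Constructed sample: zeroed DOS header, e_lfanew, PE signature, Machine. */
size_t build_sample(uint8_t *out, size_t cap, uint32_t pe_off, uint16_t machine) {
    if (cap < 0x40) return 0;
    memset(out, 0, cap);
    out[0] = 'M'; out[1] = 'Z';
    for (int i = 0; i < 4; i++) out[0x3C + i] = (uint8_t)(pe_off >> (8 * i));
    if (pe_off <= cap && cap - pe_off >= 6) {
        memcpy(out + pe_off, "PE\0\0", 4);
        out[pe_off + 4] = (uint8_t)machine; out[pe_off + 5] = (uint8_t)(machine >> 8);
    }
    return cap;
}
```

The same four outcomes are the ones a Secure Boot or TPM measurement regression test would want to see logged before any emulator is invoked.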

