From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+109193+7686176+12367111@groups.io>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108])
	by spool.mail.gandi.net (Postfix) with ESMTPS id 06FAF7803CE
	for <rebecca@openfw.io>; Fri, 29 Sep 2023 10:56:05 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=I/9DpBfw7vhtISX0pYQnGw7+LZz0eQmwUaNB4H3g/XI=;
 c=relaxed/simple; d=groups.io;
 h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:To:Cc:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type:Content-Transfer-Encoding;
 s=20140610; t=1695984964; v=1;
 b=Xl+DD+JglhkeD+2tjGMN2HuKmTVsc8iL08wybCcjzirPbxpRTYCq6bLPQabBl0UrA0luEgnc
 GGgxVrZTpK3AgM1T1lLbwdUbrz+1aFcwNcLYUjYq1q8xJtEYWITYeAhZbgrASwJltW87caAXtEI
 ZIOvNXAaVZ/v1mt9Bey8PQws=
X-Received: by 127.0.0.2 with SMTP id BNxvYY7687511xTjaiWA1Jy5; Fri, 29 Sep 2023 03:56:04 -0700
X-Received: from mail-ua1-f45.google.com (mail-ua1-f45.google.com [209.85.222.45])
 by mx.groups.io with SMTP id smtpd.web10.14563.1695984963672317381
 for <devel@edk2.groups.io>;
 Fri, 29 Sep 2023 03:56:03 -0700
X-Received: by mail-ua1-f45.google.com with SMTP id a1e0cc1a2514c-7ab9488f2f0so5190723241.3
        for <devel@edk2.groups.io>; Fri, 29 Sep 2023 03:56:03 -0700 (PDT)
X-Gm-Message-State: jHkWUD7m29Y1P1Eo2SlJEGaox7686176AA=
X-Google-Smtp-Source: AGHT+IEXjzm7WP9BEj4Q4stc5LimC+2+7FseuT0NQR2J6I8J4wfQw1BwDybUemrdBtoU9ipeQRgloPp6UEWBGbZlVDs=
X-Received: by 2002:a1f:c582:0:b0:49a:3d72:fe82 with SMTP id
 v124-20020a1fc582000000b0049a3d72fe82mr3809302vkf.12.1695984962563; Fri, 29
 Sep 2023 03:56:02 -0700 (PDT)
MIME-Version: 1.0
References: <6odzwzflo4id7ra3cphgk3rhfpr7iqojsfqkbu4tutapcyhk2v@njifptgxmw5n>
 <CAKbZUD2_hV28MHy7dL3sbHPOYtJ5Ok-Qx-PkCDzyfApE60V6KQ@mail.gmail.com> <944EB976-23EA-4921-AAF4-23435772C65A@posteo.de>
In-Reply-To: <944EB976-23EA-4921-AAF4-23435772C65A@posteo.de>
From: "Pedro Falcato" <pedro.falcato@gmail.com>
Date: Fri, 29 Sep 2023 11:55:51 +0100
Message-ID: <CAKbZUD17jgg0pVPndPEe+Jq7+LLPFZUVr7dV1K1Lxd_WD_c7oA@mail.gmail.com>
Subject: Re: [edk2-devel] efi and ext4 and case sensitive file names
To: =?UTF-8?Q?Marvin_H=C3=A4user?= <mhaeuser@posteo.de>
Cc: Gerd Hoffmann <kraxel@redhat.com>, edk2-devel-groups-io <devel@edk2.groups.io>, 
	Laszlo Ersek <lersek@redhat.com>
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,pedro.falcato@gmail.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20140610 header.b=Xl+DD+Jg;
	dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=gmail.com (policy=none);
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io

On Fri, Sep 29, 2023 at 10:47=E2=80=AFAM Marvin H=C3=A4user <mhaeuser@poste=
o.de> wrote:
>
>
> > On Sep 28, 2023, at 19:57, Pedro Falcato <pedro.falcato@gmail.com> wrot=
e:
> >
> > On Wed, Sep 27, 2023 at 1:09=E2=80=AFPM Gerd Hoffmann <kraxel@redhat.co=
m> wrote:
> >>
> >>  Hi,
> >>
> >> I've noticed that the edk2 ext4 driver does case-insensitive filename
> >> matching.  I know the fat filesystem is case-insensitive, and the uefi
> >> spec describing the fat filesystem also explicitly says it is
> >> case-insensitive.  On a quick scan I can't find anything in the uefi
> >> spec requiring *all* filesystem drivers being case-insensitive though.
> >>
> >> So I'm wondering whenever the ext4 driver behavior is correct.  It
> >> certainly is different than the linux kernel's behavior which is (by
> >> default) case-sensitive.
>
> Maybe when Linux starts adhering the spec for file names (the spec clearl=
y defines e.g. BOOTx64.EFI, while at least some distros/images use bootx64.=
efi), this can be discussed. :) Let's not break various GRUB setups...

Agreed.
>
> >
> > Ok, so this is a funny problem. When I was originally writing it, I
> > noticed a good few consumers would expect case insensitiveness, so I
> > ended up needing case insensitive string comparison.
> >
> > As an example, in my current system:
> > Boot0001* ARCHLINUX
> > HD(1,GPT,7e1b2e20-3013-4683-b8ab-bef1f9bfb1c8,0x800,0x32000)/File(\EFI\=
ARCHLINUX\GRUBX64.EFI)
> > whereas the GRUB tooling installed itself as:
> > /boot/efi/EFI/ARCHLINUX/grubx64.efi
> >
> > I treated some good bits of the filesystem driver as "should remain
> > similar to FAT" due to compatibility reasons.
>
> Definitely must keep it that way. I think true user-facing case-sensitivi=
ty is mostly a Linux thing, even recent macOS APFS is still only case-prese=
rving (UX-wise). There certainly is no real use-case for UEFI itself beyond=
 things like Linux interoperability.
>
> > I really really wouldn't
> > be surprised if lots of EFI code out there relied on case
> > insensitiveness or other FAT-ish stuff, instead of UNIX semantics.
> > (funnily enough, EFI also has the restriction where every filename
> > must be valid unicode, which is not the case on most UNIX systems out
> > there, that take the file name as "bag of bytes - '/'")
> >
> >>
> >> Also note that the linux kernel ext4 driver recently got support for
> >> case-insensitive file names, which must be explicitly enabled for both
> >> filesystems (EXT4_FEATURE_INCOMPAT_CASEFOLD) and directories
> >> (EXT4_CASEFOLD_FL).
> >
> > Ugh, this is annoying, they didn't even bother documenting it...
> > (https://www.kernel.org/doc/html/latest/filesystems/ext4/globals.html#s=
uper-incompat)
> > This leaves me in the awkward spot where figuring the behavior out
> > would require me to read the fs/ext4 code and thus be legally dubious,
> > yay :^)
>
> All hail GPL...
>
> >
> >>
> >> On practical terms I've ran into actual problems due to Fedora mountin=
g
> >> the ESP at /boot/efi[1] and UKIs (unified kernel images) should be
> >> placed in EFI/Linux on either ESP or XBOOTLDR partition, which on fedo=
ra
> >> translates to /boot/efi/EFI/Linux (ESP) or /boot/EFI/Linux (XBOOTLDR).
> >> So I have both /boot/efi and /boot/EFI ...
> >
> > Oh boy, that seems fun. So Ext4Dxe can only open one of the two dirs, r=
ight?
> > Now that I think of it, there should be fun behavior when doing an EFI
> > readdir, where you could find two dirents with "different" names but
> > then opening both will lead to the same dirent being open twice...
> > yuck
>
> Yes, but this often is not a concern due to case-preservation. There also=
 isn't much of a "right or wrong", as supporting case-insensitivity here co=
uld change the semantics of existing desync'd sensitivity setups. However, =
case-insensitivity would at least be more predictable.
>
> The only real options are:
>
> 1) We assume the host OS understands that UEFI is inherently case-sensiti=
ve and doesn't do weird things, then the current behaviour makes sense. It'=
s efficient, doesn't touch unnecessary data, but it's not so predictable.

Status quo, kind of works but breaks in Gerd's use case.
>
> 2) We assume the host OS understands this, but we consider this a risk to=
 security. Then it might make sense to reject FSes that feature this. Obvio=
usly Secure Boot and such should be taking care of only invoking trusted bi=
naries, but someone might be trying to invoke ambiguous FS driver behaviour=
 because they are aware of an exploit vector. Nevertheless, this seems unne=
cessary and overkill, also it doesn't fix the broken UX. It will actually c=
ompletely break that Linux use-case, which might be a bug or a feature. :) =
But it's predictable!

Probably not a way forward, yeah.
>
> 3) We assume the host OS does not do its job, but we are being nice anywa=
y. Then it might make sense to have opportunistic case-sensitivity, where e=
quality is preferred, but insensitive-equality is used as a fallback. This =
fixes the issue when the OS is at least consistent in its insensitivity-vio=
lation. However, as Pedro showed an example of a desync'd device path and F=
S name, there is yet another loophole to (accidentally) abuse the ambiguity=
. Not even some obviously crazy stuff like ranking by editing distances can=
 save you here. And it's also limited in predictability when there is no ex=
act match.
>

I'm relatively ok with this, aka doing an exact search first and
*only* then doing a case insensitive search (if CASEFOLD_FL, we would
skip the exact search). It should solve all compatibility problems
with UNIXes, although at the moment I'm wary of any possible security
concerns.

> I don't think any option is particularly nice, but 1) is the easiest. :)

1) is the easiest, but it also has weird edge cases.
3) has the nice property of being compatible with both
EFI/windows-style users (that expect insensitivity) and UNIX-style
users (that don't expect it), but it also has weird edge cases (true
insensitive behavior should make sure sHell.EFI and Shell.efi both
resolve to the same file in every situation).

Pick your poison :/

--=20
Pedro


-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109193): https://edk2.groups.io/g/devel/message/109193
Mute This Topic: https://groups.io/mt/101615699/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-