Re: [edk2-devel] [PATCH 1/2] OvmfPkg: Introduce NULL class library to inhibit driver load

["Ard Biesheuvel" <ardb@kernel.org>]

On Tue, 16 Aug 2022 at 23:10, Brian J. Johnson <brian.johnson@hpe.com> wrote:
>
> On 8/16/22 07:30, Laszlo Ersek wrote:
> > On 08/15/22 11:40, Ard Biesheuvel wrote:
> >> Add a new library that can be incorporated into any driver built from
> >> source, and which permits loading of the driver to be inhibited based on
> >> the value of a QEMU fw_cfg boolean variable. This will be used in a
> >> subsequent patch to allow dispatch of the IPv6 and IPv6 network protocol
> >
> > (1) typo? (should be "IPv4 and IPv6" I think)
> >
> >> driver to be controlled from the QEMU command line.
> >>
> >> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> >> ---
> >>   OvmfPkg/Library/DriverLoadInhibitorLib/DriverLoadInhibitorLib.c   | 30 ++++++++++++++++++++
> >>   OvmfPkg/Library/DriverLoadInhibitorLib/DriverLoadInhibitorLib.inf | 28 ++++++++++++++++++
> >>   OvmfPkg/OvmfPkg.dec                                               |  4 +++
> >>   3 files changed, 62 insertions(+)
> >>
> >> diff --git a/OvmfPkg/Library/DriverLoadInhibitorLib/DriverLoadInhibitorLib.c b/OvmfPkg/Library/DriverLoadInhibitorLib/DriverLoadInhibitorLib.c
> >> new file mode 100644
> >> index 000000000000..dc8544bc38be
> >> --- /dev/null
> >> +++ b/OvmfPkg/Library/DriverLoadInhibitorLib/DriverLoadInhibitorLib.c
> >> @@ -0,0 +1,30 @@
> >> +// @file
> >> +// Copyright (c) 2022, Google LLC. All rights reserved.<BR>
> >> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> >> +//
> >> +
> >> +#include <PiDxe.h>
> >> +
> >> +#include <Library/QemuFwCfgSimpleParserLib.h>
> >> +#include <Library/UefiBootServicesTableLib.h>
> >> +
> >> +STATIC CHAR16 mExitData[] = L"Driver dispatch inhibited by QEMU fw_cfg variable.";
> >> +
> >> +EFI_STATUS
> >> +EFIAPI
> >> +DriverLoadInhibitorLibConstructor (
> >> +  IN  EFI_HANDLE        Handle,
> >> +  IN  EFI_SYSTEM_TABLE  *SystemTable
> >> +  )
> >> +{
> >> +  RETURN_STATUS     Status;
> >> +  BOOLEAN           Enabled;
> >> +
> >> +  Status = QemuFwCfgParseBool (FixedPcdGetPtr (PcdDriverInhibitorFwCfgVarName),
> >> +             &Enabled);
> >> +  if (!RETURN_ERROR (Status) && !Enabled) {
> >> +    return gBS->Exit (Handle, EFI_REQUEST_UNLOAD_IMAGE, sizeof mExitData,
> >> +                  mExitData);
> >
> > (2) Per UEFI spec, ExitData should be allocated with
> > gBS->AllocatePool().
> >
> > (3) EFI_REQUEST_UNLOAD_IMAGE is from the PI spec; while not wrong, I
> > think it's strange to use here. EFI_ABORTED or something similar from
> > the UEFI spec would be a better fit IMO.
> >
> > (4) And then, the big problem:
> >
> > I agree that returning an error from the constructor would not be
> > beneficial, as it would cause an assertion to fail in the
> > ProcessLibraryConstructorList() function, in the generated "AutoGen.c"
> > file.
> >
> > However, calling gBS->Exit() from a constructor seems unsafe to me, with
> > regard to library destructors.
> >
> > Now, in the current case (considering patch#2), this unsafety is not
> > visible. That's because:
> >
> > (quoting ProcessLibraryConstructorList() and
> > ProcessLibraryDestructorList() from
> > "Build/OvmfX64/NOOPT_GCC5/X64/NetworkPkg/Ip4Dxe/Ip4Dxe/DEBUG/AutoGen.c",
> > from an earlier build on my machine anyway):
> >
> >> VOID
> >> EFIAPI
> >> ProcessLibraryConstructorList (
> >>    IN EFI_HANDLE        ImageHandle,
> >>    IN EFI_SYSTEM_TABLE  *SystemTable
> >>    )
> >> {
> >>    EFI_STATUS  Status;
> >>
> >>    Status = PlatformDebugLibIoPortConstructor ();
> >>    ASSERT_RETURN_ERROR (Status);
> >>
> >>    Status = UefiBootServicesTableLibConstructor (ImageHandle, SystemTable);
> >>    ASSERT_EFI_ERROR (Status);
> >>
> >>    Status = DevicePathLibConstructor (ImageHandle, SystemTable);
> >>    ASSERT_EFI_ERROR (Status);
> >>
> >>    Status = UefiRuntimeServicesTableLibConstructor (ImageHandle, SystemTable);
> >>    ASSERT_EFI_ERROR (Status);
> >>
> >>    Status = UefiLibConstructor (ImageHandle, SystemTable);
> >>    ASSERT_EFI_ERROR (Status);
> >>
> >>    Status = UefiHiiServicesLibConstructor (ImageHandle, SystemTable);
> >>    ASSERT_EFI_ERROR (Status);
> >>
> >>    Status = DpcLibConstructor (ImageHandle, SystemTable);
> >>    ASSERT_EFI_ERROR (Status);
> >>
> >> }
> >>
> >>
> >>
> >> VOID
> >> EFIAPI
> >> ProcessLibraryDestructorList (
> >>    IN EFI_HANDLE        ImageHandle,
> >>    IN EFI_SYSTEM_TABLE  *SystemTable
> >>    )
> >> {
> >>
> >> }
> >
> > there is no library destruction to speak of -- none of the used library
> > instances have resources they need to release at destruction time.
> >
> > However, the general case looks problematic. The new library constructor
> > call would be inserted *somewhere* in ProcessLibraryConstructorList() --
> > the insertion point is likely "mostly unspecified", as no library
> > instance depends on DriverLoadInhibitorLib, and DriverLoadInhibitorLib
> > seems to depend on relatively few lib classes too. Therefore, in theory
> > anyway, the new lib constructor could call gBS->Exit() somewhere in the
> > middle of ProcessLibraryConstructorList(), with only some of the library
> > constructors having been executed.
> >
> > Then the questions are
> >
> > - does gBS->Exit() call ProcessLibraryDestructorList() or not?
> >
> >    - if it does not, that could lead to memory leaks.
> >
> >    - If it does though, is ProcessLibraryDestructorList() smart enough to
> >      call only those destructors whose constructors have previously run?
> >
> >      - If not, it could call destructors on never-constructed data.
> >
> > Unfortunately, this looks really tough to figure out; testing it (with
> > some actual library destructors) could be easier.
> >
> >
> > FWIW, there are two call sites for ProcessLibraryDestructorList() (for
> > UEFI/DXE drivers anyway); both in
> > "MdePkg/Library/UefiDriverEntryPoint/DriverEntryPoint.c":
> >
> > - One is inside the _ModuleEntryPoint() function.
> >
> >    This call is reached only when the function designated as ENTRY_POINT
> >    in the driver's INF file returns (note, said function is not the
> >    actual entry point function of the driver -- the actual entry point is
> >    the _ModuleEntryPoint() function).
> >
> >    When gBS->Exit() is called, the CoreExit() function
> >    [MdeModulePkg/Core/Dxe/Image/Image.c] long-jumps back to
> >    CoreStartImage(), and no part of the driver's _ModuleEntryPoint() is
> >    again used. So the first ProcessLibraryDestructorList() call site,
> >    namely the one in ModuleEntryPoint(), is not reached when gBS->Exit()
> >    is called.
> >
> > - The other ProcessLibraryDestructorList() call site is in
> >    _DriverUnloadHandler()
> >    [MdePkg/Library/UefiDriverEntryPoint/DriverEntryPoint.c].
> >
> >    Now it's not easy at all to say whether gBS->Exit() utilizes this
> >    function or not, when it unloads the image (because, per spec,
> >    gBS->Exit() *is* responsible for unloading the image).
> >
> >    However, we need not track that down right now, to see that the
> >    proposed patch is unsafe in this aspect. That's because
> >    _ModuleEntryPoint() does the following:
> >
> >>    //
> >>    // Call constructor for all libraries
> >>    //
> >>    ProcessLibraryConstructorList (ImageHandle, SystemTable);
> >>
> >>    //
> >>    //  Install unload handler...
> >>    //
> >>    if (_gDriverUnloadImageCount != 0) {
> >>      Status = gBS->HandleProtocol (
> >>                      ImageHandle,
> >>                      &gEfiLoadedImageProtocolGuid,
> >>                      (VOID **)&LoadedImage
> >>                      );
> >>      ASSERT_EFI_ERROR (Status);
> >>      LoadedImage->Unload = _DriverUnloadHandler;
> >>    }
> >
> >    In other words, even if CoreExit() might call Unload -->
> >    _DriverUnloadHandler() --> ProcessLibraryDestructorList() somewhere,
> >    _ModuleEntryPoint() sets "Unload" to "_DriverUnloadHandler" only
> >    *after* ProcessLibraryConstructorList() returns. And the proposed
> >    patch calls gBS->Exit() from *inside* ProcessLibraryConstructorList(),
> >    that is, when "Unload" is not set yet.
> >

Agree with all of the above. At this point, I think the only way to do
this properly is to create an alternative UefiDriverEntrypoint library
with the fw_cfg check folded into it. This is easy to do and addresses
all the concerns raised here (as it can force the driver entry point
function to return any value at any point) but the code duplication is
unfortunate.


> > On physical machines, I've seen firmware options for disabling the IP
> > stack entirely; I wonder how those firmwares do it...
>
> I don't know how any physical machine handles that particular option.
> But one approach would be to add a GUID to the depex of the module you
> want to control, and install it only when you want the module to be
> dispatched.  That's pretty straightforward, although it does result in
> "Driver %g was discovered but not loaded!!" messages from
> CoreDisplayDiscoveredNotDispatched() if sufficient debugging is enabled.
>

I think the diagnostic is fine. But I don't think adding DEPEXes to
UEFI drivers (as opposed to DXE drivers) is proper, or even supported.
It would also require the drivers in other packages to be updated.

What i i like about the current approach is that the library can tie
any driver or app dispatch to any fw_cfg variable in QEMU (provided
that its build is directed by the .dsc in question). Switching to an
alternate UefiDriverEntrypoint implementation would limit this to
drivers, but this is fine for the purpose at hand.