From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by mx.groups.io with SMTP id smtpd.web12.26463.1660725602418572442 for ; Wed, 17 Aug 2022 01:40:02 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=ISVxiglF; spf=pass (domain: kernel.org, ip: 139.178.84.217, mailfrom: ardb@kernel.org) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id A764561324 for ; Wed, 17 Aug 2022 08:40:01 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1146BC433D7 for ; Wed, 17 Aug 2022 08:40:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1660725601; bh=GxQuVgAVp66mICpredFUZmzJ7I1aePQYe/7XpKmJTiI=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=ISVxiglFEf6CSGdp8HpvAQozGw9muQzi4d4ORfYzgEVNLjsLwwAj5pOGotzw+fv2c +o6SygXHIav/Vz+OoKbRQ9n1tQ7hTiNFG/eSnSi8HoUq5LvpjguOLPGBhv6zR5VBZq T4+us1xCBxKj0wMZK5QgUbM6vkXetRb/ODrBBCk7hOvw9m3jT3WiZof7wPaOggZNXg wyUtvDY7vMyhInAV9zszbSAk2+kg+BD7JFvcYVFFCdg/qFJ5SDCbw77ang7cwi+ayL JA6EvkPvvcQOhWr9VSyr3YRpyPG5mX4PbdYWaM7p9RtvBxblIaZfIwagQ9bQu51XL6 YOyuE/al7plwA== Received: by mail-wr1-f54.google.com with SMTP id bs25so15407306wrb.2 for ; Wed, 17 Aug 2022 01:40:00 -0700 (PDT) X-Gm-Message-State: ACgBeo1ohOd/7Ot94No9vgsjW4o9KMGW67PKPFG2BRsg/6HpYwr6YyZP gIdhqlEszZfHJvGRUitEr6ms0Mc5f4SV23ihr/M= X-Google-Smtp-Source: AA6agR5QM8kIUpTbaEu9IFkGBg9EjgAiStDmyDe8Nr810txrzu87wrySVDBNjaawsRCINuW+sv/Zh4yAe4k2rR7qzZw= X-Received: by 2002:adf:f40c:0:b0:225:d09:246d with SMTP id g12-20020adff40c000000b002250d09246dmr6187999wro.561.1660725599245; Wed, 17 Aug 2022 01:39:59 -0700 (PDT) MIME-Version: 1.0 References: <20220815094030.465587-1-ardb@kernel.org> <20220815094030.465587-2-ardb@kernel.org> <3cc22b45-149b-15c5-257d-347d1a13cd96@redhat.com> <8a033ba8-967e-002d-2d39-6d19273403d2@hpe.com> In-Reply-To: <8a033ba8-967e-002d-2d39-6d19273403d2@hpe.com> From: "Ard Biesheuvel" Date: Wed, 17 Aug 2022 10:39:47 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [edk2-devel] [PATCH 1/2] OvmfPkg: Introduce NULL class library to inhibit driver load To: devel@edk2.groups.io, brian.johnson@hpe.com Cc: lersek@redhat.com, Yuan Yu , Gerd Hoffmann , Pawel Polawski , Oliver Steffen , Jiewen Yao Content-Type: text/plain; charset="UTF-8" On Tue, 16 Aug 2022 at 23:10, Brian J. Johnson wrote: > > On 8/16/22 07:30, Laszlo Ersek wrote: > > On 08/15/22 11:40, Ard Biesheuvel wrote: > >> Add a new library that can be incorporated into any driver built from > >> source, and which permits loading of the driver to be inhibited based on > >> the value of a QEMU fw_cfg boolean variable. This will be used in a > >> subsequent patch to allow dispatch of the IPv6 and IPv6 network protocol > > > > (1) typo? (should be "IPv4 and IPv6" I think) > > > >> driver to be controlled from the QEMU command line. > >> > >> Signed-off-by: Ard Biesheuvel > >> --- > >> OvmfPkg/Library/DriverLoadInhibitorLib/DriverLoadInhibitorLib.c | 30 ++++++++++++++++++++ > >> OvmfPkg/Library/DriverLoadInhibitorLib/DriverLoadInhibitorLib.inf | 28 ++++++++++++++++++ > >> OvmfPkg/OvmfPkg.dec | 4 +++ > >> 3 files changed, 62 insertions(+) > >> > >> diff --git a/OvmfPkg/Library/DriverLoadInhibitorLib/DriverLoadInhibitorLib.c b/OvmfPkg/Library/DriverLoadInhibitorLib/DriverLoadInhibitorLib.c > >> new file mode 100644 > >> index 000000000000..dc8544bc38be > >> --- /dev/null > >> +++ b/OvmfPkg/Library/DriverLoadInhibitorLib/DriverLoadInhibitorLib.c > >> @@ -0,0 +1,30 @@ > >> +// @file > >> +// Copyright (c) 2022, Google LLC. All rights reserved.
> >> +// SPDX-License-Identifier: BSD-2-Clause-Patent > >> +// > >> + > >> +#include > >> + > >> +#include > >> +#include > >> + > >> +STATIC CHAR16 mExitData[] = L"Driver dispatch inhibited by QEMU fw_cfg variable."; > >> + > >> +EFI_STATUS > >> +EFIAPI > >> +DriverLoadInhibitorLibConstructor ( > >> + IN EFI_HANDLE Handle, > >> + IN EFI_SYSTEM_TABLE *SystemTable > >> + ) > >> +{ > >> + RETURN_STATUS Status; > >> + BOOLEAN Enabled; > >> + > >> + Status = QemuFwCfgParseBool (FixedPcdGetPtr (PcdDriverInhibitorFwCfgVarName), > >> + &Enabled); > >> + if (!RETURN_ERROR (Status) && !Enabled) { > >> + return gBS->Exit (Handle, EFI_REQUEST_UNLOAD_IMAGE, sizeof mExitData, > >> + mExitData); > > > > (2) Per UEFI spec, ExitData should be allocated with > > gBS->AllocatePool(). > > > > (3) EFI_REQUEST_UNLOAD_IMAGE is from the PI spec; while not wrong, I > > think it's strange to use here. EFI_ABORTED or something similar from > > the UEFI spec would be a better fit IMO. > > > > (4) And then, the big problem: > > > > I agree that returning an error from the constructor would not be > > beneficial, as it would cause an assertion to fail in the > > ProcessLibraryConstructorList() function, in the generated "AutoGen.c" > > file. > > > > However, calling gBS->Exit() from a constructor seems unsafe to me, with > > regard to library destructors. > > > > Now, in the current case (considering patch#2), this unsafety is not > > visible. That's because: > > > > (quoting ProcessLibraryConstructorList() and > > ProcessLibraryDestructorList() from > > "Build/OvmfX64/NOOPT_GCC5/X64/NetworkPkg/Ip4Dxe/Ip4Dxe/DEBUG/AutoGen.c", > > from an earlier build on my machine anyway): > > > >> VOID > >> EFIAPI > >> ProcessLibraryConstructorList ( > >> IN EFI_HANDLE ImageHandle, > >> IN EFI_SYSTEM_TABLE *SystemTable > >> ) > >> { > >> EFI_STATUS Status; > >> > >> Status = PlatformDebugLibIoPortConstructor (); > >> ASSERT_RETURN_ERROR (Status); > >> > >> Status = UefiBootServicesTableLibConstructor (ImageHandle, SystemTable); > >> ASSERT_EFI_ERROR (Status); > >> > >> Status = DevicePathLibConstructor (ImageHandle, SystemTable); > >> ASSERT_EFI_ERROR (Status); > >> > >> Status = UefiRuntimeServicesTableLibConstructor (ImageHandle, SystemTable); > >> ASSERT_EFI_ERROR (Status); > >> > >> Status = UefiLibConstructor (ImageHandle, SystemTable); > >> ASSERT_EFI_ERROR (Status); > >> > >> Status = UefiHiiServicesLibConstructor (ImageHandle, SystemTable); > >> ASSERT_EFI_ERROR (Status); > >> > >> Status = DpcLibConstructor (ImageHandle, SystemTable); > >> ASSERT_EFI_ERROR (Status); > >> > >> } > >> > >> > >> > >> VOID > >> EFIAPI > >> ProcessLibraryDestructorList ( > >> IN EFI_HANDLE ImageHandle, > >> IN EFI_SYSTEM_TABLE *SystemTable > >> ) > >> { > >> > >> } > > > > there is no library destruction to speak of -- none of the used library > > instances have resources they need to release at destruction time. > > > > However, the general case looks problematic. The new library constructor > > call would be inserted *somewhere* in ProcessLibraryConstructorList() -- > > the insertion point is likely "mostly unspecified", as no library > > instance depends on DriverLoadInhibitorLib, and DriverLoadInhibitorLib > > seems to depend on relatively few lib classes too. Therefore, in theory > > anyway, the new lib constructor could call gBS->Exit() somewhere in the > > middle of ProcessLibraryConstructorList(), with only some of the library > > constructors having been executed. > > > > Then the questions are > > > > - does gBS->Exit() call ProcessLibraryDestructorList() or not? > > > > - if it does not, that could lead to memory leaks. > > > > - If it does though, is ProcessLibraryDestructorList() smart enough to > > call only those destructors whose constructors have previously run? > > > > - If not, it could call destructors on never-constructed data. > > > > Unfortunately, this looks really tough to figure out; testing it (with > > some actual library destructors) could be easier. > > > > > > FWIW, there are two call sites for ProcessLibraryDestructorList() (for > > UEFI/DXE drivers anyway); both in > > "MdePkg/Library/UefiDriverEntryPoint/DriverEntryPoint.c": > > > > - One is inside the _ModuleEntryPoint() function. > > > > This call is reached only when the function designated as ENTRY_POINT > > in the driver's INF file returns (note, said function is not the > > actual entry point function of the driver -- the actual entry point is > > the _ModuleEntryPoint() function). > > > > When gBS->Exit() is called, the CoreExit() function > > [MdeModulePkg/Core/Dxe/Image/Image.c] long-jumps back to > > CoreStartImage(), and no part of the driver's _ModuleEntryPoint() is > > again used. So the first ProcessLibraryDestructorList() call site, > > namely the one in ModuleEntryPoint(), is not reached when gBS->Exit() > > is called. > > > > - The other ProcessLibraryDestructorList() call site is in > > _DriverUnloadHandler() > > [MdePkg/Library/UefiDriverEntryPoint/DriverEntryPoint.c]. > > > > Now it's not easy at all to say whether gBS->Exit() utilizes this > > function or not, when it unloads the image (because, per spec, > > gBS->Exit() *is* responsible for unloading the image). > > > > However, we need not track that down right now, to see that the > > proposed patch is unsafe in this aspect. That's because > > _ModuleEntryPoint() does the following: > > > >> // > >> // Call constructor for all libraries > >> // > >> ProcessLibraryConstructorList (ImageHandle, SystemTable); > >> > >> // > >> // Install unload handler... > >> // > >> if (_gDriverUnloadImageCount != 0) { > >> Status = gBS->HandleProtocol ( > >> ImageHandle, > >> &gEfiLoadedImageProtocolGuid, > >> (VOID **)&LoadedImage > >> ); > >> ASSERT_EFI_ERROR (Status); > >> LoadedImage->Unload = _DriverUnloadHandler; > >> } > > > > In other words, even if CoreExit() might call Unload --> > > _DriverUnloadHandler() --> ProcessLibraryDestructorList() somewhere, > > _ModuleEntryPoint() sets "Unload" to "_DriverUnloadHandler" only > > *after* ProcessLibraryConstructorList() returns. And the proposed > > patch calls gBS->Exit() from *inside* ProcessLibraryConstructorList(), > > that is, when "Unload" is not set yet. > > Agree with all of the above. At this point, I think the only way to do this properly is to create an alternative UefiDriverEntrypoint library with the fw_cfg check folded into it. This is easy to do and addresses all the concerns raised here (as it can force the driver entry point function to return any value at any point) but the code duplication is unfortunate. > > On physical machines, I've seen firmware options for disabling the IP > > stack entirely; I wonder how those firmwares do it... > > I don't know how any physical machine handles that particular option. > But one approach would be to add a GUID to the depex of the module you > want to control, and install it only when you want the module to be > dispatched. That's pretty straightforward, although it does result in > "Driver %g was discovered but not loaded!!" messages from > CoreDisplayDiscoveredNotDispatched() if sufficient debugging is enabled. > I think the diagnostic is fine. But I don't think adding DEPEXes to UEFI drivers (as opposed to DXE drivers) is proper, or even supported. It would also require the drivers in other packages to be updated. What i i like about the current approach is that the library can tie any driver or app dispatch to any fw_cfg variable in QEMU (provided that its build is directed by the .dsc in question). Switching to an alternate UefiDriverEntrypoint implementation would limit this to drivers, but this is fine for the purpose at hand.