Re: [edk2-devel] [GSoC proposal] Secure Image Loader

["Michael Brown" <mcb30@ipxe.org>]

On 05/04/2021 00:01, Marvin Häuser wrote:
> 3. During my initial exploration, I discovered defective PPIs and 
> protocols (e.g. returning data with no corresponding size) originating 
> from the UEFI PI and UEFI specifications. Changes need to be discussed, 
> settled on, and submitted to the UEFI Forum.

Would any of these changes break backwards compatibility?  With the UEFI 
development model, any protocol that has ever existed in the 
specification will practically need to always be supported in that form: 
breaking backwards compatibility is simply not an option.

For example: there is a fundamental design flaw in the LoadImage() and 
StartImage() API that makes it logically impossible for arbitrary code 
to install an EFI_LOADED_IMAGE_PROTOCOL instance (see 
https://github.com/ipxe/ProxyLoaderPkg/#why-is-it-needed for details on 
this).  But there's zero chance that this design flaw will ever be 
fixed, because there's no way to eliminate code that relies on the 
existing LoadImage()/StartImage() APIs.

So: if the formally verified image loader can fit within the constraints 
of "must not modify any externally exposed APIs" then it sounds like a 
potentially good idea.  If it requires breaking changes to public APIs 
then I don't see how it could be integrated in practice.

Thanks,

Michael