From: "Michael Brown" <mcb30@ipxe.org>
To: "Marvin Häuser" <mhaeuser@posteo.de>,
devel@edk2.groups.io, "Laszlo Ersek" <lersek@redhat.com>,
"Andrew Fish" <afish@apple.com>,
"Michael Kinney" <michael.d.kinney@intel.com>
Subject: Re: [edk2-devel] [GSoC proposal] Secure Image Loader
Date: Thu, 8 Apr 2021 10:26:27 +0100 [thread overview]
Message-ID: <cb8388d5-5581-a5ee-0a39-8ee714b269dc@ipxe.org> (raw)
In-Reply-To: <3bfbdd8d-9417-77f4-6444-5841e685548f@posteo.de>
On 08/04/2021 09:53, Marvin Häuser wrote:
> On 07.04.21 23:50, Michael Brown wrote:
>> InstallMultipleProtocolInterfaces() is not a breaking change: the
>> existence of InstallMultipleProtocolInterfaces() does not require any
>> change to the way that InstallProtocolInterface() is implemented or
>> consumed.
>>
>> Code written before the invention of
>> InstallMultipleProtocolInterfaces() will still work now, with no
>> modifications required.
>
> The same is true for the *2_PROTOCOL instances, I do not see how you
> distinct between them. Could you elaborate, please?
The distinction is very straightforward. If you plan to *remove*
support for the older protocols, then you by definition place a burden
on all externally maintained code to support both protocols. If the
older protocol will continue to be supported then no such burden is created.
This is why I am asking you if your proposed changes require *breaking*
backwards compatibility. You still haven't answered this key question.
>> You have to remember that UEFI is not a monolithic codebase with a
>> single maintaining organisation. Implementing a *2_PROTOCOL and
>> deprecating the original just causes pain for all the code in the
>> world that is maintained outside of the EDK2 repository, since that
>> code now has to support *both* the old and new protocols.
>
> I am aware, but actually it's not far from it nowadays. In contrast to
> the days of Aptio IV, I believe all big vendors maintain forks of EDK
> II. I know the fork nature taints the issue, but also see last quote
> comment.
This is empirically not true. Buy a selection of devices in the wild,
and you'll find a huge amount of non-EDK2 code on them.
I would be extremely happy if every vendor just used the EDK2 code: it
would make my life a lot easier. But it's not what happens in the real
world.
> I see that there is no EFI_USB_IO2_PROTOCOL instance to argue by. Yet
> there are EFI_BLOCK_IO2_PROTOCOL and EFI_LOAD_FILE2_PROTOCOL. Former, in
> my opinion, close in nature to your your example, and latter close to
> the nature on what I plan to propose. Sorry, but I do not see how what I
> suggest has not been done multiple times in the past already.
>
> Please also look at it from an angle of trust. How can I trust the
> "secure" advertisements of UEFI / EDK II when the specification
> *dictates* the usage of intrinsically insecure APIs?
> The consequence for security-critical situations would be to necessarily
> abandon UEFI and come up with a new design. In who's interest is this?
Again, we return to the question that you have not yet answered: do your
proposed changes require breaking backwards compatibility?
Please do answer this question: if you're *not* proposing to break the
platform in a way that would prevent older binaries from working without
modification, then we have no disagreement! :)
>> Don't get me wrong: I *am* in favour of improving the security of
>> EDK2, and a formally verified loader is potentially useful for that.
>> But I could only consider it a good idea if it can be done without
>> making breaking API changes for which I know I will personally have to
>> maintain workarounds for the next ten years.
>
> Sorry, but you seem to have missed my points regarding these concerns,
> at least you did not address them I believe. I don't know why you need
> to (actively) maintain workarounds for APIs external code has no reason
> to use, especially when the legacy implementation would quite literally
> be a wrapper function.
<same comment as above>
Thanks,
Michael
next prev parent reply other threads:[~2021-04-08 9:26 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-04 23:01 [GSoC proposal] Secure Image Loader Marvin Häuser
2021-04-06 9:41 ` [edk2-devel] " Nate DeSimone
2021-04-06 10:06 ` Marvin Häuser
2021-04-06 16:16 ` [EXTERNAL] " Bret Barkelew
2021-04-08 11:16 ` Laszlo Ersek
2021-04-08 14:13 ` Andrew Fish
2021-04-08 16:06 ` Marvin Häuser
2021-04-08 16:44 ` Andrew Fish
2021-04-08 17:02 ` Marvin Häuser
2021-04-08 17:39 ` Andrew Fish
2021-04-08 21:07 ` Marvin Häuser
2021-04-08 21:48 ` Andrew Fish
2021-04-08 22:42 ` Michael Brown
2021-04-12 17:22 ` Marvin Häuser
2021-04-12 18:30 ` [EXTERNAL] " Bret Barkelew
2021-04-13 0:19 ` Michael D Kinney
2021-04-13 0:56 ` Nate DeSimone
2021-04-13 7:31 ` Marvin Häuser
2021-04-13 15:05 ` Andrew Fish
2021-04-13 18:04 ` Nate DeSimone
2021-04-13 18:08 ` Michael D Kinney
2021-04-13 18:14 ` Andrew Fish
2021-04-16 7:36 ` Marvin Häuser
2021-04-07 21:05 ` Michael Brown
2021-04-07 21:31 ` Marvin Häuser
2021-04-07 21:50 ` Michael Brown
2021-04-07 22:02 ` Andrew Fish
[not found] ` <1673B28429E5B4FE.4742@groups.io>
2021-04-07 22:10 ` Andrew Fish
2021-04-08 9:04 ` Marvin Häuser
2021-04-08 9:40 ` Michael Brown
2021-04-08 8:53 ` Marvin Häuser
2021-04-08 9:26 ` Michael Brown [this message]
2021-04-08 9:41 ` Marvin Häuser
2021-04-08 9:50 ` Marvin Häuser
2021-04-08 9:55 ` Michael Brown
2021-04-08 10:13 ` Marvin Häuser
2021-04-08 10:31 ` Michael Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cb8388d5-5581-a5ee-0a39-8ee714b269dc@ipxe.org \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox