Acidanthera UEFI Development Kit based on EDK II edk2-stable202311
Go to file
Marvin Häuser af9f4495e9 EmbeddedPkg/PrePiLib: Deduplicate MemoryAllocationLib declarations 2023-12-20 13:59:27 +03:00
.azurepipelines .azurepipelines: Fix Python version (to 3.12) 2023-10-31 14:40:50 +00:00
.devcontainer CI: Constructed separate workflows for common, arm, x86 packages and CodeQL. 2023-12-20 13:53:23 +03:00
.github CI: Constructed separate workflows for common, arm, x86 packages and CodeQL. 2023-12-20 13:53:23 +03:00
.mergify .mergify/config.yml: Remove rebase_fallback attribute (deprecated) 2023-02-13 15:58:21 -08:00
.pytool CI: Constructed separate workflows for common, arm, x86 packages and CodeQL. 2023-12-20 13:53:23 +03:00
ArmPkg SecurePE: Replaced old PE loader with Secure one. 2023-12-20 13:48:26 +03:00
ArmPlatformPkg SecurePE: Replaced old PE loader with Secure one. 2023-12-20 13:48:26 +03:00
ArmVirtPkg Build: Renamed XIPFLAGS as SECPEIFLAGS, added comment in build_rule.template on its usage. 2023-12-20 13:51:20 +03:00
BaseTools BaseTools/GenFvInternalLib: Remove unused BaseOfCode parameter 2023-12-20 13:57:24 +03:00
Conf BaseTools:Delete FrameworkDatabase from BaseTools/Conf 2019-05-09 15:03:30 +08:00
CryptoPkg UefiCpuPkg/CpuPageTableLib: Add intrinsic lib to fix MSVC build 2023-12-20 13:55:44 +03:00
DynamicTablesPkg DynamicTablesPkg: Fix ETE _UID Creation 2023-11-21 14:13:54 +00:00
EmbeddedPkg EmbeddedPkg/PrePiLib: Deduplicate MemoryAllocationLib declarations 2023-12-20 13:59:27 +03:00
EmulatorPkg MdePkg/MemoryAllocationLib: Add Allocate(Aligned)CodePages 2023-12-20 13:57:24 +03:00
Ext4Pkg Ext4Pkg: Various improvements based on Sydr fuzzing results. 2023-12-20 13:36:38 +03:00
FatPkg FatPkg: Adds support for read-only mode 2023-12-20 13:55:44 +03:00
FmpDevicePkg FmpDevicePkg: CI: Add PrEval entry 2023-10-23 20:17:52 +00:00
IntelFsp2Pkg BaseTools: Removed GCC48/49 toolchains, refactored tools_def.template. 2023-12-20 13:51:20 +03:00
IntelFsp2WrapperPkg IntelFsp2WrapperPkg/FspWrapperMultiPhaseProcessLib: Fix CLANGPDB build 2023-12-20 13:50:12 +03:00
MdeModulePkg MdePkg/MemoryAllocationLib: Add Allocate(Aligned)CodePages 2023-12-20 13:57:24 +03:00
MdePkg MdePkg/MemoryAllocationLib: Add Allocate(Aligned)CodePages 2023-12-20 13:57:24 +03:00
NetworkPkg SecurePE: Replaced old PE loader with Secure one. 2023-12-20 13:48:26 +03:00
OpenCorePkg@ca9a501490 BaseTools: Replaced GenFw with ImageTool and MicroTool. 2023-12-20 13:50:12 +03:00
OvmfPkg BaseTools: Removed GCC48/49 toolchains, refactored tools_def.template. 2023-12-20 13:51:20 +03:00
PcAtChipsetPkg PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe: rename LibRtcVirtualNotifyEvent 2023-10-18 16:15:41 +00:00
PrmPkg PrmPkg: CI: Add PrEval entry 2023-10-23 20:17:52 +00:00
RedfishPkg RedfishPkg/BaseUcs2Utf8Lib: Fix out of bounds shift in UTF8ToUCS2Char 2023-12-20 13:36:38 +03:00
SecurityPkg SecurePE: Replaced old PE loader with Secure one. 2023-12-20 13:48:26 +03:00
ShellPkg SecurePE: Replaced old PE loader with Secure one. 2023-12-20 13:48:26 +03:00
SignedCapsulePkg SecurePE: Replaced old PE loader with Secure one. 2023-12-20 13:48:26 +03:00
SourceLevelDebugPkg SecurePE: Replaced old PE loader with Secure one. 2023-12-20 13:48:26 +03:00
StandaloneMmPkg MdePkg/MemoryAllocationLib: Add Allocate(Aligned)CodePages 2023-12-20 13:57:24 +03:00
UefiCpuPkg MdePkg/MemoryAllocationLib: Add Allocate(Aligned)CodePages 2023-12-20 13:57:24 +03:00
UefiPayloadPkg MdePkg/MemoryAllocationLib: Add Allocate(Aligned)CodePages 2023-12-20 13:57:24 +03:00
UnitTestFrameworkPkg MdePkg/MemoryAllocationLib: Add Allocate(Aligned)CodePages 2023-12-20 13:57:24 +03:00
.editorconfig Add a .editorconfig file to tell editors basic formatting details 2023-09-08 18:56:52 +00:00
.git-blame-ignore-revs edk2: Add .git-blame-ignore-revs file 2023-04-16 18:04:21 +00:00
.gitignore .gitignore: Add compile_flags.txt 2023-12-20 13:36:38 +03:00
.gitmodules BaseTools: Replaced GenFw with ImageTool and MicroTool. 2023-12-20 13:50:12 +03:00
.mailmap .mailmap: add entries for Rebecca Cran 2020-09-22 13:53:46 +00:00
CONTRIBUTING.md Add a stub CONTRIBUTING.md pointing to the wiki 2020-08-18 18:07:43 +00:00
License-History.txt
License.txt
LoaderFlow.png SecurePE: Replaced old PE loader with Secure one. 2023-12-20 13:48:26 +03:00
Maintainers.txt Maintainers.txt: Remove unused OvmfPkg Confidential Computing path 2023-11-09 20:23:32 +00:00
README.md SecurePE: Replaced old PE loader with Secure one. 2023-12-20 13:48:26 +03:00
ReadMe.rst ReadMe.rst: Add CodeQL/analyze directory under other licenses 2023-11-07 03:19:26 +00:00
docker-compose.yaml CI: Constructed separate workflows for common, arm, x86 packages and CodeQL. 2023-12-20 13:53:23 +03:00
edksetup.bat edksetup.bat: if toolsetup.bat fails, just exit 2023-05-08 19:03:18 +00:00
edksetup.sh Remove bashisms from edksetup.sh and BaseTools/BuildEnv 2023-05-10 12:02:34 +00:00
pip-requirements.txt .pytool: Integration of edk2-pytools 2023-10-28 14:59:29 +00:00

README.md

PE/COFF loader designed with formal methods

This branch demonstrates the integration of a new PE/COFF loader designed with the help of formal methods into the EDK II infrastructure.

Introduction

The PE/COFF loader is one of the central components of the firmware core and its trust base. Every Image which is part of a UEFI system, including platform drivers from the primary firmware storage, Option ROMs from external hardware, and OS loaders from arbitrary storage, is verified and loaded by this library. Clearly it is a key component to ensure platform reliability and software compatibility, and can only be modified with great care. It also is an essential component for security technologies such as Secure Boot and Measured Boot.

image

Unfortunately, over the years, the current solution has been subject to bug reports affecting platform reliability, some of which have been unresolved to date. Please refer to the TianoCore BugZilla and especially discussions on the edk2-devel mailing list for further reading. Due to the incremental changes to the existing solution over the years, the state of a sound solution has been lost, and it has become a maintenance burden that is hard to fix and further advance incrementally. At the same time, the demand on not only tested but proven security has become more important in the recent times.

The usage of formal methods to design the new solution greatly helped restore the state of a truly sound solution, resolving many issues regarding inter-API guarantees and Image format validation. Many new abstractions have been introduced, external code has been centralized, and the overall flexibility has been improved, to hopefully aid developers to extend the codebase more easily in the future. Beyond that, the formal model ensures a high level of confidence that security-wise there have been no regressions, and there might even be potential improvements.

Please also refer to the new work-in-progress documentation available at MdePkg/Library/BasePeCoffLib2/Documentation.md

Further abstraction

The new solution has been implemented as a new library class in MdePkg. PeCoffLib2 features a new API that allows for a more resilient and a more flexible caller design. Most notably, all Image operations have been integrated into the API design rather than the callers accessing the library context and duplicating certain work. PeCoffLib remains intact as deprecated API to support legacy code during the transition period.

To increase platform flexibility, a new layer of abstraction is introduced in the form of the library class UefiImageLib, which can be found at MdePkg/Include/Library/UefiImageLib.h. Currently, it is a subset of the APIs provided by PeCoffLib2 that is expected to be compatible with most other common executable formats, plus a few convenience functions. As part of the proposal, the instance UefiImageLibPeCoff is provided, which is basically a shim for PeCoffLib2. In the future, instances to support other file formats can be introduced without having to integrate them across the entire EDK II tree.

Issues of the current solution

  • High level of maintenance cost due to convoluted function contracts
  • Error-prone design promoting the introduction of code bugs
  • Multiple real-world bugs affecting reliability, some unaddressed for years
  • A lot of duplicate caller-side code that decreases the flexibility of porting and integration (e.g. Image permissions in PEI)
  • Dependency on Image re-parsing for production code

Benefits of the new solution

  • Fixes all known reported BugZilla tickets on PE/COFF loader reliability
  • Formal methods increase confidence in a high level of reliability and security
  • Improved design eases future maintenance and extension
  • Architecture-independent Image processing (e.g. for emulation)
  • Support for more granular Image section permissions (e.g. read-only)

Benefits of the formal methods involved

  • Complete proof arithmetic cannot overflow (excluding intentional modulo arithmetic)
  • Mostly complete proof memory accesses are safe (requires axioms)
  • Complete proof of Image format compliance verification
  • Complete proof of Image loading
  • Mostly complete proof of Image relocation (final memory state cannot be easily described)

Further notes about the formal approach

  • A snapshot of the new PE/COFF loader code will be provided with annotations and proving results
  • The snapshot will not be current and updating the old code is out of the scope of this project, however the functional changes should be manageable to review
  • We are currently investigating whether deploying the proving environment as a Docker container is feasible
  • There may be aids to compare the updates over the last fully verified state (e.g. stripped versions of the code with diffs)
  • If accepted, the new PE/COFF loader code should be developed further without updating the formal annotations, but with thorough review of important invariants and sufficient documentation

Current progress, future goals, and further notes

  • OVMF boots to Shell with SMM and Secure Boot enabled
  • Linux EmulatorPkg boots
  • Extended support for Image protection has been implemented
  • FFS and DebugTable enhancements have been implemented
  • Not all features have been implemented, e.g. RISC-V support
  • There are unrelated changes present to help testing and validation
  • Specified interfaces need adjustments (e.g. security architectural protocol)
  • Some validation is still absent

BZs fixed by integrating the new PE/COFF loader

BZs easier to address by integrating the new PE/COFF loader