[RFC] efi_loader: workaround for EDK2's shell.efi

Message ID 20180809061538.6624-1-takahiro.akashi@linaro.org
State New
Headers show
Series
  • [RFC] efi_loader: workaround for EDK2's shell.efi
Related show

Commit Message

AKASHI Takahiro Aug. 9, 2018, 6:15 a.m.
The commit 21b3edfc964 ("efi_loader: check parameters of CreateEvent")
enforces a strict parameter check at CreateEvent().  Unfortunately,
however, EDK2's Shell.efi calls this function with notify_tpl == 0.

The patch above does right thing and we'd better fix the issue on EDK2
side, and yet we might want a workaround allowing for running un-modified
version of EDK2 in short-term solution.

The patch provides a minimum mitigation of parameter check.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 lib/efi_loader/efi_boottime.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Alexander Graf Aug. 9, 2018, 6:55 a.m. | #1
On 09.08.18 07:15, AKASHI Takahiro wrote:
> The commit 21b3edfc964 ("efi_loader: check parameters of CreateEvent")
> enforces a strict parameter check at CreateEvent().  Unfortunately,
> however, EDK2's Shell.efi calls this function with notify_tpl == 0.
> 
> The patch above does right thing and we'd better fix the issue on EDK2
> side, and yet we might want a workaround allowing for running un-modified
> version of EDK2 in short-term solution.

... of the EDK2 shell ...

and it's not just about short term - we always want to be compatible :).

So what's the reason this does not trigger in edk2? Are they considering
TPL 0 a valid TPL always or did they just forget the check in create
event? If they always consider TPL 0 valid, we better change
is_valid_tpl to ensure compatibility with edk2's behavior.

> The patch provides a minimum mitigation of parameter check.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  lib/efi_loader/efi_boottime.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c
> index 2281703f261..e7a19c35415 100644
> --- a/lib/efi_loader/efi_boottime.c
> +++ b/lib/efi_loader/efi_boottime.c
> @@ -627,7 +627,8 @@ efi_status_t efi_create_event(uint32_t type, efi_uintn_t notify_tpl,
>  		return EFI_INVALID_PARAMETER;
>  	}
>  
> -	if (is_valid_tpl(notify_tpl) != EFI_SUCCESS)
> +	/* notify_tpl == 0: workaround for EDK2's Shell.efi */

That comment is too undescriptive. Better write something like "EDK2
accepts TPL 0 in CreateEvent, so to ensure compatibility we should do
the same. EDK2 Shell.efi depends on this."


Alex

> +	if (notify_tpl && (is_valid_tpl(notify_tpl) != EFI_SUCCESS))
>  		return EFI_INVALID_PARAMETER;
>  
>  	evt = calloc(1, sizeof(struct efi_event));
>
AKASHI Takahiro Aug. 9, 2018, 8:30 a.m. | #2
On Thu, Aug 09, 2018 at 07:55:06AM +0100, Alexander Graf wrote:
> 
> 
> On 09.08.18 07:15, AKASHI Takahiro wrote:
> > The commit 21b3edfc964 ("efi_loader: check parameters of CreateEvent")
> > enforces a strict parameter check at CreateEvent().  Unfortunately,
> > however, EDK2's Shell.efi calls this function with notify_tpl == 0.
> > 
> > The patch above does right thing and we'd better fix the issue on EDK2
> > side, and yet we might want a workaround allowing for running un-modified
> > version of EDK2 in short-term solution.
> 
> ... of the EDK2 shell ...
> 
> and it's not just about short term - we always want to be compatible :).

Okay.

> So what's the reason this does not trigger in edk2? Are they considering
> TPL 0 a valid TPL always or did they just forget the check in create
> event? If they always consider TPL 0 valid, we better change
> is_valid_tpl to ensure compatibility with edk2's behavior.

I'm not confident about what Shell's intent is.
Created here is an event to be used to raise a signal for "notification
of Ctrl-C keystrokes," and hence Shell expects such key data to always
be sent to a task whatever its TPL is?

> > The patch provides a minimum mitigation of parameter check.
> > 
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> >  lib/efi_loader/efi_boottime.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c
> > index 2281703f261..e7a19c35415 100644
> > --- a/lib/efi_loader/efi_boottime.c
> > +++ b/lib/efi_loader/efi_boottime.c
> > @@ -627,7 +627,8 @@ efi_status_t efi_create_event(uint32_t type, efi_uintn_t notify_tpl,
> >  		return EFI_INVALID_PARAMETER;
> >  	}
> >  
> > -	if (is_valid_tpl(notify_tpl) != EFI_SUCCESS)
> > +	/* notify_tpl == 0: workaround for EDK2's Shell.efi */
> 
> That comment is too undescriptive. Better write something like "EDK2
> accepts TPL 0 in CreateEvent, so to ensure compatibility we should do
> the same. EDK2 Shell.efi depends on this."

Nice!

Thanks,
-Takahiro AKASHI

> 
> Alex
> 
> > +	if (notify_tpl && (is_valid_tpl(notify_tpl) != EFI_SUCCESS))
> >  		return EFI_INVALID_PARAMETER;
> >  
> >  	evt = calloc(1, sizeof(struct efi_event));
> >
Alexander Graf Aug. 9, 2018, 10:38 a.m. | #3
> Am 09.08.2018 um 09:30 schrieb AKASHI Takahiro <takahiro.akashi@linaro.org>:
> 
>> On Thu, Aug 09, 2018 at 07:55:06AM +0100, Alexander Graf wrote:
>> 
>> 
>>> On 09.08.18 07:15, AKASHI Takahiro wrote:
>>> The commit 21b3edfc964 ("efi_loader: check parameters of CreateEvent")
>>> enforces a strict parameter check at CreateEvent().  Unfortunately,
>>> however, EDK2's Shell.efi calls this function with notify_tpl == 0.
>>> 
>>> The patch above does right thing and we'd better fix the issue on EDK2
>>> side, and yet we might want a workaround allowing for running un-modified
>>> version of EDK2 in short-term solution.
>> 
>> ... of the EDK2 shell ...
>> 
>> and it's not just about short term - we always want to be compatible :).
> 
> Okay.
> 
>> So what's the reason this does not trigger in edk2? Are they considering
>> TPL 0 a valid TPL always or did they just forget the check in create
>> event? If they always consider TPL 0 valid, we better change
>> is_valid_tpl to ensure compatibility with edk2's behavior.
> 
> I'm not confident about what Shell's intent is.
> Created here is an event to be used to raise a signal for "notification
> of Ctrl-C keystrokes," and hence Shell expects such key data to always
> be sent to a task whatever its TPL is?

Leif, can you please help out here?


Thanks!

Alex
Heinrich Schuchardt Aug. 9, 2018, 12:21 p.m. | #4
On 08/09/2018 08:15 AM, AKASHI Takahiro wrote:
> The commit 21b3edfc964 ("efi_loader: check parameters of CreateEvent")

scripts/checkpatch.pl wants 12 digits for the commit reference.

ERROR: Please use git commit description style 'commit <12+ chars of
sha1> ("<title line>")'

Please, check patches before submitting.

The commit 21b3edfc9644 ("efi_loader: check parameters of CreateEvent")

> enforces a strict parameter check at CreateEvent().  Unfortunately,
> however, EDK2's Shell.efi calls this function with notify_tpl == 0.
> 
> The patch above does right thing and we'd better fix the issue on EDK2
> side, and yet we might want a workaround allowing for running un-modified
> version of EDK2 in short-term solution.
> 
> The patch provides a minimum mitigation of parameter check.
> 

This patch relates to test number 5.1.1.1.7 in Self Certification Test
(SCT) II Case Specification June 2017.

Fixes: 21b3edfc9644 ("efi_loader: check parameters of CreateEvent")

> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  lib/efi_loader/efi_boottime.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c
> index 2281703f261..e7a19c35415 100644
> --- a/lib/efi_loader/efi_boottime.c
> +++ b/lib/efi_loader/efi_boottime.c
> @@ -627,7 +627,8 @@ efi_status_t efi_create_event(uint32_t type, efi_uintn_t notify_tpl,
>  		return EFI_INVALID_PARAMETER;
>  	}
>  
> -	if (is_valid_tpl(notify_tpl) != EFI_SUCCESS)
> +	/* notify_tpl == 0: workaround for EDK2's Shell.efi */
> +	if (notify_tpl && (is_valid_tpl(notify_tpl) != EFI_SUCCESS))

Thanks for catching this.

The UEFI 2.7 spec has the following parameter description:

NotifyTpl: The task priority level of event notifications, if needed.

CreateEvent is implemented in EDK2 CoreCreateEvent() which calls
CoreCreateEventEx(). The latter has the following test:

  if ((Type & (EVT_NOTIFY_WAIT | EVT_NOTIFY_SIGNAL)) != 0) {
    if (NotifyTpl != TPL_APPLICATION &&
        NotifyTpl != TPL_CALLBACK &&
        NotifyTpl != TPL_NOTIFY) {
      return EFI_INVALID_PARAMETER;
    }
  }

In my patch I missed to check parameter Type first.

Please, change your patch so that it matches what test case 5.1.1.1.7
checks (i.e. the EDK 2 logic).

Best regards

Heinrich

>  		return EFI_INVALID_PARAMETER;
>  
>  	evt = calloc(1, sizeof(struct efi_event));
>
Leif Lindholm Aug. 9, 2018, 1:08 p.m. | #5
On Thu, Aug 09, 2018 at 03:15:38PM +0900, AKASHI Takahiro wrote:
> The commit 21b3edfc964 ("efi_loader: check parameters of CreateEvent")
> enforces a strict parameter check at CreateEvent().  Unfortunately,
> however, EDK2's Shell.efi calls this function with notify_tpl == 0.

I find this done in CreatePopulateInstallShellProtocol() in
Application/Shell/ShellProtocol.c, is that the one you see?

> The patch above does right thing and we'd better fix the issue on EDK2
> side, and yet we might want a workaround allowing for running un-modified
> version of EDK2 in short-term solution.

Where we find non-spec-compliant code in EDK2, we want to fix EDK2.
That doesn't mean that we don't perhaps want to work around it in
U-Boot anyway. But if we do, I would prefer if we could spam the
console a bit as well, to warn people of badly behaving apps.

However...

> The patch provides a minimum mitigation of parameter check.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  lib/efi_loader/efi_boottime.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c
> index 2281703f261..e7a19c35415 100644
> --- a/lib/efi_loader/efi_boottime.c
> +++ b/lib/efi_loader/efi_boottime.c
> @@ -627,7 +627,8 @@ efi_status_t efi_create_event(uint32_t type, efi_uintn_t notify_tpl,
>  		return EFI_INVALID_PARAMETER;
>  	}
>  
> -	if (is_valid_tpl(notify_tpl) != EFI_SUCCESS)
> +	/* notify_tpl == 0: workaround for EDK2's Shell.efi */
> +	if (notify_tpl && (is_valid_tpl(notify_tpl) != EFI_SUCCESS))

From the UEFI spec (2.7) description of CreateEvent() boot service:
---
The EVT_NOTIFY_WAIT and EVT_NOTIFY_SIGNAL flags are exclusive. If
neither flag is specified, the caller does not require any
notification concerning the event and the NotifyTpl, NotifyFunction,
and NotifyContext parameters are ignored.
---

So it's not a workaround for Shell specifically.
However, based on that text, something like

    if (type & (EVT_NOTIFY_WAIT | EVT_NOTIFY_SIGNAL))
        if ((is_valid_tpl(notify_tpl) != EFI_SUCCESS))

may resolve this in a more compliant way.

Of course, this may require additional changes to the remainder of the
function.

/
    Leif

>  		return EFI_INVALID_PARAMETER;
>  
>  	evt = calloc(1, sizeof(struct efi_event));
> -- 
> 2.18.0
>
AKASHI Takahiro Aug. 10, 2018, 12:15 a.m. | #6
Leif, Heinrich,

Thank you for your comments. I should have been more careful
in reading UEFI specification :)

On Thu, Aug 09, 2018 at 02:08:32PM +0100, Leif Lindholm wrote:
> On Thu, Aug 09, 2018 at 03:15:38PM +0900, AKASHI Takahiro wrote:
> > The commit 21b3edfc964 ("efi_loader: check parameters of CreateEvent")
> > enforces a strict parameter check at CreateEvent().  Unfortunately,
> > however, EDK2's Shell.efi calls this function with notify_tpl == 0.
> 
> I find this done in CreatePopulateInstallShellProtocol() in
> Application/Shell/ShellProtocol.c, is that the one you see?

Right.

> > The patch above does right thing and we'd better fix the issue on EDK2
> > side, and yet we might want a workaround allowing for running un-modified
> > version of EDK2 in short-term solution.
> 
> Where we find non-spec-compliant code in EDK2, we want to fix EDK2.
> That doesn't mean that we don't perhaps want to work around it in
> U-Boot anyway. But if we do, I would prefer if we could spam the
> console a bit as well, to warn people of badly behaving apps.
> 
> However...
> 
> > The patch provides a minimum mitigation of parameter check.
> > 
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> >  lib/efi_loader/efi_boottime.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c
> > index 2281703f261..e7a19c35415 100644
> > --- a/lib/efi_loader/efi_boottime.c
> > +++ b/lib/efi_loader/efi_boottime.c
> > @@ -627,7 +627,8 @@ efi_status_t efi_create_event(uint32_t type, efi_uintn_t notify_tpl,
> >  		return EFI_INVALID_PARAMETER;
> >  	}
> >  
> > -	if (is_valid_tpl(notify_tpl) != EFI_SUCCESS)
> > +	/* notify_tpl == 0: workaround for EDK2's Shell.efi */
> > +	if (notify_tpl && (is_valid_tpl(notify_tpl) != EFI_SUCCESS))
> 
> From the UEFI spec (2.7) description of CreateEvent() boot service:
> ---
> The EVT_NOTIFY_WAIT and EVT_NOTIFY_SIGNAL flags are exclusive. If
> neither flag is specified, the caller does not require any
> notification concerning the event and the NotifyTpl, NotifyFunction,
> and NotifyContext parameters are ignored.
> ---
> 
> So it's not a workaround for Shell specifically.
> However, based on that text, something like
> 
>     if (type & (EVT_NOTIFY_WAIT | EVT_NOTIFY_SIGNAL))
>         if ((is_valid_tpl(notify_tpl) != EFI_SUCCESS))
> 
> may resolve this in a more compliant way.

OK. I will respin my patch, also addressing Heinrich's comments.

-Takahiro AKASHI


> Of course, this may require additional changes to the remainder of the
> function.
> 
> /
>     Leif
> 
> >  		return EFI_INVALID_PARAMETER;
> >  
> >  	evt = calloc(1, sizeof(struct efi_event));
> > -- 
> > 2.18.0
> >

Patch

diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c
index 2281703f261..e7a19c35415 100644
--- a/lib/efi_loader/efi_boottime.c
+++ b/lib/efi_loader/efi_boottime.c
@@ -627,7 +627,8 @@  efi_status_t efi_create_event(uint32_t type, efi_uintn_t notify_tpl,
 		return EFI_INVALID_PARAMETER;
 	}
 
-	if (is_valid_tpl(notify_tpl) != EFI_SUCCESS)
+	/* notify_tpl == 0: workaround for EDK2's Shell.efi */
+	if (notify_tpl && (is_valid_tpl(notify_tpl) != EFI_SUCCESS))
 		return EFI_INVALID_PARAMETER;
 
 	evt = calloc(1, sizeof(struct efi_event));