Re: [GSoC proposal] Secure Image Loader


Andrew Fish
 



On Apr 8, 2021, at 2:07 PM, Marvin Häuser <mhaeuser@...> wrote:


08.04.2021 19:39:16 Andrew Fish <afish@...>:



On Apr 8, 2021, at 10:02 AM, Marvin Häuser <mhaeuser@...> wrote:

On 08.04.21 18:44, Andrew Fish via groups.io wrote:


On Apr 8, 2021, at 9:06 AM, Marvin Häuser <mhaeuser@...> wrote:

We use the loader code in userspace anyway for fuzzing and such. I also want to build a database of all sorts of UEFI binaries some time before the merge to confirm they are all accepted (Windows / macOS / Linux bootloaders, tools like memtest, drivers like iPXE). As part of that, I'm sure we can have a userspace tool that uses the code to emit parsing information.

But as the EDK II build system is very... not so userspace friendly, I will not promise it will be very nice. :)


Marvin,

The BaseTools can easily build C command line tools that are cross platform?

Actually GenFw [1] already does a lot of PE/COFF magic, so it should be relatively easy to add a -I, --info, and dump out an overview of a PE/COFF image, and make comments on things that are not secure. It would also probably be useful to dump out information about the Debug Directory entries, Hii sections, etc. for general debug.

I did not look at the code much, but I do know that BaseTools duplicates the PE/COFF code from MdePkg. Whether it was changed or not I cannot tell.


GenFw does the ELF to PE/COFF conversion, zeroing out Debug Directory Entries etc. so it should be correct. It is not like the PE/COFF spec is a moving target.


PE is not a moving target, but EDK II is. The fact that even old and proven code sometimes needs maintenance is evident from the proposal and its so far positive feedback. I'm not ready to duplicate code, I'd rather take the utilities out of the current scope and discuss ways to consume MdePkg libraries later. In fact, I want to reduce code duplication as a "free benefit" from the changes, especially image hashing.


Marvin,

I was thinking more about tooling to introspect PE/COFF images. 

Trying to consolidate the BaseTools to use the common edk2 libraries would be doable, but I agree that is a separate project. The inspection tool feature could be a separate project too. 

I know it takes time, but I think it will be worth it. We have been debugging and fuzztesting our EDK II packages in userland for a while, and found it to be a great help. I hope you will agree. :)


Yea I’ve built emulators before that are just native OS C applications and they pull in the edk2 libs, not the BaseTools libs and it makes things like fuzzing much easier. Having a project to have only one validated PE/COFF lib seems very reasonable, I guess a lot of us are too trusting of our build servers.

Thanks,

Andrew Fish

Best regards,
Marvin


Thanks,

Andrew Fish

Best regards,
Marvin


[1] https://github.com/tianocore/edk2/tree/master/BaseTools/Source/C/GenFw
/Volumes/Case/edk2-github(eng/PR-557-XcodeResourceSections)>. edksetup.sh
Loading previous configuration from /Volumes/Case/edk2-github/Conf/BuildEnv.sh
WORKSPACE: /Volumes/Case/edk2-github
EDK_TOOLS_PATH: /Volumes/Case/edk2-github/BaseTools
CONF_PATH: /Volumes/Case/edk2-github/Conf
/Volumes/Case/edk2-github(eng/PR-557-XcodeResourceSections)>GenFw -h
GenFw Version 0.2 Developer Build based on Revision: Unknown

Usage: GenFw [options] <input_file>

Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.

Options:
  -o FileName, --outputfile FileName
                        File will be created to store the output content.
  -e EFI_FILETYPE, --efiImage EFI_FILETYPE
                        Create Efi Image. EFI_FILETYPE is one of BASE,SMM_CORE,
                        PEI_CORE, PEIM, DXE_CORE, DXE_DRIVER, UEFI_APPLICATION,
                        SEC, DXE_SAL_DRIVER, UEFI_DRIVER, DXE_RUNTIME_DRIVER,
                        DXE_SMM_DRIVER, SECURITY_CORE, COMBINED_PEIM_DRIVER,
                        MM_STANDALONE, MM_CORE_STANDALONE,
                        PIC_PEIM, RELOCATABLE_PEIM, BS_DRIVER, RT_DRIVER,
                        APPLICATION, SAL_RT_DRIVER to support all module types
                        It can only be used together with --keepexceptiontable,
                        --keepzeropending, --keepoptionalheader, -r, -o option.
                        It is a action option. If it is combined with other action options,
                        the later input action option will override the previous one.
  -c, --acpi            Create Acpi table.
                        It can't be combined with other action options
                        except for -o, -r option. It is a action option.
                        If it is combined with other action options, the later
                        input action option will override the previous one.
  -t, --terse           Create Te Image.
                        It can only be used together with --keepexceptiontable,
                        --keepzeropending, --keepoptionalheader, -r, -o option.
                        It is a action option. If it is combined with other action options,
                        the later input action option will override the previous one.
  -u, --dump            Dump TeImage Header.
                        It can't be combined with other action options
                        except for -o, -r option. It is a action option.
                        If it is combined with other action options, the later
                        input action option will override the previous one.
  -z, --zero            Zero the Debug Data Fields in the PE input image file.
                        It also zeros the time stamp fields.
                        This option can be used to compare the binary efi image.
                        It can't be combined with other action options
                        except for -o, -r option. It is a action option.
                        If it is combined with other action options, the later
                        input action option will override the previous one.
  -b, --exe2bin         Convert the input EXE to the output BIN file.
                        It can't be combined with other action options
                        except for -o, -r option. It is a action option.
                        If it is combined with other action options, the later
                        input action option will override the previous one.
  -l, --stripped        Strip off the relocation info from PE or TE image.
                        It can't be combined with other action options
                        except for -o, -r option. It is a action option.
                        If it is combined with other action options, the later
                        input action option will override the previous one.
  -s timedate, --stamp timedate
                        timedate format is "yyyy-mm-dd 00:00:00". if timedata
                        is set to NOW, current system time is used. The support
                        date scope is 1970-01-01 00+timezone:00:00
                        ~ 2038-01-19 03+timezone:14:07
                        The scope is adjusted according to the different zones.
                        It can't be combined with other action options
                        except for -o, -r option. It is a action option.
                        If it is combined with other action options, the later
                        input action option will override the previous one.
  -m, --mcifile         Convert input microcode txt file to microcode bin file.
                        It can't be combined with other action options
                        except for -o option. It is a action option.
                        If it is combined with other action options, the later
                        input action option will override the previous one.
  -j, --join            Combine multi microcode bin files to one file.
                        It can be specified with -a, -p, -o option.
                        No other options can be combined with it.
                        If it is combined with other action options, the later
                        input action option will override the previous one.
  -a NUM, --align NUM   NUM is one HEX or DEC format alignment value.
                        This option is only used together with -j option.
  -p NUM, --pad NUM     NUM is one HEX or DEC format padding value.
                        This option is only used together with -j option.
  --keepexceptiontable  Don't clear exception table.
                        This option can be used together with -e or -t.
                        It doesn't work for other options.
  --keepoptionalheader  Don't zero PE/COFF optional header fields.
                        This option can be used together with -e or -t.
                        It doesn't work for other options.
  --keepzeropending     Don't strip zero pending of .reloc.
                        This option can be used together with -e or -t.
                        It doesn't work for other options.
  -r, --replace         Overwrite the input file with the output content.
                        If more input files are specified,
                        the last input file will be as the output file.
  -g HiiPackageListGuid, --hiiguid HiiPackageListGuid
                        Guid is used to specify hii package list guid.
                        Its format is xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
                        If not specified, the first Form FormSet guid is used.
  --hiipackage          Combine all input binary hii packages into
                        a single package list as the text resource data(RC).
                        It can't be combined with other action options
                        except for -o option. It is a action option.
                        If it is combined with other action options, the later
                        input action option will override the previous one.
  --hiibinpackage       Combine all input binary hii packages into
                        a single package list as the binary resource section.
                        It can't be combined with other action options
                        except for -o option. It is a action option.
                        If it is combined with other action options, the later
                        input action option will override the previous one.
  --rc FlieName         Append a Hii resource section to the
                        last PE/COFF section. The FileName is the resource section to append
                        If FileName does not exist this operation is skipped. This feature is
                        only intended for toolchains, like XCODE, that don't suport $(RC).
                        This option can only be combined with -e
  --rebase NewAddress   Rebase image to new base address. New address
                        is also set to the first none code section header.
                        It can't be combined with other action options
                        except for -o or -r option. It is a action option.
                        If it is combined with other action options, the later
                        input action option will override the previous one.
  --address NewAddress  Set new address into the first none code
                        section header of the input image.
                        It can't be combined with other action options
                        except for -o or -r option. It is a action option.
                        If it is combined with other action options, the later
                        input action option will override the previous one.
  -v, --verbose         Turn on verbose output with informational messages.
  -q, --quiet           Disable all messages except key message and fatal error
  -d, --debug level     Enable debug messages, at input debug level.
  --version             Show program's version number and exit
  -h, --help            Show this help message and exit

Thanks,

Andrew Fish

Best regards,
Marvin

On 08.04.21 16:13, Andrew (EFI) Fish wrote:
At a minimum it would be nice if we had a tool that would point out the security faults with a given PE/COFF file layout.
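
An added example, not part of the thread and not GenFw or EDK II code: a small userspace C routine of the kind discussed above, which walks a PE/COFF image's headers with overflow-safe bounds checks and reports layout problems. The thread does not enumerate which faults such a tool should flag, so the three checks here (a section that is both writable and executable, raw section data outside the file, SectionAlignment below 4 KiB) and the names pe_audit, pe_sample and PE_* are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Finding bits returned by pe_audit(); the names are hypothetical. */
enum { PE_MALFORMED = 1, PE_SECTION_WX = 2, PE_SECTION_OOB = 4, PE_ALIGN_LT_4K = 8 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Walk the headers of the image in buf[0..len); every offset is checked before use. */
unsigned pe_audit(const uint8_t *buf, size_t len) {
  unsigned findings = 0;
  if (len < 0x40 || rd16(buf) != 0x5A4D) return PE_MALFORMED;      /* "MZ" */
  size_t pe = rd32(buf + 0x3C);                                    /* e_lfanew */
  if (pe > len || len - pe < 24) return PE_MALFORMED;              /* signature + COFF header */
  if (rd32(buf + pe) != 0x4550) return PE_MALFORMED;               /* "PE\0\0" */
  size_t nsec = rd16(buf + pe + 6), optsz = rd16(buf + pe + 20), opt = pe + 24;
  if (optsz < 36 || len - opt < optsz) return PE_MALFORMED;
  if (rd32(buf + opt + 32) < 0x1000) findings |= PE_ALIGN_LT_4K;   /* SectionAlignment */
  size_t sec = opt + optsz;                                        /* section table */
  if ((len - sec) / 40 < nsec) return PE_MALFORMED;
  for (size_t i = 0; i < nsec; i++, sec += 40) {
    uint32_t rawsz = rd32(buf + sec + 16), rawptr = rd32(buf + sec + 20);
    uint32_t flags = rd32(buf + sec + 36);                         /* Characteristics */
    if (rawptr > len || rawsz > len - rawptr) findings |= PE_SECTION_OOB;
    if ((flags & 0x80000000u) && (flags & 0x20000000u)) findings |= PE_SECTION_WX;
  }
  return findings;
}

/* Constructed sample input: 0x400-byte PE32+ skeleton with one section. */
size_t pe_sample(uint8_t *img, uint32_t align, uint32_t flags) {
  memset(img, 0, 0x400);
  wr32(img, 0x5A4D); wr32(img + 0x3C, 0x40); wr32(img + 0x40, 0x4550);
  wr32(img + 0x44, 0x00018664);                    /* Machine 0x8664, NumberOfSections 1 */
  wr32(img + 0x54, 0xF0); wr32(img + 0x58, 0x020B); /* SizeOfOptionalHeader, PE32+ magic */
  wr32(img + 0x58 + 32, align);                    /* SectionAlignment */
  wr32(img + 0x148 + 16, 0x200); wr32(img + 0x148 + 20, 0x200); /* raw size, raw offset */
  wr32(img + 0x148 + 36, flags);                   /* section Characteristics */
  return 0x400;
}

int main(void) {
  uint8_t img[0x400];
  size_t n = pe_sample(img, 0x20, 0xE0000020u);    /* small alignment, RWX section */
  printf("findings: 0x%x\n", pe_audit(img, n));
  return 0;
}
```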












