> On Apr 8, 2021, at 2:07 PM, Marvin Häuser <mhaeu...@posteo.de> wrote:
>
> 08.04.2021 19:39:16 Andrew Fish <af...@apple.com>:
>
>>> On Apr 8, 2021, at 10:02 AM, Marvin Häuser <mhaeu...@posteo.de> wrote:
>>>
>>> On 08.04.21 18:44, Andrew Fish via groups.io wrote:
>>>>
>>>>> On Apr 8, 2021, at 9:06 AM, Marvin Häuser <mhaeu...@posteo.de> wrote:
>>>>>
>>>>> We use the loader code in userspace anyway for fuzzing and such. I also
>>>>> want to build a database of all sorts of UEFI binaries some time before
>>>>> the merge to confirm they are all accepted (Windows / macOS / Linux
>>>>> bootloaders, tools like memtest, drivers like iPXE). As part of that, I'm
>>>>> sure we can have a userspace tool that uses the code to emit parsing
>>>>> information.
>>>>>
>>>>> But as the EDK II build system is very... not so userspace friendly, I
>>>>> will not promise it will be very nice. :)
>>>>>
>>>>
>>>> Marvin,
>>>>
>>>> The BaseTools can easily build C command line tools that are cross
>>>> platform?
>>>>
>>>> Actually GenFw [1] already does a lot of PE/COFF magic, so it should be
>>>> relatively easy to add a -I, --info, and dump out an overview of a PE/COFF
>>>> image, and make comments on things that are not secure. It would also
>>>> probably be useful to dump out information about the Debug Directory
>>>> entries, HII sections, etc. for general debug.
>>>
>>> I did not look at the code much, but I do know that BaseTools duplicates
>>> the PE/COFF code from MdePkg. Whether it was changed or not I cannot tell.
>>>
>>
>> GenFw does the ELF to PE/COFF conversion, zeroing out Debug Directory
>> Entries etc. so it should be correct. It is not like the PE/COFF spec is a
>> moving target.
>
> PE is not a moving target, but EDK II is. The fact that even old and proven
> code sometimes needs maintenance is evident from the proposal and its so
> far positive feedback. I'm not ready to duplicate code, I'd rather take the
> utilities out of the current scope and discuss ways to consume MdePkg
> libraries later. In fact, I want to reduce code duplication as a "free
> benefit" from the changes, especially image hashing.
>

Marvin,

I was thinking more about tooling to introspect PE/COFF images. Trying to consolidate the BaseTools to use the common edk2 libraries would be doable, but I agree that is a separate project. The inspection tool feature could be a separate project too.

> I know it takes time, but I think it will be worth it. We have been debugging
> and fuzztesting our EDK II packages in userland for a while, and found it to
> be a great help. I hope you will agree. :)
>

Yea, I've built emulators before that are just native OS C applications and they pull in the edk2 libs, not the BaseTools libs, and it makes things like fuzzing much easier. Having a project to have only one validated PE/COFF lib seems very reasonable, I guess a lot of us are too trusting of our build servers.

Thanks,

Andrew Fish

> Best regards,
> Marvin
>
>>
>> Thanks,
>>
>> Andrew Fish
>>
>>> Best regards,
>>> Marvin
>>>
>>>>
>>>> [1] https://github.com/tianocore/edk2/tree/master/BaseTools/Source/C/GenFw
>>>>
>>>> /Volumes/Case/edk2-github(eng/PR-557-XcodeResourceSections)>. edksetup.sh
>>>> Loading previous configuration from
>>>> /Volumes/Case/edk2-github/Conf/BuildEnv.sh
>>>> WORKSPACE: /Volumes/Case/edk2-github
>>>> EDK_TOOLS_PATH: /Volumes/Case/edk2-github/BaseTools
>>>> CONF_PATH: /Volumes/Case/edk2-github/Conf
>>>> /Volumes/Case/edk2-github(eng/PR-557-XcodeResourceSections)>GenFw -h
>>>> GenFw Version 0.2 Developer Build based on Revision: Unknown
>>>>
>>>> Usage: GenFw [options] <input_file>
>>>>
>>>> Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.
>>>>
>>>> Options:
>>>> -o FileName, --outputfile FileName
>>>> File will be created to store the output content.
>>>> -e EFI_FILETYPE, --efiImage EFI_FILETYPE
>>>> Create Efi Image.
>>>> EFI_FILETYPE is one of
>>>> BASE,SMM_CORE,
>>>> PEI_CORE, PEIM, DXE_CORE, DXE_DRIVER,
>>>> UEFI_APPLICATION,
>>>> SEC, DXE_SAL_DRIVER, UEFI_DRIVER,
>>>> DXE_RUNTIME_DRIVER,
>>>> DXE_SMM_DRIVER, SECURITY_CORE,
>>>> COMBINED_PEIM_DRIVER,
>>>> MM_STANDALONE, MM_CORE_STANDALONE,
>>>> PIC_PEIM, RELOCATABLE_PEIM, BS_DRIVER, RT_DRIVER,
>>>> APPLICATION, SAL_RT_DRIVER to support all module
>>>> types
>>>> It can only be used together with
>>>> --keepexceptiontable,
>>>> --keepzeropending, --keepoptionalheader, -r, -o
>>>> option.
>>>> It is a action option. If it is combined with
>>>> other action options,
>>>> the later input action option will override the
>>>> previous one.
>>>> -c, --acpi Create Acpi table.
>>>> It can't be combined with other action options
>>>> except for -o, -r option. It is a action option.
>>>> If it is combined with other action options, the
>>>> later
>>>> input action option will override the previous one.
>>>> -t, --terse Create Te Image.
>>>> It can only be used together with
>>>> --keepexceptiontable,
>>>> --keepzeropending, --keepoptionalheader, -r, -o
>>>> option.
>>>> It is a action option. If it is combined with
>>>> other action options,
>>>> the later input action option will override the
>>>> previous one.
>>>> -u, --dump Dump TeImage Header.
>>>> It can't be combined with other action options
>>>> except for -o, -r option. It is a action option.
>>>> If it is combined with other action options, the
>>>> later
>>>> input action option will override the previous one.
>>>> -z, --zero Zero the Debug Data Fields in the PE input image
>>>> file.
>>>> It also zeros the time stamp fields.
>>>> This option can be used to compare the binary efi
>>>> image.
>>>> It can't be combined with other action options
>>>> except for -o, -r option. It is a action option.
>>>> If it is combined with other action options, the
>>>> later
>>>> input action option will override the previous one.
>>>> -b, --exe2bin Convert the input EXE to the output BIN file.
>>>> It can't be combined with other action options
>>>> except for -o, -r option. It is a action option.
>>>> If it is combined with other action options, the
>>>> later
>>>> input action option will override the previous one.
>>>> -l, --stripped Strip off the relocation info from PE or TE image.
>>>> It can't be combined with other action options
>>>> except for -o, -r option. It is a action option.
>>>> If it is combined with other action options, the
>>>> later
>>>> input action option will override the previous one.
>>>> -s timedate, --stamp timedate
>>>> timedate format is "yyyy-mm-dd 00:00:00". if
>>>> timedata
>>>> is set to NOW, current system time is used. The
>>>> support
>>>> date scope is 1970-01-01 00+timezone:00:00
>>>> ~ 2038-01-19 03+timezone:14:07
>>>> The scope is adjusted according to the different
>>>> zones.
>>>> It can't be combined with other action options
>>>> except for -o, -r option. It is a action option.
>>>> If it is combined with other action options, the
>>>> later
>>>> input action option will override the previous one.
>>>> -m, --mcifile Convert input microcode txt file to microcode bin
>>>> file.
>>>> It can't be combined with other action options
>>>> except for -o option. It is a action option.
>>>> If it is combined with other action options, the
>>>> later
>>>> input action option will override the previous one.
>>>> -j, --join Combine multi microcode bin files to one file.
>>>> It can be specified with -a, -p, -o option.
>>>> No other options can be combined with it.
>>>> If it is combined with other action options, the
>>>> later
>>>> input action option will override the previous one.
>>>> -a NUM, --align NUM NUM is one HEX or DEC format alignment value.
>>>> This option is only used together with -j option.
>>>> -p NUM, --pad NUM NUM is one HEX or DEC format padding value.
>>>> This option is only used together with -j option.
>>>> --keepexceptiontable Don't clear exception table.
>>>> This option can be used together with -e or -t.
>>>> It doesn't work for other options.
>>>> --keepoptionalheader Don't zero PE/COFF optional header fields.
>>>> This option can be used together with -e or -t.
>>>> It doesn't work for other options.
>>>> --keepzeropending Don't strip zero pending of .reloc.
>>>> This option can be used together with -e or -t.
>>>> It doesn't work for other options.
>>>> -r, --replace Overwrite the input file with the output content.
>>>> If more input files are specified,
>>>> the last input file will be as the output file.
>>>> -g HiiPackageListGuid, --hiiguid HiiPackageListGuid
>>>> Guid is used to specify hii package list guid.
>>>> Its format is xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
>>>> If not specified, the first Form FormSet guid is
>>>> used.
>>>> --hiipackage Combine all input binary hii packages into
>>>> a single package list as the text resource
>>>> data(RC).
>>>> It can't be combined with other action options
>>>> except for -o option. It is a action option.
>>>> If it is combined with other action options, the
>>>> later
>>>> input action option will override the previous one.
>>>> --hiibinpackage Combine all input binary hii packages into
>>>> a single package list as the binary resource
>>>> section.
>>>> It can't be combined with other action options
>>>> except for -o option. It is a action option.
>>>> If it is combined with other action options, the
>>>> later
>>>> input action option will override the previous one.
>>>> --rc FlieName Append a Hii resource section to the
>>>> last PE/COFF section. The FileName is the resource
>>>> section to append
>>>> If FileName does not exist this operation is
>>>> skipped. This feature is
>>>> only intended for toolchains, like XCODE, that
>>>> don't suport $(RC).
>>>> This option can only be combined with -e
>>>> --rebase NewAddress Rebase image to new base address. New address
>>>> is also set to the first none code section header.
>>>> It can't be combined with other action options
>>>> except for -o or -r option. It is a action option.
>>>> If it is combined with other action options, the
>>>> later
>>>> input action option will override the previous one.
>>>> --address NewAddress Set new address into the first none code
>>>> section header of the input image.
>>>> It can't be combined with other action options
>>>> except for -o or -r option. It is a action option.
>>>> If it is combined with other action options, the
>>>> later
>>>> input action option will override the previous one.
>>>> -v, --verbose Turn on verbose output with informational messages.
>>>> -q, --quiet Disable all messages except key message and fatal
>>>> error
>>>> -d, --debug level Enable debug messages, at input debug level.
>>>> --version Show program's version number and exit
>>>> -h, --help Show this help message and exit
>>>>
>>>> Thanks,
>>>>
>>>> Andrew Fish
>>>>
>>>>> Best regards,
>>>>> Marvin
>>>>>
>>>>> On 08.04.21 16:13, Andrew (EFI) Fish wrote:
>>>>>> At a minimum it would be nice if we had a tool that would point out the
>>>>>> security faults with a given PE/COFF file layout.
>>>>>>
>>>>>>> …

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links:
View/Reply Online (#73884): https://edk2.groups.io/g/devel/message/73884
-=-=-=-=-=-=-=-=-=-=-=-
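
The kind of overview-plus-warnings dump proposed in this thread, as an added example that is not code from GenFw, MdePkg or either poster: it parses the PE/COFF headers and section table and reports layout findings. The thread does not say which properties count as insecure, so the checks used here (SectionAlignment below 4 KiB, sections both writable and executable, raw data outside the file) and the names `inspect_pe` and `build_sample` are assumptions, and the input is a constructed header-only blob.

```python
import struct

SCN_EXEC, SCN_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / _WRITE
SEC_FMT = "<8sIIII12xI"  # name, VirtualSize, VirtualAddress, raw size, raw offset, flags

def inspect_pe(data):
    """Return (sections, findings) for a PE/COFF image held in bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    table = pe + 24 + opt_size
    if opt_size < 40 or table + 40 * nsec > len(data):
        raise ValueError("truncated headers")
    # SectionAlignment sits at offset 32 of the optional header (PE32 and PE32+).
    sec_align = struct.unpack_from("<I", data, pe + 24 + 32)[0]
    findings = []
    if sec_align < 0x1000:  # assumed check: sections cannot get per-page protection
        findings.append(f"SectionAlignment {sec_align:#x} < 4 KiB page size")
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, roff, flags = struct.unpack_from(SEC_FMT, data, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, va, vsize, flags))
        if flags & SCN_EXEC and flags & SCN_WRITE:  # assumed check: W+X section
            findings.append(f"{name}: writable and executable")
        if roff + rsize > len(data):  # raw data must lie inside the file
            findings.append(f"{name}: raw data extends past end of file")
    return sections, findings

def build_sample():
    """Constructed header-only PE32+ blob for the demo, not a real binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 40, 0)
    opt = struct.pack("<H30xII", 0x20B, 0x20, 0x20)  # magic, Section/FileAlignment
    def sec(name, va, flags):
        return struct.pack(SEC_FMT, name, 0x20, va, 0, 0, flags)
    return (dos + coff + opt + sec(b".text", 0x1000, 0x60000020)
            + sec(b".data", 0x2000, 0xE0000040))

if __name__ == "__main__":
    sections, findings = inspect_pe(build_sample())
    for name, va, vsize, flags in sections:
        print(f"{name:8} va={va:#x} size={vsize:#x} flags={flags:#010x}")
    for finding in findings:
        print("WARNING:", finding)
```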