On Fri, Sep 29, 2023 at 10:47 AM Marvin Häuser <mhaeu...@posteo.de> wrote:
>
>
> > On Sep 28, 2023, at 19:57, Pedro Falcato <pedro.falc...@gmail.com> wrote:
> >
> > On Wed, Sep 27, 2023 at 1:09 PM Gerd Hoffmann <kra...@redhat.com> wrote:
> >>
> >>  Hi,
> >>
> >> I've noticed that the edk2 ext4 driver does case-insensitive filename
> >> matching.  I know the fat filesystem is case-insensitive, and the uefi
> >> spec describing the fat filesystem also explicitly says it is
> >> case-insensitive.  On a quick scan I can't find anything in the uefi
> >> spec requiring *all* filesystem drivers being case-insensitive though.
> >>
> >> So I'm wondering whether the ext4 driver behavior is correct.  It
> >> certainly is different than the linux kernel's behavior which is (by
> >> default) case-sensitive.
>
> Maybe when Linux starts adhering to the spec for file names (the spec clearly 
> defines e.g. BOOTx64.EFI, while at least some distros/images use 
> bootx64.efi), this can be discussed. :) Let's not break various GRUB setups...

Agreed.
>
> >
> > Ok, so this is a funny problem. When I was originally writing it, I
> > noticed a good few consumers would expect case insensitiveness, so I
> > ended up needing case insensitive string comparison.
> >
> > As an example, in my current system:
> > Boot0001* ARCHLINUX
> > HD(1,GPT,7e1b2e20-3013-4683-b8ab-bef1f9bfb1c8,0x800,0x32000)/File(\EFI\ARCHLINUX\GRUBX64.EFI)
> > whereas the GRUB tooling installed itself as:
> > /boot/efi/EFI/ARCHLINUX/grubx64.efi
> >
> > I treated some good bits of the filesystem driver as "should remain
> > similar to FAT" due to compatibility reasons.
>
> Definitely must keep it that way. I think true user-facing case-sensitivity 
> is mostly a Linux thing, even recent macOS APFS is still only case-preserving 
> (UX-wise). There certainly is no real use-case for UEFI itself beyond things 
> like Linux interoperability.
>
> > I really really wouldn't
> > be surprised if lots of EFI code out there relied on case
> > insensitiveness or other FAT-ish stuff, instead of UNIX semantics.
> > (funnily enough, EFI also has the restriction where every filename
> > must be valid unicode, which is not the case on most UNIX systems out
> > there, that take the file name as "bag of bytes - '/'")
> >
> >>
> >> Also note that the linux kernel ext4 driver recently got support for
> >> case-insensitive file names, which must be explicitly enabled for both
> >> filesystems (EXT4_FEATURE_INCOMPAT_CASEFOLD) and directories
> >> (EXT4_CASEFOLD_FL).
> >
> > Ugh, this is annoying, they didn't even bother documenting it...
> > (https://www.kernel.org/doc/html/latest/filesystems/ext4/globals.html#super-incompat)
> > This leaves me in the awkward spot where figuring the behavior out
> > would require me to read the fs/ext4 code and thus be legally dubious,
> > yay :^)
>
> All hail GPL...
>
> >
> >>
> >> On practical terms I've run into actual problems due to Fedora mounting
> >> the ESP at /boot/efi[1] and UKIs (unified kernel images) should be
> >> placed in EFI/Linux on either ESP or XBOOTLDR partition, which on fedora
> >> translates to /boot/efi/EFI/Linux (ESP) or /boot/EFI/Linux (XBOOTLDR).
> >> So I have both /boot/efi and /boot/EFI ...
> >
> > Oh boy, that seems fun. So Ext4Dxe can only open one of the two dirs, right?
> > Now that I think of it, there should be fun behavior when doing an EFI
> > readdir, where you could find two dirents with "different" names but
> > then opening both will lead to the same dirent being open twice...
> > yuck
>
> Yes, but this often is not a concern due to case-preservation. There also 
> isn't much of a "right or wrong", as supporting case-insensitivity here could 
> change the semantics of existing desync'd sensitivity setups. However, 
> case-insensitivity would at least be more predictable.
>
> The only real options are:
>
> 1) We assume the host OS understands that UEFI is inherently case-sensitive 
> and doesn't do weird things, then the current behaviour makes sense. It's 
> efficient, doesn't touch unnecessary data, but it's not so predictable.

Status quo, kind of works but breaks in Gerd's use case.
>
> 2) We assume the host OS understands this, but we consider this a risk to 
> security. Then it might make sense to reject FSes that feature this. 
> Obviously Secure Boot and such should be taking care of only invoking trusted 
> binaries, but someone might be trying to invoke ambiguous FS driver behaviour 
> because they are aware of an exploit vector. Nevertheless, this seems 
> unnecessary and overkill, also it doesn't fix the broken UX. It will actually 
> completely break that Linux use-case, which might be a bug or a feature. :) 
> But it's predictable!

Probably not a way forward, yeah.
>
> 3) We assume the host OS does not do its job, but we are being nice anyway. 
> Then it might make sense to have opportunistic case-sensitivity, where 
> equality is preferred, but insensitive-equality is used as a fallback. This 
> fixes the issue when the OS is at least consistent in its 
> insensitivity-violation. However, as Pedro showed an example of a desync'd 
> device path and FS name, there is yet another loophole to (accidentally) 
> abuse the ambiguity. Not even some obviously crazy stuff like ranking by 
> editing distances can save you here. And it's also limited in predictability 
> when there is no exact match.
>

I'm relatively ok with this, aka doing an exact search first and
*only* then doing a case insensitive search (if CASEFOLD_FL, we would
skip the exact search). It should solve all compatibility problems
with UNIXes, although at the moment I'm wary of any possible security
concerns.

> I don't think any option is particularly nice, but 1) is the easiest. :)

1) is the easiest, but it also has weird edge cases.
3) has the nice property of being compatible with both
EFI/windows-style users (that expect insensitivity) and UNIX-style
users (that don't expect it), but it also has weird edge cases (true
insensitive behavior should make sure sHell.EFI and Shell.efi both
resolve to the same file in every situation).

Pick your poison :/

-- 
Pedro
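The following is an added illustration of the "option 3" lookup policy debated above (exact match first, case-insensitive fallback only when there is no exact match, skip the exact pass under EXT4_CASEFOLD_FL). It is not code from Ext4Dxe, edk2 or anyone in this thread. It deliberately goes one step beyond the discussion by refusing to guess when the fallback is ambiguous, which is exactly Gerd's /boot/efi vs /boot/EFI situation. Assumptions: ASCII-only case folding (Linux casefold uses Unicode folding), a flat in-memory directory instead of on-disk ext4 dirents, NUL-terminated names, and constructed inode numbers and directory contents modelled on the two layouts mentioned in the thread.

```c
/*
 * Added example, not Ext4Dxe code: name lookup in one directory with
 *   1) exact (byte-for-byte) match preferred,
 *   2) case-insensitive fallback only if no exact match exists,
 *   3) an explicit "ambiguous" result when several entries differ only by
 *      case, instead of silently opening whichever dirent comes first.
 * Under EXT4_CASEFOLD_FL the filesystem already guarantees a single folded
 * name per directory, so pass 1 is skipped (as Pedro proposed).
 *
 * Assumptions: ASCII folding only, flat in-memory directory, NUL-terminated
 * names; all directory contents and inode numbers below are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
  const char *Name;   /* name as stored on disk: a bag of bytes minus '/' */
  uint32_t    Inode;  /* constructed inode number */
} DIR_ENTRY;

typedef enum {
  LOOKUP_NOT_FOUND,   /* nothing matches, even case-insensitively */
  LOOKUP_EXACT,       /* byte-for-byte match */
  LOOKUP_CASEFOLD,    /* exactly one case-insensitive match (FAT-style fallback) */
  LOOKUP_AMBIGUOUS    /* several entries differ only by case; refuse to pick */
} LOOKUP_RESULT;

static int AsciiToLower(int c) {
  return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c;
}

/* ASCII-only case-insensitive equality; a stand-in for real Unicode folding. */
static bool AsciiCaseInsensitiveEq(const char *A, const char *B) {
  while (*A != '\0' && *B != '\0') {
    if (AsciiToLower((unsigned char)*A) != AsciiToLower((unsigned char)*B)) {
      return false;
    }
    A++;
    B++;
  }
  return *A == *B;   /* both must end at the same position */
}

LOOKUP_RESULT Ext4LookupName(const DIR_ENTRY *Dir, size_t Count,
                             const char *Wanted, bool CasefoldFl,
                             uint32_t *InodeOut) {
  size_t   Matches = 0;
  uint32_t Found   = 0;

  /* Pass 1 (skipped under EXT4_CASEFOLD_FL): an exact match wins outright. */
  if (!CasefoldFl) {
    for (size_t i = 0; i < Count; i++) {
      if (strcmp(Dir[i].Name, Wanted) == 0) {
        if (InodeOut) *InodeOut = Dir[i].Inode;
        return LOOKUP_EXACT;
      }
    }
  }

  /* Pass 2: case-insensitive fallback. Count every candidate so that a
     directory holding both "efi" and "EFI" is reported as ambiguous. */
  for (size_t i = 0; i < Count; i++) {
    if (AsciiCaseInsensitiveEq(Dir[i].Name, Wanted)) {
      Matches++;
      Found = Dir[i].Inode;
    }
  }
  if (Matches == 0) return LOOKUP_NOT_FOUND;
  if (Matches > 1)  return LOOKUP_AMBIGUOUS;
  if (InodeOut) *InodeOut = Found;
  return LOOKUP_CASEFOLD;
}

/* Constructed /boot as in Gerd's Fedora layout: "efi" (ESP mount point) and
   "EFI" (parent of the XBOOTLDR EFI/Linux directory) side by side. */
static const DIR_ENTRY kFedoraBootDir[] = {
  { "efi",    12 },
  { "EFI",    13 },
  { "loader", 14 },
};

/* Constructed ESP directory as GRUB wrote it (lower case), while the boot
   entry's device path names \EFI\ARCHLINUX\GRUBX64.EFI. */
static const DIR_ENTRY kArchEspDir[] = {
  { "grubx64.efi", 20 },
};

LOOKUP_RESULT LookupFedoraBoot(const char *Name, uint32_t *Inode) {
  return Ext4LookupName(kFedoraBootDir,
                        sizeof kFedoraBootDir / sizeof kFedoraBootDir[0],
                        Name, false, Inode);
}

LOOKUP_RESULT LookupArchEsp(const char *Name, bool CasefoldFl, uint32_t *Inode) {
  return Ext4LookupName(kArchEspDir, 1, Name, CasefoldFl, Inode);
}

int main(void) {
  uint32_t Inode = 0;
  printf("GRUBX64.EFI -> result %d, inode %u\n",
         (int)LookupArchEsp("GRUBX64.EFI", false, &Inode), Inode);
  printf("Efi in /boot -> result %d (3 = ambiguous)\n",
         (int)LookupFedoraBoot("Efi", NULL));
  return 0;
}
```

With this policy Pedro's GRUB entry still resolves (no exact "GRUBX64.EFI", a single folded candidate "grubx64.efi"), Gerd's two directories each resolve when spelled exactly, and a spelling that matches neither exactly is reported as ambiguous rather than opening one of the two at random.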


View/Reply Online (#109193): https://edk2.groups.io/g/devel/message/109193