narenas
/
opengnsys_ipxe
mirror of https://github.com/ipxe/ipxe.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Clone of ipxe replica repo
6,869 Commits
13 Branches
11 Tags
107 MiB
C 97.4%
Assembly 1.3%
Perl 0.6%
Makefile 0.4%
Python 0.2%
 
 
 
 
 
Go to file
Michael Brown 358db15612 [efi] Create safe wrappers for OpenProtocol() and CloseProtocol() 
The UEFI model for opening and closing protocols is broken by design
and cannot be repaired.

Calling OpenProtocol() to obtain a protocol interface pointer does
not, in general, provide any guarantees about the lifetime of that
pointer.  It is theoretically possible that the pointer has already
become invalid by the time that OpenProtocol() returns the pointer to
its caller.  (This can happen when a USB device is physically removed,
for example.)

Various UEFI design flaws make it occasionally necessary to hold on to
a protocol interface pointer despite the total lack of guarantees that
the pointer will remain valid.

The UEFI driver model overloads the semantics of OpenProtocol() to
accommodate the use cases of recording a driver attachment (which is
modelled as opening a protocol with EFI_OPEN_PROTOCOL_BY_DRIVER
attributes) and recording the existence of a related child controller
(which is modelled as opening a protocol with
EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER attributes).

The parameters defined for CloseProtocol() are not sufficient to allow
the implementation to precisely identify the matching call to
OpenProtocol().  While the UEFI model appears to allow for matched
open and close pairs, this is merely an illusion.  Calling
CloseProtocol() will delete *all* matching records in the protocol
open information tables.

Since the parameters defined for CloseProtocol() do not include the
attributes passed to OpenProtocol(), this means that a matched
open/close pair using EFI_OPEN_PROTOCOL_GET_PROTOCOL can inadvertently
end up deleting the record that defines a driver attachment or the
existence of a child controller.  This in turn can cause some very
unexpected side effects, such as allowing other UEFI drivers to start
controlling hardware to which iPXE believes it has exclusive access.
This rarely ends well.

To prevent this kind of inadvertent deletion, we establish a
convention for four different types of protocol opening:

- ephemeral opens: always opened with ControllerHandle = NULL

- unsafe opens: always opened with ControllerHandle = AgentHandle

- by-driver opens: always opened with ControllerHandle = Handle

- by-child opens: always opened with ControllerHandle != Handle

This convention ensures that the four types of open never overlap
within the set of parameters defined for CloseProtocol(), and so a
close of one type cannot inadvertently delete the record corresponding
to a different type.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
 		2025-03-24 13:19:23 +00:00
.github/workflows [ci] Update action versions to silence GitHub warnings 2024-03-07 23:25:35 +00:00
contrib [crypto] Update cmsdetach to work with python-asn1 version 3.0.0 2025-03-17 11:48:06 +00:00
src [efi] Create safe wrappers for OpenProtocol() and CloseProtocol() 2025-03-24 13:19:23 +00:00
COPYING [legal] Update GPLv2 licence text 2015-02-26 17:59:53 +00:00
COPYING.GPLv2 [legal] Update GPLv2 licence text 2015-02-26 17:59:53 +00:00
COPYING.UBDL [legal] Add support for the Unmodified Binary Distribution Licence 2015-03-02 12:07:14 +00:00
README [doc] Re-add README file 2010-05-28 00:03:47 +01:00

README 

iPXE README File

Quick start guide:

   cd src
   make

For any more detailed instructions, see http://ipxe.org