[202405] ImageValidation.py: Don't parse entire image#1127
Merged
Javagedes merged 1 commit intomicrosoft:release/202405from Aug 29, 2024
Javagedes:202405-image-validation
Merged
[202405] ImageValidation.py: Don't parse entire image#1127Javagedes merged 1 commit intomicrosoft:release/202405from Javagedes:202405-image-validation
Javagedes merged 1 commit intomicrosoft:release/202405from
Javagedes:202405-image-validation
Conversation
This commit modifies the PE parsing functionality to only parse the headers of the image, rather than the entire image. This change is made to improve performance and also the probability of failing to parse the entire image. This comes after this commit (erocarrera/pefile#365) in pefile resulted in efi image parsing failures, breaking the build. This commit also wraps the parsing of the image in a try-except block to catch any exceptions that may be raised during parsing, to cleanly exit.
os-d
approved these changes
Aug 29, 2024
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## release/202405 #1127 +/- ##
===============================================
Coverage 1.59% 1.59%
===============================================
Files 1448 1448
Lines 362487 362487
Branches 5632 5632
===============================================
Hits 5776 5776
Misses 356604 356604
Partials 107 107
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Contributor
Author
Not upstreamed yet |
apop5
approved these changes
Aug 29, 2024
apop5
pushed a commit
to apop5/mu_basecore
that referenced
this pull request
Jan 2, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- microsoft#340
- microsoft#537
- microsoft#539
- microsoft#747
- microsoft#1100
- microsoft#1127
- microsoft#1142
- microsoft#1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
to apop5/mu_basecore
that referenced
this pull request
Feb 2, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- microsoft#340
- microsoft#537
- microsoft#539
- microsoft#747
- microsoft#1100
- microsoft#1127
- microsoft#1142
- microsoft#1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
to apop5/mu_basecore
that referenced
this pull request
Feb 3, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- microsoft#340
- microsoft#537
- microsoft#539
- microsoft#747
- microsoft#1100
- microsoft#1127
- microsoft#1142
- microsoft#1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
that referenced
this pull request
Feb 3, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- #340
- #537
- #539
- #747
- #1100
- #1127
- #1142
- #1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
that referenced
this pull request
Feb 10, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- #340
- #537
- #539
- #747
- #1100
- #1127
- #1142
- #1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
that referenced
this pull request
Feb 14, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- #340
- #537
- #539
- #747
- #1100
- #1127
- #1142
- #1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
that referenced
this pull request
Feb 14, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- #340
- #537
- #539
- #747
- #1100
- #1127
- #1142
- #1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
to apop5/mu_basecore
that referenced
this pull request
Feb 24, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- microsoft#340
- microsoft#537
- microsoft#539
- microsoft#747
- microsoft#1100
- microsoft#1127
- microsoft#1142
- microsoft#1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
that referenced
this pull request
Feb 27, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- #340
- #537
- #539
- #747
- #1100
- #1127
- #1142
- #1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
that referenced
this pull request
Feb 28, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- #340
- #537
- #539
- #747
- #1100
- #1127
- #1142
- #1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
that referenced
this pull request
Mar 2, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- #340
- #537
- #539
- #747
- #1100
- #1127
- #1142
- #1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
that referenced
this pull request
Mar 3, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- #340
- #537
- #539
- #747
- #1100
- #1127
- #1142
- #1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
to apop5/mu_basecore
that referenced
this pull request
Dec 2, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- microsoft#340
- microsoft#537
- microsoft#539
- microsoft#747
- microsoft#1100
- microsoft#1127
- microsoft#1142
- microsoft#1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
to apop5/mu_basecore
that referenced
this pull request
Dec 15, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- microsoft#340
- microsoft#537
- microsoft#539
- microsoft#747
- microsoft#1100
- microsoft#1127
- microsoft#1142
- microsoft#1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
to apop5/mu_basecore
that referenced
this pull request
Dec 16, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- microsoft#340
- microsoft#537
- microsoft#539
- microsoft#747
- microsoft#1100
- microsoft#1127
- microsoft#1142
- microsoft#1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
to apop5/mu_basecore
that referenced
this pull request
Dec 17, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- microsoft#340
- microsoft#537
- microsoft#539
- microsoft#747
- microsoft#1100
- microsoft#1127
- microsoft#1142
- microsoft#1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
to apop5/mu_basecore
that referenced
this pull request
Dec 22, 2025
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- microsoft#340
- microsoft#537
- microsoft#539
- microsoft#747
- microsoft#1100
- microsoft#1127
- microsoft#1142
- microsoft#1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
to apop5/mu_basecore
that referenced
this pull request
Jan 7, 2026
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- microsoft#340
- microsoft#537
- microsoft#539
- microsoft#747
- microsoft#1100
- microsoft#1127
- microsoft#1142
- microsoft#1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
that referenced
this pull request
Jan 10, 2026
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- #340
- #537
- #539
- #747
- #1100
- #1127
- #1142
- #1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
that referenced
this pull request
Jan 12, 2026
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- #340
- #537
- #539
- #747
- #1100
- #1127
- #1142
- #1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
that referenced
this pull request
Jan 15, 2026
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- #340
- #537
- #539
- #747
- #1100
- #1127
- #1142
- #1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
that referenced
this pull request
Jan 28, 2026
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- #340
- #537
- #539
- #747
- #1100
- #1127
- #1142
- #1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
apop5
pushed a commit
that referenced
this pull request
Feb 5, 2026
The addition of an PE/COFF image validation build plugin that will
verify all pe images against requirements defined in the configuration
file.
This plugin only runs if a path to a config file is provided via the
command line (PE_VALIDATION_PATH) or preferably Platform hardcoded in
the PlatformBuild.py file, so that each platform can have their own
requirements.
Previously, ImageValidation was an "opt-in" plugin by setting a build
variable `PE_VALIDATION_PATH`, however with this pull request, Image
Validation will be on by default, with some default configuration that
can be changed with a custom configuration yaml file.
The default requirements are:
1. All efi binaries must not be both write and execute
2. All efi binaries must have an image base of 0x0
3. All dxe phase binaries must be 4k section aligned, with the one
exception of AARCH64 DXE_RUNTIME_DRIVERS, which must be 64k aligned.
compiled binaries that need to be opted out of, can do so by adding an
`IGNORE_LIST` in the configuration file
```json
{
"IGNORE_LIST": ["Shell.efi", "etc"]
}
```
In previous iterations, the profile was determined by parsing the
makefile, looking for MODULE_TYPE. As each OS / tool chain may use a
different makefile type, this was not a reliable method. This updates
the plugin to read the INF for the compiled efi file to determine the
MODULE_TYPE and thus the profile.
The PE parsing functionality was modified to only parse the
headers of the image, rather than the entire image. This change is made
to improve performance and also the probability of failing to parse the
entire image. This comes after this commit
(erocarrera/pefile#365) in pefile resulted in
efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to
catch any exceptions that may be raised during parsing, to cleanly exit.
- Print directory paths considered invalid to aid debugging
- Build native OS file paths using os.path.join for walk dirs
- Clean up trailing whitespace throughout the file
Add gitignore style syntax for file exclusion
Contains:
- #340
- #537
- #539
- #747
- #1100
- #1127
- #1142
- #1140
Confirmed successful execution of the plugin on Windows with QemuQ35 and
Ubuntu with QemuSbsa
Validated on qemuq35 that the module type was successfully parsed.
Validated pipelines build on mu_tiano_platforms
- Local build with the plugin
- Tested invalid directory printing by adding an invalid arch
to `TARGET_ARCH` (so the directory doesn't exist in build output).
Ensured existing syntax (filename only) continues to work. Ensured
gitignore style syntax now works.
Platforms that begin to fail this test will need to generate a
configuration yaml file, and set a stuart build variable,
`PE_VALIDATION_PATH` to it. It is suggested to do this in the Platform's
`PlatformBuild.py`.
**The Correct Integration** is to evaluate the binary and why it is not
meeting the requirements. The platform can elect to update the
compilation of the binary to meet the requirements, add or override
validation rules for certain MODULE_TYPEs, or simply add the binary to
the ignore list. Please review the Plugin's readme.md file for more
details on doing any of these things.
Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This commit modifies the PE parsing functionality to only parse the headers of the image, rather than the entire image. This change is made to improve performance and also the probability of failing to parse the entire image. This comes after this commit (erocarrera/pefile#365) in pefile resulted in efi image parsing failures, breaking the build.
This commit also wraps the parsing of the image in a try-except block to catch any exceptions that may be raised during parsing, to cleanly exit.
See: microsoft/mu_tiano_platforms#1025 and erocarrera/pefile#421
How This Was Tested
Validated pipelines build on mu_tiano_platforms
Integration Instructions
N/A