uefi: fs: Add file times plumbing

[Ayush1325]

• Add plumbing to allow conversions to and from UEFI Time to Rust SystemTime.
• Also add FileTimes implementation.

cc @nicholasbishop

r? @petrochenkov

[petrochenkov]

(I'll initially mark these PRs as waiting on author in the sense that, that they are waiting for the author to summon @nicholasbishop and get a review. It can be marked as ready when there's a review.)
@rustbot author

[Ayush1325]

@rustbot label +O-UEFI

[joboet]

I'm a bit worried about the edge cases here. It's not that uncommon to end up with a system time of 1970-1-1 if the devices clock is uninitialised. If the current timezone is positive, this might lead to a panic when converting it to a UNIX time. Considering the insanely large bounds afforded by secs being 64-bit, using a signed integer in the conversion algorithm would allow converting dates before the UNIX epoch as well.

Aside from that, the checked methods on SystemTime operate on the assumption that the operation will fail if the time is not representable in the operating system format – but this is currently not the case: UEFI allows times from the year 1900 up to and including the year 9999, whereas a Duration since the UNIX epoch allows representing times from 1970 up to the heat death of the universe, but not before that. I think it would be better to use the UEFI time representation for SystemTime and only convert it into a Duration for the addition/subtraction operations.

[joboet]

I'd use subtraction here, just like the formula in the UEFI spec.

Suggested change

	dur.as_secs().checked_add_signed(-timezone as i64).unwrap()
	dur.as_secs().checked_sub_signed(timezone as i64).expect("times should be representable as local UEFI times")

[Ayush1325]

checked_sub_signed is currently unstable. I can add the feature if that is fine though.

[joboet]

This is clear by operator precedence, and the source doesn't use parenthesis here either.

Suggested change

	let doe = z - (era * 146097);
	let doe = z - era * 146097;

[Ayush1325]

I'm a bit worried about the edge cases here. It's not that uncommon to end up with a system time of 1970-1-1 if the devices clock is uninitialised. If the current timezone is positive, this might lead to a panic when converting it to a UNIX time. Considering the insanely large bounds afforded by secs being 64-bit, using a signed integer in the conversion algorithm would allow converting dates before the UNIX epoch as well.

Aside from that, the checked methods on SystemTime operate on the assumption that the operation will fail if the time is not representable in the operating system format – but this is currently not the case: UEFI allows times from the year 1900 up to and including the year 9999, whereas a Duration since the UNIX epoch allows representing times from 1970 up to the heat death of the universe, but not before that. I think it would be better to use the UEFI time representation for SystemTime and only convert it into a Duration for the addition/subtraction operations.

Yes, I did come to the same conclusion. I think the reason I initially went with duration was to have a simple implementation for all the function implemented on SystemTime (since all the results there are in Duration). I will try representing SystemTime using UEFI Time internally and see how it looks.

[bors]

☔ The latest upstream changes (presumably #145300) made this pull request unmergeable. Please resolve the merge conflicts.

[Ayush1325]

@rustbot ready

ping @nicholasbishop @joboet

[petrochenkov]

r? @joboet

[nicholasbishop]

Time implements Default, so can't we keep deriving Default here and remove ZERO_TIME?

[Ayush1325]

Fixed

[joboet]

Can we avoid this panic? As the SystemTime was created successfully (i.e. checked_add did not return an error), this panic will come as a surprise to users.

A better way perhaps would be to try the initial timezone first, and if that fails, return the closest timezone (minute offset) that still allows the time to be represented. If filesystems ignore the timezone field, this would lead to the first and last 1440 minutes being collapsed into one minute, which doesn't seem too bad.

[Ayush1325]

I have added the appropriate helpers to use the closest timezone. I have also added the tests that I have used locally to check the new timezone.

[nicholasbishop]

uefi lgtm

View changes since this review

[nicholasbishop]

Suggested change

	/// Create UEFI Time with the closes timezone (minute offset) that still allows the time to be
	/// Create UEFI Time with the closest timezone (minute offset) that still allows the time to be

[Ayush1325]

Fixed

[beetrees]

Thanks for working on this.

View changes since this review

[beetrees]

UEFI allows creation time to be set, so created should be part of the FileTimes struct (a future PR can then use it to implement set_created in an extension trait like on Windows and Apple platforms).

[Ayush1325]

Done

[beetrees]

.timezone and .daylight will always be zero here (unless set_accessed/set_modified was called previously and that time had to have it's timezone adjusted to fit in the range of EFI_TIME). The EDK II FAT driver will ignore the timezone when setting the time.. As FAT stores timestamps in the system local time, this conversion should use the current system timezone from the runtime services GetTime in order to be compatible with that driver's behaviour. This conversion should be done in the File::set_times implementation to have consistent behaviour in the (unlikely) event the timezone is changed between the call to set_accessed and the actual setting of the file times in File::set_times (which I believe isn't being implemented in this PR); therefore the FileTimes struct should look something like struct FileTimes { accessed: SystemTime, modified: SystemTime, created: SystemTime }.

[Ayush1325]

I have converted all FileTimes members to be SystemTime.

[beetrees]

FAT timestamps are always stored in local time in the system timezone, and the EDK II FAT driver uses EFI_UNSPECIFIED_TIMEZONE to represent this. Therefore, if the modified/accessed/created EFI time has a timezone of unspecified, this conversion should use the timezone from the runtime services GetTime in order to be compatible.

[Ayush1325]

Since this PR does not have any boundary code, I have added helper uefi_to_systemtime that uses the timezone from current time in unspecified timezone cases.
When converting back to UEFI time, I am also using local timezone now in the helper systemtime_to_uefi

All these helpers are local fs since we do not know if some other subsystem might want to handle these specific cases differently.

[joboet]

This is the wrong sign – you need to add the new timezone offset. Also, this will panic for positive timezones when the duration is very small – the overflow check should occur below.

[Ayush1325]

The UEFI fields are in locatime. And it is given in the spec that LocalTime = UTC - Timezone. When converting from UEFI to our time in secs from epoch, we do LocalTime + Timezone since we want to have the secs when time is in UTC.
So to get back localtime, wouldn't we do UTC secs - Timezone?

[joboet]

Ah, I got confused because RFC 3339 uses the exact opposite sign convention. You are indeed correct.

[joboet]

This will still panic for Duration::ZERO in e.g. timezone 1440 though.

[joboet]

Maybe you could rename this to SYSTEMTIME_TIMEZONE so that its clearer in which direction the delta applies?

[Ayush1325]

Renamed

[joboet]

Suggested change

	let Some(secs) = secs.checked_sub(TIMEZONE_DELTA) else {
	let Some(secs) = secs.checked_add_signed((timezone - SYSTEMTIME_TIMEZONE) as i64 * SECS_IN_MINUTE) else {

[Ayush1325]

This should also not be needed now. The first subtraction contains the comment explaining why it is fine to unwrap, since it can never fail.

[joboet]

Is there a usecase for to_uefi outside of to_uefi_loose? Otherwise you could update the timezone here instead of returning an error.

[Ayush1325]

Well, I am not sure how to deal with the other case (end of re-presentable time) early. So not sure if there is much benefit if I need to do a recursive call at the end.

I can think about optimizing it more over the weekend if that is required. But it is possible that having this strict version of the function will be required when adding something in the future anyway.

[beetrees]

This should also take the daylight value from time::system_time_internal::now().

[Ayush1325]

Added

[beetrees]

Suggested change

	accessed: SystemTime,
	modified: SystemTime,
	created: SystemTime,
	accessed: Option<SystemTime>,
	modified: Option<SystemTime>,
	created: Option<SystemTime>,

Apologies, my suggestion in my previous review comment was incomplete. These all need to be optional as when using FileTimes to set file timestamps it's possible to only set some of the timestamps.

[Ayush1325]

Fixed

[beetrees]

Suggested change

	#[allow(dead_code)]
	#[expect(dead_code)]

To ensure the attribute gets removed once the function is used (same with the #[allow(dead_code)] on systemtime_to_uefi).

[Ayush1325]

Fixed

[phip1611]

LGTM.

PS: Still not familiar with the development model and best practices within Rust std itself.

View changes since this review

[phip1611]

is returning a Result here enforced by higher-level APIs in Rust STD? If not, why not return Option<SystemTime>?

[Ayush1325]

Yup, it is.

[phip1611]

why dead code?

[Ayush1325]

Well, just to keep the PRs small to review, and maintain continuity in future PRs. Any interactions with these conversions will require implementing GetInfo, which uses a C DST (and hence would require care and proper review) and thus needs to be a separate PR.

Also, the to and fro conversion are strongly related. So best to present them in the same PR.

It might be 2026 by the time that I start upstreaming code that requires conversion from UEFI to systemtime. So I would probably forget a lot of the important information in the current discussion. Having a conversion function already present saves having to repeat the same discussion (or worse, letting wrong code be merged).

[rustbot]

This PR was rebased onto a different master commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

[joboet]

If I understand correctly, UEFI's EFI_FILE_INFO always contains the file times, right? Then this shouldn't be FileTimes, but rather unconditionally contain the SystemTimes. That also gets rid of the weird unsupported error in the accessors below.

[joboet]

Something is wrong in the code, this should succeed (localtime = UTC - timezone, so the local time is after the 1st of january 1900).

[joboet]

This is incorrect, if 1450 * SECS_IN_MINUTE is representable in timezone 10, then times after that should be too, right?

[joboet]

The timezone for SystemTime is -1440, since that is the timezone with the earliest representable value. So the sign of this value should be flipped (as well as the sign of the additions/subtractions you use it for).

[joboet]

Splitting this calculation is confusing to me, as we want to do a conversion from the original timezone to timezone -1440. Could you perhaps normalise the timezone first (change UNSPECIFIED_TIMEZONE to UTC) and then do the conversion in one go?

[joboet]

This will still panic for Duration::ZERO in e.g. timezone 1440 though.

[bors]

☔ The latest upstream changes (presumably #147826) made this pull request unmergeable. Please resolve the merge conflicts.