Network Boot from Bell Labs June 6, 2020 Kernel/VM Online Part 1 @retrage

Network Boot

What’s Network Boot? • Downloads OS image from remote server and boots OS • BIOS has network stack to make it possible • Existing network boots: • PXE Boot • HTTP Boot Se e Se e A Ne o k S ack Clien Clien A BIOS Ne o k S ack

PXE Boot • Widely used, industry standard • Legacy BIOS/UEFI • iPXE • Transferring using TFTP • Requires dedicated server Existing Network Boots

HTTP Boot • Supported from UEFI 2.5 (2015) • Transferring using HTTP • No dedicated server required • Modern features • DNS support • TLS support (HTTPS Boot) • @tnishinaga’s blog post[1] Existing Network Boots EFI_HTTP_PROTOCOL + Ge ModeDa a(): EFI_HTTP_GET_MODE_DATA + Con g e(): EFI_HTTP_CONFIGURE + Re e (): EFI_HTTP_REQUEST + Cancel(): EFI_HTTP_CANCEL + Re on e(): EFI_HTTP_RESPONSE + Poll(): EFI_HTTP_POLL

Unified Extensible Firmware Interface

UEFI is Extensible • UEFI is modular design • Module is called Protocol • UEFI loads protocols • EFI_BOOT_SERVICES has protocol installer functions P c P c P c UEFI D e EFI_BOOT_SERVICES.I a P c I e face() + Ha d e: EFI_HANDLE* + P c : EFI_GUID* + I e faceT e: EFI_INTERFACE_TYPE + I e face: VOID*

Simple File System Protocol • Provides a file system independent file operation interface • However, UEFI supports FAT only by default UEFI Protocol Example EFI_SIMPLE_FILE_SYSTEM_PROTOCOL.O e V e() + T : EFI_SIMPLE_FILE_SYSTEM_PROTOCOL* + R : EFI_FILE_PROTOCOL** 1 EFI_FILE_PROTOCOL + O e (): EFI_FILE_OPEN + C e(): EFI_FILE_CLOSE + De e e(): EFI_FILE_DELETE + Read(): EFI_FILE_READ + W e(): EFI_FILE_WRITE + Ge P (): EFI_FILE_GET_POSITION + Se P (): EFI_FILE_SET_POSITION + Ge I (): EFI_FILE_GET_INFO + Ge I (): EFI_FILE_SET_INFO + F (): EFI_FILE_FLUSH + O e E (): EFI_FILE_OPEN_EX + ReadE (): EFI_FILE_READ_EX + W eE (): EFI_FILE_WRITE_EX + F E (): EFI_FILE_FLUSH_EX

Is there any use case for Simple File System Protocol?

Rootkits: Ultimately Practical Use case Strong Evidence of UEFI Flexibility • UEFI rootkit is a malware targets UEFI • Deploys another malware (Kernel Rootkits, Agents) • Hacking Team’s rkloader[2] and LoJax[3] • NTFS-3G was ported to UEFI to implant kernel rootkit against Windows

If a network transparent file system exists, it can be used for more flexible network boot.

“Here’s Glenda.”

Plan 9 File Protocol (9P) • Plan 9 from Bell Labs[7] • “Everything is a file.” • 9P provides file system operation interface for local/ remote processes[8] Ser er T alk R alk T ersion R ersion Ta ach Ra ach Topen Ropen Tread Rread

OK. But is 9P still used?

9P Use cases Linux • v9fs: 9P fs client[4]

9P Use cases Linux • v9fs: 9P fs client[4] VirtIO • virtio-9p: 9P server[5] • For sharing host files

9P Use cases Linux • v9fs: 9P fs client[4] VirtIO • virtio-9p: 9P server[5] • For sharing host files Windows • WSL2: 9P fs client[6] • For sharing Linux files

GLENDA: ALL YOUR FS ARE BELONG TO US.

9pfsPkg: 9P Client for UEFI Network Transparent File System • Provides Simple File System Protocol interface • Advantages: • Can operate a remote 9P file system like a local file system • Can use existing UEFI tools without any modification • No dedicated server required • Source code available at: https://github.com/yabits/9pfsPkg

9P Boot Overview • UEFI loads 9pfsPkg UEFI driver and registers 9P FS volume • 9pfsPkg communicates with 9P server using UEFI network stack • 9P server operates files in exported directory (e.g. /tmp/9) UEFI 9 f P V e C e Se e 9P Se e Ne S ac / /9 F e S e

Booting from Remote Like a Boss Only a Local File System (FS0:) Exists

Booting from Remote Like a Boss Load 9pfsPkg UEFI Driver (9pfs.efi)

Booting from Remote Like a Boss New 9P File System (FS1:) Appeared with Strange Device Path

Booting from Remote Like a Boss Boot GRUB as If Local Disk

9pfsPkg Application

Proxy Boot: Booting from Cloud Storage Booting from Google Cloud Platform Storage • Mount GCP Storage (GCS) using gcsfuse[9] on the server • Set the GCS mount directory (e.g. /mnt/gcs) as 9P exported directory • From UEFI, GCS is mounted indirectly as if local disk 8QWLWOHG'LDJUDPGUDZLR *&3 6WRUDJH 8(), SIV3NJ 9ROXPH 36HUYHU 1HWZRUN6WDFN )86( JFVIXVH PQWJFV &OLHQW 6HUYHU

Proxy Boot: Booting from GCS Upload Boot Image to GCS Bucket

Proxy Boot: Booting from GCS Mount GCS Bucket using gcsfuse

Proxy Boot: Booting from GCS Boot BitVisor from CGS Bucket via 9P Server

Summary • Existing network-aware boots are less flexible • UEFI can handle non-FAT file system using external UEFI drivers • 9P is useful for file sharing • 9pfsPkg is a 9P client for UEFI with Simple File System Protocol interface • Provides network transparent file system boot (9P Boot) • Can boot from cloud storage without any effort (Proxy Boot) • Call for 9pfsPkg Applications: Any Idea?

References • [0] https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf • [1] https://tnishinaga.hatenablog.com/entry/2017/12/22/221956 • [2] https://github.com/hackedteam/vector-edk • [3] https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf • [4] https://www.kernel.org/doc/Documentation/filesystems/9p.txt • [5] https://www.linux-kvm.org/page/9p_virtio • [6] https://youtu.be/63wVlI9B3Ac?t=481 • [7] https://9p.io/plan9/ • [8] http://man.cat-v.org/plan_9/5/ • [9] https://github.com/GoogleCloudPlatform/gcsfuse

9pfsPkg Details • 9P.2000L (9P Linux extension) compliant • Read-only file system • TCP/IPv4 support • Static IP only • Configurable via UEFI variables • Authentication not implemented yet • Known Issue: ExitBootServices() hangs