
Network Boot from Bell Labs


This presentation was given at Kernel/VM Online Part 1.
The existing network boot methods (PXE Boot, HTTP Boot) are inflexible because they are network aware. The Plan 9 File Protocol (9P) provides a network transparent file system and is still widely used. In this presentation, I introduce 9pfsPkg, a 9P file system client for UEFI. It provides a network transparent file system through the EFI_SIMPLE_FILE_SYSTEM_PROTOCOL interface, so existing non-network-aware UEFI tools can use it without any modification, and it can boot from a remote 9P server (9P Boot). To demonstrate the flexibility of 9pfsPkg, I also introduce Proxy Boot, which can mount and boot cloud storage (Google Cloud Storage) via the server with little effort.


Akira Moroo

June 06, 2020

Transcript

  1. Network Boot from Bell Labs • June 6, 2020 • Kernel/VM Online Part 1 • @retrage
  2. Network Boot

  3. What’s Network Boot? • Downloads OS image from remote server and boots OS • BIOS has network stack to make it possible • Existing network boots: • PXE Boot • HTTP Boot (Diagram: Client with BIOS network stack, Server.)
  4. Existing Network Boots: PXE Boot • Widely used, industry standard • Legacy BIOS/UEFI • iPXE • Transferring using TFTP • Requires dedicated server
  5. Existing Network Boots: HTTP Boot • Supported from UEFI 2.5 (2015) • Transferring using HTTP • No dedicated server required • Modern features • DNS support • TLS support (HTTPS Boot) • @tnishinaga’s blog post[1] (Diagram: EFI_HTTP_PROTOCOL: GetModeData(): EFI_HTTP_GET_MODE_DATA, Configure(): EFI_HTTP_CONFIGURE, Request(): EFI_HTTP_REQUEST, Cancel(): EFI_HTTP_CANCEL, Response(): EFI_HTTP_RESPONSE, Poll(): EFI_HTTP_POLL)
  6. Unified Extensible Firmware Interface

  7. UEFI is Extensible • UEFI is modular design • Module is called Protocol • UEFI loads protocols • EFI_BOOT_SERVICES has protocol installer functions (Diagram: UEFI Driver installing Protocols; EFI_BOOT_SERVICES.InstallProtocolInterface(): Handle: EFI_HANDLE*, Protocol: EFI_GUID*, InterfaceType: EFI_INTERFACE_TYPE, Interface: VOID*)
  8. UEFI Protocol Example: Simple File System Protocol • Provides a file system independent file operation interface • However, UEFI supports FAT only by default (Diagram: EFI_SIMPLE_FILE_SYSTEM_PROTOCOL.OpenVolume(): This: EFI_SIMPLE_FILE_SYSTEM_PROTOCOL*, Root: EFI_FILE_PROTOCOL**; EFI_FILE_PROTOCOL: Open(): EFI_FILE_OPEN, Close(): EFI_FILE_CLOSE, Delete(): EFI_FILE_DELETE, Read(): EFI_FILE_READ, Write(): EFI_FILE_WRITE, GetPosition(): EFI_FILE_GET_POSITION, SetPosition(): EFI_FILE_SET_POSITION, GetInfo(): EFI_FILE_GET_INFO, SetInfo(): EFI_FILE_SET_INFO, Flush(): EFI_FILE_FLUSH, OpenEx(): EFI_FILE_OPEN_EX, ReadEx(): EFI_FILE_READ_EX, WriteEx(): EFI_FILE_WRITE_EX, FlushEx(): EFI_FILE_FLUSH_EX)
  9. Is there any use case for Simple File System Protocol?

  10. Rootkits: Ultimately Practical Use Case, Strong Evidence of UEFI Flexibility • A UEFI rootkit is malware that targets UEFI • Deploys another malware (kernel rootkits, agents) • Hacking Team’s rkloader[2] and LoJax[3] • NTFS-3G was ported to UEFI to implant a kernel rootkit against Windows
  11. If a network transparent file system exists, it can be used for more flexible network boot.
  12. “Here’s Glenda.”

  13. Plan 9 File Protocol (9P) • Plan 9 from Bell Labs[7] • “Everything is a file.” • 9P provides file system operation interface for local/remote processes[8] (Diagram: client/server message exchange: Tversion/Rversion, Tattach/Rattach, Twalk/Rwalk, Topen/Ropen, Tread/Rread.)
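The Tversion/Rversion handshake that opens the exchange in the diagram, plus the Rread reply a client receives when it reads a boot file, as an added C example (not 9pfsPkg’s own code). It assumes only the 9P2000 wire format (size[4] type[1] tag[2] ..., little-endian) and shows the length checks a client must apply before trusting the server’s msize or count; the sample replies are constructed, not captured traffic.

```c
#include <stdint.h>
#include <string.h>

/* 9P2000 message types (Plan 9 intro(5)); NOTAG is the fixed tag of Tversion/Rversion. */
enum { TVERSION = 100, RVERSION = 101, RREAD = 117 };
#define NOTAG 0xFFFF

/* 9P is little-endian on the wire; byte-wise helpers avoid host-endian and unaligned loads. */
static void put2(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put4(uint8_t *p, uint32_t v) { put2(p, (uint16_t)v); put2(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get2(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t get4(const uint8_t *p) { return get2(p) | (uint32_t)get2(p + 2) << 16; }

/* Build Tversion: size[4] type[1] tag[2] msize[4] version[s]. Returns bytes written, 0 if it does not fit. */
size_t build_tversion(uint8_t *buf, size_t cap, uint32_t msize, const char *version)
{
    size_t vlen = strlen(version), total = 13 + vlen;
    if (total > cap || vlen > 0xFFFF) return 0;
    put4(buf, (uint32_t)total); buf[4] = TVERSION; put2(buf + 5, NOTAG);
    put4(buf + 7, msize); put2(buf + 11, (uint16_t)vlen); memcpy(buf + 13, version, vlen);
    return total;
}

/* Parse Rversion: size[4] type[1] tag[2] msize[4] version[s]. Returns the negotiated msize, or 0
 * when the reply is malformed, names a version other than the one requested (e.g. "unknown"),
 * or claims an msize larger than the client offered (the size of its receive buffer). */
uint32_t parse_rversion(const uint8_t *buf, size_t len, const char *want, uint32_t max_msize)
{
    if (len < 13 || get4(buf) != len || buf[4] != RVERSION || get2(buf + 5) != NOTAG) return 0;
    uint32_t msize = get4(buf + 7);
    uint16_t vlen = get2(buf + 11);
    if (13 + (size_t)vlen != len || vlen != strlen(want) || memcmp(buf + 13, want, vlen)) return 0;
    return (msize == 0 || msize > max_msize) ? 0 : msize;
}

/* Parse Rread: size[4] type[1] tag[2] count[4] data[count]. Copies the data into out and returns
 * count, or -1 when count disagrees with the bytes actually received or exceeds the caller's
 * buffer: a client that trusted the count field alone would read or copy past its buffer. */
long parse_rread(const uint8_t *buf, size_t len, uint16_t tag, uint8_t *out, size_t cap)
{
    if (len < 11 || get4(buf) != len || buf[4] != RREAD || get2(buf + 5) != tag) return -1;
    uint32_t count = get4(buf + 7);
    if (count != len - 11 || count > cap) return -1;
    memcpy(out, buf + 11, count);
    return (long)count;
}

/* Constructed sample replies: Rversion "9P2000.L" (the dialect the deck says 9pfsPkg speaks)
 * with msize 8192, and Rread for tag 1 carrying the 5 bytes "GRUB\n". */
const uint8_t sample_rversion[] = { 0x15,0,0,0, 101, 0xFF,0xFF, 0x00,0x20,0,0, 0x08,0, '9','P','2','0','0','0','.','L' };
const uint8_t sample_rread[]    = { 0x10,0,0,0, 117, 0x01,0x00, 0x05,0,0,0, 'G','R','U','B','\n' };
```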
  14. OK. But is 9P still used?

  15. 9P Use cases Linux • v9fs: 9P fs client[4]

  16. 9P Use cases • Linux • v9fs: 9P fs client[4] • VirtIO • virtio-9p: 9P server[5] • For sharing host files
  17. 9P Use cases • Linux • v9fs: 9P fs client[4] • VirtIO • virtio-9p: 9P server[5] • For sharing host files • Windows • WSL2: 9P fs client[6] • For sharing Linux files
  18. GLENDA: ALL YOUR FS ARE BELONG TO US.

  19. 9pfsPkg: 9P Client for UEFI • Network Transparent File System • Provides Simple File System Protocol interface • Advantages: • Can operate a remote 9P file system like a local file system • Can use existing UEFI tools without any modification • No dedicated server required • Source code available at: https://github.com/yabits/9pfsPkg
  20. 9P Boot Overview • UEFI loads 9pfsPkg UEFI driver and registers 9P FS volume • 9pfsPkg communicates with 9P server using UEFI network stack • 9P server operates files in exported directory (e.g. /tmp/9) (Diagram: Client: UEFI, 9pfsPkg volume, network stack; Server: 9P server exporting /tmp/9 from its file system.)
  21. Booting from Remote Like a Boss • Only a Local File System (FS0:) Exists
  22. Booting from Remote Like a Boss • Load 9pfsPkg UEFI Driver (9pfs.efi)
  23. Booting from Remote Like a Boss • New 9P File System (FS1:) Appeared with Strange Device Path
  24. Booting from Remote Like a Boss • Boot GRUB as If Local Disk
  25. 9pfsPkg Application

  26. Proxy Boot: Booting from Cloud Storage • Booting from Google Cloud Platform Storage • Mount GCP Storage (GCS) using gcsfuse[9] on the server • Set the GCS mount directory (e.g. /mnt/gcs) as 9P exported directory • From UEFI, GCS is mounted indirectly as if local disk (Diagram: Client: UEFI, 9pfsPkg volume, network stack; Server: 9P server, FUSE/gcsfuse, /mnt/gcs; GCP Storage.)
  27. Proxy Boot: Booting from GCS • Upload Boot Image to GCS Bucket
  28. Proxy Boot: Booting from GCS • Mount GCS Bucket using gcsfuse

  29. Proxy Boot: Booting from GCS • Boot BitVisor from GCS Bucket via 9P Server
  30. Summary • Existing network-aware boots are less flexible • UEFI can handle non-FAT file systems using external UEFI drivers • 9P is useful for file sharing • 9pfsPkg is a 9P client for UEFI with Simple File System Protocol interface • Provides network transparent file system boot (9P Boot) • Can boot from cloud storage without any effort (Proxy Boot) • Call for 9pfsPkg Applications: Any Idea?
  31. References • [0] https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf • [1] https://tnishinaga.hatenablog.com/entry/2017/12/22/221956 • [2] https://github.com/hackedteam/vector-edk • [3] https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf • [4] https://www.kernel.org/doc/Documentation/filesystems/9p.txt • [5] https://www.linux-kvm.org/page/9p_virtio • [6] https://youtu.be/63wVlI9B3Ac?t=481 • [7] https://9p.io/plan9/ • [8] http://man.cat-v.org/plan_9/5/ • [9] https://github.com/GoogleCloudPlatform/gcsfuse
  32. 9pfsPkg Details • 9P2000.L (9P Linux extension) compliant • Read-only file system • TCP/IPv4 support • Static IP only • Configurable via UEFI variables • Authentication not implemented yet • Known Issue: ExitBootServices() hangs