Network Boot from Bell Labs

Transcript

1. Network Boot from Bell Labs June 6, 2020 Kernel/VM Online

   Part 1 @retrage

2. Network Boot

3. What’s Network Boot? • Downloads OS image from remote server

   and boots OS • BIOS has network stack to make it possible • Existing network boots: • PXE Boot • HTTP Boot Se e Se e A Ne o k S ack Clien Clien A BIOS Ne o k S ack

4. PXE Boot • Widely used, industry standard • Legacy BIOS/UEFI

   • iPXE • Transferring using TFTP • Requires dedicated server Existing Network Boots

5. HTTP Boot • Supported from UEFI 2.5 (2015) • Transferring

   using HTTP • No dedicated server required • Modern features • DNS support • TLS support (HTTPS Boot) • @tnishinaga’s blog post[1] Existing Network Boots EFI_HTTP_PROTOCOL + Ge ModeDa a(): EFI_HTTP_GET_MODE_DATA + Con g e(): EFI_HTTP_CONFIGURE + Re e (): EFI_HTTP_REQUEST + Cancel(): EFI_HTTP_CANCEL + Re on e(): EFI_HTTP_RESPONSE + Poll(): EFI_HTTP_POLL

6. Unified Extensible Firmware Interface

7. UEFI is Extensible • UEFI is modular design • Module

   is called Protocol • UEFI loads protocols • EFI_BOOT_SERVICES has protocol installer functions P c P c P c UEFI D e EFI_BOOT_SERVICES.I a P c I e face() + Ha d e: EFI_HANDLE* + P c : EFI_GUID* + I e faceT e: EFI_INTERFACE_TYPE + I e face: VOID*

8. Simple File System Protocol • Provides a file system independent

   file operation interface • However, UEFI supports FAT only by default UEFI Protocol Example EFI_SIMPLE_FILE_SYSTEM_PROTOCOL.O e V e() + T : EFI_SIMPLE_FILE_SYSTEM_PROTOCOL* + R : EFI_FILE_PROTOCOL** 1 EFI_FILE_PROTOCOL + O e (): EFI_FILE_OPEN + C e(): EFI_FILE_CLOSE + De e e(): EFI_FILE_DELETE + Read(): EFI_FILE_READ + W e(): EFI_FILE_WRITE + Ge P (): EFI_FILE_GET_POSITION + Se P (): EFI_FILE_SET_POSITION + Ge I (): EFI_FILE_GET_INFO + Ge I (): EFI_FILE_SET_INFO + F (): EFI_FILE_FLUSH + O e E (): EFI_FILE_OPEN_EX + ReadE (): EFI_FILE_READ_EX + W eE (): EFI_FILE_WRITE_EX + F E (): EFI_FILE_FLUSH_EX

9. Is there any use case for Simple File System Protocol?

10. Rootkits: Ultimately Practical Use case Strong Evidence of UEFI Flexibility

    • UEFI rootkit is a malware targets UEFI • Deploys another malware (Kernel Rootkits, Agents) • Hacking Team’s rkloader[2] and LoJax[3] • NTFS-3G was ported to UEFI to implant kernel rootkit against Windows

11. If a network transparent file system exists, it can be

    used for more flexible network boot.

12. “Here’s Glenda.”

13. Plan 9 File Protocol (9P) • Plan 9 from Bell

    Labs[7] • “Everything is a file.” • 9P provides file system operation interface for local/ remote processes[8] Ser er T alk R alk T ersion R ersion Ta ach Ra ach Topen Ropen Tread Rread

14. OK. But is 9P still used?

15. 9P Use cases Linux • v9fs: 9P fs client[4]

16. 9P Use cases Linux • v9fs: 9P fs client[4] VirtIO

    • virtio-9p: 9P server[5] • For sharing host files

17. 9P Use cases Linux • v9fs: 9P fs client[4] VirtIO

    • virtio-9p: 9P server[5] • For sharing host files Windows • WSL2: 9P fs client[6] • For sharing Linux files

18. GLENDA: ALL YOUR FS ARE BELONG TO US.

19. 9pfsPkg: 9P Client for UEFI Network Transparent File System •

    Provides Simple File System Protocol interface • Advantages: • Can operate a remote 9P file system like a local file system • Can use existing UEFI tools without any modification • No dedicated server required • Source code available at: https://github.com/yabits/9pfsPkg

20. 9P Boot Overview • UEFI loads 9pfsPkg UEFI driver and

    registers 9P FS volume • 9pfsPkg communicates with 9P server using UEFI network stack • 9P server operates files in exported directory (e.g. /tmp/9) UEFI 9 f P V e C e Se e 9P Se e Ne S ac / /9 F e S e

21. Booting from Remote Like a Boss Only a Local File

    System (FS0:) Exists

22. Booting from Remote Like a Boss Load 9pfsPkg UEFI Driver

    (9pfs.efi)

23. Booting from Remote Like a Boss New 9P File System

    (FS1:) Appeared with Strange Device Path

24. Booting from Remote Like a Boss Boot GRUB as If

    Local Disk

25. 9pfsPkg Application

26. Proxy Boot: Booting from Cloud Storage Booting from Google Cloud

    Platform Storage • Mount GCP Storage (GCS) using gcsfuse[9] on the server • Set the GCS mount directory (e.g. /mnt/gcs) as 9P exported directory • From UEFI, GCS is mounted indirectly as if local disk  8QWLWOHG'LDJUDPGUDZLR *&3 6WRUDJH 8(), SIV3NJ 9ROXPH 36HUYHU 1HWZRUN6WDFN )86( JFVIXVH PQWJFV &OLHQW 6HUYHU

27. Proxy Boot: Booting from GCS Upload Boot Image to GCS

    Bucket

28. Proxy Boot: Booting from GCS Mount GCS Bucket using gcsfuse

29. Proxy Boot: Booting from GCS Boot BitVisor from CGS Bucket

    via 9P Server

30. Summary • Existing network-aware boots are less flexible • UEFI

    can handle non-FAT file system using external UEFI drivers • 9P is useful for file sharing • 9pfsPkg is a 9P client for UEFI with Simple File System Protocol interface • Provides network transparent file system boot (9P Boot) • Can boot from cloud storage without any effort (Proxy Boot) • Call for 9pfsPkg Applications: Any Idea?

31. References • [0] https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf • [1] https://tnishinaga.hatenablog.com/entry/2017/12/22/221956 • [2] https://github.com/hackedteam/vector-edk

    • [3] https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf • [4] https://www.kernel.org/doc/Documentation/filesystems/9p.txt • [5] https://www.linux-kvm.org/page/9p_virtio • [6] https://youtu.be/63wVlI9B3Ac?t=481 • [7] https://9p.io/plan9/ • [8] http://man.cat-v.org/plan_9/5/ • [9] https://github.com/GoogleCloudPlatform/gcsfuse

32. 9pfsPkg Details • 9P.2000L (9P Linux extension) compliant • Read-only

    file system • TCP/IPv4 support • Static IP only • Configurable via UEFI variables • Authentication not implemented yet • Known Issue: ExitBootServices() hangs