[PATCH v1 0/2] Add support to disable VirtIo net at runtime

[PATCH v1 0/2] Add support to disable VirtIo net at runtime

[Yuan Yu]

Currently networking can only be enabled/disabled at compile time. This
patch series will add support to disable VirtIo net at runtime even if
the functionality is built into binary at compile time.

This will enable VMM to reduce attack surface without recompilation.

The changes can be seen at:
https://github.com/yyu/edk2/tree/network_cfg_lib_v1

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Julien Grall <julien@xen.org>

Yuan Yu (2):
  OvmfPkg: Introduce NetworkCfgLib
  OvmfPkg: Use PcdNetworkSupport to enable/disable VirtIo net

 OvmfPkg/OvmfPkg.dec                             |  3 ++
 OvmfPkg/OvmfPkgX64.dsc                          |  7 ++++-
 OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf | 29 ++++++++++++++++++
 OvmfPkg/VirtioNetDxe/VirtioNet.inf              |  3 ++
 OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.c   | 32 ++++++++++++++++++++
 OvmfPkg/VirtioNetDxe/EntryPoint.c               | 10 ++++++
 6 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf
 create mode 100644 OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.c

-- 
2.37.1.559.g78731f0fdb-goog

[PATCH v1 1/2] OvmfPkg: Introduce NetworkCfgLib

[Yuan Yu]

Introduce NetworkCfgLib which will set PcdNetworkSupport based on
"etc/networking" qemu file.

If "etc/networking" (type bool) is TRUE, then PcdNetworkSupport will be
TRUE and vice versa.

In the following patch, PcdNetworkSupport will be used to enable/disable
VirtIo net driver so that VMM will have control over networking
functionality in runtime.

The default value of PcdNetworkSupport is TRUE, which means if network
support is turned on at compile time and VMM doesn't do anything, the
VirtIo driver will be enabled. This is to make it consistent with the
behavior before this patch.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Julien Grall <julien@xen.org>

Signed-off-by: Yuan Yu <yuanyu@google.com>
---
 OvmfPkg/OvmfPkg.dec                             |  3 ++
 OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf | 29 ++++++++++++++++++
 OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.c   | 32 ++++++++++++++++++++
 3 files changed, 64 insertions(+)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 5af76a540529..5dced0568f6c 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -451,6 +451,9 @@ [PcdsDynamic, PcdsDynamicEx]
   ## This PCD records LASA field in CC EVENTLOG ACPI table.
   gUefiOvmfPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa|0|UINT64|0x67
 
+  ## This PCD controls if network support should be turned on at runtime.
+  gUefiOvmfPkgTokenSpaceGuid.PcdNetworkSupport|TRUE|BOOLEAN|0x72
+
 [PcdsFeatureFlag]
   gUefiOvmfPkgTokenSpaceGuid.PcdQemuBootOrderPciTranslation|TRUE|BOOLEAN|0x1c
   gUefiOvmfPkgTokenSpaceGuid.PcdQemuBootOrderMmioTranslation|FALSE|BOOLEAN|0x1d
diff --git a/OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf b/OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf
new file mode 100644
index 000000000000..44be171ccc7a
--- /dev/null
+++ b/OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf
@@ -0,0 +1,29 @@
+## @file
+# Configure some PCDs dynamically
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+  INF_VERSION                    = 1.27
+  BASE_NAME                      = NetworkCfgLib
+  FILE_GUID                      = c81bfcf9-7dce-44f7-a9cb-be607f481a86
+  MODULE_TYPE                    = BASE
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = NULL
+  CONSTRUCTOR                    = SetNetworkingSupportPcds
+
+[Sources]
+  NetworkCfgLib.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  OvmfPkg/OvmfPkg.dec
+
+[LibraryClasses]
+  PcdLib
+  DebugLib
+  QemuFwCfgSimpleParserLib
+
+[Pcd]
+  gUefiOvmfPkgTokenSpaceGuid.PcdNetworkSupport       ## SOMETIMES_PRODUCES
diff --git a/OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.c b/OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.c
new file mode 100644
index 000000000000..e77198dbd4e4
--- /dev/null
+++ b/OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.c
@@ -0,0 +1,32 @@
+#include <Library/PcdLib.h>
+#include <Library/DebugLib.h>
+#include <Library/QemuFwCfgSimpleParserLib.h>
+
+RETURN_STATUS
+EFIAPI
+SetNetworkingSupportPcds (
+ VOID
+ )
+{
+  BOOLEAN       FwCfgBool;
+  RETURN_STATUS Status;
+
+  DEBUG ((DEBUG_INFO, "[network] %a\n", __FUNCTION__));
+
+  Status = QemuFwCfgParseBool ("etc/networking", &FwCfgBool);
+  if (RETURN_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO,
+           "[network] QemuFwCfgParseBool('etc/networking') failed, will return "
+           "SUCCESS and continue without overriding PcdNetworkSupport.\n"));
+    return RETURN_SUCCESS;
+  }
+  DEBUG ((DEBUG_INFO, "[network] etc/networking = %d\n", FwCfgBool));
+
+  Status = PcdSetBoolS (PcdNetworkSupport, FwCfgBool);
+  if (RETURN_ERROR (Status)) {
+    return Status;
+  }
+  DEBUG ((DEBUG_INFO, "[network] PcdNetworkSupport was set to %d\n", FwCfgBool));
+
+  return RETURN_SUCCESS;
+}
-- 
2.37.1.559.g78731f0fdb-goog

[PATCH v1 2/2] OvmfPkg: Use PcdNetworkSupport to enable/disable VirtIo net

[Yuan Yu]

Enable/Disable VirtIo net based on the value of PcdNetworkSupport which
is controlled in NetworkCfgLib, which sets the PCD based on
"etc/networking" qemu file.

With this change, VMM can disable networking even if it is enabled at
compile time. This will allow to reduce attack surface by simply
providing an "etc/networking" value without having to recompile EDK2
completely.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Julien Grall <julien@xen.org>

Signed-off-by: Yuan Yu <yuanyu@google.com>
---
 OvmfPkg/OvmfPkgX64.dsc             |  7 ++++++-
 OvmfPkg/VirtioNetDxe/VirtioNet.inf |  3 +++
 OvmfPkg/VirtioNetDxe/EntryPoint.c  | 10 ++++++++++
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 6e68f60dc90f..63cce9f65a95 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -686,6 +686,8 @@ [PcdsDynamicDefault]
   gEfiMdePkgTokenSpaceGuid.PcdFSBClock|1000000000
 !endif
 
+  gUefiOvmfPkgTokenSpaceGuid.PcdNetworkSupport|TRUE
+
 [PcdsDynamicHii]
 !include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
 
@@ -953,7 +955,10 @@ [Components]
       NULL|OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf
   }
 !endif
-  OvmfPkg/VirtioNetDxe/VirtioNet.inf
+  OvmfPkg/VirtioNetDxe/VirtioNet.inf {
+    <LibraryClasses>
+      NULL|OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf
+  }
 
   #
   # Usb Support
diff --git a/OvmfPkg/VirtioNetDxe/VirtioNet.inf b/OvmfPkg/VirtioNetDxe/VirtioNet.inf
index ada84ed5543b..37bcf13b7863 100644
--- a/OvmfPkg/VirtioNetDxe/VirtioNet.inf
+++ b/OvmfPkg/VirtioNetDxe/VirtioNet.inf
@@ -54,3 +54,6 @@ [Protocols]
   gEfiSimpleNetworkProtocolGuid  ## BY_START
   gEfiDevicePathProtocolGuid     ## BY_START
   gVirtioDeviceProtocolGuid      ## TO_START
+
+[Pcd]
+  gUefiOvmfPkgTokenSpaceGuid.PcdNetworkSupport       ## CONSUMES
diff --git a/OvmfPkg/VirtioNetDxe/EntryPoint.c b/OvmfPkg/VirtioNetDxe/EntryPoint.c
index c3f41dab57bd..9bf220b9ade5 100644
--- a/OvmfPkg/VirtioNetDxe/EntryPoint.c
+++ b/OvmfPkg/VirtioNetDxe/EntryPoint.c
@@ -9,6 +9,8 @@
 
 **/
 
+#include <PiDxe.h>
+
 #include <Library/UefiLib.h>
 
 #include "VirtioNet.h"
@@ -32,6 +34,14 @@ VirtioNetEntryPoint (
   IN EFI_SYSTEM_TABLE  *SystemTable
   )
 {
+  if (PcdGetBool (PcdNetworkSupport)) {
+    DEBUG ((DEBUG_INFO, "[network] %a - Networking enabled.\n", __FUNCTION__));
+  } else {
+    DEBUG ((DEBUG_INFO, "[network] %a - Networking disabled.\n", __FUNCTION__));
+
+    return EFI_REQUEST_UNLOAD_IMAGE;
+  }
+
   return EfiLibInstallDriverBindingComponentName2 (
            ImageHandle,
            SystemTable,
-- 
2.37.1.559.g78731f0fdb-goog

Re: [PATCH v1 0/2] Add support to disable VirtIo net at runtime

[Laszlo Ersek]

On 08/04/22 04:52, Yuan Yu wrote:
> Currently networking can only be enabled/disabled at compile time. This
> patch series will add support to disable VirtIo net at runtime even if
> the functionality is built into binary at compile time.
> 
> This will enable VMM to reduce attack surface without recompilation.
> 
> The changes can be seen at:
> https://github.com/yyu/edk2/tree/network_cfg_lib_v1
> 
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Julien Grall <julien@xen.org>
> 
> Yuan Yu (2):
>   OvmfPkg: Introduce NetworkCfgLib
>   OvmfPkg: Use PcdNetworkSupport to enable/disable VirtIo net
> 
>  OvmfPkg/OvmfPkg.dec                             |  3 ++
>  OvmfPkg/OvmfPkgX64.dsc                          |  7 ++++-
>  OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf | 29 ++++++++++++++++++
>  OvmfPkg/VirtioNetDxe/VirtioNet.inf              |  3 ++
>  OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.c   | 32 ++++++++++++++++++++
>  OvmfPkg/VirtioNetDxe/EntryPoint.c               | 10 ++++++
>  6 files changed, 83 insertions(+), 1 deletion(-)
>  create mode 100644 OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf
>  create mode 100644 OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.c
> 

Well I've not been reviewing upstream edk2 patches for a while, but the
virtio-net driver is still very close to my heart, so this patch kind of
hits a nerve.

I think I disagree with the idea and the implementation both.

Minimally, the idea needs a much better elaboration -- what is the
threat model? Do you want to protect the host from the guest, or the
guest from the host? Or something else? How does controlling a single
SNP driver via fw_cfg (which is also dictated by the host) help?

Regarding the implementation: there is much more to networking in edk2
than VirtioNetDxe. UEFI driver binaries (SNP drivers) built from iPXE
can be passed in via the NICs' option ROMs. SNP drivers can be loaded
from the UEFI system partition (for example, Intel's binary-only driver
for QEMU's e1000* cards).

If you can control this fw_cfg switch from the VMM side, you can also
control the VMM enough to simply *not give* a virtio-net device to the
guest. Then the driver (it being a UEFI driver following the UEFI driver
model) will simply not have anything to bind.

Sorry I find this approach very wrong. If you really need it for your
particular VMM, I kind of suggest not upstreaming this patch. I see it
as a step backwards for the upstream project.

Anyway: I emphasize I'm no longer a reviewer for OvmfPkg, and it's quite
exceptional that I'm reacting at all to being CC'd on this.

Laszlo

Re: [edk2-devel] [PATCH v1 0/2] Add support to disable VirtIo net at runtime

[Ard Biesheuvel]

On Thu, 4 Aug 2022 at 07:55, Laszlo Ersek <lersek@redhat.com> wrote:
>
> On 08/04/22 04:52, Yuan Yu wrote:
> > Currently networking can only be enabled/disabled at compile time. This
> > patch series will add support to disable VirtIo net at runtime even if
> > the functionality is built into binary at compile time.
> >
> > This will enable VMM to reduce attack surface without recompilation.
> >
> > The changes can be seen at:
> > https://github.com/yyu/edk2/tree/network_cfg_lib_v1
> >
> > Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > Cc: Laszlo Ersek <lersek@redhat.com>
> > Cc: Anthony Perard <anthony.perard@citrix.com>
> > Cc: Julien Grall <julien@xen.org>
> >
> > Yuan Yu (2):
> >   OvmfPkg: Introduce NetworkCfgLib
> >   OvmfPkg: Use PcdNetworkSupport to enable/disable VirtIo net
> >
> >  OvmfPkg/OvmfPkg.dec                             |  3 ++
> >  OvmfPkg/OvmfPkgX64.dsc                          |  7 ++++-
> >  OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf | 29 ++++++++++++++++++
> >  OvmfPkg/VirtioNetDxe/VirtioNet.inf              |  3 ++
> >  OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.c   | 32 ++++++++++++++++++++
> >  OvmfPkg/VirtioNetDxe/EntryPoint.c               | 10 ++++++
> >  6 files changed, 83 insertions(+), 1 deletion(-)
> >  create mode 100644 OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf
> >  create mode 100644 OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.c
> >
>
> Well I've not been reviewing upstream edk2 patches for a while, but the
> virtio-net driver is still very close to my heart, so this patch kind of
> hits a nerve.
>

Welcome back old friend!

> I think I disagree with the idea and the implementation both.
>
> Minimally, the idea needs a much better elaboration -- what is the
> threat model? Do you want to protect the host from the guest, or the
> guest from the host? Or something else? How does controlling a single
> SNP driver via fw_cfg (which is also dictated by the host) help?
>

I have to confess that I was the one who suggested this approach to
Yuan internally, but mainly to get the discussion going, as I was
anticipating some pushback, just not from you :-)

'Reducing the attack surface' is probably not the most accurate
characterization of the purpose. We are simply looking for a way to
disable network boot from the vmm/host side without affecting
how/which network interfaces the guest exposes to the OS.

> Regarding the implementation: there is much more to networking in edk2
> than VirtioNetDxe. UEFI driver binaries (SNP drivers) built from iPXE
> can be passed in via the NICs' option ROMs. SNP drivers can be loaded
> from the UEFI system partition (for example, Intel's binary-only driver
> for QEMU's e1000* cards).
>
> If you can control this fw_cfg switch from the VMM side, you can also
> control the VMM enough to simply *not give* a virtio-net device to the
> guest. Then the driver (it being a UEFI driver following the UEFI driver
> model) will simply not have anything to bind.
>

Sure, but then the OS will lose networking as well. We just want to
remove the ability to network boot without impacting anything else
that relies on virtio-net

> Sorry I find this approach very wrong. If you really need it for your
> particular VMM, I kind of suggest not upstreaming this patch. I see it
> as a step backwards for the upstream project.
>

If there are better ways to achieve this, we're all ears, but I think
that having a PCD which could either be fixed at build and compiled
out completely, or be set via a NULL library resolution, or even be
wired to a menu option (using PcdsDynamicHii] is a rather low-impact
but flexible way to go about this.

Re: [edk2-devel] [PATCH v1 0/2] Add support to disable VirtIo net at runtime

[Laszlo Ersek]

On 08/04/22 11:58, Ard Biesheuvel wrote:
> On Thu, 4 Aug 2022 at 07:55, Laszlo Ersek <lersek@redhat.com> wrote:
>>
>> On 08/04/22 04:52, Yuan Yu wrote:
>>> Currently networking can only be enabled/disabled at compile time. This
>>> patch series will add support to disable VirtIo net at runtime even if
>>> the functionality is built into binary at compile time.
>>>
>>> This will enable VMM to reduce attack surface without recompilation.
>>>
>>> The changes can be seen at:
>>> https://github.com/yyu/edk2/tree/network_cfg_lib_v1
>>>
>>> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
>>> Cc: Jordan Justen <jordan.l.justen@intel.com>
>>> Cc: Laszlo Ersek <lersek@redhat.com>
>>> Cc: Anthony Perard <anthony.perard@citrix.com>
>>> Cc: Julien Grall <julien@xen.org>
>>>
>>> Yuan Yu (2):
>>>   OvmfPkg: Introduce NetworkCfgLib
>>>   OvmfPkg: Use PcdNetworkSupport to enable/disable VirtIo net
>>>
>>>  OvmfPkg/OvmfPkg.dec                             |  3 ++
>>>  OvmfPkg/OvmfPkgX64.dsc                          |  7 ++++-
>>>  OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf | 29 ++++++++++++++++++
>>>  OvmfPkg/VirtioNetDxe/VirtioNet.inf              |  3 ++
>>>  OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.c   | 32 ++++++++++++++++++++
>>>  OvmfPkg/VirtioNetDxe/EntryPoint.c               | 10 ++++++
>>>  6 files changed, 83 insertions(+), 1 deletion(-)
>>>  create mode 100644 OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf
>>>  create mode 100644 OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.c
>>>
>>
>> Well I've not been reviewing upstream edk2 patches for a while, but the
>> virtio-net driver is still very close to my heart, so this patch kind of
>> hits a nerve.
>>
> 
> Welcome back old friend!
> 
>> I think I disagree with the idea and the implementation both.
>>
>> Minimally, the idea needs a much better elaboration -- what is the
>> threat model? Do you want to protect the host from the guest, or the
>> guest from the host? Or something else? How does controlling a single
>> SNP driver via fw_cfg (which is also dictated by the host) help?
>>
> 
> I have to confess that I was the one who suggested this approach to
> Yuan internally, but mainly to get the discussion going, as I was
> anticipating some pushback, just not from you :-)

Heh, sorry about that :)

> 
> 'Reducing the attack surface' is probably not the most accurate
> characterization of the purpose. We are simply looking for a way to
> disable network boot from the vmm/host side without affecting
> how/which network interfaces the guest exposes to the OS.
> 
>> Regarding the implementation: there is much more to networking in edk2
>> than VirtioNetDxe. UEFI driver binaries (SNP drivers) built from iPXE
>> can be passed in via the NICs' option ROMs. SNP drivers can be loaded
>> from the UEFI system partition (for example, Intel's binary-only driver
>> for QEMU's e1000* cards).
>>
>> If you can control this fw_cfg switch from the VMM side, you can also
>> control the VMM enough to simply *not give* a virtio-net device to the
>> guest. Then the driver (it being a UEFI driver following the UEFI driver
>> model) will simply not have anything to bind.
>>
> 
> Sure, but then the OS will lose networking as well. We just want to
> remove the ability to network boot without impacting anything else
> that relies on virtio-net
> 
>> Sorry I find this approach very wrong. If you really need it for your
>> particular VMM, I kind of suggest not upstreaming this patch. I see it
>> as a step backwards for the upstream project.
>>
> 
> If there are better ways to achieve this, we're all ears, but I think
> that having a PCD which could either be fixed at build and compiled
> out completely, or be set via a NULL library resolution, or even be
> wired to a menu option (using PcdsDynamicHii] is a rather low-impact
> but flexible way to go about this.

How about using PCDs, but at a higher level in the edk2 network stack
(regardless of the SNP driver(s) used)?

Not that I'm a huge fan of them, but we already have PcdIPv4PXESupport
and PcdIPv6PXESupport, and they can be set for OVMF and ArmVirtQemu via
fw_cfg. If both PCDs are "PXE_DISABLED" (0), then
PxeBcDriverEntryPoint() [NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c] exits
early. See:

- https://bugzilla.tianocore.org/show_bug.cgi?id=1695
- https://bugzilla.tianocore.org/show_bug.cgi?id=2681

So that's at least "prior art".

If similar PCDs could be introduced for other kinds of network boot (I
think there's only HTTP(S)v[46] to speak of [*]), i.e. in
"NetworkPkg.dec", then I guess setting those from fw_cfg in ArmVirtQemu
and OVMF could be fine. I assume HttpBootDxe would be the driver to
short-circuit.

[*] Hmm, maybe not just that. Do we consider booting off an iSCSI device
"network boot"? Perhaps where you want to "cut the stack" is
Ip4Dxe/Ip6Dxe. Prior art with PXE does suggest PCDs for the higher-level
network boot drivers.

Laszlo