[edk2-devel] [PATCH v1 0/2] Add support to disable VirtIo net at runtime

Ard Biesheuvel ardb at kernel.org
Thu Aug 4 09:58:17 UTC 2022


On Thu, 4 Aug 2022 at 07:55, Laszlo Ersek <lersek at redhat.com> wrote:
>
> On 08/04/22 04:52, Yuan Yu wrote:
> > Currently networking can only be enabled/disabled at compile time. This
> > patch series will add support to disable VirtIo net at runtime even if
> > the functionality is built into binary at compile time.
> >
> > This will enable VMM to reduce attack surface without recompilation.
> >
> > The changes can be seen at:
> > https://github.com/yyu/edk2/tree/network_cfg_lib_v1
> >
> > Cc: Ard Biesheuvel <ardb+tianocore at kernel.org>
> > Cc: Jordan Justen <jordan.l.justen at intel.com>
> > Cc: Laszlo Ersek <lersek at redhat.com>
> > Cc: Anthony Perard <anthony.perard at citrix.com>
> > Cc: Julien Grall <julien at xen.org>
> >
> > Yuan Yu (2):
> >   OvmfPkg: Introduce NetworkCfgLib
> >   OvmfPkg: Use PcdNetworkSupport to enable/disable VirtIo net
> >
> >  OvmfPkg/OvmfPkg.dec                             |  3 ++
> >  OvmfPkg/OvmfPkgX64.dsc                          |  7 ++++-
> >  OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf | 29 ++++++++++++++++++
> >  OvmfPkg/VirtioNetDxe/VirtioNet.inf              |  3 ++
> >  OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.c   | 32 ++++++++++++++++++++
> >  OvmfPkg/VirtioNetDxe/EntryPoint.c               | 10 ++++++
> >  6 files changed, 83 insertions(+), 1 deletion(-)
> >  create mode 100644 OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf
> >  create mode 100644 OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.c
> >
>
> Well I've not been reviewing upstream edk2 patches for a while, but the
> virtio-net driver is still very close to my heart, so this patch kind of
> hits a nerve.
>

Welcome back, old friend!

> I think I disagree with the idea and the implementation both.
>
> Minimally, the idea needs a much better elaboration -- what is the
> threat model? Do you want to protect the host from the guest, or the
> guest from the host? Or something else? How does controlling a single
> SNP driver via fw_cfg (which is also dictated by the host) help?
>

I have to confess that I was the one who suggested this approach to
Yuan internally, but mainly to get the discussion going, as I was
anticipating some pushback, just not from you :-)

'Reducing the attack surface' is probably not the most accurate
characterization of the purpose. We are simply looking for a way to
disable network boot from the vmm/host side without affecting
how/which network interfaces the guest exposes to the OS.

> Regarding the implementation: there is much more to networking in edk2
> than VirtioNetDxe. UEFI driver binaries (SNP drivers) built from iPXE
> can be passed in via the NICs' option ROMs. SNP drivers can be loaded
> from the UEFI system partition (for example, Intel's binary-only driver
> for QEMU's e1000* cards).
>
> If you can control this fw_cfg switch from the VMM side, you can also
> control the VMM enough to simply *not give* a virtio-net device to the
> guest. Then the driver (it being a UEFI driver following the UEFI driver
> model) will simply not have anything to bind.
>

Sure, but then the OS will lose networking as well. We just want to
remove the ability to network boot without impacting anything else
that relies on virtio-net.

> Sorry I find this approach very wrong. If you really need it for your
> particular VMM, I kind of suggest not upstreaming this patch. I see it
> as a step backwards for the upstream project.
>

If there are better ways to achieve this, we're all ears, but I think
that having a PCD which could either be fixed at build and compiled
out completely, or be set via a NULL library resolution, or even be
wired to a menu option (using PcdsDynamicHii) is a rather low-impact
but flexible way to go about this.
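To make the three resolution options above concrete, here is an added OvmfPkg DSC fragment; it is not from the patch series or from the edk2 project, the PCD name is assumed from the cover letter (`gUefiOvmfPkgTokenSpaceGuid.PcdNetworkSupport`), and `gHypotheticalNetCfgFormSetGuid` and the `L"NetworkSupport"` variable name are placeholders. Only one of the three Pcds sections would be active in a real DSC; they are shown side by side for comparison.

```ini
# Option A: fixed at build. The driver tests FixedPcdGetBool () so the
# network-boot path is compiled out entirely; nothing can re-enable it.
[PcdsFixedAtBuild]
  gUefiOvmfPkgTokenSpaceGuid.PcdNetworkSupport|FALSE

# Option B: dynamic PCD with a build-time default, then overridden at boot
# by the constructor of a NULL library linked only into VirtioNetDxe
# (assumed to read the host-provided fw_cfg switch and call PcdSetBoolS).
[PcdsDynamicDefault]
  gUefiOvmfPkgTokenSpaceGuid.PcdNetworkSupport|TRUE

[Components]
  OvmfPkg/VirtioNetDxe/VirtioNet.inf {
    <LibraryClasses>
      NULL|OvmfPkg/Library/NetworkCfgLib/NetworkCfgLib.inf
  }

# Option C: HII-backed dynamic PCD, so a setup-menu checkbox persists the
# choice in a non-volatile UEFI variable (format:
# PcdName|L"VarName"|VarGuid|VarOffset|Default|Attributes).
[PcdsDynamicHii]
  gUefiOvmfPkgTokenSpaceGuid.PcdNetworkSupport|L"NetworkSupport"|gHypotheticalNetCfgFormSetGuid|0x0|TRUE|NV,BS
```

Note that options B and C only gate VirtioNetDxe's own binding decision; as pointed out earlier in the thread, SNP drivers arriving via option ROMs or the ESP are untouched by this PCD.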

