From mboxrd@z Thu Jan 1 00:00:00 1970 References: <20201216211125.19496-1-lersek@redhat.com> <20201216211125.19496-2-lersek@redhat.com> From: Ard Biesheuvel Message-ID: <57ec49d2-1540-f693-23ef-12a0cf217a81@arm.com> Date: Fri, 18 Dec 2020 18:42:43 +0100 MIME-Version: 1.0 In-Reply-To: <20201216211125.19496-2-lersek@redhat.com> Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 8bit Subject: Re: [Virtio-fs] [edk2 PATCH 01/48] OvmfPkg: introduce VirtioFsDxe List-Id: Development discussions about virtio-fs List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Laszlo Ersek , devel@edk2.groups.io, virtio-fs@redhat.com Cc: Jordan Justen , =?UTF-8?Q?Philippe_Mathieu-Daud=c3=a9?= On 12/16/20 10:10 PM, Laszlo Ersek wrote: > The purpose of the driver is to ease file exchange (file sharing) between > the guest firmware and the virtualization host. The driver is supposed to > interoperate with QEMU's "virtiofsd" (Virtio Filesystem Daemon). > > References: > - https://virtio-fs.gitlab.io/ > - https://libvirt.org/kbase/virtiofs.html > > VirtioFsDxe will bind virtio-fs devices, and produce > EFI_SIMPLE_FILE_SYSTEM_PROTOCOL instances on them. > > In the longer term, assuming QEMU will create "bootorder" fw_cfg file > entries for virtio-fs devices, booting guest OSes from host-side > directories should become possible (dependent on the matching > QemuBootOrderLib enhancement). > > Add the skeleton of the driver. Install EFI_DRIVER_BINDING_PROTOCOL with > stub member functions. Install EFI_COMPONENT_NAME2_PROTOCOL with final > member functions. This suffices for the DRIVERS command in the UEFI Shell > to list the driver with a human-readable name. > > The file permission model is described immediately in the INF file as a > comment block, for future reference. > > Cc: Ard Biesheuvel > Cc: Jordan Justen > Cc: Philippe Mathieu-Daudé > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3097 > Signed-off-by: Laszlo Ersek > --- > OvmfPkg/OvmfPkgIa32.dsc | 1 + > OvmfPkg/OvmfPkgIa32X64.dsc | 1 + > OvmfPkg/OvmfPkgX64.dsc | 1 + > OvmfPkg/OvmfPkgIa32.fdf | 1 + > OvmfPkg/OvmfPkgIa32X64.fdf | 1 + > OvmfPkg/OvmfPkgX64.fdf | 1 + > OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf | 92 ++++++++++++++++ > OvmfPkg/VirtioFsDxe/DriverBinding.c | 112 ++++++++++++++++++++ > 8 files changed, 210 insertions(+) > > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > index 8eede796a8bd..4ff70674fb6e 100644 > --- a/OvmfPkg/OvmfPkgIa32.dsc > +++ b/OvmfPkg/OvmfPkgIa32.dsc > @@ -807,16 +807,17 @@ [Components] > } > MdeModulePkg/Universal/PrintDxe/PrintDxe.inf > MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf > MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf > MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf > MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf > FatPkg/EnhancedFatDxe/Fat.inf > MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf > + OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf > MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf > MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf > OvmfPkg/SataControllerDxe/SataControllerDxe.inf > MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf > MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf > MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf > MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf > MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > index f9f82a48f4b9..d40a59183c79 100644 > --- a/OvmfPkg/OvmfPkgIa32X64.dsc > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > @@ -821,16 +821,17 @@ [Components.X64] > } > MdeModulePkg/Universal/PrintDxe/PrintDxe.inf > MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf > MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf > MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf > MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf > FatPkg/EnhancedFatDxe/Fat.inf > MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf > + OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf > MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf > MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf > OvmfPkg/SataControllerDxe/SataControllerDxe.inf > MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf > MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf > MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf > MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf > MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > index e59ae05b73aa..ec7886235acf 100644 > --- a/OvmfPkg/OvmfPkgX64.dsc > +++ b/OvmfPkg/OvmfPkgX64.dsc > @@ -817,16 +817,17 @@ [Components] > } > MdeModulePkg/Universal/PrintDxe/PrintDxe.inf > MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf > MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf > MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf > MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf > FatPkg/EnhancedFatDxe/Fat.inf > MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf > + OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf > MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf > MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf > OvmfPkg/SataControllerDxe/SataControllerDxe.inf > MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf > MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf > MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf > MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf > MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf > diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf > index c07b775d0a2d..f400c845b9c9 100644 > --- a/OvmfPkg/OvmfPkgIa32.fdf > +++ b/OvmfPkg/OvmfPkgIa32.fdf > @@ -285,16 +285,17 @@ [FV.DXEFV] > INF OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf > INF RuleOverride=ACPITABLE OvmfPkg/AcpiTables/AcpiTables.inf > INF MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf > INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf > INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf > > INF FatPkg/EnhancedFatDxe/Fat.inf > INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf > +INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf > > !if $(TOOL_CHAIN_TAG) != "XCODE5" > INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf > INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf > INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf > !endif > INF ShellPkg/Application/Shell/Shell.inf > > diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf > index 9adf1525c135..d055552fd09f 100644 > --- a/OvmfPkg/OvmfPkgIa32X64.fdf > +++ b/OvmfPkg/OvmfPkgIa32X64.fdf > @@ -286,16 +286,17 @@ [FV.DXEFV] > INF OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf > INF RuleOverride=ACPITABLE OvmfPkg/AcpiTables/AcpiTables.inf > INF MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf > INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf > INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf > > INF FatPkg/EnhancedFatDxe/Fat.inf > INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf > +INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf > > !if $(TOOL_CHAIN_TAG) != "XCODE5" > INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf > INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf > INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf > !endif > INF ShellPkg/Application/Shell/Shell.inf > > diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf > index 17ba9e177ac3..1a2ef5bf2ae3 100644 > --- a/OvmfPkg/OvmfPkgX64.fdf > +++ b/OvmfPkg/OvmfPkgX64.fdf > @@ -295,16 +295,17 @@ [FV.DXEFV] > INF OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf > INF RuleOverride=ACPITABLE OvmfPkg/AcpiTables/AcpiTables.inf > INF MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf > INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf > INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf > > INF FatPkg/EnhancedFatDxe/Fat.inf > INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf > +INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf > > !if $(TOOL_CHAIN_TAG) != "XCODE5" > INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf > INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf > INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf > !endif > INF ShellPkg/Application/Shell/Shell.inf > > diff --git a/OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf b/OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf > new file mode 100644 > index 000000000000..69cb44bc7c96 > --- /dev/null > +++ b/OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf > @@ -0,0 +1,92 @@ > +## @file > +# Provide EFI_SIMPLE_FILE_SYSTEM_PROTOCOL instances on virtio-fs devices. > +# > +# Copyright (C) 2020, Red Hat, Inc. > +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +# > +# Permission Model of this driver: > +# > +# Regardless of the UID and GID values this driver send in the FUSE request > +# header, the daemon (that is, the Virtio Filesystem device) always acts with > +# root privileges on the host side. The only time the daemon considers said UID > +# and GID fields is when creating a new file or directory. Thus, the guest > +# driver cannot rely on the host for enforcing any file mode permissions, > +# regardless of the "personality" that the guest driver poses as, because > +# "root" on the host side ignores all file mode bits. > +# > +# Therefore the guest driver has to do its own permission checking, and use the > +# host-side file mode bits only as a kind of "metadata storage" or "reminder" > +# -- hopefully in a way that makes some sense on the host side too. > +# Can you please explain why this is safe? Or should virtio-fs only be used with guests that can be trusted with root privileges on the host? -- Ard. > +# The complete mapping between the EFI_FILE_PROTOCOL and the host-side file > +# mode bits is described below. > +# > +# - The guest driver poses as UID 0, GID 0, PID 1. > +# > +# - If and only if all "w" bits are missing from a file on the host side, then > +# the file or directory is reported as EFI_FILE_READ_ONLY in the guest. When > +# setting EFI_FILE_READ_ONLY in the guest, all "w" bits (0222) are cleared on > +# the host; when clearing EFI_FILE_READ_ONLY in the guest, all "w" bits are > +# set on the host. Viewed from the host side, this sort of reflects that an > +# EFI_FILE_READ_ONLY file should not be written by anyone. > +# > +# - The attributes EFI_FILE_HIDDEN, EFI_FILE_SYSTEM, EFI_FILE_RESERVED, and > +# EFI_FILE_ARCHIVE are never reported in the guest, and they are silently > +# ignored when a SetInfo() call or a file-creating Open() call requests them. > +# > +# - On the host, files are created with 0666 file mode bits, directories are > +# created with 0777 file mode bits. > +# > +# - In the guest, the EFI_FILE_READ_ONLY attribute only controls the permitted > +# open mode. In particular, on directories, the EFI_FILE_READ_ONLY attribute > +# does not prevent the creation or deletion of entries inside the directory; > +# EFI_FILE_READ_ONLY only prevents the renaming, deleting, flushing (syncing) > +# and touching of the directory itself (with "touching" meaning updating the > +# timestamps). The fact that EFI_FILE_READ_ONLY being set on a directory is > +# irrelevant in the guest with regard to entry creation/deletion, is > +# well-mirrored by the fact that virtiofsd -- which runs as root, regardless > +# of guest driver personality -- ignores the absence of "w" permissions on a > +# host-side directory, when creating or removing entries in it. > +# > +# - When an EFI_FILE_PROTOCOL is opened read-only, then the Delete(), Write() > +# and Flush() member functions are disabled for it. Additionally, SetInfo() > +# is restricted to flipping the EFI_FILE_READ_ONLY bit (which takes effect at > +# the next Open()). > +# > +# - As a consequence of the above, for deleting a directory, it must be > +# presented in the guest as openable for writing. > +# > +# - We diverge from the UEFI spec, and permit Flush() on a directory that has > +# been opened read-write; otherwise the only way to invoke FUSE_FSYNCDIR on a > +# directory would be to Close() it. > +# > +# - OpenVolume() opens the root directory for read-only access. The Open() > +# member function may open it for read-write access. While the root directory > +# cannot be renamed or deleted, opening it for read-write access is useful > +# for calling Flush(), according to the previous paragraph, or for updating > +# the root directory's timestamps with SetInfo(). > +## > + > +[Defines] > + INF_VERSION = 1.29 > + BASE_NAME = VirtioFsDxe > + FILE_GUID = 7BD9DDF7-8B83-488E-AEC9-24C78610289C > + MODULE_TYPE = UEFI_DRIVER > + ENTRY_POINT = VirtioFsEntryPoint > + > +[Packages] > + MdePkg/MdePkg.dec > + > +[Sources] > + DriverBinding.c > + > +[LibraryClasses] > + BaseLib > + UefiBootServicesTableLib > + UefiDriverEntryPoint > + > +[Protocols] > + gEfiComponentName2ProtocolGuid ## PRODUCES > + gEfiDriverBindingProtocolGuid ## PRODUCES > diff --git a/OvmfPkg/VirtioFsDxe/DriverBinding.c b/OvmfPkg/VirtioFsDxe/DriverBinding.c > new file mode 100644 > index 000000000000..ac0a6330f01b > --- /dev/null > +++ b/OvmfPkg/VirtioFsDxe/DriverBinding.c > @@ -0,0 +1,112 @@ > +/** @file > + Provide EFI_SIMPLE_FILE_SYSTEM_PROTOCOL instances on virtio-fs devices. > + > + Copyright (C) 2020, Red Hat, Inc. > + > + SPDX-License-Identifier: BSD-2-Clause-Patent > +**/ > + > +#include // AsciiStrCmp() > +#include // gBS > +#include // EFI_COMPONENT_NAME2_PROTOCOL > +#include // EFI_DRIVER_BINDING_PROTOCOL > + > +// > +// UEFI Driver Model protocol instances. > +// > +STATIC EFI_DRIVER_BINDING_PROTOCOL mDriverBinding; > +STATIC EFI_COMPONENT_NAME2_PROTOCOL mComponentName2; > + > +// > +// UEFI Driver Model protocol member functions. > +// > +EFI_STATUS > +EFIAPI > +VirtioFsBindingSupported ( > + IN EFI_DRIVER_BINDING_PROTOCOL *This, > + IN EFI_HANDLE ControllerHandle, > + IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL > + ) > +{ > + return EFI_UNSUPPORTED; > +} > + > +EFI_STATUS > +EFIAPI > +VirtioFsBindingStart ( > + IN EFI_DRIVER_BINDING_PROTOCOL *This, > + IN EFI_HANDLE ControllerHandle, > + IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL > + ) > +{ > + return EFI_DEVICE_ERROR; > +} > + > +EFI_STATUS > +EFIAPI > +VirtioFsBindingStop ( > + IN EFI_DRIVER_BINDING_PROTOCOL *This, > + IN EFI_HANDLE ControllerHandle, > + IN UINTN NumberOfChildren, > + IN EFI_HANDLE *ChildHandleBuffer OPTIONAL > + ) > +{ > + return EFI_DEVICE_ERROR; > +} > + > +EFI_STATUS > +EFIAPI > +VirtioFsGetDriverName ( > + IN EFI_COMPONENT_NAME2_PROTOCOL *This, > + IN CHAR8 *Language, > + OUT CHAR16 **DriverName > + ) > +{ > + if (AsciiStrCmp (Language, "en") != 0) { > + return EFI_UNSUPPORTED; > + } > + *DriverName = L"Virtio Filesystem Driver"; > + return EFI_SUCCESS; > +} > + > +EFI_STATUS > +EFIAPI > +VirtioFsGetControllerName ( > + IN EFI_COMPONENT_NAME2_PROTOCOL *This, > + IN EFI_HANDLE ControllerHandle, > + IN EFI_HANDLE ChildHandle OPTIONAL, > + IN CHAR8 *Language, > + OUT CHAR16 **ControllerName > + ) > +{ > + return EFI_UNSUPPORTED; > +} > + > +// > +// Entry point of this driver. > +// > +EFI_STATUS > +EFIAPI > +VirtioFsEntryPoint ( > + IN EFI_HANDLE ImageHandle, > + IN EFI_SYSTEM_TABLE *SystemTable > + ) > +{ > + EFI_STATUS Status; > + > + mDriverBinding.Supported = VirtioFsBindingSupported; > + mDriverBinding.Start = VirtioFsBindingStart; > + mDriverBinding.Stop = VirtioFsBindingStop; > + mDriverBinding.Version = 0x10; > + mDriverBinding.ImageHandle = ImageHandle; > + mDriverBinding.DriverBindingHandle = ImageHandle; > + > + mComponentName2.GetDriverName = VirtioFsGetDriverName; > + mComponentName2.GetControllerName = VirtioFsGetControllerName; > + mComponentName2.SupportedLanguages = "en"; > + > + Status = gBS->InstallMultipleProtocolInterfaces (&ImageHandle, > + &gEfiDriverBindingProtocolGuid, &mDriverBinding, > + &gEfiComponentName2ProtocolGuid, &mComponentName2, NULL); > + return Status; > +} >