WebUSBWebGPUWebPCIEWebNVMEWebSATAWebATX12V
-
@littlefox @volpeon
*sigh*
OK, you wanted it:AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).
How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back&forth via WebSockets, which the BMC then forwards via internal USB to the host system.@manawyrm @littlefox @volpeon not sure I fully understand, doesn't that mean the browser page with the ISO "upload" needs to stay open and active for the whole duration of what you're doing with the bootable image?
-
@manawyrm @littlefox @volpeon not sure I fully understand, doesn't that mean the browser page with the ISO "upload" needs to stay open and active for the whole duration of what you're doing with the bootable image?
@funkylab @littlefox @volpeon Yes, that‘s right. It‘s being „streamed“ in real time from your browser, which also means that the speed is directly dependent on your latency to the server, because each sector read needs a command -> response interaction.
There wouldn‘t be any space anywhere for the BMC to store an entire ISO (not enough RAM or flash memory).
-
@funkylab @littlefox @volpeon Yes, that‘s right. It‘s being „streamed“ in real time from your browser, which also means that the speed is directly dependent on your latency to the server, because each sector read needs a command -> response interaction.
There wouldn‘t be any space anywhere for the BMC to store an entire ISO (not enough RAM or flash memory).
@manawyrm @littlefox @volpeon yeah I was wondering where images were stored, but assumed there must just be enough flash for that; I was wrong!
-
@manawyrm @littlefox @volpeon yeah I was wondering where images were stored, but assumed there must just be enough flash for that; I was wrong!
@funkylab @littlefox @volpeon some BMCs can also live stream images from HTTP, but that‘s an even more insane mechanism, where it generates HTTP requests on the fly for each sector (2048bytes) read from the CD.
Yes, one HTTP request per sector. It‘s a mini DDoS
-
@funkylab @littlefox @volpeon some BMCs can also live stream images from HTTP, but that‘s an even more insane mechanism, where it generates HTTP requests on the fly for each sector (2048bytes) read from the CD.
Yes, one HTTP request per sector. It‘s a mini DDoS
@manawyrm @littlefox @volpeon well uefi specifies boot via HTTP https://uefi.org/specs/UEFI/2.11/24_Network_Protocols_SNP_PXE_BIS.html#http-boot ; there's an entirely (nah, let's go with homeopathically) reasonable world where the BMC acts as HTTP server, using as much of its own RAM as read cache as possible,to minimize that latency penalty (physical CD-ROM drives also benefit from locality, because seeking across half a disk is probably slower than awaiting replies from residential V.90 modems)
-
@manawyrm @littlefox @volpeon well uefi specifies boot via HTTP https://uefi.org/specs/UEFI/2.11/24_Network_Protocols_SNP_PXE_BIS.html#http-boot ; there's an entirely (nah, let's go with homeopathically) reasonable world where the BMC acts as HTTP server, using as much of its own RAM as read cache as possible,to minimize that latency penalty (physical CD-ROM drives also benefit from locality, because seeking across half a disk is probably slower than awaiting replies from residential V.90 modems)
hahahahahaha, good joke
yeah, uefi http boot (and it’s support in practical devices) is mostly homeopathic. If you even dare think about things like IPv6 or modern webservers (something like nginx instead of a 17 year old Apache) it will just flat out refuse to work
the practical approach is to use the old PXE TFTP stuff to bootstrap something like iPXE and let it do HTTP from there.
-
hahahahahaha, good joke
yeah, uefi http boot (and it’s support in practical devices) is mostly homeopathic. If you even dare think about things like IPv6 or modern webservers (something like nginx instead of a 17 year old Apache) it will just flat out refuse to work
the practical approach is to use the old PXE TFTP stuff to bootstrap something like iPXE and let it do HTTP from there.
@manawyrm @littlefox @volpeon yeah aware that all HTTP boot projects take that route' was just hoping there was a reason for that part of the uefi spec
-
@funkylab @littlefox @volpeon Yes, that‘s right. It‘s being „streamed“ in real time from your browser, which also means that the speed is directly dependent on your latency to the server, because each sector read needs a command -> response interaction.
There wouldn‘t be any space anywhere for the BMC to store an entire ISO (not enough RAM or flash memory).
@manawyrm @funkylab @littlefox @volpeon Which works great when you choose the default "Verify the image and install" in some distributions
-
@manawyrm @littlefox @volpeon well uefi specifies boot via HTTP https://uefi.org/specs/UEFI/2.11/24_Network_Protocols_SNP_PXE_BIS.html#http-boot ; there's an entirely (nah, let's go with homeopathically) reasonable world where the BMC acts as HTTP server, using as much of its own RAM as read cache as possible,to minimize that latency penalty (physical CD-ROM drives also benefit from locality, because seeking across half a disk is probably slower than awaiting replies from residential V.90 modems)
@funkylab @manawyrm @littlefox @volpeon the supreme form of curl | sudo bash
-
@littlefox @volpeon
*sigh*
OK, you wanted it:AMI MegaRAC (the BMC web UI for servers) has this feature where they allow you to select a .iso image for a CD-ROM in the web console (next to the KVM/VNC viewer).
How did they implement the CD-ROM emulation?
They open a WebSockets connection to the BMC, emulate a SCSI CD-ROM drive in JavaScript (!) and send raw SCSI packets back&forth via WebSockets, which the BMC then forwards via internal USB to the host system.@manawyrm @littlefox @volpeon Astonishing, that’s beautiful
-
@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.
You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.Imagine the rest of the story.
@manawyrm @littlefox @volpeon as a former dev implementing drivers for scsi devices, I am loving every aspect of this
-
@littlefox @volpeon less fortunate: they also fucked up the permissions checks on that websocket in a bunch of BMCs.
You can send arbitrary SCSI packets to the host system with this mechanism...
Both Linux and Windows really aren't hardened against evil block storage devices.Imagine the rest of the story.
@manawyrm @littlefox @volpeon Tell me the rest. I know SCSI only for all kind of storage (HDD, CD, Streamer) and Scanners.
-
@manawyrm @littlefox @volpeon Tell me the rest. I know SCSI only for all kind of storage (HDD, CD, Streamer) and Scanners.
@1000millimeter @manawyrm @volpeon sounds like it's rather easy to get buffer overflows and maybe even RCE via crafted malicious SCSI packets and while you usually have a hard time getting them onto an actual SCSI bus, via this websockets thing with broken authentication it's easy
-
@1000millimeter @manawyrm @volpeon sounds like it's rather easy to get buffer overflows and maybe even RCE via crafted malicious SCSI packets and while you usually have a hard time getting them onto an actual SCSI bus, via this websockets thing with broken authentication it's easy
-
@manawyrm @1000millimeter @volpeon I'm clever like a fox x3
-
S skorpy@chaos.social shared this topic
!