| 1 | NetWatch! |
| 2 | |
| 3 | This is NetWatch, a system for remote system-management-mode-based |
| 4 | control of a machine without support from or awareness by the OS. It works by |
| 5 | taking over a second network card to provide a standard VNC server, such that |
| 6 | a machine elsewhere on the network can see the text or graphics console of the |
| 7 | machine and inject keystrokes as needed. |
| 8 | |
| 9 | System management mode, introduced with the 386SL, essentially allows |
| 10 | system driver code to run outside of OS control, caused by a special interrupt |
| 11 | pin on the CPU. This was originally intended for applications such as laptop |
| 12 | fan control; it is also the mechansim by which USB legacy keyboard emulation |
| 13 | occurs. When a system management interrupt occurs, the northbridge remaps |
| 14 | portions of memory to expose previously-hidden code, and asserts an SMI# signal, |
| 15 | causing the CPU to save all its state into system management RAM and vector to |
| 16 | a magic entry point. |
| 17 | |
| 18 | This is somewhat slow, and so there is a moderate performance impact |
| 19 | caused by running NetWatch, more significant when a VNC session is open. |
| 20 | Because NetWatch is invisible to the OS, its CPU usage is difficult to monitor; |
| 21 | we do so by comparing the MD5 throughput of the system with NetWatch |
| 22 | running versus without. The only way that the OS could detect this performance |
| 23 | drain is by spinning tightly and watching for a sudden jump in the CPU's time |
| 24 | stamp counters. |
| 25 | |
| 26 | Although it would be possible to start up NetWatch after an OS kernel |
| 27 | has already loaded, it is easier and more useful to load it from GRUB before |
| 28 | the OS boots, such that even the bootloader itself can be controlled over the |
| 29 | network. We do this by providing a stub loader (grubload/) which can be invoked |
| 30 | from GRUB, and takes care of loading the main NetWatch ELF image. Once this is |
| 31 | done and NetWatch is up and running, the loader returns to real mode and |
| 32 | reinvokes GRUB via the BIOS. |
| 33 | |
| 34 | Our current development platform, the Intel ICH2, does not allow SMM |
| 35 | traps on arbitrary PCI accesses. This makes stealing the network card from the |
| 36 | OS somewhat difficult, since there is nothing SMM code can do to cleanly block |
| 37 | access. NetWatch simply chooses its desired network card, and then repeatedly |
| 38 | clobbers the PCI base address registers. Although Linux resets the BARs to sane |
| 39 | values when it probes the PCI bus, by the time it attempts to actually load |
| 40 | the network driver, the card will no longer be accessible; fortunately, the |
| 41 | driver quickly gives up, and Linux no longer attempts to access the card. |
| 42 | |
| 43 | The northbridge can be configured to invoke a system management |
| 44 | interrupt every 64 milliseconds, and so the bulk of NetWatch's work is done |
| 45 | from this interrupt: checking the network card for incoming packets, invoking |
| 46 | lwIP, and sending any response packets necessary. SMM entry also occurs when |
| 47 | when the OS reads from the keyboard I/O ports, to inject scan codes as needed. |
| 48 | |
| 49 | Much of NetWatch is very hardware-dependent, and although we've tried |
| 50 | to maintain clean interface separation to allow for easy porting, the current |
| 51 | implementation requires: |
| 52 | |
| 53 | - Intel ICH2 system chipset |
| 54 | - 3C509 Ethernet card to be used by NetWatch, plus another card of |
| 55 | any type for the OS |
| 56 | - BIOS which does not set the D_LCK bit. Any system old enough to be |
| 57 | based on the ICH2 is very likely to have a suitable BIOS. |
| 58 | |
| 59 | Current open issues are listed in the TODO file. See GUIDE for an |
| 60 | overview of which source files do what. |