May 3, 2009

Secrets of the e1000

Updated: May 23, 2009
Note that as of vSphere - ESX 4.0, when using the new virtual machine wizard, if you select a custom configuration, and virtual machine version 7, the e1000 is now presented as a virtual adapter option for a Windows Guest (along with Flexible, VMXNET 2 and VMXNET 3. Sweet!). The operating system swap around and .vmx file editing hacks detailed below should no longer be necessary if you want to use the e1000 in a VM. For details on the available virtual NIC options, see this KB article.

There is still no equivalent to vlance.noOprom = "true" or vmxnet.noOprom = "true" for the e1000 to directly disable the PXE option ROM. However the solution described below also works with vSphere.

If you haven't used the e1000 virtual NIC before, it's a virtual implementation of the ubiquitous Intel PRO/1000 Ethernet adapter. According to this VMware KB article, the performance of the e1000 device lies somewhere in between the vlance and vmxnet devices, making it the perfect choice for a virtual machine that doesn't have VMware tools installed, and is therefore unable to utilize the advanced vmxnet virtual NIC.

Pesky pixies
I've been thinking all along that the e1000 virtual NIC lacks the option ROM necessary for PXE booting, and so have never bothered to disable it. While doing some testing on the Vyatta virtual machine I set up for the Protect the Service Console Network With a Virtual Firewall project, I noticed the familiar network boot screen after forgetting to connect the Vyatta installation CD for the initial boot.

If you read my post on Hardening the VMX File, you'll remember I discussed a potential exploit using PXE. Since I thought the e1000 was option ROM free, I failed to discuss disabling it if you have no use for PXE in your environment.

I can make at least one excuse for this oversight: there actually is no .vmx directive to disable the option ROM in the e1000. The option ROMs in the vlance and vmxnet adapters can be disabled with one of these directives, vlance.noOprom = "true" or vmxnet.noOprom = "true", but there is no equivalent command for the e1000.

There is an easy workaround for the lack of a disabling command, however. We can set the memory size that the BIOS makes available to the option ROM to zero, effectively preventing it from loading with this .vmx directive:

ethernet0.opromsize = "0"

You'll need to add this directive for each e1000 adapter, ethernet1.opromsize = "0" for example, if you have two of them in a virtual machine. I've gone back to the Hardening the VMX File post and added this as an additional recommended directive if you are using e1000 adapters.

Not so secret
In an attempt to understand how I never noticed that PXE boot was available with the e1000, I searched through the release notes for each update version of ESX 3.5 on the VMware downloads page. I was able to confirm that I am actually crazy, and PXE boot has always been available with the e1000. I also discovered that the e1000 is the default when creating virtual machines with some specific operating systems. As of Update 4, selecting one of the Linux 64-bit options, Netware, Solaris, or the Other (64-bit) guest operating system will cause the New Virtual Machine Wizard to present the e1000 as the default network adapter option. So if you don't feel like manually adding an e1000 adapter by editing the .vmx file for a virtual machine, you could initially set it up as one of those guest operating systems and then change it back after the VM is created.

If you don't mind editing a .vmx file, just add this directive, changing the device name to the specific adapter you wish to change:

ethernet0.virtualDev = "e1000"

1 comment:

  1. This comment has been removed by a blog administrator.