From owner-freebsd-usb@FreeBSD.ORG Wed Oct 22 01:29:57 2014 Return-Path: Delivered-To: freebsd-usb@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8A783F7E; Wed, 22 Oct 2014 01:29:57 +0000 (UTC) Received: from nschwqsrv03p.mx.bigpond.com (nschwqsrv03p.mx.bigpond.com [61.9.189.237]) by mx1.freebsd.org (Postfix) with ESMTP id EB405BAB; Wed, 22 Oct 2014 01:29:55 +0000 (UTC) Received: from nschwcmgw08p ([61.9.190.168]) by nschwmtas01p.mx.bigpond.com with ESMTP id <20141022011008.ZCJM17954.nschwmtas01p.mx.bigpond.com@nschwcmgw08p>; Wed, 22 Oct 2014 01:10:08 +0000 Received: from hermes.heuristicsystems.com.au ([58.173.108.194]) by nschwcmgw08p with BigPond Outbound id 61A61p01E4BhPve011A63J; Wed, 22 Oct 2014 01:10:08 +0000 X-Authority-Analysis: v=2.0 cv=F6HVh9dN c=1 sm=1 a=4+whva0L5pAyL5dznpY5+Q==:17 a=vTn13sFsEjEA:10 a=N659UExz7-8A:10 a=GHIR_BbyAAAA:8 a=ndaoGXS1AAAA:8 a=6I5d2MoRAAAA:8 a=ttuqpNlATSj9IwYbvhMA:9 a=pILNOxqGKmIA:10 a=HruYj_XPREAA:10 a=ll53tLZ-EV4A:10 a=SV7veod9ZcQA:10 a=4+whva0L5pAyL5dznpY5+Q==:117 Received: from [10.0.5.3] (ewsw01.hs [10.0.5.3]) (authenticated bits=0) by hermes.heuristicsystems.com.au (8.14.5/8.13.6) with ESMTP id s9M19vm2078220 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 22 Oct 2014 12:10:03 +1100 (EST) (envelope-from dewayne.geraghty@heuristicsystems.com.au) Message-ID: <544703E5.7000007@heuristicsystems.com.au> Date: Wed, 22 Oct 2014 12:09:57 +1100 From: Dewayne Geraghty User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.1.2 MIME-Version: 1.0 To: Hans Petter Selasky Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell References: <201410082347.s98NkjW3025396@fire.js.berklix.net> <54362AE2.90501@selasky.org> <54369F43.9010806@selasky.org> In-Reply-To: <54369F43.9010806@selasky.org> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit Cc: freebsd-security@freebsd.org, freebsd-usb@freebsd.org X-BeenThere: freebsd-usb@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: FreeBSD support for USB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Oct 2014 01:29:57 -0000 On 10/10/2014 1:44 AM, Hans Petter Selasky wrote: > On 10/09/14 15:59, Oliver Pinter wrote: >> On 10/9/14, Hans Petter Selasky wrote: >>> Hi Julian, >>> >>> On 10/09/14 01:46, Julian H. Stacey wrote: >>>> Hi Hans etc >>>> "Julian H. Stacey" wrote: >>>>> Hans Petter Selasky wrote: >>>>>> Hi, >>>>>> >>>>>> Can you test the following kernel patch and give some feedback: >>>>>> >>>>>> https://svnweb.freebsd.org/changeset/base/272733 >>>> >>>> I'm now on latest current with src & sys/ GENERIC >>>> /usr/src/.ctm_status # src-cur 11645 >>>> >>>> This time I downloaded your files properly >>>> (last time I was severely distracted & made a silly mistake) >>>> >>>>>> After the patch you will get something like: >>>>>> hw.usb.disable_enumeration: 0 >>>>>> dev.uhub.0.disable_enumeration: 0 >>>>>> dev.uhub.1.disable_enumeration: 0 >>>>>> ... >>>> >>>> sysctl -a | grep enumeration >>>> hw.usb.disable_enumeration: 0 >>>> dev.uhub.0.disable_enumeration: 0 >>>> dev.uhub.1.disable_enumeration: 0 >>>> dev.uhub.2.disable_enumeration: 0 >>>> dev.uhub.3.disable_enumeration: 0 >>>> dev.uhub.4.disable_enumeration: 0 >>>> >>>> sysctl -d hw.usb.disable_enumeration >>>> hw.usb.disable_enumeration: Set to disable all USB device >>>> enumeration. >>>> >>>> sysctl -d dev.uhub.4.disable_enumeration >>>> dev.uhub.4.disable_enumeration: Set to disable enumeration on >>>> this USB >>>> HUB. >>>> >>>> usbconfig >>>> ugen0.1: at usbus0, cfg=0 md=HOST spd=HIGH >>>> (480Mbps) >>>> pwr=SAVE (0mA) >>>> ugen1.1: at usbus1, cfg=0 md=HOST spd=HIGH >>>> (480Mbps) >>>> pwr=SAVE (0mA) >>>> ugen0.2: at usbus0, cfg=0 md=HOST >>>> spd=HIGH >>>> (480Mbps) pwr=SAVE (0mA) >>>> ugen1.2: at usbus1, cfg=0 md=HOST >>>> spd=HIGH >>>> (480Mbps) pwr=SAVE (0mA) >>>> ugen0.3: <1.3M WebCam XPA2535XY> at usbus0, cfg=255 md=HOST spd=HIGH >>>> (480Mbps) pwr=OFF (500mA) >>>> ugen1.3: at usbus1, >>>> cfg=0 >>>> md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA) >>>> ugen1.4: at usbus1, cfg=0 md=HOST spd=HIGH >>>> (480Mbps) pwr=SAVE (100mA) >>>> >>> >>>> >>>> Great ! Seems to work. >>>> >>>> (Though I need to read up on how major & minor of ugen relate to >>>> the digit in eg 4.disable_enumeration) >>>> >>>> >>>>>> which is also settable through /boot/loader.conf (tunable) >>>> >>>> Good, >>>> I hope/presume loader.conf gets run before any USB, cos I recall >>>> lecturer Karsten Nohl pointing out one could get BadUSB taking up >>>> residence in USB controller chips inside a PC, ie for a built in >>>> mouse or web cam, so one would need to turn off enumeration earlier >>>> than when first external USB approaches to connect. >>> >>> Yes, if set by the loader.conf, you will only see the RootHUB after >>> boot. >>> >>> To get devices back after enabling enumeration again, you will need to >>> reset the HUBs: >>> >>> usbconfig -d X.1 reset >>> >>> For example. >>> >>> BTW: I've added some exceptions, that existing devices can be detached, >>> suspend/resumed and reset while the enumeration is disabled. >> >> Can we somehow improve this change, to powering down the ports/hubs >> which has the enumeration disabled? >> > > Hi, > > I've added this as an orthogonal feature. Please test and report back: > > hw.usb.disable_enumeration: 0 > hw.usb.disable_port_power: 0 > > dev.uhub.0.disable_enumeration: 0 > dev.uhub.0.disable_port_power: 0 > > https://svnweb.freebsd.org/changeset/base/272822 > > Thank you! > > --HPS > > _______________________________________________ > freebsd-usb@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-usb > To unsubscribe, send any mail to "freebsd-usb-unsubscribe@freebsd.org" > Hans, Thank-you for these enhancements, as its good to have something in the armoury to try to address this issue. I applied the patch https://lists.freebsd.org/pipermail/svn-src-head/2014-October/063443.html to an updated 10.Stable overnight. Disabling enumeration works as described above except that, placing the following in loader.conf has no effect? --- tail of /boot/loader.conf --- # 20141022 Didn't work as expected #dev.uhub.0.disable_enumeration="1" #dev.uhub.1.disable_enumeration="1" #dev.uhub.2.disable_enumeration="1" #dev.uhub.3.disable_enumeration="1" #dev.uhub.4.disable_enumeration="1" # 20141022 Also didn't work hw.usb.disable_enumeration="1" --- end of /boot/loader.conf --- I confirmed the setting was correctly read by loader, by interrupting the boot and showing the variables. But immediately after booting, sysctl -a|grep enumer hw.usb.disable_enumeration: 0 dev.uhub.0.disable_enumeration: 0 dev.uhub.1.disable_enumeration: 0 dev.uhub.2.disable_enumeration: 0 dev.uhub.3.disable_enumeration: 0 dev.uhub.4.disable_enumeration: 0 Any ideas why loader.conf settings weren't applied? They are applied via /etc/sysctl.conf, but by that stage, any harm has been done. It was interesting doing "user testing" (ie dumb things). Having a mouse in hub-unit.endpoint=0.2 sysctl dev.uhub.0.disable_enumeration=1 usbconfig -d 0.2 power_off provides an opportunity to make a fresh cup of tea... ;) Regards, Dewayne. -- For the talkers: “The superior man acts before he speaks, and afterwards speaks according to his action.” For everyone else: “Life is really simple, but we insist on making it complicated.” From owner-freebsd-usb@FreeBSD.ORG Wed Oct 22 06:19:53 2014 Return-Path: Delivered-To: freebsd-usb@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5063AAAB; Wed, 22 Oct 2014 06:19:53 +0000 (UTC) Received: from mail.turbocat.net (mail.turbocat.net [IPv6:2a01:4f8:d16:4514::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 10B3BA54; Wed, 22 Oct 2014 06:19:52 +0000 (UTC) Received: from laptop015.home.selasky.org (cm-176.74.213.204.customer.telag.net [176.74.213.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.turbocat.net (Postfix) with ESMTPSA id C07531FE023; Wed, 22 Oct 2014 08:19:49 +0200 (CEST) Message-ID: <54474C8B.5020000@selasky.org> Date: Wed, 22 Oct 2014 08:19:55 +0200 From: Hans Petter Selasky User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2 MIME-Version: 1.0 To: Dewayne Geraghty Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell References: <201410082347.s98NkjW3025396@fire.js.berklix.net> <54362AE2.90501@selasky.org> <54369F43.9010806@selasky.org> <544703E5.7000007@heuristicsystems.com.au> In-Reply-To: <544703E5.7000007@heuristicsystems.com.au> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org, freebsd-usb@freebsd.org X-BeenThere: freebsd-usb@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: FreeBSD support for USB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Oct 2014 06:19:53 -0000 On 10/22/14 03:09, Dewayne Geraghty wrote: > Hans, > Thank-you for these enhancements, as its good to have something in the > armoury to try to address this issue. > > I applied the patch > https://lists.freebsd.org/pipermail/svn-src-head/2014-October/063443.html to > an updated 10.Stable overnight. Disabling enumeration works as > described above except that, placing the following in loader.conf has no > effect? > --- tail of /boot/loader.conf --- > # 20141022 Didn't work as expected > #dev.uhub.0.disable_enumeration="1" > #dev.uhub.1.disable_enumeration="1" > #dev.uhub.2.disable_enumeration="1" > #dev.uhub.3.disable_enumeration="1" > #dev.uhub.4.disable_enumeration="1" > > # 20141022 Also didn't work > hw.usb.disable_enumeration="1" > --- end of /boot/loader.conf --- Hi, The /boot/loader.conf only works in -current, because in 10-stable SYSCTLs cannot be automatically loaded from TUNABLEs. You would need to add some TUNABLE() statements for that. --HPS