From: "Julian H. Stacey"
Organization: http://berklix.com BSD Unix Linux Consultants, Munich Germany
To: Oliver Pinter
Cc: Hans Petter Selasky, freebsd-security@freebsd.org, Poul-Henning Kamp, freebsd-usb@freebsd.org
Date: Thu, 09 Oct 2014 16:06:21 +0200
Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
In-reply-to: Your message "Thu, 09 Oct 2014 15:59:28 +0200."
List-Id: "Security issues [members-only posting]"

Hi,
Reference:
> From: Oliver Pinter
> Date: Thu, 9 Oct 2014 15:59:28 +0200

Oliver Pinter wrote:
> On 10/9/14, Hans Petter Selasky wrote:
> > Hi Julian,
> >
> > On 10/09/14 01:46, Julian H. Stacey wrote:
> >> Hi Hans etc
> >> "Julian H. Stacey" wrote:
> >>> Hans Petter Selasky wrote:
> >>>> Hi,
> >>>>
> >>>> Can you test the following kernel patch and give some feedback:
> >>>>
> >>>> https://svnweb.freebsd.org/changeset/base/272733
> >>
> >> I'm now on latest current with src & sys/ GENERIC
> >> /usr/src/.ctm_status # src-cur 11645
> >>
> >> This time I downloaded your files properly
> >> (last time I was severely distracted & made a silly mistake)
> >>
> >>>> After the patch you will get something like:
> >>>> hw.usb.disable_enumeration: 0
> >>>> dev.uhub.0.disable_enumeration: 0
> >>>> dev.uhub.1.disable_enumeration: 0
> >>>> ...
> >>
> >> sysctl -a | grep enumeration
> >> hw.usb.disable_enumeration: 0
> >> dev.uhub.0.disable_enumeration: 0
> >> dev.uhub.1.disable_enumeration: 0
> >> dev.uhub.2.disable_enumeration: 0
> >> dev.uhub.3.disable_enumeration: 0
> >> dev.uhub.4.disable_enumeration: 0
> >>
> >> sysctl -d hw.usb.disable_enumeration
> >> hw.usb.disable_enumeration: Set to disable all USB device enumeration.
> >>
> >> sysctl -d dev.uhub.4.disable_enumeration
> >> dev.uhub.4.disable_enumeration: Set to disable enumeration on this USB
> >> HUB.
> >>
> >> usbconfig
> >> ugen0.1: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps)
> >> pwr=SAVE (0mA)
> >> ugen1.1: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps)
> >> pwr=SAVE (0mA)
> >> ugen0.2: at usbus0, cfg=0 md=HOST spd=HIGH
> >> (480Mbps) pwr=SAVE (0mA)
> >> ugen1.2: at usbus1, cfg=0 md=HOST spd=HIGH
> >> (480Mbps) pwr=SAVE (0mA)
> >> ugen0.3: <1.3M WebCam XPA2535XY> at usbus0, cfg=255 md=HOST spd=HIGH
> >> (480Mbps) pwr=OFF (500mA)
> >> ugen1.3: at usbus1, cfg=0
> >> md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
> >> ugen1.4: at usbus1, cfg=0 md=HOST spd=HIGH
> >> (480Mbps) pwr=SAVE (100mA)
> >>
> >
> >>
> >> Great ! Seems to work.
> >>
> >> (Though I need to read up on how major & minor of ugen relate to
> >> the digit in eg 4.disable_enumeration)
> >>
> >>
> >>>> which is also settable through /boot/loader.conf (tunable)
> >>
> >> Good,
> >> I hope/presume loader.conf gets run before any USB, cos I recall
> >> lecturer Karsten Nohl pointing out one could get BadUSB taking up
> >> residence in USB controller chips inside a PC, ie for a built in
> >> mouse or web cam, so one would need to turn off enumeration earlier
> >> than when first external USB approaches to connect.
> >
> > Yes, if set by the loader.conf, you will only see the RootHUB after boot.
> >
> > To get devices back after enabling enumeration again, you will need to
> > reset the HUBs:
> >
> > usbconfig -d X.1 reset
> >
> > For example.
> >
> > BTW: I've added some exceptions, that existing devices can be detached,
> > suspend/resumed and reset while the enumeration is disabled.
>
> Can we somehow improve this change, to powering down the ports/hubs
> which have the enumeration disabled?

It's useful to have the port remain powered up for when someone says
"Can I charge my smart phone on your PC/ laptop ?"

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com
Indent previous with "> ". Interleave reply paragraphs like a play script.
Send plain text, not quoted-printable, HTML, base64, or multipart/alternative.
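A small audit helper for the enumeration knobs discussed in this thread, added here as an illustration and not part of the thread or of the FreeBSD patch: it parses a `sysctl -a | grep enumeration` listing like the one Julian quoted, reports which hubs can still enumerate new devices, and emits the matching /boot/loader.conf tunable lines. The sample listing is constructed; the last two functions assume a FreeBSD host with the patch applied and are the only ones that touch sysctl(8) or usbconfig(8).

```shell
#!/bin/sh
# Constructed sample in the shape of the listing quoted in the thread.
SAMPLE='hw.usb.disable_enumeration: 0
dev.uhub.0.disable_enumeration: 1
dev.uhub.1.disable_enumeration: 0
dev.uhub.2.disable_enumeration: 1'

# Normalise "name: value" lines into "name value", dropping anything else.
parse_enum() {
    sed -n 's/^\([a-z0-9.]*disable_enumeration\): *\([01]\)$/\1 \2/p'
}

# Hubs whose enumeration is still enabled (value 0), one name per line.
# If the global hw.usb knob is 1 nothing can enumerate, so print nothing.
enumerating_hubs() {
    parse_enum | awk '
        $1 == "hw.usb.disable_enumeration" && $2 == "1" { global = 1 }
        $1 ~ /^dev\.uhub\./ && $2 == "0" { hubs = hubs $1 "\n" }
        END { if (!global) printf "%s", hubs }'
}

# loader.conf lines that would set every knob in the listing to 1 at boot,
# i.e. the tunable form mentioned in the thread.
loader_conf_lines() {
    parse_enum | awk '{ print $1 "=\"1\"" }'
}

# Run the audit over the constructed sample (replace with a real listing).
audit_sample() {
    printf '%s\n' "$SAMPLE" | enumerating_hubs
}

# FreeBSD only: disable enumeration on every hub at runtime (assumed host).
disable_all_enumeration() {
    sysctl hw.usb.disable_enumeration=1
}

# FreeBSD only: re-enable enumeration and reset the root hub of bus $1 so
# already-attached devices come back, as Hans Petter described.
reenable_bus() {
    sysctl hw.usb.disable_enumeration=0 && usbconfig -d "$1.1" reset
}

audit_sample
```

On a real host pipe `sysctl -a | grep enumeration` into `enumerating_hubs` instead of the sample.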