From: Hans Petter Selasky
Date: Thu, 09 Oct 2014 08:27:46 +0200
To: "Julian H. Stacey", freebsd-security@freebsd.org, Poul-Henning Kamp, freebsd-usb@freebsd.org
Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
Message-ID: <54362AE2.90501@selasky.org>
In-Reply-To: <201410082347.s98NkjW3025396@fire.js.berklix.net>
List-Id: FreeBSD support for USB

Hi Julian,

On 10/09/14 01:46, Julian H. Stacey wrote:
> Hi Hans etc
> "Julian H. Stacey" wrote:
>> Hans Petter Selasky wrote:
>>> Hi,
>>>
>>> Can you test the following kernel patch and give some feedback:
>>>
>>> https://svnweb.freebsd.org/changeset/base/272733
>
> I'm now on latest current with src & sys/ GENERIC
> /usr/src/.ctm_status # src-cur 11645
>
> This time I downloaded your files properly
> (last time I was severely distracted & made a silly mistake)
>
>>> After the patch you will get something like:
>>> hw.usb.disable_enumeration: 0
>>> dev.uhub.0.disable_enumeration: 0
>>> dev.uhub.1.disable_enumeration: 0
>>> ...
>
> sysctl -a | grep enumeration
> hw.usb.disable_enumeration: 0
> dev.uhub.0.disable_enumeration: 0
> dev.uhub.1.disable_enumeration: 0
> dev.uhub.2.disable_enumeration: 0
> dev.uhub.3.disable_enumeration: 0
> dev.uhub.4.disable_enumeration: 0
>
> sysctl -d hw.usb.disable_enumeration
> hw.usb.disable_enumeration: Set to disable all USB device enumeration.
>
> sysctl -d dev.uhub.4.disable_enumeration
> dev.uhub.4.disable_enumeration: Set to disable enumeration on this USB HUB.
>
> usbconfig
> ugen0.1: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
> ugen1.1: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
> ugen0.2: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
> ugen1.2: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
> ugen0.3: <1.3M WebCam XPA2535XY> at usbus0, cfg=255 md=HOST spd=HIGH (480Mbps) pwr=OFF (500mA)
> ugen1.3: at usbus1, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
> ugen1.4: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (100mA)
>
> Great! Seems to work.
>
> (Though I need to read up on how major & minor of ugen relate to
> the digit in eg 4.disable_enumeration)
>
>>> which is also settable through /boot/loader.conf (tunable)
>
> Good,
> I hope/presume loader.conf gets run before any USB, cos I recall
> lecturer Karsten Nohl pointing out one could get BadUSB taking up
> residence in USB controller chips inside a PC, ie for a built in
> mouse or web cam, so one would need to turn off enumeration earlier
> than when first external USB approaches to connect.

Yes, if set by the loader.conf, you will only see the RootHUB after boot.

To get devices back after enabling enumeration again, you will need to
reset the HUBs:

usbconfig -d X.1 reset

For example.

BTW: I've added some exceptions, so that existing devices can be
detached, suspended/resumed and reset while the enumeration is disabled.

https://svnweb.freebsd.org/changeset/base/272807

> I've reported back on BBC news form:
> Ref. your
> 6 October 2014 Last updated at 15:29 GMT
> http://www.bbc.com/news/technology-29475566
>
> The www.FreeBSD.org project (a Unix OS similar to Linux)
> took just 2 days to develop & test a free solution.
> http://lists.freebsd.org/pipermail/freebsd-usb/2014-October/013304.html

Can you also test that patch? Thank you!

--HPS
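As an added example (not part of this thread or of the FreeBSD patch), a POSIX shell helper that parses output like the sysctl listing quoted above, reports per hub whether enumeration is effectively locked, and prints the re-enable and root-hub reset sequence from the reply. It assumes, from the quoted sysctl descriptions, that either the global knob or a hub's own knob being non-zero locks that hub; the sample sysctl lines are constructed, and the root-hub address ugenX.1 follows the reply's "usbconfig -d X.1 reset".

```sh
#!/bin/sh
# Added example (not code from the thread or the FreeBSD patch): an audit
# helper for the disable_enumeration knobs. Pure POSIX shell, so it runs
# anywhere; on a FreeBSD box pipe real `sysctl -a` output into it.
# Assumption: a hub is locked when the global hw.usb knob OR its own
# dev.uhub.N knob is non-zero (as the quoted sysctl descriptions imply).
# Boot-time lock (loader.conf tunable): hw.usb.disable_enumeration="1"

# Constructed sample of `sysctl -a | grep enumeration`, not captured from a
# real machine: hub 1 locked individually, global knob still open.
SAMPLE_SYSCTL='hw.usb.disable_enumeration: 0
dev.uhub.0.disable_enumeration: 0
dev.uhub.1.disable_enumeration: 1
dev.uhub.2.disable_enumeration: 0'

# effective_state: read sysctl lines on stdin, print "uhubN open|locked"
# for every hub, honouring the global override.
effective_state() {
  global=0; hubs=""
  while IFS= read -r line; do
    key=${line%%:*}; val=${line##*: }
    case "$key" in
      hw.usb.disable_enumeration) global=$val ;;
      dev.uhub.*.disable_enumeration)
        unit=${key#dev.uhub.}; unit=${unit%%.*}
        hubs="$hubs $unit=$val" ;;
    esac
  done
  for h in $hubs; do
    unit=${h%%=*}; val=${h#*=}
    if [ "$global" != 0 ] || [ "$val" != 0 ]; then
      echo "uhub$unit locked"
    else
      echo "uhub$unit open"
    fi
  done
}

# reenable_plan BUS: print (do not run) the sequence from the reply above for
# re-admitting devices on usbusBUS: lift the lock, then reset the root hub
# (ugenBUS.1) so devices that were already attached get enumerated.
reenable_plan() {
  printf 'sysctl hw.usb.disable_enumeration=0\nusbconfig -d %s.1 reset\n' "$1"
}

printf '%s\n' "$SAMPLE_SYSCTL" | effective_state
```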