From: Bruce Evans
Date: Sat, 1 Dec 2018 09:00:55 +1100 (EST)
To: Edward Tomasz Napierala
cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r341338 - head/share/man/man4
Message-ID: <20181201071457.N4011@besplex.bde.org>
In-Reply-To: <201811301144.wAUBiGj6030552@repo.freebsd.org>

On Fri, 30 Nov 2018, Edward Tomasz Napierala wrote:

> Log:
>   Say in plain text what the 'debug' keymap action usually is.
>
>   MFC after: 2 weeks
>   Sponsored by: DARPA, AFRL
>
> Modified:
>   head/share/man/man4/ddb.4
>
> Modified: head/share/man/man4/ddb.4 > ============================================================================== > --- head/share/man/man4/ddb.4 Fri Nov 30 11:42:19 2018 (r341337) > +++ head/share/man/man4/ddb.4 Fri Nov 30 11:44:16 2018 (r341338) 
> @@ -108,7 +108,7 @@ If linked into the running kernel, > it can be invoked locally with the > .Ql debug > .Xr keymap 5 > -action, or by setting setting the > +action, usually mapped to Ctrl+Alt+Esc, or by setting setting the > .Dv debug.kdb.enter > sysctl to 1. > The debugger is also invoked on kernel

Actually, it is usually mapped to Ctl-PrintScreen. Ctl-Alt-Esc is a harder
to type alternative for this. There is 1 more alias in syscons us.iso.kbd
and 4 more aliases in syscons us.iso.acc.kbd.

vt complicates things. It removes ".iso" from the file names and changes 1
unrelated entry in us.iso.kbd. It changes many unrelated entries in
us.iso.acc.kbd, but all changes seem to be to replace decimal constants by
hex constants and mangle the formatting.

There are many undocumented complications for enabling these keys. Some are:
- the config option BREAK_TO_DEBUGGER for enabling entry to kdb on serial
  line breaks is conflated with entering kdb with a breakpoint instruction
  and used to initialize the similarly conflated sysctl variable
  kdb_break_to_debugger. Entering kdb on a serial line break is usually
  unwanted since it gives kdb entries when you unplug the cable or turn the
  other end off. So if you have a serial console, this option should rarely
  be used and the sysctl variable should rarely be enabled. ddb.4 documents
  BREAK_TO_DEBUGGER and clearly says that it is (only) for serial lines and
  gives slightly different reasons for not using it, and documents
  kdb.break_to_debugger, but doesn't know about the conflation or the kdb
  sysctls or the following complications.
- the sysctl variable controls entry to kdb using kdb_break() from all
  console drivers, so it should have to be enabled for the keys documented
  above to work, but it should be disabled for serial consoles. This is
  complicated by the conflation. The "break" in kdb_break() means more like
  "break in to" than either "serial line break" or "breakpoint instruction".
  sio and uart use this function for serial line breaks. syscons uses this
  for the keys documented above. But vt doesn't use this.
- the sysctl variable gives a layer of security for the keys documented
  above. syscons gives 4 more layers of security. That's 4 too many layers.
  sio and uart don't add any layers. vt doesn't use this layer, and adds its
  own layers.

Details of the layers for syscons:
- kdb entry keys can be disabled by omitting them from the keymap
- IIRC, loading of keymaps is not privileged, so you will need some
  restrictions on accesses to syscons devices to secure the previous layer
- config option SC_DISABLE_KDBKEY
- sysctl variable enable_kdbkey which defaults to the inverse of the config
  option, or enabled if the config option is not set.

Details of the layers for vt:
- 2 layers for the keymap as for syscons
- sysctl variable vt_kbd_debug. The sysctl name has the vt_ prefix separate.
  kbd_debug corresponds to the sysctl name enable_kdbkey. Both names are bad:
  - they are different (after removing the prefix)
  - no sc_ prefix in variable name for syscons
  - "kdb" for syscons looks like "kbd" which is a bad abbreviation for
    "keyboard" (should be "kb")
  - "kbd" for vt. This might actually mean "keyboard". Then "debug" is a
    verbose spelling of the "d" in "kdb", and "kdb" is not mentioned.

The vt method is better, and I plan to change sysctl to use the same method
as a first step in fixing the conflation.

The security restrictions should be per-device since you might have some
secure consoles and some insecure consoles. The separate security layers
already give this for syscons and vt, but it is more needed for multiple
serial consoles.

Everything except the kdb sysctl defaults to enabled, so it is easy to
enable entry to kdb via the keys documented above.

Disabling all entries to kdb via keys involves understanding smaller mazes
of security-related options and sysctls:
- ALT_BREAK_TO_DEBUGGER option and kdb_alt_break_to_debugger sysctl.
  This was originally only an alternative to serial line BREAK_TO_DEBUGGER.
  Its conflation with serial line breaks was smaller, but it now allows
  panics and reboots so it is even more misnamed than BREAK_TO_DEBUGGER.
  Separate security flags are needed for the different features in it.
  ddb.5 documents all this.
- in syscons, the enable_kdbkey sysctl is used for allowing the
  ALT_BREAK_TO_DEBUGGER sequences too.
- in vt, there are no extra controls on ALT_BREAK_TO_DEBUGGER sequences.
  This is the same as for sio and uart.

Bruce
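
Review bot: the added line in the `@@ -108,7 +108,7 @@` hunk of ddb.4, `+action, usually mapped to Ctrl+Alt+Esc, or by setting setting the`, carries the doubled word "setting setting" over unchanged from the line it replaces. Since this line is being rewritten anyway, drop the duplicate so the sentence reads "or by setting the .Dv debug.kdb.enter sysctl to 1".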
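
The layering described in the message above can be written down as a small audit check. This is an added example, not code from the message or from FreeBSD: it reads `sysctl` output and lists which console paths could still enter kdb. The OID names are assumed mappings for the variables the message names, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: which console paths can enter kdb, per the layering described
# in the message above. Input: `sysctl` output ("name: value") on stdin.
# OID names are assumed mappings for the variables the message names:
#   kdb_break_to_debugger     -> debug.kdb.break_to_debugger
#   kdb_alt_break_to_debugger -> debug.kdb.alt_break_to_debugger
#   enable_kdbkey (syscons)   -> hw.syscons.kbd_debug
#   vt_kbd_debug (vt)         -> kern.vt.kbd_debug
# Keymap contents and compile-time options are not visible here; an absent
# OID is treated as "driver not present".
kdb_entry_paths() {
    awk -F': *' '
        function on(k) { return (k in v) && (v[k] + 0) != 0 }
        { v[$1] = $2 }
        END {
            brk = on("debug.kdb.break_to_debugger")
            alt = on("debug.kdb.alt_break_to_debugger")
            sc  = on("hw.syscons.kbd_debug")
            has_vt = ("kern.vt.kbd_debug" in v)
            # sio/uart: no layers beyond the kdb sysctls
            if (brk) print "serial: line break"
            if (alt) print "serial: alt-break sequence"
            # syscons: kdb_break() layer AND enable_kdbkey
            if (brk && sc) print "syscons: debug key"
            if (alt && sc) print "syscons: alt-break sequence"
            # vt: own sysctl only; alt-break has no extra control
            if (on("kern.vt.kbd_debug")) print "vt: debug key"
            if (alt && has_vt) print "vt: alt-break sequence"
        }'
}

# Constructed sample, not captured from a real host.
SAMPLE='debug.kdb.break_to_debugger: 0
debug.kdb.alt_break_to_debugger: 0
hw.syscons.kbd_debug: 1
kern.vt.kbd_debug: 1'

printf '%s\n' "$SAMPLE" | kdb_entry_paths
```

With the sample, only the vt debug key is reported: clearing the kdb sysctl blocks the syscons key but not the vt one. On a live system, pipe the output of `sysctl debug.kdb hw.syscons kern.vt` into `kdb_entry_paths`.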