[oshug] Notes from OSHUG #57

Sevan Janiyan venture37 at geeklan.co.uk
Mon Apr 24 21:29:08 UTC 2017


Hello,
I've written up the notes from last Thursday's workshop, give it a try
if you have a Pi handy.

You can use a Pi 3 if you have it hooked up to a HDMI monitor & keyboard.

I skipped on the instructions for the BeagleBone Black, email me off
list if you'd like to use such a device.


Sevan Janiyan

These notes cover
1) Cross compilation support (build.sh)
2) Tamper proofing / Tamper detection (Veriexec)

*Useful link*:

http://man.NetBSD.org - Man pages shipped with the OS available from a
web browser
http://www.netbsd.org/docs/guide/en/index.html - The NetBSD Guide
http://cvsweb.netbsd.org/bsdweb.cgi/src/?only_with_tag=MAIN - Web
interface to the OS source code


*Cross compilation support as standard*

*Requirements*:

*Windows 10*
Install Windows Subsystem for Linux
https://msdn.microsoft.com/en-us/commandline/wsl/about

*Windows 10 / Linux (Debian/Ubuntu)* packages:
build-essential
zlib1g-dev
flex
libc6-dev-i386

*Mac OS X*
GCC or clang via Xcode or the command line tools:
xcode-select --install

*Windows 8 & Prior*
Install Linux dependencies via Cygwin.
TODO: list dependencies

*Fetch the sources*:
Download all source archives (.tgz files) from
http://nycdn.netbsd.org/pub/NetBSD-daily/HEAD/201704222230Z/source/sets/
(It is likely this URL will become invalid as old builds are purged and
new ones are generated. Substitute 201704222230Z with the most recent
build available under http://nycdn.netbsd.org/pub/NetBSD-daily/HEAD.)

*Extract all fetched files*:
for file in *.tgz
do
tar -xzf "$file"
done

*Change into the extracted source directory*:
cd usr/src


*List supported architectures and variations we can cross compile for*:
./build.sh list-arch

Reduce the listing to the ARM evaluation board archs which devices such
as the Pi family are categorised under:
./build.sh list-arch | grep evbarm

MACHINE=evbarm          MACHINE_ARCH=arm        ALIAS=evboarm-el
MACHINE=evbarm          MACHINE_ARCH=armeb      ALIAS=evboarm-eb
MACHINE=evbarm          MACHINE_ARCH=earm       ALIAS=evbearm-el DEFAULT
MACHINE=evbarm          MACHINE_ARCH=earmeb     ALIAS=evbearm-eb
MACHINE=evbarm          MACHINE_ARCH=earmhf     ALIAS=evbearmhf-el
MACHINE=evbarm          MACHINE_ARCH=earmhfeb   ALIAS=evbearmhf-eb
MACHINE=evbarm          MACHINE_ARCH=earmv4     ALIAS=evbearmv4-el
MACHINE=evbarm          MACHINE_ARCH=earmv4eb   ALIAS=evbearmv4-eb
MACHINE=evbarm          MACHINE_ARCH=earmv5     ALIAS=evbearmv5-el
MACHINE=evbarm          MACHINE_ARCH=earmv5eb   ALIAS=evbearmv5-eb
MACHINE=evbarm          MACHINE_ARCH=earmv6     ALIAS=evbearmv6-el
MACHINE=evbarm          MACHINE_ARCH=earmv6hf   ALIAS=evbearmv6hf-el
MACHINE=evbarm          MACHINE_ARCH=earmv6eb   ALIAS=evbearmv6-eb
MACHINE=evbarm          MACHINE_ARCH=earmv6hfeb ALIAS=evbearmv6hf-eb
MACHINE=evbarm          MACHINE_ARCH=earmv7     ALIAS=evbearmv7-el
MACHINE=evbarm          MACHINE_ARCH=earmv7eb   ALIAS=evbearmv7-eb
MACHINE=evbarm          MACHINE_ARCH=earmv7hf   ALIAS=evbearmv7hf-el
MACHINE=evbarm          MACHINE_ARCH=earmv7hfeb ALIAS=evbearmv7hf-eb
MACHINE=evbarm64        MACHINE_ARCH=aarch64    ALIAS=evbarm64-el DEFAULT
MACHINE=evbarm64        MACHINE_ARCH=aarch64eb  ALIAS=evbarm64-eb

eb and el indicate the endianness (big or little endian).
hf refers to hardware floating point support.

For the Pi, we'll target the ARMv6 with hardware floating point support
in little endian mode as the lowest common denominator:
evbearmv6hf-el


*Build the cross compile toolchain*:
To build the tools without requiring elevated privileges (root), the -U
flag specifies an unprivileged build.
To save us having to specify the MACHINE/MACHINE_ARCH combination (which
would be done using -m/-a), we pass the ALIAS listed above to -m.
To speed up the build process we increase the number of parallel jobs
the build executes with -j. This number should match the number of
available cores & not exceed it.
./build.sh -U -m evbearmv6hf-el -j2 tools

*Build a new kernel for the Pi or Pi2*:
./build.sh -U -m evbearmv6hf-el -j2 kernel=RPI
or
./build.sh -U -m evbearmv6hf-el -j2 kernel=RPI2

*To build a complete operating system including images*:
**WARNING** Depending on the system it may take a little time
./build.sh -U -m evbearmv6hf-el -j2 release

When the build is finished, a report is printed out which contains
details of where the generated files are located (this will be relative
to your system) & the time it took to build.
===> Summary of results:
         build.sh command:    ./build.sh -U -m evbearmv6hf-el -j2 kernel=RPI
         build.sh started:    Mon Apr 24 17:19:18 BST 2017
         NetBSD version:      7.99.70
         MACHINE:             evbarm
         MACHINE_ARCH:        earmv6hf
         Build platform:      NetBSD 7.99.70 i386
         HOST_SH:             /bin/sh
         MAKECONF file:       /etc/mk.conf
         TOOLDIR path:        /usr/src/obj/tooldir.NetBSD-7.99.70-i386
         DESTDIR path:        /usr/src/obj/destdir.evbarm
         RELEASEDIR path:     /usr/src/obj/releasedir
         Updated makewrapper:
/usr/src/obj/tooldir.NetBSD-7.99.70-i386/bin/nbmake-evbearmv6hf-el
         Building kernel without building new tools
         Building kernel:     RPI
         Build directory:     /usr/src/sys/arch/evbarm/compile/obj/RPI
         Kernels built from RPI:
          /usr/src/sys/arch/evbarm/compile/obj/RPI/netbsd
         build.sh ended:      Mon Apr 24 17:27:42 BST 2017
===> .


*Writing Pi image to SD card*:
Either you ran build.sh with the release target or you fetched a
pre-built image from nycdn.NetBSD.org for your Pi, such as:
http://nycdn.netbsd.org/pub/NetBSD-daily/HEAD/201704222230Z/evbarm-earmv6hf/binary/gzimg/rpi.img.gz
(It is likely this URL will become invalid as old builds are purged and
new ones are generated. Substitute 201704222230Z with the most recent
build available under http://nycdn.netbsd.org/pub/NetBSD-daily/HEAD.)

*Uncompress image*:
gunzip rpi.img.gz

Use the flash instructions relevant to the operating system the SD card
will be written on:
http://elinux.org/RPi_Easy_SD_Card_Setup
Section 3.3 for Windows
Section 3.4 for Mac OS X
Section 3.5 for Linux
Where the documentation refers to Raspbian images, substitute the NetBSD
rpi.img you have.


*Preparing to boot*:
For the Pi 3, serial console access is not currently available in
NetBSD. The system should work with an HDMI display & USB keyboard
however. There is nothing further to do for you in this section.
For the Pi & Pi 2, connect your USB to TTL adapter to the GND, TXD & RXD
pins.
The location of the pins is the same on the Pi & Pi 2, see
https://www.raspberrypi.org/documentation/usage/gpio/images/gpio-led.png
and
https://pinout.xyz

You'll need to run a terminal emulator set at 115200 BAUD.
Use the cu utility on Linux & OS X.

*On Windows*:
Use Terraterm http://ttssh2.osdn.jp
Set baud rate to 115200
Choose com port associated with your USB adapter.

*On Debian & derivatives* (Ubuntu):
You need to install the uucp package to obtain the cu utility.
The ownership of the device file for the USB adapter needs to be changed,
otherwise you will receive a "line in use" error:
chown uucp:uucp /dev/ttyUSB0

*On OS X*:
Depending on the USB to TTL adapter, the device node in /dev will have a
different name.
Run
ls /dev/tty.*
to see the serial devices detected,
such as /dev/tty.SLAB_USBtoUART or /dev/tty.usbserial-RANDOMCHARACTERS,
e.g. /dev/tty.usbserial-AM01Z4V3

*Running cu*:
Replace /dev/ttyUSB0 with the device node relevant to your system.
sudo cu -l /dev/ttyUSB0 -s 115200

*Exiting cu*:
press ~.


*Enable serial console on Pi* (not for Pi3):
The rpi.img is split into a DOS partition (containing the firmware & NetBSD
kernel) and a NetBSD UFS partition (containing the NetBSD operating system).
On the DOS partition there is a file called cmdline.txt.
The first line reads
root=ld0a console=fb
Delete the console=fb so that it reads
root=ld0a
Save & exit the text editor.

*Booting Pi*:
Insert SD card into Pi
Apply power
Login as root (no password)


*Tamper proofing / Tamper detection* (Veriexec)

*A device node is needed for veriexec to function, it is currently not
created automatically*:
cd /dev
sh MAKEDEV veriexec

*Make a duplicate copy of the ls utility*:
cp /bin/ls /bin/ls-2

*Set the veriexec mode to be IDS (Intrusion Detection System) when it runs*:
echo veriexec_strict=1 >> /etc/rc.conf

*Generate a hash of all executables in the search path*:
veriexecgen

*Verify that the hashes for ls & ls-2 are listed*:
grep ls /etc/signatures

*Enable veriexec temporarily*: (ignore any errors related to
/etc/signatures)
/etc/rc.d/veriexec onestart

*Confirm you are able to read /bin/ls-2*:
cksum -a SHA256 /bin/ls-2

*Clobber /bin/ls-2*:
echo 1 > /bin/ls-2

*Try to re-read /bin/ls-2 (it should fail with an error)*:
cksum -a SHA256 /bin/ls-2
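The whole Veriexec exercise above (fingerprint, clobber, detect) modelled in userland as an added example; this is not NetBSD's own veriexec or veriexecgen code. It assumes a signature line format modelled on /etc/signatures ("path algorithm fingerprint flags"), sha256sum on Linux or cksum -a SHA256 on NetBSD, and uses constructed files under a temporary directory in place of /bin/ls and /bin/ls-2:

```sh
#!/bin/sh
# Userland model of the Veriexec workflow (added example, not NetBSD code):
# generate_signatures records one fingerprint per file, verify_signatures
# re-hashes each entry and reports what changed, like the IDS mode mismatch.

# Portable SHA256: sha256sum on Linux, cksum -a SHA256 on NetBSD (assumed).
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum -a SHA256 "$1" | sed 's/.*= //'   # "SHA256 (file) = hash"
    fi
}

# generate_signatures sigfile file... : like veriexecgen, but only for the
# files given; each line is "path SHA256 fingerprint DIRECT" (modelled format).
generate_signatures() {
    sig=$1; shift
    : > "$sig"
    for f in "$@"; do
        printf '%s SHA256 %s DIRECT\n' "$f" "$(digest_of "$f")" >> "$sig"
    done
}

# verify_signatures sigfile : prints every tampered path; the return value
# is the number of mismatches (0 means every fingerprint still matches).
verify_signatures() {
    n=0
    while read -r path algo fp flags; do
        [ "$algo" = SHA256 ] || continue          # only algorithm modelled
        if [ "$(digest_of "$path")" != "$fp" ]; then
            echo "veriexec: fingerprint mismatch: $path ($flags)"
            n=$((n + 1))
        fi
    done < "$1"
    return "$n"
}

# Constructed scenario mirroring the workshop: copy a "binary", fingerprint
# both copies, clobber the copy the same way, then verify.
demo() {
    d=$(mktemp -d)
    printf 'stand-in for /bin/ls\n' > "$d/ls"
    cp "$d/ls" "$d/ls-2"
    generate_signatures "$d/signatures" "$d/ls" "$d/ls-2"
    echo 1 > "$d/ls-2"
    verify_signatures "$d/signatures"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

if demo; then echo "all fingerprints match"; else echo "tamper detected: $? file(s) changed"; fi
```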
