Hello, I've written up the notes from last Thursday's workshop, give it a try if you have a Pi handy.
You can use a Pi 3 if you have it hooked up to a HDMI monitor & keyboard.
I skipped on the instructions for the BeagleBone Black, email me off list if you'd like to use such a device.
Sevan Janiyan
These notes cover 1) Cross compilation support (build.sh) 2) Tamper proofing / Tamper detection (Veriexec)
*Useful link*:
http://man.NetBSD.org - Man pages shipped with the OS available from a web browser http://www.netbsd.org/docs/guide/en/index.html - The NetBSD Guide http://cvsweb.netbsd.org/bsdweb.cgi/src/?only_with_tag=MAIN - Web interface to the OS source code
*Cross compilation support as standard*
*Requirements*:
*Windows 10* Install Windows Subsystem for Linux https://msdn.microsoft.com/en-us/commandline/wsl/about https://msdn.microsoft.com/en-us/commandline/wsl/about Windows 10 / Linux (Debian/Ubuntu) build-essential zlib1g-dev flex libc6-dev-i386
*Mac OS X* GCC or clang via Xcode or command line tools xcode-select --install
*Windows 8 & Prior* Install Linux dependencies via Cygwin. TODO: list dependencies
*Fetch the sources*: download all source archives (.tgz files) from http://nycdn.netbsd.org/pub/NetBSD-daily/HEAD/201704222230Z/source/sets/ (It is likely this url will become invalid as old builds are purged and new ones are generated. Substitute 201704222230Z with the most recent release available on http://nycdn.netbsd.org/pub/NetBSD-daily/HEAD.
*Extract all fetched files*: for file in *.tar.gz do tar -xzf $file done
*Change into the extracted source directory*: cd usr/src
*List supported architectures and variations we can cross compile for*: ./build.sh list-arch
Reduce the listing to the ARM evaluation board archs which devices such as the Pi family are categorised under: ./build.sh list-arch | grep evbarm
MACHINE=evbarm MACHINE_ARCH=arm ALIAS=evboarm-el MACHINE=evbarm MACHINE_ARCH=armeb ALIAS=evboarm-eb MACHINE=evbarm MACHINE_ARCH=earm ALIAS=evbearm-el DEFAULT MACHINE=evbarm MACHINE_ARCH=earmeb ALIAS=evbearm-eb MACHINE=evbarm MACHINE_ARCH=earmhf ALIAS=evbearmhf-el MACHINE=evbarm MACHINE_ARCH=earmhfeb ALIAS=evbearmhf-eb MACHINE=evbarm MACHINE_ARCH=earmv4 ALIAS=evbearmv4-el MACHINE=evbarm MACHINE_ARCH=earmv4eb ALIAS=evbearmv4-eb MACHINE=evbarm MACHINE_ARCH=earmv5 ALIAS=evbearmv5-el MACHINE=evbarm MACHINE_ARCH=earmv5eb ALIAS=evbearmv5-eb MACHINE=evbarm MACHINE_ARCH=earmv6 ALIAS=evbearmv6-el MACHINE=evbarm MACHINE_ARCH=earmv6hf ALIAS=evbearmv6hf-el MACHINE=evbarm MACHINE_ARCH=earmv6eb ALIAS=evbearmv6-eb MACHINE=evbarm MACHINE_ARCH=earmv6hfeb ALIAS=evbearmv6hf-eb MACHINE=evbarm MACHINE_ARCH=earmv7 ALIAS=evbearmv7-el MACHINE=evbarm MACHINE_ARCH=earmv7eb ALIAS=evbearmv7-eb MACHINE=evbarm MACHINE_ARCH=earmv7hf ALIAS=evbearmv7hf-el MACHINE=evbarm MACHINE_ARCH=earmv7hfeb ALIAS=evbearmv7hf-eb MACHINE=evbarm64 MACHINE_ARCH=aarch64 ALIAS=evbarm64-el DEFAULT MACHINE=evbarm64 MACHINE_ARCH=aarch64eb ALIAS=evbarm64-eb
eb and el indicate the endianness (big or little) hf refers to hardware floating point support.
For the Pi, we'll target the ARMv6 with hardware floating point support in little endian mode as the lowest common denominator: evbearmv6hf-el
*Build the cross compile toolchain*: To build the tools without requiring elevated privileges (root) the -U flag specifies unprivileged To save us have to specify the MACHINE/MACHINE_ARCH combination which would be done using -m/-a, we specify the ALIAS listed above to -m To speed up the build process we increase the number of parallel jobs the build we execute. This number should match the number of available cores & not exceed it. ./build.sh -U -m evbearmv6hf-el -j2 tools
*Build a new kernel for the Pi or Pi2*: ./build.sh -U -m evbearmv6hf-el -j2 kernel=RPI or ./build.sh -U -m evbearmv6hf-el -j2 kernel=RPI2
*To build a complete operating system including images*: **WARNING** Depending on the system it may take a little time ./build.sh -U -m evbearmv6hf-el -j2 release
When the build is finished, a report is printed out which contains details of where the generated files are located (this will be relative to your system) & the time it took to build. ===> Summary of results: build.sh command: ./build.sh -U -m evbearmv6hf-el -j2 kernel=RPI build.sh started: Mon Apr 24 17:19:18 BST 2017 NetBSD version: 7.99.70 MACHINE: evbarm MACHINE_ARCH: earmv6hf Build platform: NetBSD 7.99.70 i386 HOST_SH: /bin/sh MAKECONF file: /etc/mk.conf TOOLDIR path: /usr/src/obj/tooldir.NetBSD-7.99.70-i386 DESTDIR path: /usr/src/obj/destdir.evbarm RELEASEDIR path: /usr/src/obj/releasedir Updated makewrapper: /usr/src/obj/tooldir.NetBSD-7.99.70-i386/bin/nbmake-evbearmv6hf-el Building kernel without building new tools Building kernel: RPI Build directory: /usr/src/sys/arch/evbarm/compile/obj/RPI Kernels built from RPI: /usr/src/sys/arch/evbarm/compile/obj/RPI/netbsd build.sh ended: Mon Apr 24 17:27:42 BST 2017 ===> .
*Writing Pi image to SD card*: Either you ran build.sh with the release target or you fetched a pre-built image from nycdn.NetBSD.org for your Pi, such as: http://nycdn.netbsd.org/pub/NetBSD-daily/HEAD/201704222230Z/evbarm-earmv6hf/... (It is likely this url will become invalid as old builds are purged and new ones are generated. Substitute 201704222230Z with the most recent release available on http://nycdn.netbsd.org/pub/NetBSD-daily/HEAD.
*Uncompress image*: gunzip rpi.img.gz
Use the flash instructions relevant to the operating system the SD card will be written on http://elinux.org/RPi_Easy_SD_Card_Setup Section 3.3 for Windows Section 3.4 for Mac OS X Section 3.5 for Linux Where the documentation refers to Raspbian images, substitute the NetBSD rpi.img you have.
*Preparing to boot*: For the Pi 3, serial console access is not currently available in NetBSD. The system should work with an HDMI display & USB keyboard however. There is nothing further to do for you in this section. For the Pi & Pi 2, connect your USB to TTL adapter to the GND, TXD & RXD pins The location of the pins are the same on the Pi & Pi2, see https://www.raspberrypi.org/documentation/usage/gpio/images/gpio-led.png and https://pinout.xyz
You'll need to run a terminal emulator set at 115200 BAUD. Use the cu utility on Linux & OS X.
*On Windows*: Use Terraterm http://ttssh2.osdn.jp Set baud rate to 115200 Choose com port associated with your USB adapter.
*On Debian & derivatives* (Ubuntu): you need to install the uucp package to obtain the cu utility. The ownership of the device file for the USB adapter need to be changed otherwise you will receive "line in use" error. chown uucp:uucp /dev/ttyUSB0
*On OS X*: Depending on the USB to TTL adapter, the device node in /dev will have a different name Run ls /dev/tty.* to see some of the serial devices detected. Such as /dev/tty.SLAB_USBtoUART or /dev/tty.usbserial-RANDOMCHARACTERS eg /dev/tty.usbserial-AM01Z4V3
*Running cu*: Replace /dev/ttyUSB0 with the device node relevant to your system. sudo cu -l /dev/ttyUSB0 -s 115200
*Exiting cu*: press ~.
*Enable serial console on Pi* (not for Pi3): The rpi.img is split into a DOS partition (containing firmware & NetBSD kernel) and NetBSD UFS partition (containing NetBSD operating system). On the DOS partition there is file called cmdline.txt The first line reads root=ld0a console=fb Delete the console=fb so that it reads root=ld0a Save & exit text editor
*Booting Pi*: Insert SD card into Pi Apply power Login as root (no password)
*Tamper proofing / Tamper detection* (Veriexec)
*A device node is needed for veriexec to function, it is currently not created automatically*: cd /dev sh MAKEDEV veriexec
*Make a duplicate copy of the ls utility*: cp /bin/ls /bin/ls-2
*Set the veriexec mode to be IDS (Intrusion Detection System) when it runs*: echo veriexec_strict=1 >> /etc/rc.conf
*Generate a has of all executables in search patch*: veriexecgen
*Verify the hashes on for ls & ls-2 are listed*: grep ls /etc/signatures
*Enable veriexec temporarily*: (ignore any errors related to /etc/signatures) /etc/rc.d/veriexec onestart
*Confirm you are able to read /bin/ls-2*: cksum -a SHA256 /bin/ls-2
*Clobber /bin/ls-2*: echo 1 > /bin/ls-2
*Try to re-read /bin/ls-2 (it should fail with an error)*: cksum -a SHA256 /bin/ls-2