Solved Secure level 1 prevents wifi firmware from loading

I have a Ralink wifi adapter here. All the required kernel modules are loaded on boot. If I boot with secure level -1, I can bring up the wlan0 device and it says run0 loads the firmware. But if I boot with secure level 1, it does add the wlan0 interface, but it doesn't load the firmware (and thus I can't even scan wifi networks, obviously).

How do I get my wifi adapter firmware to load with secure level 1?
 
It may work if you add this to loader.conf:

Code:
     Alternatively, to load the driver as a module at boot time, place the
     following lines in loader.conf(5):

           if_run_load="YES"
           runfw_load="YES"

Can't load them at a later stage though, because level 1 will prevent loading/unloading kernel modules (runfw(4) is a kernel module).

Code:
     1     Secure mode - the system immutable and system append-only flags may
           not be turned off; disks for mounted file systems, /dev/mem and
           /dev/kmem may not be opened for writing; /dev/io (if your platform
           has it) may not be opened at all; kernel modules (see kld(4)) may
           not be loaded or unloaded.  The kernel debugger may not be entered
           using the debug.kdb.enter sysctl unless a MAC(9) policy grants
           access, for example using mac_ddb(4).  A panic or trap cannot be
           forced using the debug.kdb.panic, debug.kdb.panic_str and other
           sysctl's.
 
Solution with caveats:
Code:
wlans_run0="wlan0"
ifconfig_wlan0="up"
in /etc/rc.conf
BUT:
If you remove the USB wifi adapter from your USB port and plug it back in while on secure level 1, the adapter will not work because it will not be able to load firmware.
SirDice, is this due to the security-mindedness?
 
Why would you run at securelevel 1 if you don't care about security? Just run securelevel -1.
 
Because who's gonna switch to FreeBSD from Linux if there's no way to unplug and plug your USB Wifi adapter back in? Maybe there's a way to allow very specific firmware to load with securelevel 1?
 
SirDice, is this due to the security-mindedness?
Yes it is. You can't allow loading of any firmware when the security level is at 1; this is by design. If you don't want that, don't use security level 1.
 
Have you any idea what the security levels mean and what they do?
 
The securelevels specifically prevent this because if you can load arbitrary code into hardware devices, you can violate the security of the kernel. Sorry.
 
Please tell me which Linux users use the Linux equivalent of FreeBSD's securelevel 1? And no, AppArmor or SELinux is not the same thing.
 
Secure level higher than default is intended to run on stably configured hardware, meaning the configuration is not changed at all after entering a higher secure level. Plug & play AFTER entering a higher secure level is NOT allowed.

So any configuration (attaching or detaching devices and the corresponding kmods) SHALL be 100% completed BEFORE entering a higher secure level.
And once the secure level is elevated, the only way to lower it is to shut down and restart.
 
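As an added example (not code from the thread or from FreeBSD), a pre-flight check that ties together the loader.conf preload suggested earlier and the point above that all module configuration must be finished before the level is raised: it parses constructed loader.conf and kldstat(8) samples and lists the modules that would become unavailable once kern.securelevel is 1. The sample contents and the module names if_run and runfw are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check to run BEFORE raising
# kern.securelevel. At securelevel >= 1 kld(4) refuses to load or unload
# modules, so every driver/firmware module a device needs (if_run, runfw here)
# must be preloaded via NAME_load="YES" in loader.conf(5). Inputs are samples.
# Constructed loader.conf: if_run preloaded, runfw mistakenly set to NO.
SAMPLE_LOADER_CONF='# constructed loader.conf
if_run_load="YES"
runfw_load="NO"
kern.vty=vt'
# Constructed kldstat(8) output: if_run attached now, runfw absent.
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   40 0xffffffff80200000  1f3c5d8 kernel
 2    1 0xffffffff8213e000     a1b8 if_run.ko'

# preloaded NAME CONF: succeeds if CONF enables NAME_load.
preloaded() {
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*${1}_load=\"?YES\"?[[:space:]]*\$"
}
# loaded NAME KLDSTAT: succeeds if NAME.ko appears in the kldstat listing.
loaded() {
    printf '%s\n' "$2" | grep -Eq "[[:space:]]${1}\.ko[[:space:]]*\$"
}
# missing_preloads LEVEL CONF MODULE...: prints the modules not preloaded
# although LEVEL >= 1 forbids loading them later; prints nothing at -1 or 0.
missing_preloads() {
    level=$1; conf=$2; shift 2; out=""
    [ "$level" -ge 1 ] || return 0
    for m in "$@"; do
        preloaded "$m" "$conf" || out="$out${out:+ }$m"
    done
    printf '%s' "$out"
}
# report LEVEL CONF KLDSTAT MODULE...: one status line per module, then a
# warning naming what loader.conf still lacks for the target LEVEL. A module
# that is "loaded now" (kldloaded on demand at -1) is not enough after reboot.
report() {
    level=$1; conf=$2; klds=$3; shift 3
    for m in "$@"; do
        if preloaded "$m" "$conf"; then st="preloaded"
        elif loaded "$m" "$klds"; then st="loaded now, but NOT preloaded"
        else st="absent"; fi
        printf '%-8s %s\n' "$m" "$st"
    done
    missing=$(missing_preloads "$level" "$conf" "$@")
    [ -z "$missing" ] || printf 'securelevel %s: add to loader.conf: %s\n' "$level" "$missing"
}

report 1 "$SAMPLE_LOADER_CONF" "$SAMPLE_KLDSTAT" if_run runfw
```

On a real host the two variables would be filled from /boot/loader.conf and the output of kldstat before setting kern_securelevel_enable in rc.conf.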
Ok, so you are using FreeBSD on a desktop and you bump into your USB WiFi dongle by accident, and it falls off, and you must reboot? You've already plugged and played by allowing the kernel drivers to be loaded on boot.
 
Yes. Don't do that. securelevel is for servers that are locked in controlled-access rooms, not end-user desktops. You pressed the "security over convenience" button by turning on securelevel; it is functioning as designed.
 
I myself don't use secure level, as my understanding is that secure level is for servers inside datacenters or locked-off places on-premise, where only authorized persons are allowed to enter the room the server(s) is/are in. In this case, the configuration of all devices is completely fixed and modified only during special maintenance / repairs that mandate powering off.

If I understand correctly, servers which need hot swaps of drives in RAID (including RAID-Z in ZFS) cannot use secure level (at least the replacement drive cannot be used for reconstruction until restart), so storage servers need to be purely storage servers and not use secure level, while other servers use secure level.
 
I mean we can see a design wherein you can preload known-good firmware before the system reaches securelevel 1, to be reloaded on hotplug, but then we can foresee the OP complaining that they can't then plug in an unknown random USB device which needs firmware without rebooting.

If you opt in to additional security controls, you are explicitly asking for operation to be more inconvenient in exchange. A famous adage goes "You cannot have your cake and eat it too".
 