#39 New option --sysrq
Opened 5 months ago by jankratochvil. Modified 5 months ago
jankratochvil/arm-image-installer jan-sysrq  into  master

file modified
+16

@@ -17,6 +17,7 @@ 

  	--image=IMAGE	- xz compressed image file name

  	--media=DEVICE	- media device file (/dev/[sdX|mmcblkX])

  	--norootpass	- Remove the root password

+ 	--sysrq		- Enable System Request debugging of the kernel

  	--resizefs	- Resize root filesystem to fill media device

  	--supported	- List of supported hardware

  	--target=TARGET	- target board
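
Review bot: the new `--sysrq` help line sits between `--norootpass` and `--resizefs`, which breaks the alphabetical order the visible options follow; it belongs after `--supported`. The help text could also say that the option writes `kernel.sysrq = 1`, so users know it enables all SysRq functions and not a subset.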

@@ -103,6 +104,9 @@ 

  		--norootpass)

  			NOROOTPASS=1

  			;;

+ 		--sysrq)

+ 			SYSRQ=1

+ 			;;

  		--resizefs)

  			RESIZEFS=1

  			;;

@@ -222,6 +226,10 @@ 

  if [ "$NOROOTPASS" != "" ]; then

  	echo "= Root Password will be removed."

  fi

+ # Enable System Request debugging of the kernel

+ if [ "$SYSRQ" != "" ]; then

+ 	echo "= System Request debugging of the kernel will be enabled."

+ fi

  # Resize root filesystem to fill media device

  if [ "$RESIZEFS" != "" ]; then

  	echo "= Root partition will be resized"

@@ -461,6 +469,14 @@ 

  	echo "= Removing the root password."

  	sed -i 's/root:x:/root::/' /tmp/root/etc/passwd

  fi

+ # Enable System Request debugging of the kernel

+ if [ "$SYSRQ" != "" ]; then

+ 	echo "= Enabling System Request debugging of the kernel."

+ 	cat >> /tmp/root/etc/sysctl.d/arm-image-installer-sysrq.conf <<-EOH

+ 		# Controls the System Request debugging functionality of the kernel

+ 		kernel.sysrq = 1

+ 	EOH

+ fi

  # Add ssh key to the image

  if [ "$SSH_KEY" != "" ]; then

  	if [ -f $SSH_KEY ]; then
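
Review bot: `kernel.sysrq = 1` in the heredoc enables every SysRq function, with no way to pick a narrower set; consider letting the option carry a value so a restricted bitmask can be written instead. Separately, `cat >>` appends to `arm-image-installer-sysrq.conf`, so running the installer again against the same root would duplicate the setting; a plain `>` keeps the file idempotent.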

We don't want to change the defaults here. It should be an opt-in option as the vast majority of users won't use it and it has other implications, like changes for keyboard defaults.

rebased onto a347832

5 months ago

I do not understand "keyboard defaults". SysRq by default has some security implications if a bad guy physically comes to the machine accessing its keyboard / serial port console but IMO this does not apply much to ARM boxes, the question is whether it does or not.

@jankratochvil I would disagree with the "this does not apply much to ARM boxes", since there are more ARM machines getting deployed in physically less trusted or untrusted locations like kiosks or the like.
As such, from a security point of view I have serious concerns about enabling all sysrq by default.

> ARM machines getting deployed in physically less trusted or untrusted locations

OK; I have already updated the patch from --nosysrq to --sysrq and so it is no longer the default.

This is not the default for Fedora anywhere, so I'm quite happy to have the functionality to easily enable it through arm-image-installer but it should default to what the defaults are for the distro as a whole.
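
A check that can be run against a mounted image root before first boot, to see which SysRq functions a written `kernel.sysrq` value allows. This is an added example, not part of this pull request or of arm-image-installer; the function names are hypothetical, the bit names follow the kernel's sysrq documentation, and only `ROOT/etc/sysctl.d` is read.

```shell
# Added example: audit kernel.sysrq in a mounted image root before first boot.
# Function names are hypothetical. Simplification: only ROOT/etc/sysctl.d/*.conf
# is read; /usr/lib/sysctl.d, /run/sysctl.d and /etc/sysctl.conf are not merged.

# Print the last kernel.sysrq value found (files in glob order, later wins).
sysrq_configured() {
	value=""
	for f in "$1"/etc/sysctl.d/*.conf; do
		[ -f "$f" ] || continue
		v=$(sed -n 's/^[[:space:]]*kernel\.sysrq[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
		if [ -n "$v" ]; then value=$v; fi
	done
	echo "$value"
}

# Translate a kernel.sysrq value into the function classes it allows.
sysrq_decode() {
	case $1 in
		0) echo "disabled"; return 0 ;;
		1) echo "all functions"; return 0 ;;
	esac
	out=""
	for pair in 2:console-loglevel 4:keyboard-control 8:process-dumps 16:sync \
		32:remount-ro 64:signal-processes 128:reboot-poweroff 256:rt-nice; do
		if [ $(( $1 & ${pair%%:*} )) -ne 0 ]; then
			out="$out${out:+ }${pair#*:}"
		fi
	done
	echo "$out"
}

# Return non-zero when the image enables every SysRq function.
sysrq_audit() {
	v=$(sysrq_configured "$1")
	if [ -z "$v" ]; then
		echo "kernel.sysrq not set under $1/etc/sysctl.d"
		return 0
	fi
	echo "kernel.sysrq = $v ($(sysrq_decode "$v"))"
	[ "$v" != 1 ]
}

# Constructed sample: the file this pull request writes, in a scratch root.
demo=$(mktemp -d)
mkdir -p "$demo/etc/sysctl.d"
printf '# Controls the System Request debugging functionality of the kernel\nkernel.sysrq = 1\n' \
	> "$demo/etc/sysctl.d/arm-image-installer-sysrq.conf"
sysrq_audit "$demo" || echo "WARNING: all SysRq functions enabled in this image"
rm -rf "$demo"
```

For the constructed sample the audit reports `kernel.sysrq = 1 (all functions)` and returns non-zero; a value such as 176 decodes to sync, remount read-only and reboot/poweroff only.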
