OpenBSD Journal

Execute-only status report

2 years 5 months ago

Theo de Raadt (deraadt@) posted to tech@ a status report (and 2 test programs) regarding execute-only (xonly). The report begins:

We've made good progress in the xonly effort so here's a small summary.

architectures crossed over completely

arm64 - X bit without implied R in mmu
riscv64 - X bit without implied R in mmu
amd64 - using hardware 'PKU' feature
powerpc64 - using feature similar to PKU
hppa - using gateway feature

Game of Trees milestone

2 years 5 months ago

In a toot, Stefan Sperling (stsp@) announced:

#gameoftrees has reached another milestone […] We now offer public anonymous access to our Git repository via SSH, using our own server implementation (available in the ports tree of #OpenBSD -current).

git clone ssh://anonymous@got.gameoftrees.org/got.git
[…]


Testing wanted: execute-only on amd64

2 years 5 months ago

On the tech@ mailing list, Theo de Raadt (deraadt@) has issued a request for testing of patch(es) for execute-only (xonly) binaries on amd64. The message is quite long, but well worth reading in its entirety for those interested. Selected highlights include:

Some of you have probably noticed activity about "xonly" happening to a bunch of architectures. First arm64, then riscv64, then hppa, and ongoing efforts with octeon, sparc64 (sun4u only), and more of this is going to come in the future. Like past work decades ago (and I suppose continually also) on W^X, and increasing use of c, the idea here is to have code (text segments) not be readable. Or in a more generic sense, if you mprotect a region with only PROT_EXEC, it is not readable. […] But most of us have amd64 machines. Thrilling news:


retguard for amd64 system calls

2 years 6 months ago

Todd Mortimer (mortimer@) has committed (to -current) retguard for amd64 system calls:

CVSROOT:	/cvs
Module name:	src
Changes by:	mortimer@cvs.openbsd.org	2023/01/10 18:55:18

Modified files:
	lib/libc/arch/amd64: SYS.h
	lib/libc/arch/amd64/sys: Ovfork.S brk.S sbrk.S sigpending.S sigprocmask.S sigsuspend.S tfork_thread.S
	libexec/ld.so/amd64: SYS.h

Log message:
Add retguard to amd64 syscalls. Since we got rid of padded syscalls we have enough registers to do this.

ok deraadt@ ok kettenis@


OpenBSD KDE Status Report 2022

2 years 6 months ago
The end of the year is rapidly approaching, and Rafael Sadowski (rsadowski@) has published the OpenBSD KDE Status Report 2022. The report leads in,

A lot has happened since the last OpenBSD KDE Status Report in 2021. Let’s split the report in four areas the good, the bad, the plasma and libinput.

and goes on to describe in some detail the work put in to update the KDE ecosystem on our favorite operating system.

You can read the whole thing by following either link.

rpki-client 8.2 released

2 years 7 months ago
A new release of the OpenBSD rpki-client, a key component in BGP routing security, is available.

The announcement by Sebastian Benoit (benno@) reads,

From: Sebastian Benoit <benno@openbsd.org>
Date: Tue, 13 Dec 2022 23:18:32 +0000
To: openbsd-tech
Subject: rpki-client 8.2 released

rpki-client 8.2 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks.


LibreSSL 3.7.0 Released

2 years 7 months ago
A new development release of LibreSSL is out, and should be arriving on a mirror near you shortly.

Brent Cook (bcook@)'s announcement reads,

We have released LibreSSL 3.7.0, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is a development release from the 3.7.x branch, which will eventually ship with OpenBSD 7.3.


BIOS Memory Map for vmd(8) Rewrite in Progress

2 years 7 months ago
A rewritten version of vmd(8)'s BIOS memory map handling could soon be appearing in -current.

In a recent post to tech@, supplemented by an accompanying post to ports@ since the changes touch on SeaBIOS, Dave Voutila (dv@) describes the changes and the motivation for them:

In short, this nukes some old hacks we've been carrying to communicate things like >4GB of memory to SeaBIOS via CMOS. It assumes vmd(8) properly builds and conveys a bios e820 memory map via the fw_cfg api.

Follow the links to the messages for the full story, test the patches if you feel up to it. While the ETA of the upcoming commit is not yet certain, expect to see this change go in soon.

Fuzzing ping(8) … and finding a 24 year old bug.

2 years 7 months ago
Following the recent discovery of a security issue in FreeBSD's ping(8), OpenBSD developer Florian Obser (florian@) wanted to know if something similar lurked in the OpenBSD code as well.

The result of his investigation can be found in the article called Fuzzing ping(8) … and finding a 24 year old bug., which leads in,

FreeBSD had a security fluctuation in their implementation of ping(8) the other day. As someone who has done a lot of work on ping(8) in OpenBSD this tickled my interests.

What about OpenBSD?

ping(8) is ancient:

Read the rest of the article here. It is quite a story, with lessons to be considered by anyone working on code that's been around a few years or decades.

As Florian mentions in his post, the fix has been committed to the repo (with a subsequent tweak).

lladdr-tied interface config support has been committed

2 years 7 months ago

Support for lladdr-tied configuration of (network) interfaces [on which we reported earlier] has been committed. Andrew Fresh (afresh1@) made the commit:

CVSROOT:	/cvs
Module name:	src
Changes by:	afresh1@cvs.openbsd.org	2022/12/05 13:12:00

Modified files:
	etc            : netstart
	distrib/miniroot: install.sub
	share/man/man5 : hostname.if.5

Log message:
Add support configuring hostname.if(5) by lladdr

Original implementation by martijn@
Feedback and suggestions from kn@, sthen@, claudio@, florian@, and deraadt@.

ok deraadt

As explained in the change to the hostname.if(5) man page, only one of hostname.if and hostname.lladdr should exist (but priority is given to the former).

Updated: 2022-12-16
A commit from Andrew Fresh (afresh1@) has reversed the prioritisation: priority is now given to hostname.lladdr.

Help the OpenBSD Foundation Reach Its 2022 Funding Goal

2 years 7 months ago
The OpenBSD Foundation, which is central to funding the OpenBSD project, needs your help to reach its 2022 Fundraising Goal of $300,000.

At the time of writing, the amount raised in 2022 stands at a little over 50% of the stated goal.

The Foundation needs your help to sustainably fund the project. Please head over to the Foundation's donations page, and make sure you drag your employer over there too!

With about 30 days left in 2022, we know we can do it!

lladdr-tied Config Support May Soon Land in ifconfig(8) and netstart(8)

2 years 7 months ago
It started with a thread on misc@ with the subject "Locking network card configuration", where the problem described is that when two or more network interfaces are attached to the same USB bus, their numbering may not be entirely predictable. The question was what workarounds are possible.

The thread, in which several developers offered their insights, soon migrated to tech@ with the subject changed to "lladdr support for netstart/hostname.if (was: Re: Locking network card configuration)" and later "lladdr support for netstart/hostname.if". It produced several suggestions and patches, and potential support for configuration tied to the link-level address (MAC address) via a new hostname.MAC(5) file to supplement the more familiar hostname.if(5) config file, complete with corresponding ifconfig(8) options.

Please read the messages and patches, and if you have useful input for the developers on this, please chime in via tech@ or in comments here if you prefer.

Once again, an interesting feature that may materialize for testing in snapshots in the near future.

Next steps toward mimmutable, from deraadt@

2 years 7 months ago
In a recent message to the tech mailing list, Theo de Raadt (deraadt@) summarized the state of the new memory protections work. The thread also includes a followup from Otto Moerbeek (otto@) on consequent changes to the memory allocation mechanisms.

Theo writes,

From: "Theo de Raadt" <deraadt@openbsd.org>
Date: Fri, 18 Nov 2022 03:10:05 +0000
To: openbsd-tech
Subject: More on mimmutable [LONG]

I am getting close to having the big final step of mimmutable in the tree. Here's a refresher on the how it works, what's already done, and the next bit to land.

DESCRIPTION

The mimmutable() system call changes currently mapped pages in the region to be marked immutable, which means their protection or mapping may not be changed in the future. mmap(2), mprotect(2), and munmap(2) to pages marked immutable will return with error EPERM.

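The DESCRIPTION quoted above is the whole contract: after mimmutable(2), the contents of a page are still whatever its protection allows, but the mapping itself is frozen. The C program below is an added example for this page, not code from Theo's message or from the OpenBSD tree. On OpenBSD it maps a page, makes it immutable, confirms a write still lands, and then checks that mprotect(2), munmap(2) and a MAP_FIXED mmap(2) over the page each fail with EPERM. mimmutable(2) exists only on OpenBSD, so on any other system the function simply reports it as unavailable (-2) rather than pretending to test anything. The name immutable_demo is this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#ifdef __OpenBSD__
/*
 * Returns 1 when mprotect(2), munmap(2) and a MAP_FIXED mmap(2) over an
 * immutable page all fail with EPERM, 0 if any of them unexpectedly
 * succeeds or fails with a different errno, -1 on setup failure.
 */
int immutable_demo(void)
{
	size_t len = (size_t)sysconf(_SC_PAGESIZE);
	void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
	    MAP_PRIVATE | MAP_ANON, -1, 0);
	if (p == MAP_FAILED)
		return -1;

	/* Freeze the mapping: the data stays RW, the permissions do not. */
	if (mimmutable(p, len) == -1) {
		munmap(p, len);
		return -1;
	}
	*(int *)p = 1;		/* ordinary writes are unaffected */

	/* Every attempt to change protection or mapping must now be EPERM. */
	int e_prot = mprotect(p, len, PROT_READ) == -1 ? errno : 0;
	int e_unmap = munmap(p, len) == -1 ? errno : 0;
	int e_map = mmap(p, len, PROT_READ | PROT_WRITE,
	    MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0) == MAP_FAILED ? errno : 0;

	/* The page can no longer be unmapped; it stays until process exit. */
	return (e_prot == EPERM && e_unmap == EPERM && e_map == EPERM) ? 1 : 0;
}
#else
/* mimmutable(2) is OpenBSD-specific; elsewhere report it as unavailable. */
int immutable_demo(void)
{
	return -2;
}
#endif

int main(void)
{
	int r = immutable_demo();
	puts(r == 1 ? "immutable mapping enforced: mprotect/munmap/mmap -> EPERM" :
	    r == -2 ? "mimmutable(2) not available on this OS" :
	    r == 0 ? "unexpected: an operation on the immutable page did not return EPERM" :
	    "setup failed");
	return 0;
}
```

The leaked page at the end is deliberate and is the practical consequence of the call: once a region is immutable there is no way back short of exit, which is exactly why the follow-up discussion about the allocator (otto@) matters for anything that wants to mark its own mappings this way.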
