OpenBSD Journal

Crystal Kolipe writes in, saying

We've just published the first part of a new ten-part series called, 'A reckless guide to OpenBSD'. The series covers all sorts of things from configuring dpb through hacking the framebuffer console code, compiling a custom kernel, and lots of other stuff in-between.

https://www.exoticsilicon.com/jay/reckless_guide_to_openbsd

The whole series was written by Jay Eptinxa here at Exotic Silicon, and we're publishing it in weekly installments.

We're already looking forward to the upcoming installments.

Thanks to Jay and Crystal for writing and publishing this!

Crystal Kolipe has done a four partmulti-part write up about getting OpenBSD running on a PinePhone here:
https://www.exoticsilicon.com/crystal/pinephone_openbsd/part_1

As mentioned in the piece, this comes with a bit of a warning:

The information presented on these pages is NOT intended to be followed as a guide to installing OpenBSD on your own Pinephone device, and must not be used for this purpose.

Unlike most SBCs, the Pinephone contains a rechargeable battery intended to power the device. Correct configuration of the charging circuits, including various safety features such as thermal protection will not be enabled by the current OpenBSD kernel as of the time of writing.

Nonetheless, it seems promising! Not that this particular undeadly editor actually has a PinePhone to test such things with personally.

Update: We were notified that the wrong author was attributed, so have corrected the article to show the write up is from Crystal Kolipe

A long list of recent LibreSSL commits by Theo Buehler (tb@) culminated in bumps to library versions:

CVSROOT: /cvs Module name: src Changes by: tb@cvs.openbsd.org 2022/01/14 02:15:08 Modified files: lib/libcrypto : shlib_version lib/libssl : shlib_version lib/libtls : shlib_version Log message: bump libcrypto, libssl, libtls majors after struct visibility changes and Symbol addition and removal in libcrypto.

Undeadly reached out to Theo asking whether he would share with readers an explanation of the changes. He kindly responded:

Today's commits were nothing super exciting, just a lot of work, most of it boring and mechanical…

Read more…

Johathan Gray (jsg@) has updated DRM to Linux 5.15.14 (with support for several additional chips):

CVSROOT: /cvs Module name: src Changes by: jsg@cvs.openbsd.org 2022/01/13 23:53:17 Modified files: sys/dev/fdt : rkdrm.c rkvop.c sys/dev/ic : anxdp.c sys/dev/pci/drm: dma-resv.c drm_agpsupport.c drm_atomic.c […] Log message: update drm to linux 5.15.14 new hardware support includes Intel ehl/Elkhart Lake (embedded) jsl/Jasper Lake (atom) rkl/Rocket Lake (desktop) AMD van gogh APU (gfx1033) yellow carp / rembrandt APU (gfx1035?) Ryzen 6000 APU navy flounder / navi 22 (gfx1031) RX 6700, RX 6700 XT, RX 6700M, RX 6800M, RX 6850M XT dimgrey cavefish / navi 23 (gfx1032) Pro W6600, Pro W6600M, RX 6600, RX 6600 XT, RX 6600M, RX 6600S, RX 6650M, RX 6650M XT, RX 6700S, RX 6800S beige goby / navi 24 (gfx1034) RX 6500 XT, RX 6400, RX 6500M, RX 6300M Thanks to the OpenBSD Foundation for sponsoring this work niklas@ for helping with ttm and amdgpu and patrick@ for adapting rockchip drm.

Make sure to test the new DRM code on your machines (old and new) as this will be part of the 7.1 release in a few months.

Damien Miller (djm@) just noted on social media that he has committed (starting here) changes which allow control over ssh-agent(1) key-forwarding based on destination host and forwarding path.

A detailed description is available on the OpenSSH site.

After much preparatory work in base and ports, clang(1) has been upgraded to version 13.0.0 (on the relevant platforms).

Patrick Wildt (patrick@) made the commits.

Interesting developments (in -current) since OpenBSD 7.0 include:

• Wireless drivers iwm(4) and iwx(4) now support 40MHz channels - see commits. On tech@, Stefan Sperling (stsp@) has requested testing of a diff to add such support to iwn(4).
• A realpath(1) utility was added, largely for the benefit of porters.
• scp(1) has swapped back to using the SFTP protocol by default. See earlier report.
• The implementations of poll(2), select(2), ppoll(2), and pselect(2) were changed to be based on kqueue(2).
• httpd(8) has gained support for custom error pages.
• Syscall kevent(2) has been unlocked.
• Port net/vpnc-scripts has gained support for resolvd(8).
• Sysctl hw.perfpolicy is now set to auto by default at startup. See the commit message for the details.
• igc(4), a driver for Intel 2.5Gb Ethernet controllers, has been added.
• Mouse tracking is now disabled by default in xterm(1). Setting X resource allowMouseOps to true reinstates the earlier behaviour.

The OpenBSD project has released OpenBSD 7.0, the project's 51st release. As usual, the release page offers highlights, installation and upgrade instructions, as well as links to other resources such as the detailed changelog.

Notable improvements include, but are not limited to:

• Support has been added for a new hardware platform, riscv64, for 64-bit RISC-V systems. [See earlier reports.]
• /etc/bsd.re-config(5) was introduced, providing a mechanism to make config(8)-modified GENERIC kernels compatible with KARL.
• Hibernate time has been reduced. [See earlier report.]
• The timeout(1) utility was imported from NetBSD. [See earlier report.]
• openrsync(1) now has include and exclude options. [See earlier report.]
• doas(1) will now retry up to 3 times on password authentication failure.
• ucc(4), a driver for USB HID Consumer Control keyboards, was added. This exposes volume, audio, and application launch keys.
• xterm(1) is now unveiled. [See earlier report.]
• printf(3) and friends now log an error and abort when confronted with format %n.
• iked(8) now has client-side support for DNS configuration. [See earlier report.]
• traceroute(8) speed has been boosted through asynchronous handling of probe packets and DNS. [See earlier report.]
• dhcpleased(8) and resolvd(8) are both enabled by default and provide the standard mechanism for configuring IPv4 addresses by DHCP. [See previous reports.] The combination also makes nameserver information gathered via slaacd usable in dynamic configurations. dhclient(8) remains available for special cases. A "nameserver" command was added to route(8), allowing sending DNS nameserver prooposals to resolvd(8) over the routing socket.
• In LibreSSL 3.4.1, support has been added for the OpenSSL 1.1.1 TLSv3 APIs. The "new" X.509 validator is enabled, allowing verification of modern certificate chains.
• In OpenSSH 8.8, the RSA/SHA1 signature type [not RSA ("ssh-rsa") keys - see previous report] is disabled by default. scp(1) supports optional use of the SFTP protocol. [Since our previous report, the default has reverted to using the original scp/rcp protocol by default.]

Those upgrading from the 6.9 release (or earlier) should consult the Upgrade Guide.

While your install sets download or when your packages update, please take the time to look at and use one or more of the recommended ways to support the project, such as making a donation. Corporate entities may prefer to send money to The OpenBSD Foundation, a Canadian non-profit corporation. You can also get merchandise and help OpenBSD visibility. Also, don't forget to listen to the release song (mp3 or ogg) and check out the lyrics.

Thanks to the developers for all the excellent work that has gone into this great new release!

In the run-up to the OpenBSD 7.0 release, we note several recent interesting things previously unreported:

• The 7.0 release song is available.
• The loongson hardware platform has been retired. The upcoming OpenBSD 7.0 will be the last release to support this platform.
• On tech@, Stefan Sperling (stsp@) has requested testing of a patch adding initial 40Mhz channel support for iwm(4).
• Mark Kettenis (kettenis@) added support for Apple M1 to U-Boot -- also see Bryan Steele's mastodon link.
• Brian Callahan (bcallah@ when wearing his OpenBSD hat) has been interviewed by the good folks at at BSD Now.

As a result of a licence change by Realtek, that company's wireless firmware images are now included in the tree. The following commit by Kevin Lo (kevlo@) explains the details:

Read more…

Did you just run syspatch(8) and see it fail?

Here's the reason: one of the two root certificates behind the (excellent) Let's Encrypt CA service has expired. A bug in (the "legacy" verifier of) LibreSSL also contributed.

The syspatches (for OpenBSD 6.8, 032, for OpenBSD 6.9, 018) mitigate the unfortunate situation.

However, your syspatch may fail if your local mirror uses a Let's Encrypt certificate. Patch-22! In that case, the best advice may be to try a mirror that does not use a Let's Encrypt certificate just to get past this speed bump.

Read more…

EuroBSDCon 2021 was held [virtually] earlier this month. Videos of the presentation are now available.

Amongst the OpenBSD-related presentations is that by Marc Espie (espie@) - Debug Packages in OpenBSD (slides, video).

Thanks to a commit by Damien Miller (djm@), scp(1) (in -current) now defaults to using the SFTP protocol:

CVSROOT: /cvs Module name: src Changes by: djm@cvs.openbsd.org 2021/09/08 17:31:39 Modified files: usr.bin/ssh : scp.1 scp.c Log message: Use the SFTP protocol by default. The original scp/rcp protocol remains available via the -O flag. Note that ~user/ prefixed paths in SFTP mode require a protocol extension that was first shipped in OpenSSH 8.7. ok deraadt, after baking in snaps for a while without incident

As explained in the OpenSSH Release Notes,

SFTP offers more predictable filename handling and does not require expansion of glob(3) patterns via the shell on the remote side.

In a recent message to tech@ Martin Pieuchot (mpi@) wrote about analysis of kernel lock contention. We reproduce the message(s) here, reformatted with his permission.

Unlocking UVM [virtual memory - Ed.] faults makes build time decrease a lot and improve the overall latency of mixed userland workload. In other words it gives a smoother feeling for "desktop usage": it is now possible to do 'make -j17' and watch a HD video at the same time.

Read more…

Florian Obser (florian@) has committed a significant speed boost for traceroute(8):

CVSROOT: /cvs Module name: src Changes by: florian@cvs.openbsd.org 2021/09/03 03:13:00 Modified files: usr.sbin/traceroute: Makefile traceroute.8 traceroute.c traceroute.h worker.c Log message: Make traceroute(8) faster by sending probes and doing DNS async. Traditional traceroute would send one probe and then wait for up to 5 seconds for a reply and then send the next probe. On a lossy link that eventually ends in a black hole this would take about 15 minutes and people would hit control-c in anger. This rewrites the traceroute engine to use libevent and asr's async DNS interface. Probes are now send every 30ms or as soon as we get an answer back. With that we got the 15 minute worse case down to about 10 seconds. A minor adjustment that is possible with this is to delay printing a line until we get to a line with answers. This has two effects: 1) If there are intermediate hops that don't answer, output pauses for a bit so we keep the visual cue of "something might be wrong here". 2) If there is a black hole at the end, we don't print out many "* * *" lines and thus scrolling the interesting bits out of the terminal. We collapse those lines and just print 64 * * * at the end. Unfortunately the -c option to send udp probes to a fixed port had to go for now. But we should be able to add it back. "Once you have seen the new one you can't go back to the old one" & enthusiastic OK deraadt@ OK sthen@ "I am very distressed that florian went to bed without committing it" beck@

Florian tooted links to recordings showing the old and new behaviours with an earlier version of this work.

With the following commit, Matthieu Herrb (matthieu@) gave xterm(1) some unveil(2) goodness:

CVSROOT: /cvs Module name: xenocara Changes by: matthieu@cvs.openbsd.org 2021/09/02 03:31:38 Modified files: app/xterm : main.c Log message: Unveil paths needed by xterm at run-time. work with tb@ and deraadt@ Only in (default) case where there are no exec-formatted or exec-selected resources set. In those case the commands and their arguments could be anywhere.

With the following commit, Tobias Heider (tobhe@) added client-side support for DNS configuration to iked(8):

CVSROOT: /cvs Module name: src Changes by: tobhe@cvs.openbsd.org 2021/09/01 09:30:07 Modified files: sbin/iked : config.c iked.c iked.h ikev2.c ikev2_msg.c ikev2_pld.c policy.c types.h vroute.c Log message: Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC route messages to propose the name server to resolvd(8). For now, iked will only propose a single name server from the first established connection. Automatic name server configuration is enabled by default for policies using the 'iface' option. discussed with deraadt@ ok for the DNS parts florian@ ok for the rest patrick@

Job Snijders (job@) imported the timeout(1) utility from NetBSD:

CVSROOT: /cvs Module name: src Changes by: job@cvs.openbsd.org 2021/09/01 09:50:34 Added files: usr.bin/timeout: Makefile timeout.1 timeout.c Log message: Import timeout(1) from NetBSD The timeout(1) utility can be used to run commands with a time limit. OK deraadt@ beck@

Following initial import, job@ and others applied the OpenBSD-stick.

OpenBSD Journal co-editor Solène Rapenne (solene@) writes, I have a simple DSL line with 15 Mb/s in download and 900 kb/s upload rates and there are many devices using the Internet and two people in remote work. Some poorly designed software (mostly on windows) will auto update without allowing to reduce the bandwidth or some huge bloated website will require lot of download and will impact workers using the network.

The point of this article is to explain how to use OpenBSD as a router on your network to allow the Internet access to be used fairly by devices on the network to guarantee everyone they will have at least a bit of Internet to continue working flawlessly.

Read the whole thing, Fair Internet bandwidth management on a network using OpenBSD for a walkthrough of implementing queueing and QoS traffic shaping for your network.

Theo de Raadt (deraadt@) committed a change which significantly reduces hibernate time on machines with larger amounts of RAM:

CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2021/08/30 03:45:29 Modified files: sys/kern : subr_hibernate.c Log message: increase hibernate writeout speed a little. modern machines have vast tracts of unused memory, and the empty-space RLE scanner (uvm_page_rle) would rescan for empty space needlessly wasting excessive cpu time 16G machine, 100sec -> 9sec 40G machine, 325sec -> 28sec with kettenis mlarkin

We are always happy to bear good news!