OpenBSD Journal
Optimisation of parallel TCP input
Alexander Bluhm (bluhm@) has committed changes which eliminate contention by caching the socket lock in TCP input:
CVSROOT:    /cvs
Module name:    src
Changes by:    bluhm@cvs.openbsd.org    2025/05/07 08:10:19

Modified files:
    sys/net        : if.c if_var.h
    sys/netinet    : tcp_input.c tcp_var.h

Log message:
Cache socket lock during TCP input.

Parallel TCP input is running for a few days now and looks quite stable. Final step is to implement caching of the socket lock. Without large receive offloading (LRO) in the driver layer, it is very likely that consecutive TCP segments are in the input queue. This leads to contention of the socket lock between TCP input and socket receive syscall from userland.

bpflogd(8) imported into -current
Following its recent introduction on tech@ [See earlier article], David Gwynne (dlg@) has committed bpflogd(8) to the tree:
CVSROOT:    /cvs
Module name:    src
Changes by:    dlg@cvs.openbsd.org    2025/05/06 19:41:59

Added files:
    usr.sbin/bpflogd: Makefile bpflogd.8 bpflogd.c log.c log.h

Log message:
bpflogd(8): capture packets from BPF and write them to a log file

this is like pflogd(8), but different. the main differences are:

LLDP daemon and tool committed to -current
Following its recent introduction on tech@ [See earlier article], David Gwynne (dlg@) has committed lldpd(8) to the tree:
CVSROOT:    /cvs
Module name:    src
Changes by:    dlg@cvs.openbsd.org    2025/05/02 00:12:53

Added files:
    usr.sbin/lldpd : Makefile lldpctl.h lldpd.8 lldpd.c log.c log.h pdu.c pdu.h

Log message:
lldpd(8): a daemon that acts as an LLDP agent on Ethernet interfaces.

lldpd uses the recently added AF_FRAME Ethernet sockets to listen for LLDP packets on all Ethernet interfaces in the system, and stores them so a lldp(8) client connecting to the control socket can fetch and display the packets.

DSA signature support removed from OpenSSH
Damien Miller (djm@) has completed the planned [See previous articles] removal of DSA signature support from OpenSSH:
CVSROOT:    /cvs
Module name:    src
Changes by:    djm@cvs.openbsd.org    2025/05/05 23:40:56

Modified files:
    usr.bin/ssh : sshkey.h sshkey.c sshd.c sshd-session.c sshd-auth.c sshconnect.c ssh_config ssh.c ssh-keysign.c ssh-keyscan.c ssh-keygen.c ssh-add.c readconf.c pathnames.h hostfile.c dns.c authfile.c authfd.c PROTOCOL
Removed files:
    usr.bin/ssh : ssh-dss.c

Log message:
finally remove DSA signature support from OpenSSH.

feedback/ok tb@, ok deraadt@

The editors would like to encourage our readers to arrange a proper wake for this one.
Please keep going until we can be quadruply sure it's all gone.
Call for testing: Last bits of DSA to be removed from OpenSSH
List: openbsd-tech
Subject: die DSA die
From: Damien Miller <djm () mindrot ! org>
Date: 2025-05-05 6:34:15

This finally removes all the remaining bits of DSA support from OpenSSH and fixes up the regress tests that I could run. I'm not set up to run the ssh.com interop tests so it's possible they are broken by this.

ok?

Index: usr.bin/ssh/authfd.c
[ … ]
followed by the diff that implements the change.
(An earlier Undeadly article provides some background on DSA removal.)
Note that Damien asks for testing help here -- if you are able to help testing this change before it goes in for real, please do!
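Once DSA is gone, any ssh-dss key or certificate that is still listed in an authorized_keys or known_hosts file simply stops working, so the practical step for an administrator is to find those entries before upgrading. The following script is an added example and is not part of OpenSSH or of either article above; the key lines it scans are constructed for the example and the base64 blobs are placeholders. It handles both file formats, since in each one the key type token is followed by the base64 key blob.

```shell
#!/bin/sh
# Added example, not part of OpenSSH or of the articles above: list the
# entries in an authorized_keys or known_hosts file that still rely on DSA,
# since ssh-dss keys and certificates stop working once DSA support is gone.
# Input is read from stdin, one key line per input line; the sample below
# is constructed for this example.

# Print "line N: <type> <comment>" for every DSA key or DSA certificate.
# A key type token is only counted when it is followed by a base64 blob
# (all OpenSSH key blobs start with "AAAA"), so an option string such as
# command="..." that merely mentions ssh-dss is not reported.
find_dsa_keys() {
    awk '
        /^[ \t]*#/ { next }          # comment line
        NF == 0    { next }          # blank line
        {
            for (i = 1; i < NF; i++) {
                if (($i == "ssh-dss" || $i == "ssh-dss-cert-v01@openssh.com") &&
                    $(i + 1) ~ /^AAAA/) {
                    comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                    print "line " NR ": " $i " " comment
                    break
                }
            }
        }'
}

# Number of DSA entries on stdin; 0 means nothing will break.
count_dsa_keys() {
    find_dsa_keys | wc -l | tr -d ' '
}

# Constructed sample mixing authorized_keys and known_hosts style lines.
# The base64 blobs are placeholders, not real keys.
SAMPLE_KEYS='# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAPLACEHOLDER alice@laptop
from="10.0.0.0/8",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER legacy-backup
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER bob@desk
@cert-authority *.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER old-ca'

printf '%s\n' "$SAMPLE_KEYS" | find_dsa_keys
```

On a real system the same functions can be fed with `find_dsa_keys < ~/.ssh/authorized_keys` or `< /etc/ssh/ssh_known_hosts`; the `@cert-authority` case matters because a DSA certificate authority in known_hosts silently invalidates every host certificate it signed.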
ssh: listener sockets relocated from /tmp to ~/.ssh/agent
A long discussion on tech@ (initiated by a suggestion/patch from Jesper Wallin) has culminated in Damien Miller (djm@) committing changes which increase security by taking advantage of the use of unveil(2) elsewhere in the OpenBSD ecosystem:
CVSROOT:    /cvs
Module name:    src
Changes by:    djm@cvs.openbsd.org    2025/05/04 20:48:07

Modified files:
    usr.bin/ssh/sshd-session: Makefile
    usr.bin/ssh/sshd-auth: Makefile
    usr.bin/ssh/ssh-agent: Makefile
    usr.bin/ssh : ssh-agent.c ssh-agent.1 session.c pathnames.h misc.h misc.c hostfile.c

Log message:
Move agent listener sockets from /tmp to under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8). This ensures processes (such as Firefox) that have restricted filesystem access that includes /tmp (via unveil(3)) do not have the ability to use keys in an agent.

The installer now prefers disks over 1GB
Klemens Nanni (kn@) has committed his proposed change [See previous article] such that the OpenBSD installer now prefers disks over 1GB when prompting for the root disk. The commit message explains the change:
CVSROOT:    /cvs
Module name:    src
Changes by:    kn@cvs.openbsd.org    2025/05/04 06:32:41

Modified files:
    distrib/miniroot: install.sub

Log message:
Prefer disks bigger than 1G as default root disk on install

-current picks the alphanumerically first disk as default, which isn't the best choice if install media, softraid(4) key disks or small external media attaches before the disk one intends to use.

Call for testing and comment: Make the installer prefer >1G disks
[…] whenever install media, small USB sticks or softraid(4) keydisks attach before your actual disk, defaulting to sd0 is most certainly not what you want. An easy rule of thumb that works great for me is to reshuffle the list of valid root disks such that small ones come last.
The message with the patch reads:

List: openbsd-tech
Subject: installer: default root disk: prefer those bigger than 1G
From: Klemens Nanni <kn () openbsd ! org>
Date: 2025-05-01 15:41:25

Now we show all valid root disks and pick the first one, i.e. the alphanumerically lowest value, as default:
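The rule of thumb from the message, reordering the candidate list so that small disks come last and then picking the first entry, is easy to state but worth seeing applied to a concrete list. The script below is an added example and is not the installer's own code (install.sub is not reproduced here); it assumes a list of "name size-in-bytes" pairs as input, with a constructed sample in which an install stick and a key disk attach before the real disks.

```shell
#!/bin/sh
# Added example, not the installer's own code: apply the rule of thumb from
# the message above to a list of candidate root disks, moving every disk of
# 1G or less to the end of the list while keeping the order of the rest.
# Input is one "name size-in-bytes" pair per line; the sample is constructed.

# Reorder disks so that those bigger than 1G come first, in their original
# order, followed by the small ones (install media, key disks, USB sticks).
prefer_big_disks() {
    # $1: newline-separated "name size" pairs
    printf '%s\n' "$1" | awk -v limit="$((1024 * 1024 * 1024))" '
        NF < 2        { next }                     # skip malformed lines
        $2 > limit    { big[nb++] = $1; next }     # strictly bigger than 1G
                      { small[ns++] = $1 }
        END {
            for (i = 0; i < nb; i++) print big[i]
            for (i = 0; i < ns; i++) print small[i]
        }'
}

# The default root disk is the first entry of the reordered list.
default_root_disk() {
    prefer_big_disks "$1" | head -n 1
}

# Constructed sample: a ~960M install stick, a 512M softraid key disk and
# two real disks, attached in that order (sizes in bytes).
SAMPLE_DISKS='sd0 1006632960
sd1 536870912
sd2 536870912000
sd3 2199023255552'

prefer_big_disks "$SAMPLE_DISKS"
default_root_disk "$SAMPLE_DISKS"
```

With the sample, sd2 becomes the default instead of the install stick sd0, and a disk of exactly 1G counts as small because the threshold is "bigger than 1G".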
Call for Testing: Parallel fault handler
In a post to tech@, Martin Pieuchot (mpi@) has requested testing of a diff (against -current) to enable running the upper part of the fault handler in parallel:
Hello,

Diff below enables running the fault handler in parallel.

Please test and report back, with dmesg, if this increases or decreases the perfs of your usual setup.

Thanks for the help,
Martin

LibreSSL 4.1.0 released
LibreSSL version 4.1.0 has been released.
This is the version found in (the recently released) OpenBSD 7.7.
The release notes read,
We have released LibreSSL 4.1.0, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon.

This is the first stable release for the 4.1.x branch, also available with OpenBSD 7.7.

It includes the following changes from LibreSSL 4.0.0:

* Portable changes
  - Added initial experimental support for loongarch64.
  - Fixed compilation for mips32 and reenable CI.
  - Fixed CMake builds on FreeBSD.
  - Fixed the --prefix option for cmake --install.
  - Fixed tests for MinGW due to missing sh(1).
In -current, pkg_add -u no longer advises file removal
Klemens Nanni (kn@) committed a change removing misleading messages on package update:
CVSROOT:    /cvs
Module name:    src
Changes by:    kn@cvs.openbsd.org    2025/04/28 12:56:25

Modified files:
    usr.sbin/pkg_add/OpenBSD: Delete.pm

Log message:
Stop advising to remove files on update

The following only make sense for pkg_delete(1), yet pkg_add(1) prints them as well, which is confusing at best and trips up way too many people:

"You should also run ..." (often "rm -rf /something/important*")
"You should also remove ..."

No longer print those when -u is used.

There may be some commands

"i like it" ian kirill
OK phessler kmos

Quieter and more accurate updates - what's not to like?
MP-safe tcp_input() committed
List: openbsd-cvs
Subject: CVS: cvs.openbsd.org: src
From: Alexander Bluhm <bluhm () openbsd ! org>
Date: 2025-04-26 13:58:08

CVSROOT:    /cvs
Module name:    src
Changes by:    bluhm@cvs.openbsd.org    2025/04/26 07:58:08

Modified files:
    sys/netinet : in_proto.c
    sys/netinet6 : in6_proto.c

Log message:
Run TCP input in parallel on multiple CPUs.
OpenBSD 7.7 Released
The OpenBSD project has announced OpenBSD 7.7, its 58th release.
The new release contains a number of significant improvements, including but certainly not limited to:
- Multiple SMP improvements have been made. TCP output and TCP timers now run in parallel. Only TCP input still uses exclusive netlock.
- drm(4) has been updated to Linux 6.12.21
- Performance policy specification is now more flexible. [See earlier report]
- sysctl(8) now supports an input file. [See earlier report]
- Improvements to network hardware support include new drivers ice(4) for Intel E810 Ethernet devices, and ixv(4) for virtual functions of Intel 82598EB, 82559, and X540.
- By default, sysupgrade(8) now upgrades to the next release. [See earlier report]
- fw_update(8) now supports arbitrary dmesg files. [See earlier report]
- Support for FRAME sockets was added. [See earlier report]
- ifconfig scan can now detect/display WPA3 access points.
- (Limited) EFI boot manager support has been added to installboot(8).
- unwind(8) now supports wildcards in block list. [See earlier report]
- rpki-client(8) now has a stricter aging policy for Trust Anchor certificates. [See earlier report]
- LibreSSL 4.1.0 [See earlier report for version 4.0.0]
- OpenSSH 10.0 [See earlier reports on sshd(8) splitting, and on release]
See the full changelog for more details of the changes made over this latest six month development cycle.
The Installation Guide details how to get the system up and running with a fresh install, while those who already run earlier releases should follow the Upgrade Guide, in most cases using sysupgrade(8).
Readers are encouraged to celebrate the new release by donating to the project to support further development of our favourite OS!
Introducing an OpenBSD LLDP daemon
List: openbsd-tech
Subject: LLDP daemon and display tool
From: David Gwynne <david () gwynne ! id ! au>
Date: 2025-04-24 3:49:53

this adds a small daemon and command line tool for receiving and displaying LLDP messages from neighbors connected to Ethernet interfaces.

the daemon is called olldpd(8) to avoid colliding with the existing lldpd from ports. the command line tool is lldp(8).

it uses the AF_FRAME sockets that were recently added rather than BPF. this means it retains fewer privileges while it's running because it doesn't have to open and configure BPF devices when new interfaces appear in the system. avoiding BPF means it has basically 0 impact on the kernel packet path because AF_FRAME is handled as a last resort for packets rather than up front for every packet on an interface.
Introducing bpflogd(8): capture packets via BPF to log files
The message reads
List: openbsd-tech
Subject: bpflogd(8): capture packets via BPF to log files
From: David Gwynne <david () gwynne ! id ! au>
Date: 2025-04-24 5:44:53

this is basically pflogd(8), but different.

the reason it exists is because i needed to continuously log some packets from span ports coming from multiple switches to try and help debug a network issue that only seems to occur every couple of months. pflogd provides that for a single pflog interface, but i needed it on multiple ethernet interfaces.
Game of Trees 0.111 released
Version 0.111 of Game of Trees has been released (and the port updated, with additional useful information in the commit message):
- introduce gotsysd: configure gotd servers by committing to gotsys.git repo
- make gotd run 'gotsys check' on gotsys.conf commits before accepting them
- make gotd run 'gotsys apply' when the gotsys.git repo receives changes
- add a missing malloc failure check to gotd's repo_write process
- make got clone/fetch work against Git servers which do not speak English
- stop processing more messages upon error in gotd repo_write process
- close file descriptors passed to gotd_imsg_compose_event() on failure
- potential fix for use-after-free in lib/repository.c's match_packed_object()
- make gotd return an informative error when the connection limit is exceeded
- in gotctl info, display the time when a client connection was created
- add reload support to gotd, triggered via 'gotctl reload', not via SIGHUP!
- test S_ISREG in parse_ref_file() explicitly rather than via getline(3)
- release ref-file lock when fstat fails in parse_ref_file()
- do not treat unhandled signals as a fatal error in gotwebd
- fix an edge case of tog spinning when 'B' is pressed in log view
- stop using got_repo_map_path() in gotwebd to fix spurious realpath(3) errors
- avoid creation of pack_fds array when not needed, saving file descriptors
- gotwebd now runs as the _gotwebd user by default, rather than "www"
- gotwebd can now serve repositories outside the /var/www chroot directory
- the gotwebd.conf repos_path directive is no longer relative to the chroot
- get rid of the gotwebd-specific libexec helpers in /var/www/bin/gotwebd
- improve gotwebd behaviour when sending data to already disconnected clients
- plug some memory leaks in got-send-pack and got-fetch-pack
- fix got-fetch-http performance when server sends chunked HTTP responses
Graphed and measured: running TCP input in parallel
List: openbsd-tech
Subject: running TCP input in parallel
From: Alexander Bluhm <bluhm () openbsd ! org>
Date: 2025-04-17 16:53:19

Hi,

To run tcp_input() in parallel efficiently, we have to lock the socket in a smart way. I have measured multiple variants.

http://bluhm.genua.de/perform/results/2025-04-16T09:33:58Z/perform.html

The relevant TCP graph is here.

http://bluhm.genua.de/perform/results/2025-04-16T09:33:58Z/gnuplot/tcp.html
http://bluhm.genua.de/perform/results/2025-04-16T09:33:58Z/gnuplot/tcp6.html

First column (left) is no locking at all, just exclusive net lock.
rpki-client 9.5 released
The OpenBSD project has announced the release of version 9.5 of rpki-client:
rpki-client 9.5 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon. It is recommended that all users upgrade to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- rpki-client now includes arin.tal which is no longer legally encumbered. See https://www.arin.net/announcements/20250116-tal/
- rpki-client reports Certification Authorities that do not meaningfully participate in the RPKI as non-functional CAs. By definition, a CA is non-functional if there is no currently valid Manifest. The number of such CAs is printed at the end of each run and more detailed information is available in the JSON (-j) and ometrics (-m) output.
- OpenBSD reliability errata 014: Incorrect internal RRDP state handling in rpki-client can lead to a denial of service. Affected are rpki-client versions 7.5 - 9.4.
- Termination of rsync child processes with SIGTERM is no longer treated as an error if rpki-client has sent this signal. This only affects openrsync.
- Do not exit filemode with an error if a .gbr or a .tak object contains control characters in its UTF-8 strings. Instead, only warn and emit a sanitized version in JSON output.

Upcoming breaking change:

- Starting with release 9.6, rpki-client will emit all key identifiers (AKI and SKI) encoded in JSON as bare hex strings without colons.

OpenBSD -current is now "7.7-current"
Theo de Raadt (deraadt@) updated the version of OpenBSD -current to "7.7-current".
Those running the latest-and-greatest [via a sufficiently new snapshot or built from source] no longer need to use "-D snap" with pkg_add(1) (and pkg_info(1)).
