OpenBSD Journal

OpenBSD added initial support for Qualcomm Snapdragon Elite X after 1 day

1 year ago
When a new processor is released, how long would you expect it to take before your favorite operating system adds support for it?

In the case of OpenBSD/arm64, the time lag can occasionally be measured in days if not hours.

In a recent message to tech@, Patrick Wildt (patrick@) premiered the patch to add support for the Qualcomm Snapdragon Elite X processor the day after it was officially released.

Patrick's message reads,

List: openbsd-tech
Subject: Qualcomm Snapdragon X Elite minimal support
From: Patrick Wildt <patrick () blueri ! se>
Date: 2024-06-19 20:28:08

Hi there,

the Qualcomm Snapdragon Elite X machines were released yesterday, I got a Lenovo Yoga Slim 7 today, and it's already booting up with working NVMe, USB and keyboard.

Wonder if I beat my last record.

OpenSSH introduces options to penalize undesirable behavior

1 year 1 month ago
In a recent commit, Damien Miller (djm@) introduced two new sshd(8) configuration options, PerSourcePenalties and PerSourcePenaltyExemptList, which give sshd(8) itself a built-in facility to penalize undesirable client behavior and, respectively, to shield specific clients from that penalty.

The commit message reads,

List: openbsd-cvs
Subject: CVS: cvs.openbsd.org: src
From: Damien Miller <djm () cvs ! openbsd ! org>
Date: 2024-06-06 17:15:26

CVSROOT:    /cvs
Module name:    src
Changes by:    djm@cvs.openbsd.org    2024/06/06 11:15:26

Modified files:
    usr.bin/ssh    : misc.c misc.h monitor.c monitor_wrap.c servconf.c servconf.h srclimit.c srclimit.h sshd-session.c sshd.c sshd_config.5

Log message:
Add a facility to sshd(8) to penalise particular problematic client behaviours, controlled by two new sshd_config(5) options: PerSourcePenalties and PerSourcePenaltyExemptList.

DHCPv6-PD - First steps by florian@

1 year 1 month ago
As noted earlier, OpenBSD-current now has IPv6 prefix delegation available via the new dhcp6leased(8) daemon.

Now before he committed the code, Florian Obser (florian@) wrote a blog post on the process of developing the new program in a piece called DHCPv6-PD - First steps.

The prologue leads in,

The single most requested feature missing in OpenBSD base directed at me is DHCPv6-PD. Recently I got a working setup at home using dhcpcd from ports and a donated Fritz!Box 6660 Cable1, 2. Time to hack on this.

He follows up with details on how the ideas and the code developed. Read the whole thing at DHCPv6-PD - First steps.

dhcp6leased(8) imported to -current

1 year 1 month ago

Florian Obser (florian@) has committed (to -current) dhcp6leased(8), a DHCPv6 client for handling Prefix Delegation (PD):

CVSROOT:    /cvs
Module name:    src
Changes by:    florian@cvs.openbsd.org    2024/06/02 06:28:05

Added files:
    sbin/dhcp6leased: Makefile control.c control.h dhcp6leased.8 dhcp6leased.c dhcp6leased.conf.5 dhcp6leased.h engine.c engine.h frontend.c frontend.h log.c log.h parse.y printconf.c

Log message:
Import dhcp6leased(8)

dhcp6leased is a daemon to manage IPv6 prefix delegations. It requests a prefix from an upstream DHCPv6 server and configures downstream network interfaces. rad(8) can be used to advertise available prefixes to clients.

clang option -fret-clean committed

1 year 1 month ago

Theo de Raadt (deraadt@) has committed -fret-clean for clang:

CVSROOT:    /cvs
Module name:    src
Changes by:    deraadt@cvs.openbsd.org    2024/06/02 09:40:43

Modified files:
    gnu/llvm/clang/include/clang/Driver: Options.td
    gnu/llvm/clang/lib/Driver/ToolChains: Clang.cpp
    gnu/llvm/llvm/lib/Target/X86: X86.h X86TargetMachine.cpp
    gnu/usr.bin/clang/libLLVMX86CodeGen: Makefile
    share/man/man1 : clang-local.1

Log message:
add -fret-clean option (amd64 and i386 only at first), defaulting to off.

This causes the caller to clean the return address off the stack after a callq completes. The option is best used in low-level libraries (such as libc), because libc contains low-level system call stubs. The option reduces hints (found on the stale parts of the stack) about libc.so's mapping location, and together with random-relinking, relro got/pic, and xonly makes some exploit methods more difficult.

ok mortimer, mlarkin, much discussion with kettenis, in snaps for 2 weeks.

See our earlier article for more discussion.

For now, this is only for amd64 and i386.

clang -fret-clean: cleaning return addresses off stack (by deraadt@)

1 year 1 month ago
Future versions of OpenBSD may include core system libraries and binaries built with logic to remove return addresses off the stack. With this in place, whole classes of bugs would be harder to exploit.

In a message to the tech@ mailing list titled clang -fret-clean: cleaning return addresses off stack, Theo de Raadt (deraadt@) explains how this would work and includes code to implement the feature for the X86 architecture only:

List: openbsd-tech
Subject: clang -fret-clean: cleaning return addresses off stack
From: "Theo de Raadt" <deraadt () openbsd ! org>
Date: 2024-05-25 6:18:59

There are many address space mitigations in play now which make standard control-flow methods and ROP-style methods more difficult than ever before. None of them are a silver bullet; added up they are a big deal, but no one is saying they are a comprehensive solution.

One thing I've worried about for a while is that program bugs being exercised tend to happen in the main program, or in some large library. But many types of attack methodology require reaching system calls via libc, in as direct and simple fashion as possible. ASLR location of libc has made that a bit harder, boot-time random relinking of libc makes it even more difficult. But there's a few things which do hint at where libc is mapped.

Important message for Apple Silicon OpenBSD/arm64 users

1 year 1 month ago
As you may be aware, OpenBSD runs on Apple Silicon M series processors, thanks to the efforts of the OpenBSD/arm64 developers.

For those running our favorite operating system alongside the Apple product, sometimes special measures are needed, though.

Mark Kettenis (kettenis@) sent a message titled Important message for Apple Silicon OpenBSD/arm64 users to the misc@ and arm@ mailing lists, warning about possible firmware issues:

Subject: Important message for Apple Silicon OpenBSD/arm64 users
From: Mark Kettenis <mark.kettenis () xs4all ! nl>
Date: 2024-05-21 20:54:21

As indicated here:

https://social.treehouse.systems/@AsahiLinux/112449204541186432

The system firmware that comes with macOS Sonoma 14.5 triggers a bug in the m1n1 bootloader that is used to boot OpenBSD on these machines. The bug will prevent OpenBSD from booting on some machines after the macOS update has been installed.

The recommended fix is to update the "stage1" m1n1 by booting into macOS and running:

KDE 6 landed in OpenBSD-current

1 year 1 month ago
YES! KDE6 landed in OpenBSD -current

With those words Rafael Sadowski (rsadowski@) opens his most recent blog entry, KDE6 on OpenBSD, and goes on to say

We are currently in an excellent phase ahead of the upcoming OpenBSD release 7.6, which gives us plenty time to thoroughly test KDE Plasma 6. My goal is to make sure it works well and is stable for everyone.

Also worth noting is that some of the work is still in progress: "Stay tuned for more updates as we progress towards the integration of KDE Plasma 6 into OpenBSD 7.6."

But don't just take our word for it, read the whole thing, KDE6 on OpenBSD over at Rafael's blog. There you will find detailed descriptions of how to perform the upgrade, and a video of the important points.

sshd(8) split into multiple binaries

1 year 1 month ago

With the following commit, Damien Miller (djm@) commenced the process of splitting sshd(8) into multiple binaries:

CVSROOT:    /cvs
Module name:    src
Changes by:    djm@cvs.openbsd.org    2024/05/16 18:30:24

Modified files:
    usr.bin/ssh    : Makefile Makefile.inc auth-rhosts.c auth.c auth.h auth2-gss.c auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c auth2.c channels.c kex.c kex.h kexgexs.c misc.c misc.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h msg.c packet.c packet.h pathnames.h servconf.c servconf.h serverloop.c session.c ssh_api.c sshd.c
    usr.bin/ssh/sshd: Makefile
Added files:
    usr.bin/ssh    : sshd-session.c
    usr.bin/ssh/sshd-session: Makefile

Log message:
Start the process of splitting sshd into separate binaries. This step splits sshd into a listener and a session binary. More splits are planned.

Demise of Nagle's algorithm (RFC 896 - Congestion Control) predicted via sysctl

1 year 1 month ago
Is the classical TCP congestion control mechanism known as Nagle's algorithm (RFC 896 - Congestion Control) headed for the scrap heap of history?

A recent post on tech@ titled Add sysctl to disable Nagle's algorithm (RFC 896 - Congestion Control), from Job Snijders (job@) and including a patch that implements the sysctl to disable it, indicates that at least some think deprecation is in order.

The message leads in,

List: openbsd-tech
Subject: Add sysctl to disable Nagle's algorithm (RFC 896 - Congestion Control)
From: Job Snijders <job () openbsd ! org>
Date: 2024-05-13 18:41:55

Dear all,

Back in the early 1980s, a suggestion was put forward how to improve TCP congestion control, also known as "Nagle's algorithm". See RFC 896.

Nagle's algorithm can cause consecutive small packets from userland applications to be coalesced into a single TCP packet. This happens at the cost of an increase in latency: the sender is locally queuing up data until it either receives an acknowledgement from the remote side or sufficient additional data piled up to send a full-sized segment.

LibreSSL version 3.9.2 released

1 year 2 months ago

The LibreSSL project has announced the release of bugfix version 3.9.2 of the software:

We have released LibreSSL 3.9.2, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon.

It includes the following change from LibreSSL 3.9.1:

 * Bugfixes
   - OpenBSD 7.5 errata 003. A missing bounds check could lead to a crash due to dereferencing a zero-sized allocation.

The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.

Game of Trees 0.99 released

1 year 2 months ago

Version 0.99 of Game of Trees has been released (and the port updated).

* got 0.99; 2024-05-05
  see git repository history for per-change authorship information
- make 'got fetch' work with URLs which refer to $HOME via a tilde: ~user
- replace strftime %G-%m-%d with %F to prevent 2024-12-30 -> 2025-12-30
- fix spurious errors from got-fetch-http when server has no more data to send
- prevent gotd notification process from exiting due to EPIPE
- fix I/O hangs with TLS in got-notify-http
- document http and https protocol support in got.conf(5), too
- fix an fd leak in gotd's notify process causing endless CPU spin
- back out got stage -R option addition; deemed too inconvenient in practice
- fix got-fetch-http GET request URL; add leading slash and avoid double slashes
- allow custom GOT_TEST_HTTP_PORT when running regression tests
- gotwebd: add magic ".git" handling; try foo.git if repository foo is not found
- expose authenticated gotd user account in HTTP notifications
- gotd.conf(5) HTTP/JSON documentation fixes
- fix endless loop upon Ctrl-D (EOF) input during got stage/unstage/revert -p
- make gotd notifications work when 'git push' is used instead of 'got send'
- make got stage -p behave the same way in interactive and -F modes for 'q'
- fix lingering gotd processes from clients closing connections early
- regress: prevent spurious failure of gotd test_clone_basic_access_denied
- fix an issue where 'git fetch' would error or hang against gotd
- use polling read in got_pkt_readn() to avoid endless hangs in gotsh

And we, too, are curious what the next version number will be :)

OpenSMTPD table protocol changes, now with the backstory

1 year 2 months ago
Regular readers will be aware that OpenBSD ships with its own mail server implementation, OpenSMTPD, in its base system.

In a recent message to the tech@ mailing list, Omar Polo (op@) asked for comments or oks on a patch implementing a change to the table protocol. A little later, Gilles Chehade (gilles@) posted to the misc@opensmtpd.org mailing list with the backstory for this change.

The message follows in full below (apparently the otherwise fine marc.info archive site no longer archives the list):

Date: Fri, 03 May 2024 08:22:03 +0000
From: gilles@poolp.org
To: misc@opensmtpd.org
Subject: smtpd: change the table protocol

Hello,

This is a copy of a mail I sent to OpenBSD hackers a few days ago so you are aware of work being done on OpenSMTPD by Omar Polo.

~~~

TL;DR: proposal to change table backends wire protocol to one that's closer to filters, it has proven to work for years now, comes with many benefits and it is a very trivial change that we can pull in a handful of hours: https://tmp.omarpolo.com/smtpd-tables.7.html

Passphrase timeout for disk decryption at boot added (potential battery lifesaver)

1 year 2 months ago
Have you had your laptop accidentally un-hibernate while you weren't looking, leaving you with a totally drained battery?

Now OpenBSD-current has a fix for that, thanks to this commit by Klemens Nanni (kn@). The commit message reads,

List: openbsd-cvs
Subject: CVS: cvs.openbsd.org: src
From: Klemens Nanni <kn () cvs ! openbsd ! org>
Date: 2024-04-25 18:31:49

CVSROOT:    /cvs
Module name:    src
Changes by:    kn@cvs.openbsd.org    2024/04/25 12:31:49

Modified files:
    sys/lib/libsa  : softraid.c
    sys/arch/amd64/stand/boot: boot.8
    sys/arch/amd64/stand/efiboot: Makefile.common cmd_i386.c conf.c efiboot.c efiboot.h

Log message:
Add boot.conf(8) 'mach idle [secs]' to halt at idle passphrase prompts

Game of Trees 0.98 released

1 year 2 months ago
The version control system gameoftrees 0.98 has been released and should soon show up in OpenBSD -current packages. An update for the -portable version will follow as well.

The main improvements in the new release are listed in the release notes as

- speed up got tag -l by caching timestamps in got_ref_cmp_tags()
- provide a macro for vi(1) path for use by -portable at compile time
- avoid a rename/stat race when gotd installs a new pack and then uses it
- make 'got ref -l' output consistent when packed references exist
- make 'got ref -l' work consistently when a reference argument is given
- add initial support for notifications to gotd(8), via email and http/json

pfctl(8) and systat(8) to display fragment reassembly statistics

1 year 2 months ago

The OpenBSD toolbox for network debugging just got better. In a recent thread on tech@ titled pfctl show fragment info, Alexander Bluhm (bluhm@) posted a patch to enable packet reassembly statistics in pfctl(8).

Several other developers joined in, and Claudio Jeker (claudio@) suggested that systat(8) should also be enhanced to display packet reassembly data in its pf(4) related views.

This suggestion was well received, and the resulting code has now been committed.

Coming soon to a -current system near you: parallel raw IP input

1 year 2 months ago

The work to improve the capabilities of the network stack is about to take a noticeable step forward. In a message to tech@ titled parallel raw IP input, Alexander Bluhm (bluhm@) posted a patch that he describes as

List: openbsd-tech
Subject: parallel raw IP input
From: Alexander Bluhm <bluhm () openbsd ! org>
Date: 2024-04-11 20:24:39

Hi,

As mvs@ mentioned, running raw IP in parallel is easier as it is less complex than UDP. Especially there is no socket splicing. So I fixed one race in rip_input() and reused my shared net lock ip_deliver() loop.

In -current, default write format for tar(1) changed to "pax"

1 year 2 months ago

A series of commits by Jeremie Courreges-Anglas (jca@) has modified tar(1) such that its default write format (for archives) is that of pax(1). The message with the final commit captures the gist of the change:

CVSROOT:    /cvs
Module name:    src
Changes by:    jca@cvs.openbsd.org    2024/04/16 17:09:35

Modified files:
    bin/pax        : options.c tar.1

Log message:
Switch tar(1) write default format to 'pax'

Lets us store longer file names, link names, finer grained timestamps, larger archive member files, etc; at the expense of larger uncompressed archives and less widespread support across the ecosystem.

If you're unhappy with the new defaults, you can use -F ustar. Or you can help fix bugs / find a better middle ground.

Prodding from various including job@ and deraadt@
ok sthen@ caspar@ millert@

OpenSMTPD 7.5.0p0 Released

1 year 3 months ago
The OpenSMTPD project has released its first post-OpenBSD 7.5 version, OpenSMTPD 7.5.0p0, with a number of notable improvements.

The announcement reads,

Subject: OpenSMTPD 7.5.0p0 Released
From: Omar Polo <op () openbsd ! org>
Date: 2024-04-10 8:38:12

OpenSMTPD is a FREE implementation of the SMTP protocol with some common extensions. It allows ordinary machines to exchange e-mails with systems speaking the SMTP protocol. It implements a fairly large part of RFC5321 and can already cover a large range of use-cases.

It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD, Linux and OSX.

The archives are now available from the main site at www.OpenSMTPD.org
