OpenBSD Journal

Rafael Sadowski (rsadowski@) has added a new post to his Shut up and hack series, titled Effortless OpenBSD Audio and Desktop Screen Recording Guide, where he takes the reader through the steps needed to configure your OpenBSD system for audio and video recording. The post even includes a youtube video where he demonstrates recording while he is putting final touches on the blog post.

You can take in the blog post here: Effortless OpenBSD Audio and Desktop Screen Recording Guide.

The OpenSSH project has announced the timeline for the removal of DSA support from OpenSSH:

[…] OpenSSH plans to remove support for DSA keys in the near future. This message describes our rationale, process and proposed timeline. Rationale --------- DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is <=80 bits symmetric equivalent[1][2]. OpenSSH has disabled DSA keys by default since 2015 but has retained optional support for them. DSA is the only mandatory-to-implement algorithm in the SSHv2 RFCs[3], mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was designed and specified. […] In summary: 2024/01 - this announcement 2024/03 (estimated) - DSA compile-time optional, enabled by default 2024/06 (estimated) - DSA compile-time optional, *disabled* by default 2025/01 (estimated) - DSA is removed from OpenSSH

Please read the announcement message for full details.

While you were likely busy celebrating the new year, OpenBSD developer Solene Rapenne (solene@) found the time to write an article detailing various OpenBSD workstation hardening tips.

It's a useful collection of things you could do to secure your environment and customize your setup to best fill your needs.

Enjoy!

Following the recent CFT, Marcus Glocker (mglocker@) has committed [to -current] TSO for em(4):

CVSROOT: /cvs Module name: src Changes by: mglocker@cvs.openbsd.org 2023/12/31 01:42:33 Modified files: sys/dev/pci : if_em.c if_em.h if_em_hw.h Log message: Add TCP Segmentation Offload (TSO) support for em(4). Following chip-sets are currently known to support TSO; 82575, 82576, 82580, I350, and I210. Suggested by claudio@. Feedback and testing from many on tech@.

This means that those of us with supported em(4) variants can look forward to measurably improved network performance.

Well done, mglocker@ and all those who tested!

In a message to the tech@ mailing list, Theo de Raadt (deraadt@) gave a summary of progress so far, along with a patch for testing what will likely be the next steps in the process.

The message leads in,

List: openbsd-tech Subject: update on pinsyscalls(2) From: "Theo de Raadt" <deraadt () openbsd ! org> Date: 2023-12-30 18:56:35 The pinsyscalls(2) diff is now much smaller, since many pieces it depends upon have been commmited. All the DSO containing system call entries have the proper annotations for kernel and ld.so to do the right thing.

Read more…

Sebastian Benoit (benno@) announced the release of version 8.8 of rpki-client.

It's basically a bug-fix release; see the release announcement for details.

Stefan Sperling (stsp@) has committed to -current a WIP driver for Qualcomm ath11k wi-fi adapters (such as that found in the Lenovo ThinkPad X13s):

CVSROOT: /cvs Module name: src Changes by: stsp@cvs.openbsd.org 2023/12/28 10:36:29 Modified files: sys/arch/amd64/conf: GENERIC RAMDISK_CD sys/arch/arm64/conf: GENERIC RAMDISK sys/conf : files sys/dev/pci : files.pci Added files: sys/dev/ic : qwx.c qwxreg.h qwxvar.h sys/dev/pci : if_qwx_pci.c Log message: Introduce qwx(4), a work-in-progress port of the Linux ath11k driver. This driver is not working yet. Scanning almost works but a lot more work remains to be done. So far most of the porting work was done by myself, with some help from mpi, patrick, and kettenis. Obviously this driver remains disabled for now. Enable relevant lines in the kernel config if you want to help out with development. At present firmware files must be obtained manually and placed in the directory /etc/firmware/qwx/WCN6855/hw2.1/ This will be improved later. Thanks to the OpenBSD Foundation for supporting this effort.

So summing up, thanks to support from the OpenBSD Foundation, work on support for this popular hardware has started, and is progressing towards useable status.

It's not quite there yet, but this being early in the cycle, there is reason to hope for official support status by the time of the upcoming release.

In a recent message to tech@, Marcus Glocker (mglocker@), asks users running -current for testing of a potenially performance enhancing diff:

List: openbsd-tech Subject: Add TSO support for em(4) From: Marcus Glocker <marcus () nazgul ! ch> Date: 2023-12-21 22:42:39 As already discussed with claudio@ and Paul over chat. This diff adds TSO support for the em(4) 82575, 82576, 82580, I350, and I210 chip sets. This is more or less and adaption from what the FreeBSD driver does.

Read more…

KDE Plasma is now fully functional on OpenBSD and available via the package system. To install, a simple

$ pkg_add kde-plasma

is sufficient (also see the twitter post and the final commits here and here).

Congratulations to Rafael Sadowski (rsadowski@) on the completion of this mammoth effort.

Sebastian Benoit (benno@) announced the release of version 8.7 of rpki-client:

rpki-client 8.7 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon.

Read more…

As announced by Damien Miller OpenSSH 9.6/9.6p1 has been released.

The complete release notes may be found here: https://www.openssh.com/releasenotes.html#9.6.

Among notable changes, this release includes a fix for the Terrapin Attack.

Read more…

The work described in Theo de Raadt's post (see our previous article) continues:

• pinsyscalls(2) has been committed.
• syscall(2) has been removed from -current:

  Read more…

Theo de Raadt (deraadt@) posted to tech@ regarding restrictions on the addresses from which system calls can be made.

In addition to providing background, the post contains information (and a patch) for an imminent change - the introduction of a new syscall, pinsyscalls(2) [link not working at the time of writing because change not yet committed], which specifies the addresses from which individual system calls are permitted.

pinsyscalls(2) will be called only from the shared library linker, ld.so(1).

Version 0.95 of Game of Trees has been released (and the port updated):

* got 0.95; 2023-12-08 see git repository history for per-change authorship information

Read more…

Otto Moerbeek (otto@), the author of OpenBSD's malloc(3) implementation, has comitted another great feature - backtraces for leak detection:

CVSROOT: /cvs Module name: src Changes by: otto@cvs.openbsd.org 2023/12/04 00:01:45 Modified files: lib/libc/stdlib: malloc.3 malloc.c Log message: Save backtraces to show in leak dump. Depth of backtrace set by malloc option D (aka 1), 2, 3 or 4. No performance impact if not used. ok asou@

Otto's original message to tech@ includes an example use of the feature.

Version 0.94 of Game of Trees has been released (and the port updated):

* got 0.94; 2023-11-29 see git repository history for per-change authorship information

Read more…

Tobias Heider (tobhe@) has announced the release of version 7.3 of OpenIKED:

We have released OpenIKED 7.3, which will be arriving in the OpenIKED directory of your local OpenBSD mirror soon.

Read more…

Omar Polo (op@) has announced the release of version 7.4.0p1 of OpenSMTPD.

It is a bugfix release.

In a long series of commits, Robert Nagy (robert@) updated clang(1)/llvm in -current to version 16:

CVSROOT: /cvs Module name: src Changes by: robert@cvs.openbsd.org 2023/11/11 11:01:31 Log message: import of llvm from LLVM 16.0.6 Status: Vendor Tag: LLVM Release Tags: LLVM_16_0_6 U src/gnu/llvm/llvm/.clang-format U src/gnu/llvm/llvm/.clang-tidy U src/gnu/llvm/llvm/.gitattributes […] U src/gnu/llvm/llvm/utils/vscode/llvm/syntaxes/ll.tmLanguage.yaml U src/gnu/llvm/llvm/utils/yaml-bench/CMakeLists.txt U src/gnu/llvm/llvm/utils/yaml-bench/YAMLBench.cpp 67 conflicts created by this import. Use the following command to help the merge: cvs checkout -jLLVM:yesterday -jLLVM src/gnu/llvm/llvm

Naturally, this has involved supporting work elsewhere in base, and in ports.

A new stable release of LibreSSL is out, and should be arriving on a mirror near you shortly.

Brent Cook (bcook@)'s announcement reads:

We have released LibreSSL 3.8.2, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the first stable release for the 3.8.x branch, also available with OpenBSD 7.4

Read more…