OpenBSD Journal

In amessageto tech@, Theo de Raadt (deraadt@) discusses the state of development ofunveil(2)support in userland (and for a certain port):Read more…

A new g2k18 hackathon report has arrived, this time from Kenneth Westerback (krw@), who writes:

Philip Guenther (guenther@)and Bryan Steele (brynet@)have added more mitigations against speculative executionCPU vulnerabilitieson the amd64 platform.Read more…

rad(8) [as described in the g2k18 hackathonreport byFlorian Obser (florian@)]is now the only IPv6router advertisement daemon in -current, following the removal ofrtadvd(8).Advice on making the transition has beenadded to current.html

Claudio Jeker (claudio@) is next up with his report from Ljubljana:

Another g2k18 hackathon report has arrived, this one fromCarlos Cardenas (ccardenas@), who writes:

The next g2k18 report comes from Klemens Nanni (kn@), who writes:

Fresh from the just concluded hackathon in Ljubjlana comes our next report from Florian Obser(florian@) who writes:

Next in from Ljubljana is Matthieu Herrb (matthieu@):

Before winning the football world cup, the french were writing their hackathon reports. Here's the one from Antoine Jacoutot (ajacoutot@):

Theg2k18hackathon has just concluded, and already we have our first report.Marc Espie (espie@) wrote in:

In a change which is bound to be welcomed widely, -current has gained"auto-join" for Wi-Fi networks.Peter Hessler (phessler@) has been working on this for quite some time and he wrote about it in his p2k18 hackathon report. He has committedthe work from the g2k18 hackathon in Ljubljana:

In this post, Paul Smith shows how to reduce buffer bloat and improve interactive traffic latencies.

Reyk Floeter (reyk@) hascommittedsupport for simple request rewrites tohttpd(8)/httpd.conf(5) [in -current]:

As part of ongoing mitigations against CPU vulnerabilities,-current has gained a new sysctl, "hw.smt",to control Simultaneous Multi Threading (SMT).This is disabled by default (only on Intel® CPUs, for now).Read more…

There have been more developments in the continuing work mitigatingagainst (Intel®, and potentially other) CPU vulnerabilities…Philip Guenther (guenther@)committed the following:Read more…

Reyk Floeter (reyk@) hascommitteda simple LDAP client to -current:

Earlier this month, Philip Guenther (guenther@)committed(to amd64 -current) a change from lazy to semi-eager FPU switchingto mitigate against rumored FPU state leakagein Intel® CPUs.Theo de Raadt (deraadt@) discussed this in hisBSDCan 2018session.Using information disclosed in Theo's talk,Colin Percivaldeveloped a proof-of-concept exploit in around 5 hours.This seems to have prompted an early end to an embargo(in which OpenBSD was not involved), and theofficial announcementof the vulnerability.

BSDCan 2018has concluded, and materials for (some of) the OpenBSD-related tutorials andtalks can be found inthe usual place.Highlights includethe unveiling of unveil(),hinted at by Bob Beck (beck@) in hisp2k18 report,and"Speculating about Intel", by Theo de Raadt (deraadt@). [An unofficial video of the latter presentation isavailable.]At the time of writing,officialvideo recordings are not yet available.

Todd Mortimer (mortimer@) hascommitted"RETGUARD" for clang (for amd64).This is a new anti-ROPsecurity mechanism, which uses random per-function cookiesto protect return addresses on the stack.Read more…

Joel Sing (jsing@) hascommittedCrypto Simplified Interface (CSI) to -current:

Gilles Chehade (gilles@) hascommitted(to -current) the newsmtpd.confgrammar discussed inhis p2k18 hackathon report.Read more…

Next up in the stream of p2k18 reports is one from Antoine Jacoutot (ajacoutot@):

Next up in our series of p2k18 hackathon reports is from Paul Irofti (pirofti@), who writes:

Peter Hessler (phessler@) writes about his time in Nantes:

Eric Faurot (eric@) is next with his report on what he did in Nantes:

Stefan Sperling (stsp@) kindly sent in a report on his activities around p2k18:

Our next p2k18 report comes from Christian "naddy" Weisgerber, who writes:

Landry Breuil (landry@) has an extensive report for our readers:

Next up with a p2k18 report is Jasper Lievisse Adriaanse (jasper@):

Next up with a p2k18 report is Bob Beck (beck@):

Next up is the report from Ken Westerback (krw@):

The latest p2k18 hackathon report comes from Gilles Chehade (gilles@),who writes:

As more and more developers arrive back home from France, more reports arrive to you to keep you informed of what happened in Nantes. This time, it's Philip Guenther (guenther@) who writes in with his report:

Next up in our series of p2k18 reports is that from Klemens Nanni (kn@):

Here is another report from the just concluded p2k18 hackathon, from Marc Espie (espie@), who writes:

Working at p2k18, Theo de Raadt (deraadt@) hascommittedSpectre Variant 2 mitigations:

Working at p2k18, Eric Faurot (eric@) hascommitteda simple SMTP client to -current:

Ken Westerback (krw@ when wearing his developer hat) writes:

In this commit, visa@ submitted code (disabled for now) to use built-in accelerationon octeon CPUs, much like AESNI for x86s.I decided to test tcpbench(1) and IPsec, before and after updating and enabling the octcrypto(4) driver.Read more…

The MAP_STACK anti-ROP mechanism described in a recentarticlehas beencommittedto-current.Thecommit messageincludes:

Landry Breuil (landry@ when wearing his developer hat) wrotein…

April 2, 2018: The OpenBSDproject has announced the availability of the newest release,OpenBSD 6.3:

Recently, Theo de Raadt (deraadt@)describeda new type of mitigation he has been working on together with Stefan Kempf (stefan@):

Mike Larkin (mlarkin@) has just given a presentation atbhyvecon Tokyo 2018.The slides are nowavailable (as PDF).In addition to the excellent summary of the state-of-play forvmmand friends, the presentation offers a tantalizing glimpse at possible futuredirections.Update: videois available

Good news for people doing upgrades only once per year: syspatches will be provided for both supported releases. The commit from T.J. Townsend (tj@) speaks for itself:

Ken Westerback (krw@) has sent in the first report from the (recently concluded) a2k18 hackathon:

The recent changes in -current mitigating the Meltdown vulnerability have been backported to the6.1 and6.2(amd64) releases, and thesyspatch update (for 6.2) is now available.Happy syspatching, and don't forget to show your appreciation bydonating to the project.

Meltdown mitigation is coming to OpenBSD. Philip Guenther (guenther@) has just committed a diff that implements a new mitigation technique to OpenBSD: Separation of page tables for kernel and userland. This fixes the Meltdown problems that affect most CPUs from Intel. Both Philip and Mike Larkin (mlarkin@) spent a lot of time implementing this solution, talking to various people from other projects on best approaches.In the commit message, Philip briefly describes the implementation:Read more…