OpenBSD Journal

Theg2k18hackathon has just concluded, and already we have our first report.Marc Espie (espie@) wrote in:

In a change which is bound to be welcomed widely, -current has gained"auto-join" for Wi-Fi networks.Peter Hessler (phessler@) has been working on this for quite some time and he wrote about it in his p2k18 hackathon report. He has committedthe work from the g2k18 hackathon in Ljubljana:

In this post, Paul Smith shows how to reduce buffer bloat and improve interactive traffic latencies.

Reyk Floeter (reyk@) hascommittedsupport for simple request rewrites tohttpd(8)/httpd.conf(5) [in -current]:

As part of ongoing mitigations against CPU vulnerabilities,-current has gained a new sysctl, "hw.smt",to control Simultaneous Multi Threading (SMT).This is disabled by default (only on Intel® CPUs, for now).Read more…

There have been more developments in the continuing work mitigatingagainst (Intel®, and potentially other) CPU vulnerabilities…Philip Guenther (guenther@)committed the following:Read more…

Reyk Floeter (reyk@) hascommitteda simple LDAP client to -current:

Earlier this month, Philip Guenther (guenther@)committed(to amd64 -current) a change from lazy to semi-eager FPU switchingto mitigate against rumored FPU state leakagein Intel® CPUs.Theo de Raadt (deraadt@) discussed this in hisBSDCan 2018session.Using information disclosed in Theo's talk,Colin Percivaldeveloped a proof-of-concept exploit in around 5 hours.This seems to have prompted an early end to an embargo(in which OpenBSD was not involved), and theofficial announcementof the vulnerability.

BSDCan 2018has concluded, and materials for (some of) the OpenBSD-related tutorials andtalks can be found inthe usual place.Highlights includethe unveiling of unveil(),hinted at by Bob Beck (beck@) in hisp2k18 report,and"Speculating about Intel", by Theo de Raadt (deraadt@). [An unofficial video of the latter presentation isavailable.]At the time of writing,officialvideo recordings are not yet available.

Todd Mortimer (mortimer@) hascommitted"RETGUARD" for clang (for amd64).This is a new anti-ROPsecurity mechanism, which uses random per-function cookiesto protect return addresses on the stack.Read more…

Joel Sing (jsing@) hascommittedCrypto Simplified Interface (CSI) to -current:

Gilles Chehade (gilles@) hascommitted(to -current) the newsmtpd.confgrammar discussed inhis p2k18 hackathon report.Read more…

Next up in the stream of p2k18 reports is one from Antoine Jacoutot (ajacoutot@):

Next up in our series of p2k18 hackathon reports is from Paul Irofti (pirofti@), who writes:

Peter Hessler (phessler@) writes about his time in Nantes:

Eric Faurot (eric@) is next with his report on what he did in Nantes:

Stefan Sperling (stsp@) kindly sent in a report on his activities around p2k18:

Our next p2k18 report comes from Christian "naddy" Weisgerber, who writes:

Landry Breuil (landry@) has an extensive report for our readers:

Next up with a p2k18 report is Jasper Lievisse Adriaanse (jasper@):

Next up with a p2k18 report is Bob Beck (beck@):

Next up is the report from Ken Westerback (krw@):

The latest p2k18 hackathon report comes from Gilles Chehade (gilles@),who writes:

As more and more developers arrive back home from France, more reports arrive to you to keep you informed of what happened in Nantes. This time, it's Philip Guenther (guenther@) who writes in with his report:

Next up in our series of p2k18 reports is that from Klemens Nanni (kn@):

Here is another report from the just concluded p2k18 hackathon, from Marc Espie (espie@), who writes:

Working at p2k18, Theo de Raadt (deraadt@) hascommittedSpectre Variant 2 mitigations:

Working at p2k18, Eric Faurot (eric@) hascommitteda simple SMTP client to -current:

Ken Westerback (krw@ when wearing his developer hat) writes:

In this commit, visa@ submitted code (disabled for now) to use built-in accelerationon octeon CPUs, much like AESNI for x86s.I decided to test tcpbench(1) and IPsec, before and after updating and enabling the octcrypto(4) driver.Read more…

The MAP_STACK anti-ROP mechanism described in a recentarticlehas beencommittedto-current.Thecommit messageincludes:

Landry Breuil (landry@ when wearing his developer hat) wrotein…

April 2, 2018: The OpenBSDproject has announced the availability of the newest release,OpenBSD 6.3:

Recently, Theo de Raadt (deraadt@)describeda new type of mitigation he has been working on together with Stefan Kempf (stefan@):

Mike Larkin (mlarkin@) has just given a presentation atbhyvecon Tokyo 2018.The slides are nowavailable (as PDF).In addition to the excellent summary of the state-of-play forvmmand friends, the presentation offers a tantalizing glimpse at possible futuredirections.Update: videois available

Good news for people doing upgrades only once per year: syspatches will be provided for both supported releases. The commit from T.J. Townsend (tj@) speaks for itself:

Ken Westerback (krw@) has sent in the first report from the (recently concluded) a2k18 hackathon:

The recent changes in -current mitigating the Meltdown vulnerability have been backported to the6.1 and6.2(amd64) releases, and thesyspatch update (for 6.2) is now available.Happy syspatching, and don't forget to show your appreciation bydonating to the project.

Meltdown mitigation is coming to OpenBSD. Philip Guenther (guenther@) has just committed a diff that implements a new mitigation technique to OpenBSD: Separation of page tables for kernel and userland. This fixes the Meltdown problems that affect most CPUs from Intel. Both Philip and Mike Larkin (mlarkin@) spent a lot of time implementing this solution, talking to various people from other projects on best approaches.In the commit message, Philip briefly describes the implementation:Read more…

As you may have heard, the a2k18 hackathon is in progress. As can be seen from the commit messages, several items of goodness are being worked on.One eagerly anticipated item is the arrival of TCP syncookies (read: another important tool in your anti-DDoS toolset) in PF. Henning Brauer (henning@) added the code in a series of commits on February 6th, 2018, with this one containing the explanation:Read more…

Remi Locherer wrote in:

Details of the2018 campaign have been added to the Foundation's website. The goal for theyear is for $300,000. The total for "smaller" donations has alreadytaken the OpenBSD community to bronze level sponsorship!Please show your support by contributing.

Patrick Wildt (patrick@) recently committed some code that will update the Intel microcode on many Intel CPUs, a diff initially written by Stefan Fritsch (sf@). The microcode of your CPU is basically the firmware that runs on your (Intel) processor, defining its instruction set in terms of so called "microinstructions". The new code depends, of course, on the corresponding firmware package, ported by Patrick which can be installed using a very recent fw_update(1). Of course, this all plays into the recently revealed problems in Intel (and other) CPUs, Meltdown and Spectre.Read more…

ITWirehas publishedan articleregarding Theo de Raadt's (deraadt@) reaction to theMeltdown/Spectre disclosures.One choice quote reads:

If you run a mail service, you probably like to have greylisting in place, via spamd(8) or similar means. However, there are some sites that simply do not play well with greylisting, and for those it's useful to extract SPF information to identify their valid outgoing SMTP hosts. Now OpenBSD offers a straightforward mechanism to do that and fill your nospamd table, right from the smtpctl utility via the subcommand spf walk. Gilles Chehade (gilles@) describes how in a recent blog post titled spfwalk.This feature is still in need of testing, so please grab a snapshot and test!

Amessage to tech@from Philip Guenther (guenther@) provides the first publicinformation from developers regarding the OpenBSD response to the recentlyannouncedCPU vulnerabilities:

In amessage to misc@,Tom Smyth wrote (in part):

In amessage to tech@,Theo de Raadt (deraadt@) provided some insights into ongoingwork on pledge(2):

arm64 is now anofficially supported platform for OpenBSD.As some readers will have noticed,there's nowsyspatch(8) support, too.Theo de Raadt (deraadt@) committed the following change: