OpenBSD Journal

In response to the DEF CON presentation by Ilja van Sprundel,a large set of kernel patches have been released (for OpenBSD 6.0 and 6.1).These important patches should be applied ASAP!From the announce@ mailing list:

Ingo Schwarze (schwarze@) writes in saying:

With this commit, the default compiler for (-current base system on the) amd64 and i386 platforms has been changed to clang(1):

The flak reports by Ted Unangst (tedu@) continue with part 624.Update - part 625

As we see from the commit message, new developer Pratik Vyas (pd@) adds the ability to do paused VM migrations for VMM.Mike Larkin also writes on Twitter:

Over at his blog, Undeadly co-editor Peter Hansteen describes the experience of installing OpenBSD-current on a new laptop.The article, OpenBSD and the modern laptop, goes into some detail on the install procedure, and hits only minor snags even when using modern and recent additions such as UEFI boot.The conclusion is that OpenBSD is well suited for laptop and desktop use, and things tend to just work.On the other hand, we strongly suggest Peter posted the article before the contents of his home directory had actually been completely transferred. He's such a packrat.

As you may have heard (and as was mentioned in an earlier article), on recent OpenBSD snapshots we have KARL, which means that the kernel is relinked so each boot comes with a new kernel where all .o files are linked in random order and with random offsets. Theo de Raadt summarized the status in a message to the tech@ mailing list, subject kernel relinking as follows:

TL;DR - A modernised version of Undeadly is available for testing at <https://beta.undeadly.org/>.Broken features of the current site have been fixed, removed, or replaced.The new software supports - and, where appropriate, requires - HTTPS. Testing, contributions, and constructive feedback would be appreciated.An effort to modernise the Undeadly software was initiated in response to the article Undeadly and HTTPS.This has resulted in substantially reworked software which is now available for public testing.Note that this is not the completely new system which is (arguably) needed.Read more...

Theo de Raadt (deraadt@) provided some history on the insecurity of TIOCSTI [simulate typed input on terminal], with a proposal to disable it on OpenBSD:

The OpenBSD presence at the just concluded BSDCan was quite strong, and here is the first trip report, from Phillipp Buehler:

Our next report from the d2k17 hackathon comes from Martin Pieuchot, who writes:

Alexander Bluhm (bluhm@) wrote in with a hackathon report:

You heard it here (or on tech@) first: Trapsleds are in, and it makes OpenBSD even safer. Work done by Todd Mortimer and submitted to tech@ in the Trapsleds thread was later committed by Theo de Raadt.Todd's message to tech says,

In amessage to the tech@ mailing list,Theo de Raadt (deraadt@) has announced a new randomization feature forkernel protection:

OpenBSD developer Adam Wolk (awolk@) talks about a community effort to read at least one C source file from OpenBSD every day at https://blog.tintagel.pl/2017/06/09/openbsd-daily.html.

A new Microsoft Azure blog entry, Running OpenBSD on Azure, describes OpenBSD support:

Florian Obser (florian@) kindly supplied a report on his d2k17 activities:

Our next d2k17 report comes from Antoine Jacoutot (ajacoutot@), who writes:

Our second d2k17 report is from Ken Westerback (krw@), who writes:

The first report from the recently completed d2k17 hackathon comes from Stefan Sperling, who writes:

The flak reports by Ted Unangst (tedu@) continue with parts 620, 621, and 622.As always, there are plenty of interesting developments.Update: part 623

Relayd and Httpd Mastery, the latest book in the "Mastery" series by Michael W Lucas, is now available.From the author's page for the book:

Kenneth R Westerback of The OpenBSD Foundation (aka krw@, when wearing his dev hat) writes:

OpenBSD 6.1 was announced as the first release with no CD available for purchase.Now it turns out that in fact, exactly one CD set was made, and it can be yours if you are the successful bidder in the auction that ends on May 13, 2017.Bob Beck (beck@) writes in to tell us

Errata for OpenBSD 6.1 and 6.0 have been announced. The message to announce@openbsd.org [from T.J. Townsend (tj@)] reads:

In a series of commits starting here and ending with this one, Damien Miller completed the removal of all support for the now-historic SSHv1 protocol from OpenSSH. The final commit message, for the commit that removes the SSHv1 related regression tests, reads:

Landry Breuil, OpenBSD's firefox (and other Mozilla ports) maintainer, writes:Maybe i haven't talked about it enough on the lists, but since i'vebeen maintaining the various mozillas in the portstree (cvs log says istarted around firefox 3.6.something... 7 years ago. *sigh*) alot of things changed, so i wanted take the 6.1 release as an occasionto sum up the various ways one could run which version of which firefoxon which version of OpenBSD.Read more...

Every OpenBSD release since 3.0 (back in 2001) has had at least one relase song, and OpenBSD 6.1 is no different. Today, Theo de Raadt released the OpenBSD 6.1. The Songs page has download links, lyrics and a background story, which reads:

A series of commits, culminating in this one, have seen clang(1) added to the base system (as a non-default compiler) on the amd64 and i386 platforms:

April 11, 2017: The OpenBSD project has announced the availability of the newest release, OpenBSD 6.1:

Ian Darwin writes in about his work deploying the arm64 platform and the Raspberry Pi 3:So I have this empty white birdhouse-like thing in the yard, open at the front. It was intended to house the wireless remote temperature sensor from alow-cost weather station, which had previously been mounted on a dark-colored wall of the house (reading were really high when the sun reached that side of the house!).But when I put the sensor into the birdhouse, the signal is too weak for the weather station to receive it(the mounting post was put in place by a previous owner of our property, and is set deeply in concrete).So the next plan was to pop in a tiny OpenBSD computer with a uthum(4) temperature sensor and stream the temperature over WiFi.Read more...

While the world largely wasn't looking, there was a nano hackathon last month, Hackathon report - e2k17 Hackathon, Edmonton Alberta. Bob Beck (beck@) writes,

Mike Larkin (mlarkin@) writes on tech@:

Google's golang, collaboratively developed by Unix and C pioneers like Ken Thompson, Rob Pike et al has been very BSD friendly (the language itself is BSD licensed) and it just got even friendlier for OpenBSD's pledge mechanism.To quote the diff:"unix: add support for OpenBSD pledgePledge, the privilege-restricting syscall and mitigation mechanism,was missing from syscall_openbsd.go. As of the latest release, itis officially supported in 'stable'."Link to the full golang diff here: https://go.googlesource.com/sys/+/8fd966b47dbdd4faa03de0d06e3d733baeb9a1a9%5E%21/

On behalf of the EuroBSDCon 2017 Program Committee, here is the Call for Proposals for the EuroBSDCon 2017 conference which will take place in Paris, France from 21st through 24th of September 2017:

Ingo Schwarze (schwarze@) has written in with another (beautifully formatted)report on even more great mandoc(1)enhancements:Read more...

Ted Unangst (tedu@) continues his flak series with part 6 and part 7.

If you follow commits closely, via source-changes@ or otherwise, you may already know that mandoc has grown another useful feature. Ingo Schwarze sent us this very nicely formatted article about the new mandoc to markdown converter:Read more...

Ken Westerback (krw@ when wearing his developer hat) writes in with a summary:

Hrvoje Popovski kindly wrote in to point out that Martin Pieuchot (mpi@) has written a piece entitled What happened to my vlan?.The piece begins:

Ingo Schwarze (schwarze@) writes in:

Next up in our series of a2k17 hackathon reports is this one from Antoine Jacoutot, who writes:

Patrick Wildt (patrick@) reports on progress with arm64 platform support:

Our next a2k17 report comes from Martin Pieuchot (mpi@), who writes:

Still fresh from the just completed hackathon down under Ken Westerback writes,

Fresh from the newly completed a2k17 hackathon comes this report from Bob Beck:

Martin Pieuchot has written another article chronicling the modernization of the network stack. Martin writes,

Avoid possible side-channel leak of ECDSA private keys when signing.A source code patch exists which remedies this problem:for 6.0.for 5.9This is related to CVE-2016-7056 "ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL)"Additional details can be read here: http://seclists.org/oss-sec/2017/q1/52Thanks to M:Tier https://stable.mtier.org for raising awareness on this patch.

OpenBSD as WiFi access points look set to be making a comeback in the near future. With this diff https://marc.info/?l=openbsd-tech&m=148396652007923&w=2, Stefan Sperling added 802.11n hostap mode, with full support initially for the Atheros chips supported by the athn(4) driver.

Michael W Lucas is offering the chance to get your name in his forthcoming book on relayd and httpd: