OpenBSD Archive

OpenBSD 6.8 released

OpenBSD has marked its 25th birthday with a brand new release – OpenBSD 6.8. One of the major new features is support for 64bit PowerPC processors – POWER8 and POWER9 specifically, and the Raptor Computing Systems Talos II and Blackbird platforms in particular.

Rethinking OpenBSD security

OpenBSD aims to be a secure operating system. In the past few months there were quite a few security errata, however. That’s not too unusual, but some of the recent ones were a bit special. One might even say bad. The OpenBSD approach to security has a few aspects, two of which might be avoiding errors and minimizing the risk of mistakes. Other people have other ideas about how to build secure systems. I think it’s worth examining whether the OpenBSD approach works, or if this is evidence that it’s doomed to failure. I picked a few errata, not all of them, that were interesting and happened to suit my narrative.

OpenBSD system-call-origin verification

A new mechanism to help thwart return-oriented programming (ROP) and similar attacks has recently been added to the OpenBSD kernel. It will block system calls that are not made via the C library (libc) system-call wrappers. Instead of being able to string together some “gadgets” that make a system call directly, an attacker would need to be able to call the wrapper, which is normally at a randomized location. I understood some of these words.

OpenBSD 6.6 released

Theo de Raadt announced the release of OpenBSD 6.6 on October 17, 2019. Marquee features include a new system upgrade tool, an AMD GPU driver, upgrades to core systems daemons ntpd and smtpd, and other platform improvements.

OpenBSD is now my workstation

Why OpenBSD? Simply because it is the best tool for the job for me for my new-to-me Lenovo Thinkpad T420. Additionally, I do care about security and non-bloat in my personal operating systems (business needs can have different priorities, to be clear). I will try to detail what my reasons are for going with OpenBSD (instead of GNU/Linux, NetBSD, or FreeBSD of which I’m comfortable using without issue), challenges and frustrations I’ve encountered, and what my opinions are along the way. I’ve never managed to really get into the BSDs, as Linux has always served my needs for a UNIX-like operating system quite well. I feel like the BSDs are more pure and less messy than Linux, but is that actually true, or just my perception?

OpenBSD on a laptop

You won't find nearly as many online resources about setting up OpenBSD, because honestly, you really don't need any. Unlike much of Linux and FreeBSD, the included manuals are high quality, coherent, and filled with practical examples. You also need very little third party software to do basic tasks - almost everything you need is well-integrated into the base system.

You'll notice that many features that require toil to achieve on FreeBSD, such as suspend on lid close, working volume buttons, and decent battery life, work out of the box on OpenBSD. You can tell the developers actually use this thing on their personal devices.

And while the official OpenBSD FAQ has all you need to get an installation up and running, it takes a bit of grinding to massage the base installation into a seamless laptop experience. So, I wrote this guide to give you a jump start. Things should just work as long as you have a non-bleeding-edge, semi-mainstream laptop, but ThinkPads are your best bet. Enjoy!

OpenBSD’s unveil()

One of the key aspects of hardening the user-space side of an operating system is to provide mechanisms for restricting which parts of the filesystem hierarchy a given process can access. Linux has a number of mechanisms of varying capability and complexity for this purpose, but other kernels have taken a different approach. Over the last few months, OpenBSD has inaugurated a new system call named unveil() for this type of hardening that differs significantly from the mechanisms found in Linux.

OpenBSD on the Microsoft Surface Go

For some reason I like small laptops and the constraints they place on me (as long as they're still usable). I used a Dell Mini 9 for a long time back in the netbook days and was recently using an 11" MacBook Air as my primary development machine for many years. Recently Microsoft announced a smaller, cheaper version of its Surface tablets called Surface Go which piqued my interest.

Quite a few things don't yet work on OpenBSD, but these first few people who try things like OpenBSD on new Surface devices pave the way for support to improve.

Towards secure system graphics: Arcan and OpenBSD

Let me preface this by saying that this is a (very) long and medium-rare technical article about the security considerations and minutiae of porting (most of) the Arcan ecosystem to work under OpenBSD. The main point of this article is not so much flirting with the OpenBSD crowd or adding further noise to software engineering topics, but to go through the special considerations that had to be taken, as notes to anyone else that decides to go down this overgrown and lonesome trail, or are curious about some less than obvious differences between how these things "work" on Linux vs. other parts of the world.

You know you're getting something good with a preface like this.

New OpenBSD kernel security feature

Theo de Raadt unveiled and described an interesting new kernel security feature: Kernel Address Randomized Link.

Over the last three weeks I've been working on a new randomization feature which will protect the kernel.

The situation today is that many people install a kernel binary from OpenBSD, and then run that same kernel binary for 6 months or more. We have substantial randomization for the memory allocations made by the kernel, and for userland also of course.

However that kernel is always in the same physical memory, at the same virtual address space (we call it KVA).

Improving this situation takes a few steps.

OpenBSD on the HP Stream 7

Recent events have rocked the mobile computing world to its core. OpenBSD retired the zaurus port, leaving users in desperate need of a new device. And not long before that, Microsoft released the Anniversary Update to Windows 10, but increased the free space requirement needed to install the update to exceed what's possible on devices with only 32GB, leaving users with cheap 32GB eMMC equipped devices such as the HP Stream series searching for a new operating system. With necessity as both mother and father, the scene is set for a truly epic pairing. OpenBSD on the HP Stream 7.

The HP Stream line is a series of budget computers in a couple form factors. The Stream 11 is a fairly typical netbook. However, the Stream 7 and 8 are tablets. They look like cheap Android devices, but inside the case, they’re real boys, er PCs, with Intel Atom CPUs.

To install OpenBSD on such a device, we need a few parts.

OpenBSD 6.0 released

OpenBSD 6.0 has been released, with tones of improvements. They're listing this one as one of the biggest changes:

In their latest attempt to push better security practices to the software ecosystem, OpenBSD has turned W^X on by default for the base system. Binaries can only violate W^X if they're marked with PT_OPENBSD_WXNEEDED and their filesystem is mounted with the new wxallowed option. The installer will set this flag on the /usr/local partition (where third party packages go) by default now, but users may need to manually add it if you're upgrading. More details can be found in this email. If you don't use any W^X-violating applications, you don't need the flag at all.

Why OpenBSD is important to me

OpenBSD is an operating system that prioritizes security, encryption, and free (as in free and open) software. It's built in the open - anyone can see the code and discussions around it. That's no accident - the earliest contributors recognized that transparency and public discussion are essential to effective security. If you follow the project and the email lists for any length of time, it becomes clear that the core contributors are passionate about security and quality. These are volunteers that spend their limited, precious spare time on building a great operating system that they give away for free because they want to see secure, high quality software thrive in the world. They've been doing it for 20 years.

What they've made works really well. While it's not as easy for a consumer to use as Windows or OS X, to someone more technically inclined, it's straightforward to use as a server or as a desktop for many use cases. And the big feature: it starts our very secure and if you're careful you can keep it that way as you customize it to suit your purpose.

A heartfelt case for OpenBSD.

OpenBSD 5.9 released

OpenBSD 5.9 has been released a few days early! As always, OpenBSD doesn't do a very good job of summarising the most important changes in this new release, but that's okay - OpenBSD isn't targeted at people like me who know very little about the BSDs. It doesn't really matter - those of you using OpenBSD were probably already aware of what was coming anyway, and if not, the release notes will still make complete sense to you.