OpenBSD Archive

Introduction to sysclean(8) on OpenBSD

sysclean(8) is a system tool designed for help system administrator to keep their OpenBSD clean after upgrade. It walks the installed system and compare to a reference system, reporting to the user additional things in the installed system. The purpose is to point any elements that wouldn’t be present if a fresh install was done, instead of an upgrade. This seems like a useful tool.

OpenBSD: viable ROP-free roadmap for i386/armv8/riscv64/alpha/sparc64

Years later, Todd Mortimer and I developed RETGUARD. At the start of that initiative he proposed we protect all functions, to try to guard all the RET instructions, and therefore achieve a state we call “ROP-free”. I felt this was impossible, but after a couple hurdles the RETGUARD performance was vastly better than the stack protector and we were able to protect all functions and get to ROP-free (on fixed-sized instruction architecures). Performance was acceptable to trade against improved security. RETGUARD provides up to 4096 cookies per DSO, per-function, but limited to avoid excessive bloat. It is difficult to do on architectures with very few registers. Code was only written for clang, there is no gcc codebase doing it. clang code for some architectures was never written (riscv64). I hope that sets the stage for what is coming next. We were able to enable RETGUARD on all functions because it was fast. Look, I have no clue what any of this means. None at all. However, I do somewhat grasp this is a big deal… I just need OSNews readers to explain in layman’s terms why, exactly.

OpenBSD/arm64 on Hetzner Cloud

Hetzner introduced its Ampere Altra powered arm64-based cloud servers earlier this year, making it possible to easily run OpenBSD/arm64 on their platform. The only caveat for now is that the viogpu(4) driver is required, which was committed by jcs@ in April 2023 and thus only available in snapshots. It will first appear in OpenBSD 7.4. Excellent news.

Wayland on OpenBSD

These are my notes from experimenting with building Wayland bits on OpenBSD during g2k23 in Tallinn… Thanks to the OpenBSD foundation for organizing this event. This is still far from a complete running system as there are many issues on the road, but it’s a good start and it shows that it’s definitely not impossible to get Wayland running on OpenBSD. This is one of the very few valid criticisms of Wayland: it’s designed and developed entirely for Linux, with no regard for BSD or other platforms. Now, I find this an entirely valid choice and completely understandable choice to make from the developers’ perspectives, but it’s still unpleasant that the BSD world is stuck with archaic, unmaintained X.org while the Linux world has moved on. In that light, it’s great to see that Wayland may, in fact, not be as married to Linux as we think.

OpenBSD 7.3 released

OpenBSD 7.3 has been released. As usual, there’s no nice write-up of the major new features and changes – as befits OpenBSD as a project, I’m not complaining – and since I’m not too well-versed in the world of OpenBSD, I don’t really know which of the massive list of changes impact the average OpenBSD user the most.

OpenBSD 7.2 released

OpenBSD 7.2 has been released. The major new features in this release are all concerned with expanding the operating system’s hardware support. This release adds supports for Apple’s M2, the Ampere Altra, and the Qualcomm Snapdragon 8cx Gen 3.

OpenBSD has two new C compilers: chibicc and kefir

In my never ending quest to have oksh support every C compiler in existence, I have ported two more C compilers to OpenBSD. They are chibicc and kefir. As always, let’s review them and at the end I’ll have links to unofficial ports so that you can play around with these C compilers. As you all know, these things are a little over my head, but I know many OSNews readers are far more knowledgeable about and interested in these things than I am.

OpenBSD 7.1 on PINE64 RockPro64

This is a small write-up about installing OpenBSD 7.1 on a PINE64 RockPro64 SBC. RockPro64 is a beefy single-board computer made by a company that brought us awesome devices like Pinebook Pro (laptop), Pinecil (soldering iron), PineTime (smartwatch) and of course PinePhone. The board utilizes the same hexa-core processor as Pinebook Pro – Rockchip RK3399, and 4 gigabytes of LPDDR4 RAM. One of the distinct features of that computer is a PCI-express X4 socket. Unfortunately I wasn’t able to use any video card there even with “stock” GNU/Linux – ARM64 GPU drivers for AMD/NVIDIA is just not there yet I assume. The slot is often being used for a network cards and SATA controllers – there is even an official case for RP64 with 3.5″ hard drives spots inside, quite handy for a homemade NAS or something of sorts. Exactly what it says on the tin.

Compiling an OpenBSD kernel 50% faster

This is approximately as wise as taking off from Mars in a ragtop rocket, but don’t worry, the math all checks out. My theory is that compiling less code will be faster than compiling more code, but first we must find the code so we know not to compile it. This is vital information to know in your day-to-day computing life.

OpenBSD 7.1 released

OpenBSD 7.1 has been released. The biggest improvement in this point release is support for Apple Silicon, which is now ready for general use. Of course, there’s a lot more in this new release, so head on over to the changelog to get all the details.

OpenBSD 7.0 released

OpenBSD 7.0 has been released, and it seems a big focus for this release was improving ARM64 support, and adding support for RISC-V. There’s a long list or other improvements and fixes, too, of course. Downloads are where they always are.

Recent and not so recent changes in OpenBSD that make life better

Known to be “functional, free and secure by default”, the OpenBSD operating system has played an important role in open source for more than a quarter century. It has also been fairly central to what I have done for the last two decades and some. What follows is my personal view of what life with OpenBSD has been like, with an emphasis on moments and developments that I feel made life, or at least my life, better. Good article about an operating system that seems to just do its thing, and do it well.

The state of toolchains in OpenBSD

For most of the 2010s, the OpenBSD base system has been stuck with GCC 4.2.1. It was released in July 2007, imported into the OpenBSD source tree in October 2009, and became the default compiler on the amd64, i386, hppa, sparc64, socppc and macppc platforms in OpenBSD 4.8, released in November 2010. As specified in the commit message during import, this is the last version released under the GPLv2 license. OpenBSD was not the only operating system sticking to GCC 4.2.1 for licensing reasons, FreeBSD did the same, and Mac OS X as well. As a general rule, and this is not OpenBSD specific, being stuck with old compilers is problematic for several reasons. It seems most platforms OpenBSD supports now come with modern, up-to-date toolchains.

OpenBSD 6.9 released

OpenBSD 6.9 has been released. This release focuses a lot on improving support for certain platforms, such as powerpc64 – mainly for modern POWER9 systems such as the Blackbird (which we reviewed late last year) and Talos II (which I have here now for review), arm64, and preliminary support for Apple’s ARM M1 architecture. There is way, way more in this release, of course, so feel free to peruse the release notes. On a related note, I recently bought an HP Visualize C3750 PA-RISC workstation, and it’s been pretty much impossible to get my hands on a proper copy of HP-UX 11i v1 that works on the machine. As such, in the interim, I installed OpenBSD on it, and it’s been working like a charm. I still need to set up and try X, but other than that, it’s been a very pleasant experience. Effortless installation, good documentation, and user friendlier than I expected.

OpenBSD 6.8 released

OpenBSD has marked its 25th birthday with a brand new release – OpenBSD 6.8. One of the major new features is support for 64bit PowerPC processors – POWER8 and POWER9 specifically, and the Raptor Computing Systems Talos II and Blackbird platforms in particular.

Rethinking OpenBSD security

OpenBSD aims to be a secure operating system. In the past few months there were quite a few security errata, however. That’s not too unusual, but some of the recent ones were a bit special. One might even say bad. The OpenBSD approach to security has a few aspects, two of which might be avoiding errors and minimizing the risk of mistakes. Other people have other ideas about how to build secure systems. I think it’s worth examining whether the OpenBSD approach works, or if this is evidence that it’s doomed to failure. I picked a few errata, not all of them, that were interesting and happened to suit my narrative.

OpenBSD system-call-origin verification

A new mechanism to help thwart return-oriented programming (ROP) and similar attacks has recently been added to the OpenBSD kernel. It will block system calls that are not made via the C library (libc) system-call wrappers. Instead of being able to string together some “gadgets” that make a system call directly, an attacker would need to be able to call the wrapper, which is normally at a randomized location. I understood some of these words.