OpenBSD Archive

New OpenBSD kernel security feature

Theo de Raadt unveiled and described an interesting new kernel security feature: Kernel Address Randomized Link.

Over the last three weeks I've been working on a new randomization feature which will protect the kernel.

The situation today is that many people install a kernel binary from OpenBSD, and then run that same kernel binary for 6 months or more. We have substantial randomization for the memory allocations made by the kernel, and for userland also of course.

However that kernel is always in the same physical memory, at the same virtual address space (we call it KVA).

Improving this situation takes a few steps.

OpenBSD on the HP Stream 7

Recent events have rocked the mobile computing world to its core. OpenBSD retired the zaurus port, leaving users in desperate need of a new device. And not long before that, Microsoft released the Anniversary Update to Windows 10, but increased the free space requirement needed to install the update to exceed what's possible on devices with only 32GB, leaving users with cheap 32GB eMMC equipped devices such as the HP Stream series searching for a new operating system. With necessity as both mother and father, the scene is set for a truly epic pairing. OpenBSD on the HP Stream 7.

The HP Stream line is a series of budget computers in a couple form factors. The Stream 11 is a fairly typical netbook. However, the Stream 7 and 8 are tablets. They look like cheap Android devices, but inside the case, they’re real boys, er PCs, with Intel Atom CPUs.

To install OpenBSD on such a device, we need a few parts.

OpenBSD 6.0 released

OpenBSD 6.0 has been released, with tons of improvements. They're listing this one as one of the biggest changes:

In their latest attempt to push better security practices to the software ecosystem, OpenBSD has turned W^X on by default for the base system. Binaries can only violate W^X if they're marked with PT_OPENBSD_WXNEEDED and their filesystem is mounted with the new wxallowed option. The installer will now set this mount option on the /usr/local partition (where third-party packages go) by default, but users who are upgrading may need to add it manually. More details can be found in this email. If you don't use any W^X-violating applications, you don't need the option at all.
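The two conditions above (ELF marker plus mount option) are easy to check for yourself. The following Python script is an added example, not code from the original page or from the OpenBSD project: it parses the ELF program-header table of a binary and reports whether it carries PT_OPENBSD_WXNEEDED, and it mirrors the kernel's two-part rule as a small function. The p_type value 0x65a3dbe7 is the one defined in OpenBSD's <sys/exec_elf.h>; the sample ELF images are constructed inline so the script runs offline, and the helper name build_elf64 is our own.

```python
import struct

# Program-header types. PT_OPENBSD_WXNEEDED is OpenBSD-specific; the rest
# are the generic ELF values.
PT_LOAD = 1
PT_NOTE = 4
PT_PHDR = 6
PT_OPENBSD_WXNEEDED = 0x65A3DBE7  # from OpenBSD <sys/exec_elf.h>


def program_header_types(data: bytes):
    """Return the p_type of every program header in an ELF32/ELF64 image.

    Only the fields needed to walk the table are decoded; the byte order and
    word size come from e_ident so both classes and both endiannesses work.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    elif ei_class == 1:  # ELF32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)

    types = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(endian + "I", data, off)  # p_type is first in both classes
        types.append(p_type)
    return types


def wx_needed(data: bytes) -> bool:
    """True if the binary asks the kernel for permission to violate W^X."""
    return PT_OPENBSD_WXNEEDED in program_header_types(data)


def wx_violation_permitted(data: bytes, mount_wxallowed: bool) -> bool:
    """Mirror the 6.0 rule: the ELF marker AND the wxallowed mount option
    are both required; either one alone is not enough."""
    return wx_needed(data) and mount_wxallowed


def build_elf64(phdr_types):
    """Construct a minimal little-endian x86-64 ELF image whose program
    header table contains the given p_type values. This is constructed
    test data for the parser, not a loadable binary."""
    phoff, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, version 1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1,              # e_type=ET_EXEC, e_machine=EM_X86_64, e_version
        0, phoff, 0,           # e_entry, e_phoff, e_shoff
        0, 64, phentsize,      # e_flags, e_ehsize, e_phentsize
        len(phdr_types), 0, 0, 0,  # e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return ehdr + phdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "wxneeded" if wx_needed(f.read()) else "clean")
```

Run it against anything under /usr/local/bin to see which packages need the marker; a binary that prints "clean" will be denied a RWX mapping regardless of how its filesystem is mounted, which is exactly the behaviour the release note describes.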

Why OpenBSD is important to me

OpenBSD is an operating system that prioritizes security, encryption, and free (as in free and open) software. It's built in the open - anyone can see the code and discussions around it. That's no accident - the earliest contributors recognized that transparency and public discussion are essential to effective security. If you follow the project and the email lists for any length of time, it becomes clear that the core contributors are passionate about security and quality. These are volunteers that spend their limited, precious spare time on building a great operating system that they give away for free because they want to see secure, high quality software thrive in the world. They've been doing it for 20 years.

What they've made works really well. While it's not as easy for a consumer to use as Windows or OS X, to someone more technically inclined, it's straightforward to use as a server or as a desktop for many use cases. And the big feature: it starts out very secure and if you're careful you can keep it that way as you customize it to suit your purpose.

A heartfelt case for OpenBSD.

OpenBSD 5.9 released

OpenBSD 5.9 has been released a few days early! As always, OpenBSD doesn't do a very good job of summarising the most important changes in this new release, but that's okay - OpenBSD isn't targeted at people like me who know very little about the BSDs. It doesn't really matter - those of you using OpenBSD were probably already aware of what was coming anyway, and if not, the release notes will still make complete sense to you.

Microsoft Funds OpenBSD

The Microsoft Corporation has become OpenBSD's first "Gold Level" sponsor after a large donation (Facebook and Google are both silver contributors). The move is likely related to Microsoft's use of OpenSSH in future versions of PowerShell. Meanwhile, at the FreeBSD site, the companies LineRate, NetApp, Google, Hudson River Trading, and Netflix dominate the top sponsors. Noticeably absent was Apple, which bases its OS X and iOS systems on the free software BSD systems. More info about OpenBSD's 2015 fundraising campaign here.

Bitrig 1.0 released

Bitrig 1.0 - an OpenBSD fork - has been released. Why, exactly, did Bitrig fork OpenBSD?

OpenBSD is an amazing project and has some of the best code around but some of us are of the opinion that it could use a bit of modernization. OpenBSD is a very security conscious project and, correspondingly, has to be more conservative with features. We want to be less restrictive with the codebase when it comes to experimenting with features.

OpenBSD gets USB 3.0 support

The OpenBSD operating system, famous for its proactive approach to security, has gained support for USB 3.0 devices. A brief announcement was made on November 10th, letting OpenBSD users know USB 3.0 support had arrived.

The post said legacy USB 1.x devices would continue to work on USB 3.0 ports.

For those of you who'd been looking forward to using those blue USB ports of yours, now's the time to plug in as many 3.0 devices as you can find! Of course, just about the time we publish this story, USB 1.x devices are now supported on USB 3.x controllers.

“OpenBSD will shut down if we do not have the funding”

See the email thread on the misc list for more details.

In light of shrinking funding, we do need to look for a source to cover project expenses. If need be the OpenBSD Foundation can be involved in receiving donations to cover project electrical costs.

But the fact is right now, OpenBSD will shut down if we do not have the funding to keep the lights on.

If you or a company you know are able to assist us, it would be greatly appreciated, but right now we are looking at a significant funding shortfall for the upcoming year - meaning the project won't be able to cover 20 thousand dollars in electrical expenses before being able to use money for other things. That sort of situation is not sustainable.

The OpenBSD project is the incubator for a number of other projects including OpenSSH and OpenSMTPD. If you use these or just want the project to survive, consider making a donation.

OpenBSD 5.0 Released

"OpenBSD 5.0 has been published, six months after the release of version 4.9. The OpenBSD project's newest release of the free BSD based UNIX-like operating system includes a number of new and updated drivers, performance improvements and new features. OpenBSD 5.0 includes the GNOME 2.32.2, KDE 3.5.10 and Xfce 4.8.0 desktop environments. It also contains a number of new and updated packages including versions 3.5.19, 3.6.18 and 5.0 of the Firefox web browser, PHP 5.2.17 and 5.3.6, LibreOffice 3.4.1, and Chromium 12. The release includes September's release of OpenSSH 5.9." GNOME 2 you say? Huh. Interesting.

OpenBSD 4.9 Released

OpenBSD 4.9 is ready. NTFS is now enabled by default (read-only), SMP kernels can now boot on machines with up to 64 cores, the maximum allocation size for i386 has been bumped to 2G, support has been added for the AES-NI instructions found in recent Intel processors, suspend and resume have been improved further, and much more.

More Details Emerge Regarding OpenBSD FBI Backdoors

Yesterday, we reported on the allegations made by Gregory Perry. He claims that 10 years ago, several developers were paid by the FBI to implement hidden backdoors into OpenBSD's IPsec stack. This has prompted a lot of speculation about the allegations' validity, and less than 24 hours later, it has descended into one person's word against that of others. Update: Jason Wright, too, denies all the allegations. "I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF). It is a baseless accusation the reason for which I cannot understand."