openntpd or ntpd on HardenedBSD-aarch64-12.0-HARDENEDBSD-4aa8137dc0c-RaspberryPi3

[johns.tablet20]

Hi,

I've installed
HardenedBSD-aarch64-12.0-HARDENEDBSD-4aa8137dc0c-RaspberryPi3 on a
rpi3+. Time is out by an hour and I'm looking for ntpd/openntpd to make
sure it's running but although it's mentioned in /etc/rc.conf, I can't
seem to launch the binary.

I have the following in /etc/rc.conf:
local_openntpd_enable="YES"

what to do?

thanks,
--
johns.t...@gmail.com

[Shawn Webb]

Use the previous image. The one you're using was a test image for CFI
on arm64. It was built with OpenSSL in base (so, ntpd instead of
openntpd).

This is the image you should use:
https://hardenedbsd.org/~shawn/rpi3/2018-06-13/

It'll take around three weeks for the arm64 package repo to catch up
to the OpenSSL switch.

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lat...@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

[johns.tablet20]

On 09/07/2018 00:13, Shawn Webb wrote:
> Use the previous image. The one you're using was a test image for CFI
> on arm64. It was built with OpenSSL in base (so, ntpd instead of
> openntpd).

oh, that's what I want! I want openssl in base. I'm not sure what CFI is
though.

> This is the image you should use:
> https://hardenedbsd.org/~shawn/rpi3/2018-06-13/

is this one also openssl in base?

> It'll take around three weeks for the arm64 package repo to catch up
> to the OpenSSL switch.

That's OK, I only need a few packages and am happy to build my own from
ports.

--
johns.t...@gmail.com

[Shawn Webb]

Okay, if you want OpenSSL in base, use the image you're currently
using. Just set ntpd_enable="YES" in rc.conf and you should have
working ntpd.

Until the arm64 package repo finishes rebuilding (in three weeks'
time), you'll need to build from ports on your own.

CFI is Control Flow Integrity, a powerful exploit mitigation:
https://clang.llvm.org/docs/ControlFlowIntegrity.html

[johns.tablet20]

On 09/07/2018 00:21, Shawn Webb wrote:
> Okay, if you want OpenSSL in base, use the image you're currently
> using. Just set ntpd_enable="YES" in rc.conf and you should have
> working ntpd.

This is why I'm confused. There is no ntpd binary in /usr/sbin or
anywhere else on the system.

--
johns.t...@gmail.com

[Shawn Webb]

Interesting. You might have found a bug. I'll look into it shortly.

[johns.tablet20]

On 09/07/2018 00:32, Shawn Webb wrote:
> Interesting. You might have found a bug. I'll look into it shortly.

:D

ntpdate is also missing.

--
johns.t...@gmail.com

[Shawn Webb]

On Mon, Jul 09, 2018 at 12:37:29AM +0100, johns.tablet20 wrote:
> On 09/07/2018 00:32, Shawn Webb wrote:
> > Interesting. You might have found a bug. I'll look into it shortly.
>
> :D
>
> ntpdate is also missing.

Fixed with commit 6ba2fde0e70[1]. It'll be in the next RPI3 build. In the
meantime, you'll need to install ntpd from ports.

[1]: https://github.com/HardenedBSD/hardenedBSD/commit/6ba2fde0e70

[johns.tablet20]

On 09/07/2018 00:40, Shawn Webb wrote:
> Fixed with commit 6ba2fde0e70[1]. It'll be in the next RPI3 build. In the
> meantime, you'll need to install ntpd from ports.

OK, thanks!

--
johns.t...@gmail.com