Hey all,
December was a delightfully relatively busy month for HardenedBSD. I
started research on mitigating SROP due to a discussion with one of
the Syd Linux developers. While I don't have an implementation just
yet, I've started research on that.
I created a private fork of the HardenedBSD src tree meant for
collaborating with Aymeric Wibo on completing the BATMAN-adv mesh
networking support. The idea here is to use the private fork to first
separate the GPL bits into ports entries. The bits of code that land
in the public src tree will NOT be GPL.
Notable changes in the src tree:
1. There was a regression in how we apply ASLR to mmap(MAP_STACK)
mappings. The delta was improperly computed but is now fixed.
2. Default to PIE on all architectures.
3. fusefs(4) is now compiled with -ftrivial-auto-var-init=zero.
4. syslogd will no longer accept remote connections by default. Please
note that this could impact users' environments. Deployments that
need to accept remote connections will need to be modified. Please
reference commit 50ed55c154b79f41fadd4b77ede9c202b83435b5 for more
information.
5. Enable use of -fzero-call-used-regs=used across (nearly) the
entirety of base userland. The only component in base userland that
has this feature disabled is the bootloader.
Notable changes in the ports tree:
1. PaX PAGEEXEC is disabled for www/firefox.
2. Default LLVM version is bumped to 19, matching llvm in base.
3. _FORTIFY_SOURCE was disabled for:
* x11-wm/sway
* x11/swaybg
* x11/swaylock
4. net-p2p/heartwood-httpd was bumped.
5. Ports built with llvm-from-ports version 17, 18, and 19 will have
-ftrivial-auto-var-init=zero enabled by default.
6. The build of devel/electron32 was fixed by using the default llvm
version.
7. net-p2p/heartwood was bumped to 1.1.0.
8. Fix ranlib version detection.
9. security/libhijack version was bumped.
10. Apply -fzero-call-used-regs=all by default across the entire
ports tree (new hardening option: ZEROREG).
11. Disable register zeroing for:
* archivers/libdeflate
* databases/mongodb80
* devel/highway
* devel/qt6-base
* devel/wasi-compiler-rt
* devel/wasi-libcxx
* editors/libreoffice
* graphics/libjxl
* graphics/openjph
* lang/go-devel (applies to golang universally)
* multimedia/svt-av1
* multimedia/vmaf
* security/libsodium
* www/node20
* www/node22
12. sysutils/vm-bhyve-hbsd version was bumped.
Please note that there likely is a lot of fallout to address regarding
register zeroing in ports. The next few package builds for both
14-STABLE and 15-CURRENT will likely have a few packages missing. I
plan to address those broken ports/packages as soon as I find out
they're broken. Please be patient as we address the breakages.
I plan to apply updates across the entire HardenedBSD development
infrastructure on Saturday, 04 Jan 2025. I will keep everyone informed
as to when the maintenance period begins and ends. The package builds
will commence immediately after the infrastructure is back online.
Happy New Year! I hope 2025 treats everyone well. I'm excited to see
the mesh networking work progress. I believe we will see an ever
increasing need for the deployment of these types of networks.
The HardenedBSD Foundation and the community are immensely grateful for
the contributions made in 2024. This project could not survive if not
for the gracious contributions that come in all their forms: monetary,
patch submissions, advocacy, documentation, and otherwise. We look
forward to a bright and productive 2025.
Thanks,
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
Tor-ified Signal:
+1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc