HardenedBSD November 2024 Status Report

Shawn Webb

Nov 30, 2024, 3:45:05 PM
to HardenedBSD Users
Hey all,

This month saw a few improvements in HardenedBSD's source tree.

We can now boot to multi-user on the StarFive VisionFive2 riscv64 SBC dev
boards. They use a 39-bit address space, so we had to tune down our ASLR deltas
for this board as if we were operating on a 32-bit architecture. This is
obviously far from optimal, but it's what we have.

Changes to the src tree:

1. Ensure libhbsdcontrol operates only on regular files.
2. Ensure hbsdcontrol does not follow symlinks by default. Provide an option to
override.
3. Allow the RTLD ASLR delta to be overridden in the kernel config file.
4. Lower ASLR deltas for StarFive VisionFive2 SBC boards.
5. Drop TCP SYN+FIN packets by default.

In ports:

1. Do not override the default LLVM version in devel/electron32
2. Bring in the -ftrivial-var-auto-init=zero patch from HardenedBSD src for:
- devel/llvm17
- devel/llvm18
- devel/llvm19
3. Bump net-p2p/heartwood-httpd to 0.17.1
4. Disable _FORTIFY_SOURCE for:
- x11/swaylock
- x11/swaybg
- x11-wm/sway
5. Bump hardenedbsd/hbsdmon to 1.0_13
6. Disable PaX PAGEEXEC for www/firefox
7. Set default LLVM version to 19 for 15-CURRENT systems

We performed emergency maintenance on the 14-STABLE build server. We replaced
three sticks of RAM. As of this writing, it appears we have to replace more
sticks. Once the package build that's running right now finishes, we will do
that.

We received a large donation specifically for the purchase of a new Framework
laptop. That purchase has been made and we are awaiting shipping. The timing of
this couldn't be better as the laptop I used to use for when I'm bed-bound is
now too old to run modern HardenedBSD. (The problem being the video card is
ancient and there are no supported drivers for it.) Many of you know I have
various random health issues (migraines, back injury, chronic fatigue), so
having a more mobile system will help me be active wherever I am.

We will soon be ordering some new hard drives for our NAS server. Once ordered
and installed, we will reconfigure how we are storing build artifacts. Right
now, each build server has enough storage to store its own build artifacts.
However, this means that when we perform maintenance on the build server, the
build artifacts are temporarily unavailable. Centralizing artifact storage onto
a NAS will enable us to be more efficient when performing maintenance. We plan
to make that purchase in January 2025.

I have started a discussion with the FreeBSD Foundation, the HardenedBSD
Foundation, the Colorado BSD User's Group, and the Google Summer of Code student
Aymeric Wibo, to organize a hackathon in January or February 2025. This
hackathon will be geared towards getting the BATMAN-adv mesh networking GSoC
work to a state where it can be reviewed for merging into FreeBSD. I'm excited
to see where this goes and its human rights impact as we design, build, and
deploy surveillance- and censorship-resistant mesh networks.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
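The fifth src change above, dropping TCP segments that carry both SYN and FIN, is a one-line item in the report. The following is an added example, not code from the post or from HardenedBSD, showing what such a filter decides at the packet level: it parses the flags byte of a raw TCP header and rejects segments where SYN and FIN are set together (a combination no legitimate handshake produces). The header builder, port numbers and sample segments are constructed here for illustration; the 20-byte TCP header layout is standard (RFC 9293).

```python
import struct

# Bits of the TCP flags byte (byte 13 of the header): CWR ECE URG ACK PSH RST SYN FIN.
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_ACK = 0x10

TCP_HEADER_LEN = 20  # minimum header, data offset = 5 words


def tcp_flags(segment: bytes) -> int:
    """Return the 8-bit flags field of a raw TCP header (no IP header in front)."""
    if len(segment) < TCP_HEADER_LEN:
        raise ValueError("truncated TCP header")
    return segment[13]


def is_syn_fin(segment: bytes) -> bool:
    """True when SYN and FIN are both set, the combination the kernel now drops."""
    both = TCP_SYN | TCP_FIN
    return tcp_flags(segment) & both == both


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Constructed helper: pack a minimal 20-byte TCP header with the given flags.

    Field order: source port, dest port, seq, ack, data-offset/flags, window,
    checksum (left zero here), urgent pointer.
    """
    offset_and_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_and_flags, 65535, 0, 0)


def filter_segments(segments, drop_synfin: bool = True):
    """Split segments into (kept, dropped) the way a drop-SYN+FIN default would.

    With drop_synfin=False every segment is kept, mirroring the old behaviour.
    """
    kept, dropped = [], []
    for seg in segments:
        if drop_synfin and is_syn_fin(seg):
            dropped.append(seg)
        else:
            kept.append(seg)
    return kept, dropped


def sample_segments():
    """Constructed sample: a normal handshake opener, a SYN+FIN, and a close."""
    return [
        build_tcp_header(40000, 22, TCP_SYN),            # ordinary connection request
        build_tcp_header(40001, 22, TCP_SYN | TCP_FIN),  # SYN+FIN, should be dropped
        build_tcp_header(40002, 22, TCP_FIN | TCP_ACK),  # normal teardown
    ]


if __name__ == "__main__":
    kept, dropped = filter_segments(sample_segments())
    print(f"kept={len(kept)} dropped={len(dropped)}")
```

The flags byte is checked with a mask rather than an equality test so that a SYN+FIN segment with extra bits (for example ACK or PSH) is still caught. On FreeBSD-derived systems the corresponding kernel knob is the `net.inet.tcp.drop_synfin` sysctl (this name is from general FreeBSD documentation, not from the report), which is what a reader would inspect to confirm the default on a running system.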