HardenedBSD October 2022 Status Report

Shawn Webb

Oct 31, 2022, 7:49:34 PM
to HardenedBSD Users
Hey all,

It has been an exciting month for HardenedBSD. First up is an important
announcement. I am officially looking for new job opportunities. This is
important for the HardenedBSD project since the development and build
infrastructure is housed at my (now former) employer's office.

I'm grateful for the two-and-a-half years in which BlackhawkNest has provided
the project with free hosting. They have agreed to continue hosting the
development/build infrastructure for free until the end of November.
BlackhawkNest has been incredibly supportive of the project in many ways and I
wish them well in their future endeavors.

HardenedBSD's development and build infrastructure will need to find a new home.
Looking at the long term, I would eventually like HardenedBSD to stand
independent of my employment. However, we currently lack the funding and will
need to continue to rely on my employer until we gain enough sustained funding.

It is my hope that HardenedBSD's development and build infrastructure is
transitioned in a timely manner to its new home, wherever that may be, before
the end of November 2022. If you would like to help out in the effort to make
HardenedBSD's infrastructure stand independent, please donate. We appreciate the
community's contributions to the project, regardless of the form those
contributions come in (code, advocacy, funding, etc.).

Please note that OS binary updates, package repos, and installer images are
hosted elsewhere and will not be interrupted. GitLab and the build systems will
be the only systems impacted.

Now, let's get into progress in the project itself!

In src:

1. Shawn added a new sysctl tunable (hardening.pax.kmod_load_disable) that, when
set, disables loading all kernel modules from that point forward. The kld
rc script has been updated such that users can specify hbsd_late_kld_prohibit
in rc.conf, which will set the sysctl node after loading modules specified in
kld_list. This work was sponsored by BlackhawkNest, Inc.
2. Significant progress has been made on Cross-DSO CFI support. An installable
version of HardenedBSD 14-CURRENT with Cross-DSO CFI enabled can now build
itself (meaning, `make buildworld buildkernel` works in a fully Cross-DSO
CFI'd system.)
* There's still more work to be done here. On a normal install of HardenedBSD
14-CURRENT, the following command fails when building the compiler
toolchain:
`make buildworld WITHOUT_SYSTEM_COMPILER=yes WITHOUT_SYSTEM_LINKER=yes`
* The `ctfmerge` application segfaults when building the kernel. ctfmerge is
needed for DTrace support. I plan to disable ctfmerge (thus disabling
DTrace) in the Cross-DSO CFI feature branch and circle back around to
fixing whatever bugs lie in ctfmerge. I'd rather keep the momentum around
Cross-DSO CFI support going.

In ports:

1. Shawn forked FreeBSD's Poudriere project to support the needs of building
packages in HardenedBSD. By default, Poudriere creates a 1GB tmpfs mount for
data. HardenedBSD has (slightly) outgrown that, so the size has increased to
2GB to account for future growth.
2. Shawn disabled CFI for x11-servers/xorg-server
3. Loic fixed x11-wm/enlightenment
4. Loic fixed mail/bogofilter
5. Loic fixed sysutils/pefs-kmod
6. Loic fixed net-mgmt/netdisco-mibs
7. Loic fixed x11-toolkits/gtkd
8. Loic fixed x11-wm/piewm
9. Loic removed lib32 in emulators/libc6-shim
10. Shawn bumped the version for hardenedbsd/liblattutil

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
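As an added example (not code from the post or the HardenedBSD project), a POSIX sh audit of the kernel-module lockdown described in src item 1, run over constructed stand-ins for `sysctl -n hardening.pax.kmod_load_disable`, /etc/rc.conf and `kldstat` output: it checks that the sysctl is already 1, that hbsd_late_kld_prohibit persists the lockdown across reboots, and that every kld_list module was actually loaded before loading was disabled. The function names and sample values are my own.

```shell
#!/bin/sh
# Constructed sample inputs (not captured from a real host) standing in for
# `sysctl -n hardening.pax.kmod_load_disable`, /etc/rc.conf and `kldstat`.
SAMPLE_SYSCTL='1'
SAMPLE_RC_CONF='kld_list="fuse if_bridge"
hbsd_late_kld_prohibit="YES"'
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   10 0xffffffff80200000  1f0c000 kernel
 2    1 0xffffffff82c10000    1c000 fuse.ko
 3    1 0xffffffff82c2c000     8000 if_bridge.ko'

# rc_value CONF VAR: value of the last VAR= assignment in CONF, quotes stripped.
rc_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" | tail -n 1
}

# loaded_modules KLDSTAT: names of loaded modules without the .ko suffix, kernel excluded.
loaded_modules() {
    printf '%s\n' "$1" | awk 'NR > 1 && $5 != "kernel" { sub(/\.ko$/, "", $5); print $5 }'
}

# check_kld_lockdown SYSCTL_VALUE RC_CONF KLDSTAT
# Returns 0 when the kernel already refuses module loads (sysctl == 1), the
# lockdown is persisted via hbsd_late_kld_prohibit, and every kld_list module
# was loaded before the door closed; prints each deviation and returns 1.
check_kld_lockdown() {
    sysctl_val=$1 rc_conf=$2 kldstat_out=$3 rc=0
    if [ "$sysctl_val" != 1 ]; then
        echo "FAIL: hardening.pax.kmod_load_disable=$sysctl_val, kernel still accepts kldload"
        rc=1
    fi
    if [ "$(rc_value "$rc_conf" hbsd_late_kld_prohibit)" != YES ]; then
        echo "WARN: hbsd_late_kld_prohibit not set in rc.conf, lockdown will not survive a reboot"
        rc=1
    fi
    loaded=" $(loaded_modules "$kldstat_out" | tr '\n' ' ') "
    for m in $(rc_value "$rc_conf" kld_list); do
        m=${m%.ko}
        case $loaded in
            *" $m "*) ;;
            *) echo "FAIL: $m is in kld_list but not loaded; it can no longer be loaded"; rc=1 ;;
        esac
    done
    return $rc
}

check_kld_lockdown "$SAMPLE_SYSCTL" "$SAMPLE_RC_CONF" "$SAMPLE_KLDSTAT" \
    && echo "OK: kld_list loaded and further module loading is disabled"
```

On a real host, replace the three samples with `sysctl -n hardening.pax.kmod_load_disable`, `cat /etc/rc.conf` and `kldstat` output.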