HardenedBSD March 2025 Status Report

Shawn Webb

Mar 31, 2025, 7:55:24 PM
to HardenedBSD Users

Hey all,

March was a busy month for the project with regards to the infrastructure. We
saw some commits to src and ports, but development was pretty quiet overall. On
12 March 2025, we drastically expanded power capacity in the server room, adding
two new 20 amp circuits. The electrician also prepared for an eventual
mini-split HVAC unit that we hope to requisition in the next year or two.

Due to the electrical work, we skipped performing package builds for March.
We'll resume our regular package building schedule on 01 April 2025.

Years ago, we supported arm64 with HardenedBSD's hardened/current/master branch
and provided regular builds and a package repo. We scaled down that support when
I had switched employers. Back then, the infrastructure was hosted at my
employer's mini-datacenter, whereas now it's hosted in my home. Now that we have
the power capacity, I worked on powering on one of our two Cavium ThunderX1
servers. The NIC (an Intel NIC that uses the em(4) driver) seems not to be
stable in this particular setup. Once we get stable networking, I plan to regain
official support for HardenedBSD on arm64.

I worked with the Radicle team (https://radicle.xyz/) to officially start
research and development for larger code repositories. Currently, our src and
ports repos are too large for Radicle to handle.

In the src tree:

1. 0x1eef wrote a periodic(8) script that applies a stricter set of permissions
to certain files and directories. Please refer to
/etc/mtree/BSD.hardened.dist for which files and directories are applicable.
2. The retain option in jemalloc is disabled by default (see malloc.conf(5) for
more information about this option). Disabling the retain option increases the
entropy applied to the heap and can help mitigate Use-After-Free (UAF)
vulnerabilities.
3. The IP ID randomization period was increased from 8192 to 32768. This
increases the window of the randomized IP ID value, making it slightly more
difficult for an attacker.

In the ports tree:

1. Register zeroing (ZEROREG) was enabled for net/wireshark.

I'd like to finish this status report with a call for donations. The last major
hurdle for us is cooling. A mini-split heat pump HVAC unit is going to be
crucial for us this summer as we scale up our infrastructure. We currently use a
portable A/C unit, and that seems to be sufficient for now since outdoor
temperatures are manageable. However, when summer hits and it's 110F outside, we
may have to power off some servers to keep indoor temperatures steady. I have
not received any estimates or quotes, but I suspect it will be between $5,000
and $7,000 USD. Donations by those in the US are eligible for tax deduction.

I plan to get us fully supported on LiberaPay over the next month or two. I've
set up a profile here: https://liberapay.com/hardenedbsd-finances/. I still have
some work to do in order to get us fully set up on LiberaPay. I will reply to
this status report when the account's setup is complete.

In April, I plan to continue work on the BATMAN port. I'm hoping to get it to a
buildable state. Once it's buildable, then we can separate the GPL code out into
various ports entries.

I'm also coordinating with two other FreeBSD developers about optionally
supporting different compiler toolchains, starting with Rust, for base userland
components.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc