What security does a default OpenBSD installation offer? (by solene@)

In a recent blog post, OpenBSD developer Solène Rapenne (solene@) offers an overview of the security features provided by a default OpenBSD installation.

The first paragraph of the introduction reads,

In this text I will explain what makes OpenBSD secure by default when you install it. Do not take this for a security analysis, but more like a guide to help you understand what is done by OpenBSD to have a secure environment. The purpose of this text is not to compare OpenBSD to other OSes but to say what you can honestly expect from OpenBSD.

A worthy reminder of how the system works, and a very handy piece to show to anybody who wonders why one would choose to use OpenBSD over anything else. You can read the whole thing here.

dhcpleased(8) – DHCP client daemon

With the following commit, Florian Obser (florian@) imported dhcpleased(8), a DHCP daemon that acquires IPv4 address leases from servers, plus dhcpleasectl(8), a utility to control the daemon:

CVSROOT:	/cvs
Module name:	src
Changes by:	florian@cvs.openbsd.org	2021/02/26 09:16:37

Added files:
	sbin/dhcpleased: Makefile bpf.c bpf.h checksum.c checksum.h 
	                 control.c control.h dhcpleased.8 dhcpleased.c 
	                 dhcpleased.h engine.c engine.h frontend.c 
	                 frontend.h log.c log.h 
	usr.sbin/dhcpleasectl: Makefile dhcpleasectl.8 dhcpleasectl.c 
	                       parser.c parser.h 

Log message:
Import dhcpleased(8) - a dhcp daemon to acquire IPv4 address leases
from servers.

Read more…

resolvd(8) – daemon to handle nameserver configuration

With the following commit, Florian Obser (florian@) imported resolvd(8), a daemon for handling nameserver configuration:

CVSROOT:	/cvs
Module name:	src
Changes by:	florian@cvs.openbsd.org	2021/02/24 11:10:41

Added files:
	sbin/resolvd   : Makefile resolvd.8 resolvd.c 

Log message:
Import resolvd(8), a daemon to rewrite resolv.conf.
prodding deraadt

Since the initial import, resolvd(8) has seen:

  1. some significant reworking
  2. improvements to the man page
  3. being linked into the build

Read more…

OpenBSD booting multi-user on Apple M1

Mark Kettenis (kettenis@) is teasing OpenBSD booting multi-user on Apple M1 hardware:

So OpenBSD boots multi-user on the new Apple M1 hardware.  This still
has some hacks in it that need to be fixed, so don't expect support
for this in the tree right now.  But a big thank you to those that
contributed to the pool for getting us some hardware.

[…]

See the full post for the dmesg.

Congratulations to all those involved!

Catchup 2021-02-13

Recent noteworthy things committed to -current and not previously reported include:

  • [2021-01-26] Patrick Wildt (patrick@) continues work [with help from Mark Kettenis (kettenis@)] on supporting the Apple M1.
  • [2021-02-06] Solène Rapenne (solene@) blogged about using 2FA with TOTP.
  • [2021-02-08] Stefan Sperling (stsp@) added a RAID1C (raid1 + crypto) softraid(8) discipline.
  • [2021-02-09] Patrick Wildt (patrick@) added lldb(1) (for amd64 and arm64 platforms).
  • [2021-02-09] Jan Klemkov (jan@) removed the maxburst feature from tcp_output.
  • [2021-02-09] Patrick Wildt (patrick@) activated PF_LOCK().
  • [2021-02-10] Vitaliy Makkoveev (mvs@) moved UNIX domain sockets out of the kernel lock.
  • [2021-02-11] Jonathan Gray (jsg@) upgraded libdrm to version 2.4.104, with changes to the relevant devices (see FAQ).
  • [2021-02-12] Otto Moerbeek (otto@) has requested testing/review of a patch enhancing malloc(3) "junking".

All in all, this looks promising for the upcoming OpenBSD 6.9 release!

BREAKING pf(4) change: change route-to so it sends packets to IPs instead of interfaces.

Does your pf configuration have route-to rules? If so, you need to consider the implications of this commit by David Gwynne (dlg@) carefully.

CVSROOT:	/cvs
Module name:	src
Changes by:	dlg@cvs.openbsd.org	2021/01/31 17:31:05

Modified files:
	sbin/pfctl     : parse.y pfctl_parser.c 
	share/man/man5 : pf.conf.5 
	sys/net        : if_pfsync.c pf.c pfvar.h 

Log message:
change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.

This change is intended to make configuration and maintenance easier, but it carries a high risk of breaking existing configurations: rules written against the old interface-based syntax will no longer mean what they did. Read on for the rest of David's commit message, with some background.
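To make the change concrete, here is a small pf.conf(5) fragment written for this item; it is not taken from David's commit or from the manual page, and the interface names and addresses in it are made up. It shows one route-to rule in the form accepted before this commit beside the same rule in the form the new parser expects.

```conf
# Before this change (OpenBSD 6.8 and earlier): route-to named an
# interface, with the next-hop address given in parentheses.
pass out on em0 from 10.0.0.0/24 route-to (em1 192.0.2.1)

# After this change (-current heading for 6.9): route-to takes the
# next-hop IP address, and the kernel's routing table decides which
# interface that address is reached through.
pass out on em0 from 10.0.0.0/24 route-to 192.0.2.1
```

Before loading a ruleset on a system that has this change, run `pfctl -nf /etc/pf.conf` to parse it without loading; rules still in the old form should be rejected there rather than silently doing something different in production.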

Read more…

OpenBSD KDE Status Report

OpenBSD has managed to drop KDE3 and KDE4 in the 6.8 -> 6.9 release cycle. That makes me very happy because it was a big piece of work and long discussions. This of course brings questions: Kde Plasma 5 package missing.

After half a year of work, I managed to successfully update the Qt5 stack to the last LTS version 5.15.2. On the whole, the most work was updating QtWebengine. What a monster! With my CPU power at home, I can build it 1-2 times a day which makes testing a little bit annoying and time intensive.

But today we can be happy about an up-to-date KDE stack in OpenBSD. Currently - at the end of January - our stack is very up-to-date:

  • Qt 5.15.2
  • Qt Creator 4.14.0
  • KDE Frameworks 5.78.0
  • KDE Applications 20.12.1 (Almost everything!)
  • Kdevelop 5.6.1
  • Krita 4.4.2
  • KMyMoney 5.1.1
  • DigiKam 7.1.0

I try to keep KDE Applications 20.12.x stable until the 6.9 release.

Let's move on to the topic of KDE Plasma. The Plasma desktop and some other KDE applications have a strong dependence on Wayland. As long as there is no Wayland under OpenBSD, there will also be no KDE Plasma.

It can be observed that more and more KDE applications already prefer a strong dependency on Wayland. For example Spectacle.

In summary, no OpenBSD Wayland support, no KDE Plasma, and probably less and less KDE applications.

ujoy(4) added to -current

With the following commit, Thomas Frohwein (thfr@) added a joystick/gamecontroller driver to -current:

CVSROOT:	/cvs
Module name:	src
Changes by:	thfr@cvs.openbsd.org	2021/01/22 22:08:36

Modified files:
	etc            : MAKEDEV.common 
	etc/etc.alpha  : MAKEDEV.md 
	etc/etc.amd64  : MAKEDEV.md 
[…]
	sys/dev/usb    : files.usb uhid.c uhid.h 
	sys/sys        : conf.h 
Added files:
	share/man/man4 : ujoy.4 
	sys/dev/usb    : ujoy.c 

Log message:
introduce ujoy(4), a restricted subset of uhid(4) for gamecontrollers.
This includes ujoy_hid_is_collection() to work around limitations of
hid_is_collection() until this can be combined without fallout.

input, testing with 8bitdo controller, and ok brynet@
PS4 controller testing, fix for hid_is_collection, and ok mglocker@

Read more…