HardenedBSD-stable amd64 installers

11-STABLE
git git clone --single-branch --branch hardened/11-stable/master https://github.com/hardenedbsd/hardenedbsd-stable/ hardenedbsd-11-stable
installers http://installer.hardenedbsd.org/hardened_11_stable_master-LAST/
PORTS
git git clone --single-branch --branch master https://github.com/hardenedbsd/hardenedbsd-ports/ /usr/ports/
tar.gz fetch -o hardenedbsd-ports.tar.gz 'https://github.com/HardenedBSD/hardenedbsd-ports/archive/master.tar.gz'
zip fetch --no-verify-peer -o hardenedbsd-ports.zip 'https://github.com/HardenedBSD/hardenedbsd-ports/archive/master.zip'

Preliminary Call-For-Testing: Cross-DSO CFI

Over the past year, HardenedBSD has been hard at work in integrating the Cross-DSO CFI implementation in llvm. We have reached a point where we can release an early (pre-alpha) public Call For Testing (CFT) of this work.

For reasons which will be described below, we recommend this CFT be used by those using root-on-ZFS with boot environments. We recommend testing in a dedicated boot environment.

This initial round of testing is best suited for development server installations. Production servers and desktops/laptops are not advised for testing at this time. We're looking for feedback on what works and doesn't work.

Introduction

Control Flow Integrity, or CFI, is an exploit mitigation that aims to make it harder for an attacker to hijack the control flow of an executable image. llvm's CFI implementation provides forward-edge protection, meaning it protects call sites and non-return code branches. llvm includes basic and incomplete backward-edge protection via SafeStack.

CFI in llvm consists of two flavors:

1. Non-Cross-DSO CFI
2. Cross-DSO CFI

For over a year now, HardenedBSD has adopted non-Cross-DSO CFI in 12-CURRENT/amd64. Support for non-Cross-DSO CFI was added for 12-CURRENT/arm64 on 01 July 2018. Non-Cross-DSO CFI applies CFI to the applications themselves, but not on the shared objects they depend on. Cross-DSO CFI applies CFI to both applications and shared objects, enforcing CFI across shared object boundaries.

When an application or shared object is compiled, its source files typically get compiled first to intermediate object files. Enabling Cross-DSO CFI requires compiling and linking both static and shared libraries with Link Time Optimization (LTO). When LTO is enabled, these object files are no longer ELF object files, but rather LLVM IR bitcode object files.

Linking applications that have been compiled with LTO generally only requires ld.lld as the linker. Linking libraries that have been compiled with LTO requires switching certain compiler toolchain components to ones that understand LLVM IR bitcode. To prepare for Cross-DSO CFI, we switched ar, ranlib, nm, and objdump to their respective llvm compiler toolchain components. This gives us the ability to use LTO across-the-board for the HardenedBSD userland, with a few exceptions.

Note that because Cross-DSO CFI requires storing metadata regarding the shared library boundaries at runtime, Cross-DSO CFI requires ASLR and PaX NOEXEC at a minimum to be effective. If an attacker knows the address of the metadata pages, the attacker can first perform data-only attacks for later code execution/code reuse attacks. Similarily, if an attacker is able to mark non-executable, yet writable, pages as executable while still obeying CFI, (example: JIT compiled code) the attacker can still gain perform execution/code reuse attacks.

Known Issues And Limitations

There are a few known issues. Before we dive into the testing procedure, I would like to talk a bit about known regressions. Note that this list of known issues essentially also constitutes a "work-in-progress" and every known issue will be fixed prior to the
official launch of Cross-DSO CFI.

It seems llvm does not like statically compiling applications with LTO that have a mixture of C and C++ code. /sbin/devd is one of these applications. As such, when Cross-DSO CFI is enabled, devd is compiled as a Position-Independent Executable (PIE). Doing this breaks UFS systems where /usr is on a separate partition. We are currently looking into solving this issue to allow devd to be statically compiled again.

NO_SHARED is now unset in the tools build stage (aka, bootstrap-tools, cross-tools). This is related to the static compilation issue above. Unsetting NO_SHARED for to tools build stage is only a band-aid until we can resolve static compliation with LTO.

One goal of our Cross-DSO CFI integration work is to be able to support the cfi-icall scheme when dlopen(3) and dlsym(3)/dlfunc(3) is used. This means the runtime linker (RTLD), must be enhanced to know and care about the CFI runtime. This enhancement is not currently implemented, but is planned.

When Cross-DSO CFI is enabled, SafeStack is disabled. This is because compiling with Cross-DSO CFI brings in a second copy of the sanitizer runtime, violating the One Definition Rule (ODR). Resolving this issue should be straightforward: Unify the sanitizer runtime into a single common library that both Cross-DSO CFI and SafeStack can link against.

As of 07 Jun 2018, libpmc and friends are receiving a lot of code churn in upstream FreeBSD. The jevents application in lib/libpmc/pmu-events is used as a build tool to generate code. Enabling Cross-DSO CFI disables building PMC-related tools (libpmc and friends) due to the jevents application segfaulting during the build process.

When the installed world has Cross-DSO CFI enabled, performing a buildworld with Cross-DSO CFI disabled fails. This is somewhat related to the static compilation issue described above.

Linking with Cross-DSO CFI can cause lld to use an extremely large amount of memory. For each parallel build job, budget around 15GB of memory for the linker.

Due to the issues discussed above, this CFT is applicable to users who either use ZFS or where /usr is contained within the root filesystem.

Procedure For Testing

Use git to clone locally the HardenedBSD Playground repo. The instructions below assume using /usr/src as the location for the source tree. It also blows away your existing source tree, if it exists. If you want to keep your existing source tree, feel free to
modify the steps below to your liking.

Due to the complexity of building Cross-DSO CFI, the buildworld step must be completed twice: once without Cross-DSO CFI and a second time with. The non-Cross-DSO CFI world must be installed prior to performing the second build. As noted above, we will work to ensure this doesn't need to happen later.

These instructions make the following assumptions:

1. The root filesystem is on ZFS, with the proper layout for ZFS Boot Environments.
2. The beadm package is installed.
3. The existing installation is running 12-CURRENT on amd64.


# cd /usr
# rm -rf src
# git clone https://github.com/HardenedBSD/hardenedBSD-playground.git \
src
# cd src
# git checkout -b hardened/current/cross-dso-cfi \
origin/hardened/current/cross-dso-cfi
# make -sj$(sysctl -n hw.ncpu) buildworld buildkernel
# beadm create cfi-01
# beadm mount cfi-01 /tmp/newbe
# make -s installworld installkernel DESTDIR=/tmp/newbe
# mergemaster -iFUD /tmp/newbe
# beadm umount cfi-01
# beadm activate cfi-01
# shutdown -r now

Binary Updates

We will provide binary updates in base for the hardened/current/cross-dso-cfi feature branch on amd64 until this work gets merged into hardened/current/master. Take a look at Appendix A for a sample hbsd-update.conf configuration file for the Cross-DSO CFI work.

Future Work

We're not done, yet! There's still plenty of work to do. Of upmost importance is fixing static compilation with LTO enabled. Without it, statically-linked applications will crash. devd can go back to being a statically-linked application and users with /usr on a separate non-ZFS filesystem will be able to take advantage of Cross-DSO CFI.

Secondly, we need to re-integrate SafeStack, giving us backward-edge protections once again.

Third up is integration with the RTLD. Without it, we still need to disable the cfi-icall scheme for applications that make use of dlopen(3)+dlsym(3)/dlfunc(3).

Given that we're in uncharted territory, we will likely find other issues. We will keep the community updated and informed. Once all issues have been resolved, we will work on integration with ports.

We need to ensure buildworld works with the various CFI (MK_CFI and MK_CROSS_DSO_CFI) options toggled, regardless of installed world state.

Given the tremendous memory requirements, HardenedBSD may not be able to apply Cross-DSO CFI across the entire package repository. The current amd64 package building system is a dual Xeon system with eight cores per CPU (sixteen cores total), 192GB RAM, and 64GB swap. Without Cross-DSO CFI, building the package repo for amd64 takes around 82 hours to complete using all sixteen cores. With Cross-DSO CFI enabled, the package build server eventually runs out of swap using only eight of the sixteen cores.

Though we plan to support Cross-DSO CFI in arm64, amd64 will be the primary development platform until the major issues are worked out. The sanitizer framework needs to be updated to take FreeBSD/HardenedBSD into account on arm64. As of 14 July 2018, the llvm sanitizer framework does not support FreeBSD/arm64. With time, we plan to change that.

HardenedBSD may very well be the first UNIX-like operating system with full Cross-DSO CFI integration across its entire base operating system userland.

Appendix A - hbsd-update.conf

# hbsd-update.conf
# Configuration settings for hbsd-update.
# This file is read in through a /bin/sh shell and uses that syntax.

# dnsrec:
# DNS TXT record to use when looking up the version info for the
# latest update.
#
# This record name seems redundant, but it provides the following
# information:
#     1) architecture
#     2) branch (hardened/current/master) in reverse form
#     3) repo (hardenedbsd)
dnsrec="$(uname -m).cross-dso-cfi.current.hardened.hardenedbsd-playground.updates.hardenedbsd.org"

# kernel:
# Which kernel to install.
# By default, this is intelligently detected by parsing `uname -v`
# output.
#kernel="HARDENEDBSD"

# capath:
# Location of the trusted root certificate store.
capath="/usr/share/keys/hbsd-update/trusted"

# branch:
# Which branch/tag we are pointing to. This option is only used in
# this file for the baseurl option below.
branch="hardened/current/cross-dso-cfi"

# baseurl:
# Where to get the update from.
baseurl="http://updates.hardenedbsd.org/pub/HardenedBSD-playground/updates/${branch}/$(uname -m)"

# dnssec:
# Use DNSSEC for validating the DNS TXT record. Default: yes
#dnssec="no"

Mid-July HardenedBSD Foundation Status

On 09 July 2018, the HardenedBSD Foundation Board of Directors held the kick-off meeting to start organizing the Foundation. The following people attended the kick-off meeting:

1. Shawn Webb (in person)
2. George Saylor (in person)
3. Ben Welch (in person)
4. Virginia Suydan (in person)
5. Ben La Monica (phone)
6. Dean Freeman (phone)
7. Christian Severt (phone)

We discussed the very first steps that need to be taken to organize the HardenedBSD Foundation as a 501(c)(3) not-for-profit organization in the US. We determined we could file a 1023EZ instead of the full-blown 1023. This will help speed the process up drastically.

The steps are laid out as follows:

  1. Register a Post Office Box (PO Box) (completed on 10 Jul 2018).
  2. Register The HardenedBSD Foundation as a tax-exempt nonstock corporation in the state of Maryland (started on 10 Jul 2018, submitted on 18 Jul 2018).
  3. Obtain a federal tax ID.
  4. Close the current bank account and create a new one using the federal tax ID.
  5. File the 1023EZ paperwork with the federal government.
  6. Hire an attorney to help draft the organization bylaws.

Each of the steps must be done serially and in order.

We added Christian Severt, who is on Emerald Onion's Board of Directors, to the HardenedBSD Foundation Board of Directors as an advisor. He was foundational in getting Emerald Onion their 501(c)(3) tax-exempt, not-for-profit status and has really good insight. Additionally, he's going to help HardenedBSD coordinate hosting services, figuring out the best deals for us.

We promoted George Saylor to Vice President and changed Shawn Webb's title to President and Director. This is to help resolve potential concerns both the state and federal agencies might have with an organization having only a single President role.

We hope to be granted our 501(c)(3) status before the end of the year, though that may be subject to change. We are excited for the formation of the HardenedBSD Foundation, which will open up new opportunities not otherwise available to HardenedBSD.

Stable release: HardenedBSD-stable 11-STABLE v1100056

HardenedBSD-11-STABLE-v1100056 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r335558: Add support for selectively enabling LLVM targets (62b732f45dfe86a663fb78aec3e30ba28d0485c8)
  • HBSD: Switch back to OpenSSL as the default crypto lib (1087d59e45072059e2d20ac2dea1801d995c9a2d)
  • MFC r335569: pf: Support "return" statements in passing rules when they fail. (9e4899f2d2193db78e985cc427fcfb870a20e40a)
  • MFC r335641: Fix a stack overflow in mount_smbfs when hostname is too long. (0b39c762ec1d16fa2bca8a386d2e1af10e106a5e) [FreeBSD-SA-Candidate]
  • MFC r333059 (by tychon): Expand the checks for UCR3 == PMAP_NO_CR3 to enable processes to be excluded from PTI. (bad2d0f8e14dbc917f3ccbeb0adee1e045a63ae5)
  • loader updates
  • bhyve updates
  • libpcap updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056-amd64-bootonly.iso) = 1df1060cea47345ddaa4be6a93de16f5443a5e4b299e58aa89aaa5c9af16251d80cdd76f4b7a083686b78e3cafbf361c69b844fb6b75ca7919f969cbffe769ad
SHA512 (HardenedBSD-11-STABLE-v1100056-amd64-disc1.iso) = 78281285ea05b4adeb1933c50e780054419edd6aabccd350df6304a06b9fca02ea39863a2a1edaa9d615ff8c2cf78e63e2fc0f254adab4da8f3f7ed618ee52c2
SHA512 (HardenedBSD-11-STABLE-v1100056-amd64-memstick.img) = 0000bcab6e06421c7fdf0054cd13ecc339f8dc894082fe3a6f0d7b5039b7313fa14f14ee1db1d84ad5b7ad6679c1bd53438d52ebb819a67786d8e29c09d956e1
SHA512 (HardenedBSD-11-STABLE-v1100056-amd64-mini-memstick.img) = 08066dc2de7e19a7535188fe30d79bf7bd78c6fc877001a75d562b5e1ace2fb31a7e429cf6022d13e15e4d0a4cefa6b9ba8787725ad545e8aa32020193503338

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAls8Mr0ACgkQgZsRom/9
GI0WzxAA0uatTUXE+5ukll9Ehvnkd077UoS0hUhVoYw/OuPt/zm4RQH3q/ADWlaM
Fbm2yPPU/JHBISg6cE9HSDCu//dMe+9MS8Jx1GuoTihRBwQ3/9skIYeUeNIiOixf
55y13PHBHlLoXKnEuGJEbBUAFr4a5cltl3Uqbtla2ltFXsBE0tEAuZw/f4DbsvIB
TekXruGiuOzypLT/B2SMVTA0a9JwQ8S3A7avvUU+jpuvJcibb7ZMEvMmzpnuuBdd
QGsvanXRXMrB7o17PQSjGwtShpPuFER3ZKQ06FwT5h4mvk+oN8TkmEZrZfzNngD4
qLhuXf+4xe+VJyDBV+daHumwrvnFph50MB+jqkTHUmXOOZQmDXIyW6GIx7MjW8en
jfPzrD21W/LGr5ntKAggETOPN/h3sUl5Ukd3ZZhwNrouaT8Locl4wF4UXVtKFjgK
Z73ty+S1q9xIJm53tfH0qQSdf9ZmcTJZPy4yv28btjnznkF52UbAL4poP1OTH64p
xIjR7erdN2y7KxIcU/8zaYpBIHNYlFppSX6CGK6gvLK1XiUky03lnquX26oM+9Jv
bsWswNJRUsZ4hQtYqXT0LihGh7M+niY9xxbDlaXjZ+L/ie40RF4SdPhcnp56WBc8
eChcSRM0dzNYQYWOkUUqX41hL5IiLySurD+GgTBIOB16kIGabfQ=
=HMQk
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100055.5

HardenedBSD-11-STABLE-v1100055.5 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r333321,r333707: x86 cpususpend_handler: call wbinvd after setting suspend state bits (84c8399a4cb4fb3e5f4c52c6791696098c94fe02)
  • Set stable/11 from -PRERELEASE back to -STABLE. (745cc87c07b5ba623d4628dcddfccd2e605a2c99)
  • MFC r335171: Handle the race between fork/vm_object_split() and faults. (0556a47cc533046623b230de57af8e395f703425)
  • MFC r332994 (by tychon): Handle potential alignment adjustment of the exception frame by hardware. (6c5aa909303a2fc05289f82bf35b95e1fa770c78)
  • MFC r334876: pf: Fix deadlock with route-to (a0ce5787a02b7b00f6c2b509f5641b3fa078652e)
  • MFC r335131 Remove printf() in #NM handler. (2df766da5ab1577d0f8f348da0ce0dd7d1ad4f12) [CVE-2018-3665]
  • LinuxKPI updates
  • sysrc updates
  • nvme updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100055.5-amd64-bootonly.iso) = a4c4d44d2e6f8c9c17682035a0889b3185f8655cc37c23cdbe9b3fc74660585cd528c87ff71abf45d1f622b4eeceeeb99b5b8bbb95a72dd56062d21edf0ecebc
SHA512 (HardenedBSD-11-STABLE-v1100055.5-amd64-disc1.iso) = e802080c1931d009cffe11e5ed7a162a7ad1dc1e8f644d7fe395b8a90d95f18d157b7d3cc5e5e0a0d3a54460202974233bce4c1d93376330822a81b5446b212e
SHA512 (HardenedBSD-11-STABLE-v1100055.5-amd64-memstick.img) = b87544414fc178df8dff82a110fda18dfe810be0d0c395ffd19b669c0210a7c6f952d0da2b843c915dc43d6fb3e8859c79d658fd1b12ad45c288d87f4064a202
SHA512 (HardenedBSD-11-STABLE-v1100055.5-amd64-mini-memstick.img) = 772dc30b5c8156012f0309fc092b6557a27eca3ff1356f7aa9c9f3b1b6a141d72579a409bb17e5d93f69ad85cd2b73ff186f8b16392534bce5901f3a23f6346d

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlstoZQACgkQgZsRom/9
GI1F9RAA2cZgO7LJohMFMQd53+X1Lgb/RebZotSc1xV9+AFo+2Mg4QLUz4VY82pj
lt2PRGbHsjXeNOI3eCIHJlUGlwdKV+ym1MXd61WwpJm7bCAfwF1GNgUQutrufsMK
rcEOKVDXBieXyAss59cR3GXbLn2sJDn2F1ZW0omNCY8vaZzdFaKyew0lxhklAgv5
YG/lWzC2n7sdlgtipeUbo3em1TiCjcMQcrOfJqRHQ1P1deAm9Pbc04USuIYxEhiK
KXhquEM3VsKXglDM0+EsLUy/TLjsy5cJrSta7kKAOP3heaFAu6YBYPcwDi51yyQA
rDCn52vwOtuW+xggB+NogvNrSEH60UtD0jN0TAmOVQlWO40D6jh+8Aag+CgidoMO
HIg1Cv5aC70t0kjqj8Ru0nhaM2NYgpA5IR1ci3WHQtweHy1hyEqHvEp8F2DXQWIL
x7jCO9JHV0wZwaXe8PMlLs3ippaKKpUpeu/zga14TiKtUu42ZZ4XXB5OS6RQVJ/2
mqH2sh7CwoqDKtZSQDR+E3NZq2yWGnXJcAQkYCW72XzfV3qeWxWn3cgFXBt7fdjh
FuLCbReTyaiFixbyJGnFihN/42j3qaRsIh2SZQMW1HVDTo0JjuBayRSUicSUWzdQ
Jor6S6cU5Pi9gSn1rV9HxPUu3ujU00MOHxk3BVcRL1HTZnggaDY=
=3a89
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100055.4

HardenedBSD-11-STABLE-v1100055.4 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r335072: Enable eager FPU context switch by default on amd64. (dee6710f89d54744c1d97a4088c547b6541dbb0e) [FreeBSD-SA-Candidate CVE-2018-3665)
  • MFC r334038: Enable IBRS when entering an interrupt handler from usermode. (2de20d5b1b0faaf2c7dcb503515af88bfb5aae90) [FreeBSD-SA-Candidate]
  • MFC r334004: Add Intel Spec Store Bypass Disable control. (425d57954121d3b228a3f7aa395e9bc8d2929214) [FreeBSD-SA-Candidate CVE-2018-3639]
  • MFC syslog from master (667052415ebdbade0cd55a3c66b7902227a78760)
  • MFC r334091: md5: perform compare case-insenstive (bc94720a7e512e88c6235155019d5f7c5972ab41)
  • MFC: r333580 Fix a slow leak of session structures in the NFSv4.1 server. (4a4ab2a82843ba496b969eb11f32aeb2f09c2c63)
  • MFC r333783: MFV r333779: xz 5.2.4. (e303059a606066e6076cca385aedac5958b17f34)
  • MFC r334068 (phil): Import libxo-0.9.0 (3549c1ab7a2950f9e8cd373af83fa0a4c6fb8903)
  • MFC Lock primitive updates (8b9af5c67de5a51974b9d4bc7570e0b9700c4fcb)
  • MFC r334050, r334051: Flush caches before initiating a microcode update on Intel CPUs. (cb1c0651a46b4d36bf9eed4a3cdd986aad9c9936)
  • MFC r333892: Fix PCID+PTI pmap operations on Xen/HVM. (a933e7a326f122cb0beb9fdc960f6ab327bf1908)
  • MFC r333228 Implement support for ifuncs in the kernel linker on x86. (0166dfd0a87d24c0280d715e42d03d82610265ad)
  • MFC r333404, r333405: Remove PG_U from the recursive pte for kernel pmap' PML4 page and from the rest of the kernel pmap ptes. (e27432718ce82962556986419ed12b9928d56690)
  • MFC r332504: Set PG_G global mapping bit on the trampoline ptes. (8bba637677bb95dc889605a2dc7b9e5204d2a4a5)
  • MFC r332450: Optimize context switch for PTI on PCID pmap. (3d88b710fd631da86a68457176c459133083e14f)
  • pf updates
  • nat64 updates
  • linuxkpi updates
  • sctp updates
  • nfs updates
  • dwatch updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100055.4-amd64-bootonly.iso) = 55280d25a0da2254c92d9f1a1b9e8c2e6e88acfa17abcb55b363e64bc078f609f549c2670069e532197cd6808ecd81adfb3452ddc116bc6cc5247e7017078af3
SHA512 (HardenedBSD-11-STABLE-v1100055.4-amd64-disc1.iso) = c96086f53c42e3e72d401a9334ff5e258c73ad50190d51a6316c9a00ebb9f141458c0d3a569543ece99e446e5e98a3287faf37f1242d9185141a86fcae704646
SHA512 (HardenedBSD-11-STABLE-v1100055.4-amd64-memstick.img) = 5feb136a3477e9c8932f08742b7d9efaaa482835843311f285c233d6cfb9fdde07a75665333d78cdd2167a618edc31f9ba6fd2fc8147ea5f776adfdd49ba9f9d
SHA512 (HardenedBSD-11-STABLE-v1100055.4-amd64-mini-memstick.img) = 117364b3fbea0c4ad5db900f8f96bd85f47616132950735930117c3bce1e3cee9b284cd7773fcc18a94a42656f2ec87ff18ac3e933cf69aad0025d8f9a3ea972

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIyBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlsh0zkACgkQgZsRom/9
GI3tsQ/48+0KyrmFU9Ccw3gyklMh853LM1Y/eyCihQXlaCFk4o9W76Nzh67+mTF3
txjrCnJBBNJ2laG2EhgzQZnRgBT6Mbmr+VweyBzy4uLwW4Yihm8EIbaVV7hduFdg
jDV6EAKO1hiBD3QzA6cSgCD8E2AfP3uTLmQ6dKAtr0imz0UCB30bHrp7ISufprhg
qnHkritW5/pUw/xVfm2foll1JM5p4QOBPzid2IKYWfvFDdK5lUXJm54eYdAKHtdH
HzR1eetB3/HqyKs1edlMFUar/B8f5pZ7bwo1wWtaa9impJ74y6K8L9zyGH4xtZLF
Yla5wJiioq3QJIxg0USt0bqevH1qLhFHxDtehEbyJMXzq8NTrV+/rSHLj9IkEO+F
6j+OFOpnLiQin5Zvgj+Ks45sgKqCyZDpIvAx+q9M8nzClGXAwpda3U7viEXAkphZ
BT0OZBO3jh+ZsFBm33zR+cH4Yk14HuQ8E9Jd/fObTnnt5+VSxNf0w624qJgiqX7r
h6e3waF2q5EpRzMazmzzzjqFJnf3LzjXcB3bYvqTH8XIsXccHlWTxkgYwNk5Uwvn
EVgTa5G+Hae5zc2u7Mv7J1mszqQOjeiW7AuZYY8zlycZXdqGG/NbHGSZ+evnuF52
8LqhVk9iG+V8c89OrOJjxWBscxWmb5pri0iDO1C+AoFeyeioAQ==
=blBu
-----END PGP SIGNATURE-----

June HardenedBSD Foundation Update

We at HardenedBSD are working towards starting up a 501(c)(3) not-for-profit organization in the USA. Setting up this organization will allow future donations to be tax deductible. We've made progress and would like to share with you the current state of affairs.

We have identified, sent invitations out, and received acceptance letters from seven people who will serve on the HardenedBSD Foundation Board of Directors. You can find their bios below. In the latter half of June 2018 or the beginning half of July 2018, we will meet for the first time as a board and formally begin the process of creating the documentation needed to submit to the local, state, and federal tax services.

Here's a brief introduction to those who will serve on the board:

  1. W. Dean Freeman (Advisor): Dean has ten years of professional experience with deploying and securing Unix and networking systems, including assessing systems security for government certification and assessing the efficacy of security products. He was introduced to Unix via FreeBSD 2.2.8 on an ISP shell account as a teenager. Formerly, he was the Snort port maintainer for FreeBSD while working in the Sourcefire VRT, and has contributed entropy-related patches to the FreeBSD and HardenedBSD projects -- a topic on which he presented at vBSDCon 2017.
  2. Ben La Monica (Advisor): Ben is a Senior Technology Manager of Software Engineering at Morningstar, Inc and has been developing software for over 15 years in a variety of languages. He advocates open source software and enjoys tinkering with electronics and home automation.
  3. George Saylor (Vice President): George is a Technical Directory at G2, Inc. Mr. Saylor has over 28 years of information systems and security experience in a broad range of disciplines. His core focus areas are automation and standards in the event correlation space as well as penetration and exploitoation of computer systems. Mr Saylor was also a co-founder of the OpenSCAP project.
  4. Christian Severt (Advisor): Christian is an information security engineer. He served in the U.S. Navy administering classified Command, Control, Communication, Computers & Intelligence (C4I) systems. Christian also volunteers with the Seattle Privacy Coalition.
  5. Virginia Suydan (Treasury, secretary, and general administrator): Accountant and general administrator for the HardenedBSD Foundation. She has worked with Shawn Webb for tax and accounting purposes for over six years.
  6. Shawn Webb (President and Director): Co-founder of HardenedBSD and all-around infosec wonk. He has worked and played in the infosec industry, doing both offensive and defensive research, for around fifteen years. He loves open source technologies and likes to frustrate the bad guys.
  7. Ben Welch (Advisor): Ben is currently a Security Engineer at G2, Inc. He graduated from Pennsylvania College of Technology with a Bachelors in Information Assurance and Security. Ben likes long walks, beaches, candlelight dinners, and attending various conferences like BSides and ShmooCon.

Stable release: HardenedBSD-stable 11-STABLE v1100055.3

HardenedBSD-11-STABLE-v1100055.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • mfc r333368: prepare db# handler for deferred trigger of watchpoints. (5801fdddeba7acdc937cef898a45653c6af7a131) [cve-2018-8897, freebsd-sa-18:06.debugreg]
  • Turn off IBRS on suspend. (dbda57b58572831fa594ed380c7e5a9b87104694)
  • MFC r333247: Import tzdata 2018e (2beb6fbb124ec882449f77288cac650ffa862ab3)
  • MFC r333234: zfs_ioctl: avoid out-of-bound read (e7e4020489d1cdcbc338e0d6b916ec2beef71205) [FreeBSD-SA-Candidate]
  • MFC r332559: mountd: fix a crash when getgrouplist reports too many groups (e6e3f0e40308826bdaa17640f676d5ce98890a24) [FreeBSD-SA-Candidate]
  • Carefully update stack guard bytes inside __guard_setup(). (1086bca876f4a7d526450143227151e6544d2afb)
  • Correct undesirable interaction between caching of %cr4 in bhyve and invltlb_glob(). (1135b57649ecea7452dbae3245610ce03e6394df)
  • Handle Apollo Lake errata APL31. (6fd5da7f06d3412cef113820f484da4551ee8ab7)
  • Add PROC_PDEATHSIG_SET to procctl interface. (a31a7b88e5e784593cf07c3d8c39e1d68769511f)
  • Fix use of pointer after being set NULL. In NFS. (4223ca8e51c2eda332673d16f0dbf27e533a17a1)
  • Add hybrid ISO/memstick image support (47b459549c41e783f81dc1c71f5f5e1cb3454f50)
  • bnxt updates
  • clang updates
  • e1000 updates
  • hyperv updates
  • iflib updates
  • ixl updates
  • makefs updates
  • mlx5 updates
  • zfs updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100055.3-amd64-bootonly.iso) = e84a88f6909dee4155b6eb70d4471f0c07271f23d1df3c227def32e3e47d5cf78e5bd4c4150c0796ce52c79d61af0915136bf595bf598f898f777af5967e7156
SHA512 (HardenedBSD-11-STABLE-v1100055.3-amd64-disc1.iso) = c3ddf6e6c439b53419442f56773b39e60f75e56cd9f28b4bfccf9623f478d63c307f4851eea75df785058d30f60e981b0c5342c11e1259796a0a0b4c3af0ccd9
SHA512 (HardenedBSD-11-STABLE-v1100055.3-amd64-memstick.img) = 52b1597b74b6f83591ae7a2e678e4129e6ab3cfe07dfa5db8bf6748247c8137853806ea5e6dcb749540874dd35b673e19a9625d07d19d037b50f894ffea442cc
SHA512 (HardenedBSD-11-STABLE-v1100055.3-amd64-mini-memstick.img) = 69c7709b601f5287a1b7a1938d52c8681648175402bc096b5793ba1f8f253b48ca3a019f2e70ad9e32857e812147951eb42c8fb2bec40e098f4ab40d68bfa521

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlryWWcACgkQgZsRom/9
GI1bABAAwJM+ZF9W3DGS2YCsMbNGHXWICmSWrqGO7Wa4B1s2JfhoIHOi4W7rDWfB
cBr++IkTf3bh0g7A38OJ2s8HWpDZ0IEAzl3KSNHtpvKMKJ6uuBeM79mLb5nAxQQM
lrApsfJ6njSu/kvwaKJLu20pZd1g1EqplC9PQ8D+UTDq9wgfDc0m3gaE7jOGc81Z
OIgw12pVg7bIur2EQVWyNpbEvCBQSTf1w9Ce7RZ2w7irGvptlB/AbrVPKLHraZTV
R6pVHUZnJ8KRvu0S5DpO0Gzr+H9gtfWypVs8H2ys1nn38/tZVpUVQC3S+0X3cSX2
kZbX7WPPK6z+XJF0e0V2V/7DuPPHkqkDe9tNkl+lVLDDwYlEIXVwgC9lRJR1+bML
uwY4VEH8Py2mZw7r8up0i1bNtfo2J+NOaJTvE549W+120zSgKrlzlz95p/jhP3Wj
NYyDOV/gPuxDXbpJEbWbA0XECmS+ijAQ61238/WTh9Gas6gAwXI3EVrm8DEYkpqn
Aj11++8Rh7WOEf6N0rWMy0NciZMLix/tcnoaGeABN6XsyieRTvAnrV/nJM+tbtti
5CxcnyVo4VYrh4zpY7hrF14PifM8WIKlN838N7Bkg3CL+xsWgDDcbs86ayY7B4a1
Bi+JZ95N8UIS00jJbRIbYjhcpHAiuwHbk1ZmAPbdMj76RFjMSbo=
=lVsG
-----END PGP SIGNATURE-----

HardenedBSD Switching Back to OpenSSL

Over a year ago, HardenedBSD switched to LibreSSL as the default cryptographic library in base for 12-CURRENT. 11-STABLE followed suit later on. Bernard Spil has done an excellent job at keeping our users up-to-date with the latest security patches from LibreSSL.

After recently updating 12-CURRENT to LibreSSL 2.7.2 from 2.6.4, it has become increasingly clear to us that performing major upgrades requires a team larger than a single person. Upgrading to 2.7.2 caused a lot of fallout in our ports tree. As of 28 Apr 2018, several ports we consider high priority are still broken. As it stands right now, it would take Bernard a significant amount of his spare personal time to fix these issues.

Until we have a multi-person team dedicated to maintaining LibreSSL in base along with the patches required in ports, HardenedBSD will use OpenSSL going forward as the default crypographic library in base. LibreSSL will co-exist with OpenSSL in the source tree, as it does now. However, MK_LIBRESSL will default to "no" instead of the current "yes". Bernard will continue maintaining LibreSSL in base along with addressing the various problematic ports entries.

To provide our users with ample time to plan and perform updates, we will wait a period of two months prior to making the switch. The switch will occur on 01 Jul 2018 and will be performed simultaneously in 12-CURRENT and 11-STABLE. HardenedBSD will archive a copy of the LibreSSL-centric package repositories and binary updates for base for a period of around six months after the switch (expiring the package repos on 01 Jan 2019). This essentially gives our users eight full months for an upgrade path.

As part of the switch back to OpenSSL, the default NTP daemon in base will switch back from OpenNTPd to ISC NTP. Users who have local_openntpd_enable="YES" set in rc.conf will need to switch back to ntpd_enable="YES".

Users who build base from source will want to fully clean their object directories. Any and all packages that link with libcrypto or libssl will need to be rebuilt or reinstalled.

With the community's help, we look forward to the day when we can make the switch back to LibreSSL. We at HardenedBSD believe that providing our users options to rid themselves of software monocultures can better increase security and manage risk.

Pages

Subscribe to HardenedBSD RSS