Verifying Build Artifacts

The HardenedBSD build artifacts are signed with an SSH key. SSH keys are used so that artifacts can be validated using only tools included in the base operating system.

First, download the SSH public key:

$ fetch

Then download the build artifact. For purposes of this documentation, the
compressed memstick installation image for HardenedBSD 14-STABLE will be used.

$ fetch
$ fetch

Next, generate an `allowed_signers` file which contains the SSH public key:

$ echo "hbsd-os-build-01 $(cat" > allowed_signers

Now the signature file can be verified:

$ ssh-keygen -Y verify -f allowed_signers -I hbsd-os-build-01 -n file -s memstick.img.xz.sig < memstick.img.xz

HardenedBSD installers

git git clone --single-branch --branch hardened/current/master hardenedbsd-current
git git clone --single-branch --branch hardened/14-stable/master hardenedbsd-14-stable
git git clone --single-branch --branch hardened/13-stable/master hardenedbsd-13-stable
git git clone --single-branch --branch hardenedbsd/main /usr/ports/
tar.gz fetch -o hardenedbsd-ports.tar.gz ''
zip fetch -o ''

HardenedBSD June 2024 Status Report

This status report covers the last few days of May along with June. At the tail end of May, I spoke at BSDCan about HardenedBSD. The video recording has been posted. Note that some of the audio recording equipment experienced some issues during the presentation, so there's a few missing minutes at around the 17:05 mark. I'm grateful for the opportunity to speak and for everyone who worked behind-the-scenes to make that a possibility. The presentation slides can be found at in our GitLab.

While the source tree was relatively quiet this month, the ports tree saw a lot of work:

  1. New ports for the Radicle project. The ports use the codename of the core Radicle repo known as heartwood:
    • net-p2p/heartwood-cli
    • net-p2p/heartwood-httpd
    • net-p2p/heartwood-node
    • net-p2p/heartwood-remote-helper
    • net-p2p/heartwood-tools
    • net-p2p/heartwood (metaport that installs all the above).
  2. First-time patch submitter Fabien Amelinck of the VultureOS project fixed the build of the hardenedbsd/secadm port
  3. Fabien Amelinck fixed an ignore condition in the kmod framework (
  4. Fabien Amelinck fixed the build of the OpenJDK-related ports
  5. A new port was introduced: sysutils/vm-bhyve-hbsd. This is a soft fork of the vm-bhyve project. The aim is to import a few pull requests/patches from the community, starting with p9fs support.
  6. The security/keepassxc port was taught the concept of flavors, with the lite flavor disabling certain features: AUTOTYPE, BROWSER, FDOSECRETS, KEESHARE, NETWORKING, and SSHAGENT. Of course, the default flavor keeps the default options enabld.
  7. 0x1eef added a new port: hardenedbsd/sourcezap, which can help manage a local copy of the HardenedBSD source tree.

The HardenedBSD Foundation has the following update:

The HardenedBSD Foundation is now available as a listed charity at Fidelity Charitable.

A new PO Box was established in Colorado. This is our new shipping/mailing address:

The HardenedBSD Foundation
PO Box 31063
Colorado Springs, CO 80931

If you decide to send anything to our PO Box, please let us know beforehand so we know to expect a delivery. The HardenedBSD Foundation's email address is:

HardenedBSD May 2024 Status Report

May 2024 was pretty quiet overall.

In FreeBSD land, The FreeBSD Foundation and Stormshield both sponsored a port of NetBSD's _FORTIFY_SOURCE implementation. Within twenty-four hours, we set _FORTIFY_SOURCE to 2 for the entirety of the base userland and the ports tree. June will see the first 15-CURRENT/amd64 package build with _FORTIFY_SOURCE=2 set by default. I'm sure there will be a lot of fallout to address in ports.

I'm making final preparations to give the HardenedBSD talk at BSDCan. That is the reason I'm writing this status report early. I will post my slides after the conclusion of my presentation.

In ports:

  1. 0x1eef updated hardenedbsd/portzap to v0.12.0
  2. Shawn disabled fortify source on a few select ports:
    • lang/gcc10
    • lang/gcc11
    • lang/gcc12
    • lang/gcc13
    • multimedia/libv4l
    • devel/libepoll-shim
  3. ports-mgmt/poudriere-hbsd was updated to 3.4.1.
  4. sysutils/cpu-microcode-intel build was fixed.
  5. ports-mgmt/pkg was updated to 1.21.3

HardenedBSD April 2024 Status Report

April was relatively quiet. In src, the only change was to mitigate the LESSOPEN vulnerability (CVE-2024-32487). I spent a little bit of time studying the dance between the CSU, libc, the RTLD, and libthr.

In ports:

  1. ports-mgmt/poudriere-hbsd build is fixed
  2. 0x1eef contributed a new port: hardenedbsd/portzap
  3. ports-mgmt/pkg was updated to 1.21.2
  4. graphics/waffle is now built as a PIE
  5. net/td-system-tools build is fixed

We collaborated with the Radicle project. I have some local patches that allow Radicle to compile on FreeBSD/HardenedBSD. I need to clean up those patches so they're upstream-worthy. We helped deploy a test seed node in my fully Tor-ified home network, exposing the node as a Tor Onion Service endpoint.

I'm hoping that in the long term, we will be able to switch from GitLab to Radicle for hosting our repositories. We made an attempt to provide src and ports over Radicle, but the repos are a little bit too large for Radicle to handle at the moment. We will continue working with the Radicle team to help support larger repositories.

HardenedBSD March 2024 Status Report

What a busy month it has been! And not just for HardenedBSD, but for the rest of the security and IT industries as we work through the xz backdoor (CVE-2024-3094).

In src, the hbsdcontrol utility, and the library implementing the core logic (libhbsdcontrol) were rewritten from the ground up. While the implementation is now feature complete, there is still a bit of work to be done. Chiefly, rewriting the manual pages. After the documentation is updated, I plan to also integrate libucl support, to support JSON output and perhaps also support applying rules specified by a configuration file.

In ports, www/firefox was fixed and the minimum llvm version number was bumped for devel/boost.

Updates were applied across the entire infrastructure. A new build of hbsdfw (a HardenedBSD-basd fork of OPNsense) was deployed. This build has some issues, so I would recommend others not to deploy it, though it works fine enough for us to keep this current build deployed.

Here's what to look for in April:

  1. Continued work on {,lib}hbsdcontrol.
  2. I'm hoping to study more the dance between the CSU, libc, libthr, and the RTLD.
  3. More work on libhijack, perhaps a new shim library that gets injected to help aid further process injection work.

And, lastly:

$ fetch -q -o - | jq -r .created_at

Happy birthday, HardenedBSD! May the next decade be as impactful as the previous.

HardenedBSD Unaffected By CVE-2024-3094 (Backdoor in xz/lzma 5.6.0/5.6.1)

A backdoor targeting amd64 linux glibc based systems was recently found in the xz project. The versions of xz impacted are 5.6.0 and 5.6.1.

Neither FreeBSD nor HardenedBSD are directly affected by this issue. However, I suspect that those running an amd64 linux glibc jail on FreeBSD (or HardenedBSD) have the potential to be affected.

Note that the linux.ko and linux64.ko kernel modules are tagged as insecure/untrustworthy by default in HardenedBSD. Those wishing to deploy a Linux environment on HardenedBSD must explicitly enable the Linux syscall translation kernel modules (linux.ko and linux64.ko).

HardenedBSD February 2024 Status Report

I spent most of February getting 15-CURRENT working again. FreeBSD introduced a new library, libsys, which is where the userland side of performing syscalls is implemented. There's an intricate dance between libsys, libc, libthr, and the CSU. I spent some time learning about that dance, and I still feel like there's more to learn.

HardenedBSD 15-CURRENT is mostly fixed. Prior to the libsys change, we built libc with Link-Time Optimizations (LTO). Building libc with LTO was part of the problem, though not the only issue. Once all the issues are resolved, I will re-enable LTO for libc.

FreeBSD also introduced a new pam_xdg(8) PAM module. This module had a few vulnerabilities, which are fixed in HardenedBSD. The two NULL deref bugs are fixed in FreeBSD now, too. The filesystem race condition and recursion limit issues are somewhat mitigated in HardenedBSD, but not completely.

HardenedBSD now has two VisionFive StarFive2 64-bit RISCV SBCs. I spent a little bit of time toying around with them. The kernel boots to the mountroot prompt. I've been wanting to learn hardware hacking, including writing drivers, so these little SBCs might be great for that.

In ports:

  1. the u-boot ports are fixed
  2. dns/unbound was updated to 1.19.1
  3. the net/vnstat port was fixed
  4. graphics/mupdf is now built as a PIE with SafeStack enabled
  5. The secadm ports were updated

Looking forward into March: I'm hoping to close two gaps of knowledge: the dance mentioned above and I'd like to return to jemalloc hardening. I plan to also do some infrastructure maintenance--routine updates.

HardenedBSD January 2024 Status Report

Happy new year! January saw a few changes in the src repository:

  1. Update some internal netlink(4) functions to use an unsigned integer for buffer size.
  2. The NETLINK option is now effectively required by our upstream FreeBSD. I would encourage the community to study its code for potential issues.
  3. The sysctl knobs vm.objects and vm.swap_objects are now only made available to privileged unjailed processes.
  4. A new sysctl node is introduced that disables new USB device connections: hardening.pax.prohibit_new_usb. Possible values to set it to:
    • 0: disabled
    • 1: enabled
    • 2: enabled without possibility to disable without incurring a reboot

    It would be cool to see a new option: 3, enforce a USB device allowlist. I would like to delegate that to anyone who wants to volunteer to do that work. :-)

In ports:

  1. An unneeded patch for dns/c-ares was remooved now that the port has been updated by upstream
  2. Fix build of devel/ivykis
  3. Bump default llvm ports version to 17

In the infrastructure:

As detailed in this announcement, HardenedBSD will slow its OS/update build cadence from bi-weekly to monthly.

The issue plaguing git clone https://... of src or ports has been resolved! Major thanks to h3artbl33d for helping resolve this issue.

Change in Build Cadence

Building packages takes quite a while, especially for 14-STABLE. The last package build for that branch took 371 hours, around 15-ish days. We currently build installer images and base OS updates every 14 days. This means that the 14-STABLE package builds will always be at least one build behind.

So, we need to slow the cadence of our installer image and base OS update builds. Instead of building installer images and base OS updates bi-weekly, we will move to monthly builds.

This will allow us to, at the start of every month, perform a clean package build. After that initial clean package build completes and is synced, we can then perform incremental package builds for the remainder of the month.

There are still a few potential issues with this. Sometimes, a port gets updated that 20,000+ other ports depend on, effectively meaning that we're doing a clean build even though an incremental build was requested.

If an incremental package build is unable to complete by the time the 1st day of the next month comes around, we will cancel that build in favor of starting the clean build on the 1st.

Slowing the frequency to monthly for the installers and base OS updates also opens up new opportunities for the community to explore. For example, we would welcome generation of .torrent files. Who knows, maybe we could help perform the initial seeding. :-)

These changes will take place on 01 Feb 2024.


Subscribe to HardenedBSD RSS