HardenedBSD October 2022 Status Report

It has been an exciting month for HardenedBSD. First up is an important announcement. I am officially looking for new job opportunities. This is important for the HardenedBSD project since the development and build infrastructure is housed at my (now former) employer's office.

I'm grateful for the two-and-a-half years in which BlackhawkNest has provided the project with free hosting. They have agreed to continue hosting the development/build infrastructure for free until the end of November. BlackhawkNest has been incredibly supportive of the project in many ways and I wish them well in their future endeavors.

HardenedBSD's development and build infrastructure will need to find a new home. Looking at the long term, I would eventually like HardenedBSD to stand independent of my employment. However, we currently lack the funding and will need to continue to rely on my employer until we gain enough sustained funding.

It is my hope that HardenedBSD's development and build infrastructure is transitioned in a timely manner to its new home, wherever that may be, before the end of November 2022. If you would like to help out in the effort to make HardenedBSD's infrastructure stand independent, please donate. We appreciate the community's contributions to the project, regardless of the form those contributions come in (code, advocacy, funding, etc.).

Please note that OS binary updates, package repos, and installer images are hosted elsewhere and will not be interrupted. GitLab and the build systems will be the only systems impacted.

Now, let's get into progress in the project itself!

In src:

  1. Shawn added a new sysctl tunable (hardening.pax.kmod_load_disable) that, when set, disables loading all kernel modules from that point forward. The kld rc script has been updated such that users can specify hbsd_late_kld_prohibit in rc.conf, which will set the sysctl node after loading modules specified in kld_list. This work was sponsored by BlackhawkNest, Inc.
  2. Significant progress has been made on Cross-DSO CFI support. An installable version of HardenedBSD 14-CURRENT with Cross-DSO CFI enabled can now build itself (meaning, `make buildworld buildkernel` works in a fully Cross-DSO CFI'd system.)
    • There's still more work to be done here. On a normal install of HardenedBSD 14-CURRENT, the following command fails when building the compiler toolchain:
      make buildworld WITHOUT_SYSTEM_COMPILER=yes WITHOUT_SYSTEM_LINKER=yes
    • The `ctfmerge` application segfaults when building the kernel. ctfmerge is needed for DTrace support. I plan to disable ctfmerge (thus disabling DTrace) in the Cross-DSO CFI feature branch and circle back around to fixing whatever bugs lie in ctfmerge. I'd rather keep the momentum around Cross-DSO CFI support going.

In ports:

  1. Shawn forked FreeBSD's Poudriere project to support the needs of building packages in HardenedBSD. By default, Poudriere creates a 1GB tmpfs mount for data. HardenedBSD has (slightly) outgrown that, so the size has increased to 2GB to account for future growth.
  2. Shawn disabled CFI for x11-servers/xorg-server
  3. Loic fixed x11-wm/enlightenment
  4. Loic fixed mail/bogofilter
  5. Loic fixed sysutils/pefs-kmod
  6. Loic fixed net-mgmt/netdisco-mibs
  7. Loic fixed x11-toolkits/gtkd
  8. Loic fixed x11-wm/piewm
  9. Loic removed lib32 in emulators/libc6-shim
  10. Shawn bumped the version for hardenedbsd/liblattutil