HardenedBSD December 2024 Status Report

December was a delightfully relatively busy month for HardenedBSD. I started research on mitigating SROP due to a discussion with one of the Syd Linux developers. While I don't have an implementation just yet, I've started research on that.

I created a private fork of the HardenedBSD src tree meant for collaborating with Aymeric Wibo on completing the BATMAN-adv mesh networking support. The idea here is to use the private fork to first separate the GPL bits into ports entries. The bits of code that land in the public src tree will NOT be GPL.

Notable changes in the src tree:

  1. There was a regression in how we apply ASLR to mmap(MAP_STACK) mappings. The delta was improperly computed but is now fixed.
  2. Default to PIE on all architectures.
  3. fusefs(4) is now compiled with -ftrivial-auto-var-init=zero.
  4. syslogd will no longer accept remote connections by default. Please note that this could impact users' environments. Deployments that need to accept remote connections will need to be modified. Please reference commit 50ed55c154b79f41fadd4b77ede9c202b83435b5 for more information.
  5. Enable use of -fzero-call-used-regs=used across (nearly) the entirety of base userland. The only component in base userland that has this feature disabled is the bootloader.

Notable changes in the ports tree:

  1. PaX PAGEEXEC is disabled for www/firefox.
  2. Default LLVM version is bumped to 19, matching llvm in base.
  3. _FORTIFY_SOURCE was disabled for:
    1. x11-wm/sway
    2. x11/swaybg
    3. x11/swaylock
  4. net-p2p/heartwood-httpd was bumped.
  5. Ports built with llvm-from-ports version 17, 18, and 19 will have -ftrivial-auto-var-init=zero enabled by default.
  6. The build of devel/electron32 was fixed by using the default llvm version.
  7. net-p2p/heartwood was bumped to 1.1.0.
  8. Fix ranlib version detection.
  9. security/libhijack version was bumped.
  10. Apply -fzero-call-used-regs=all by default across the entire ports tree (new hardening option: ZEROREG).
  11. Disable register zeroing for:
    1. archivers/libdeflate
    2. databases/mongodb80
    3. devel/highway
    4. devel/qt6-base
    5. devel/wasi-compiler-rt
    6. devel/wasi-libcxx
    7. editors/libreoffice
    8. graphics/libjxl
    9. graphics/openjph
    10. lang/go-devel (applies to golang universally)
    11. multimedia/svt-av1
    12. multimedia/vmaf
    13. security/libsodium
    14. www/node20
    15. www/node22
  12. sysutils/vm-bhyve-hbsd version was bumped.

Please note that there likely is a lot of fallout to address regarding register zeroing in ports. The next few package builds for both 14-STABLE and 15-CURRENT will likely have a few packages missing. I plan to address those broken ports/packages as soon as I find out they're broken. Please be patient as we address the breakages.

I plan to apply updates across the entire HardenedBSD development infrastructure on Saturday, 04 Jan 2025. I will keep everyone informed as to when the maintenance period begins and ends. The package builds will commence immediately after the infrastructure is back online.

Happy New Year! I hope 2025 treats everyone well. I'm excited to see the mesh networking work progress. I believe we will see an ever increasing need for the deployment of these types of networks.

The HardenedBSD Foundation and the community are immensely grateful for the contributions made in 2024. This project could not survive if not for the gracious contributions that come in all their forms: monetary, patch submissions, advocacy, documentation, and otherwise. We look forward to a bright and productive 2025.