March was a busy month for the project with regard to the infrastructure. We saw some commits to src and ports, but development was pretty quiet overall. On 12 March 2025, we drastically expanded power capacity in the server room, adding two new 20 amp circuits. The electrician also prepared for an eventual mini-split HVAC unit that we hope to requisition in the next year or two.
Due to the electrical work, we skipped performing package builds for March. We'll resume our regular package building schedule on 01 April 2025.
Years ago, we supported arm64 with HardenedBSD's hardened/current/master branch and provided regular builds and a package repo. We scaled down that support when I switched employers. Back then, the infrastructure was hosted at my employer's mini-datacenter, whereas now it's hosted in my home. Now that we have the power capacity, I worked on powering on one of our two Cavium ThunderX1 servers. The NIC (an Intel NIC that uses the em(4) driver) seems not to be stable in this particular setup. Once we get stable networking, I plan to regain official support for HardenedBSD on arm64.
I worked with the Radicle team (https://radicle.xyz/) to officially start research and development for larger code repositories. Currently, our src and ports repos are too large for Radicle to handle.
In the src tree:
- 0x1eef wrote a periodic(8) script that applies a stricter set of permissions to certain files and directories. Please refer to /etc/mtree/BSD.hardened.dist for which files and directories are applicable.
- The retain option in jemalloc is disabled by default (see malloc.conf(5) for more information about this option). Disabling the retain option increases the entropy applied to the heap and can help mitigate Use-After-Free (UAF) vulnerabilities.
- The IP ID randomization period was increased from 8192 to 32768. This increases the window of the randomized IP ID value, making it slightly more difficult for an attacker.
In the ports tree:
- Register zeroing (ZEROREG) was enabled for net/wireshark.
I'd like to finish this status report with a call for donations. The last major hurdle for us is cooling. A mini-split heat pump HVAC unit is going to be crucial for us this summer as we scale up our infrastructure. We currently use a portable A/C unit, and that seems to be sufficient for now since outdoor temperatures are manageable. However, when summer hits and it's 110F outside, we may have to power off some servers to keep indoor temperatures steady. I have not received any estimates or quotes, but I suspect it will be between $5,000 and $7,000 USD. Donations by those in the US are eligible for tax deduction.
I plan to get us fully supported on LiberaPay over the next month or two. I've set up a profile here: https://liberapay.com/hardenedbsd-finances/. I still have some work to do in order to get us fully set up on LiberaPay. I will reply to this status report when the account's setup is complete.
In April, I plan to continue work on the BATMAN port. I'm hoping to get it to a buildable state. Once it's buildable, then we can separate the GPL code out into various ports entries.
I'm also coordinating with two other FreeBSD developers about optionally supporting different compiler toolchains, starting with Rust, for base userland components.