HardenedBSD August 2025 Status Report

This status report pertains to both July and August 2025. It has been a busy summer here in Colorado. We will conclude this report with a discussion on FreeBSD's 15.0 release engineering cycle and its impact on HardenedBSD.

The focus of the past few months has been addressing technical debt within the project.

In src:

  1. The old hbsdcontrol (prior to the rewrite) was removed.
  2. FreeBSD added the clang-scan-deps program to the build. Due to our use of LTO and CFI, we needed to add more files to the clang-scan-deps program's build.
  3. Trusted Path Execution (TPE) is now integrated with mmap(PROT_EXEC) when a file descriptor is used to back the memory mapping.
  4. TPE is now fully jail-aware.
  5. First-time patch submitter Théo Bertin fixed hbsd-update's checking of certificates to take into account non-standard mount points.
  6. The mac_do(4) module has been hardened to take into account the per-process flag that determines whether the process can change or be granted new privileges. Otherwise, a misconfiguration in mac_do(4)'s rules could result in a privilege escalation in an unprivileged chroot. We reported this issue upstream to FreeBSD, which does not seem to believe this to be an issue.
  7. Addressed some vnode locking issues with TPE and SEGVGUARD.
  8. 0x1eef helped address some issues with HardenedBSD's branding and recent changes by FreeBSD in the UEFI boot loader.

In ports:

  1. net-p2p/heartwood and related have been bumped to 1.3.0.
  2. Our patch to enable -ftrivial-auto-var-init=zero by default in llvm/clang was forward ported to the devel/llvm20 and devel/llvm21 ports.
  3. _FORTIFY_SOURCE was disabled for security/fakeroot.

We also addressed some cooling issues, enabling us to bring another server online. The server brought online is our test environment, currently configured to test Radicle. The Radicle project has made a lot of strides to be able to handle larger repos, but it still seems like it is a bit too early for HardenedBSD's use.

In September 2025, FreeBSD plans to create the stable/15 branch from their main development branch. HardenedBSD will need to follow suit, creating a new hardened/15-stable/master branch. We will need to bring online build infrastructure to build the installation media, pkgbase repo, and package repos. It will take me some time to perform that work, perhaps up to two months.

Depending on our continued cooling issues (which we partially mitigated this past month), we may be constrained as to how many branches we can support. As such, I am currently unsure how long we can support 14-stable. Once we get a handle on the new 15-stable branch and the dust settles, we will be able to make a better determination as to how long we'll support 14-stable.

In addition to the new stable branch, I plan to get back to working on the censorship- and surveillance-resistant mesh network. I'm hoping to better understand Reticulum and have an internal test Reticulum network deployed.