Verifying Build Artifacts

The HardenedBSD build artifacts are signed with an SSH key. SSH keys are used so that artifacts can be validated using only tools included in the base operating system.

First, download the SSH public key:


$ fetch https://installers.hardenedbsd.org/pub/keys/ssh.pub.txt

Then download the build artifact. For purposes of this documentation, the
compressed memstick installation image for HardenedBSD 14-STABLE will be used.


$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz
$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz.sig

Next, generate an `allowed_signers` file which contains the SSH public key:


$ echo "hbsd-os-build-01 $(cat ssh.pub.txt)" > allowed_signers

Now the signature file can be verified:


$ ssh-keygen -Y verify -f allowed_signers -I hbsd-os-build-01 -n file -s memstick.img.xz.sig < memstick.img.xz

HardenedBSD installers

15-CURRENT
git git clone --single-branch --branch hardened/current/master https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git hardenedbsd-current
installers https://installers.hardenedbsd.org/pub/current/
14-STABLE
git git clone --single-branch --branch hardened/14-stable/master https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git hardenedbsd-14-stable
installers https://installers.hardenedbsd.org/pub/14-stable/
PORTS
git git clone --single-branch --branch hardenedbsd/main https://git.hardenedbsd.org/hardenedbsd/ports.git /usr/ports/
tar.gz fetch -o hardenedbsd-ports.tar.gz 'https://git.hardenedbsd.org/hardenedbsd/ports/-/archive/hardenedbsd/main...'
zip fetch -o hardenedbsd-ports.zip 'https://git.hardenedbsd.org/hardenedbsd/ports/-/archive/hardenedbsd/main...'

HardenedBSD November 2024 Status Report

This month saw a few improvements in HardenedBSD's source tree.

We can now boot to multi-user on the StarFive VisionFive2 riscv64 SBC dev boards. They use a 39-bit address space, so we had to tune down our ASLR deltas for this board as if we were operating on a 32-bit architecture. This is obviously far from optimal, but it's what we have.

Changes to the src tree:

  1. Ensure libhbsdcontrol operates only on regular files.
  2. Ensure hbsdcontrol does not follow symlinks by default. Provide an option to override.
  3. Allow the RTLD ASLR delta to be overridden in the kernel config file.
  4. Lower ASLR deltas for StarFive VisionFive2 SBC boards.
  5. Drop TCP SYN+FIN packets by default.

In ports:

  1. Do not override the default LLVM version in devel/electron32
  2. Bring in the -ftrivial-var-auto-init=zero patch from HardenedBSD src for:
    1. devel/llvm17
    2. devel/llvm18
    3. devel/llvm19
  3. Bump net-p2p/heartwood-httpd to 0.17.1
  4. Disable _FORTIFY_SOURCE for:
    1. x11/swaylock
    2. x11/swaybg
    3. x11-wm/sway
  5. Bump hardenedbsd/hbsdmon to 1.0_13
  6. Disable PaX PAGEEXEC for www/firefox
  7. Set default LLVM version to 19 for 15-CURRENT systems

We performed emergency maintenance on the 14-STABLE build server. We replaced three sticks of RAM. As of this writing, it appears we have to replace more sticks. Once the package build that's running right now finishes, we will do that.

We received a large donation specifically for the purchase of a new Framework laptop. That purchase has been made and we are awaiting shipping. The timing of this couldn't be better as the laptop I used to use for when I'm bed-bound is now too old to run modern HardenedBSD. (The problem being the video card is ancient and there are no supporte drivers for it.) Many of you know I have various random health issues (migraines, back injury, chronic fatigue), so having a more mobile system will help me be active where ever I am.

We will soon be ordering some new hard drives for our NAS server. Once ordered and installed, we will reconfigure how we are storing build artifacts. Right now, each build server has enough storage to store its own build artifacts. However, this means that when we perform maintnance on the build server, the build artifacts are temporarily unavailable. Centralizing artifact storage onto a NAS will enable us to be more efficient when performing maintanance. We plan to make that purchase in January 2025.

I have started a discussion with the FreeBSD Foundation, the HardenedBSD Foundation, the Colorado BSD User's Group, and the Google Summer of Code student Aymeric Wibo, to organize a hackathon in January or February 2025. This hackathon will be geared towards getting the BATMAN-adv mesh networking GSoC work to a state where it can be reviewed for merging into FreeBSD. I'm excited to see where this goes and its human rights impact as we design, build, and deploy surveillance- and censorship-resistant mesh networks.

HardenedBSD October 2024 Status Report

September was rather busy for me, so I didn't get the monthly status report out. So this status report covers both September and October 2024.

We received a donation of four devices from Protectli. These devices will help us research and develop a censorship- and surveillance-resistant mesh network. More information can be found here.

In the source tree:

  1. Specifying a NULL environment variable in execve is now prohibited. This helps address ROP payloads that simply pass NULL as the envp.
  2. The hardening.kmalloc_zero regression is fixed.
  3. Use clang's C++ hardening integration. For more information, watch this presentation.

In ports:

  1. FORTIFY_SOURCE has been disabled for the following ports:
    • net/samba416
    • devel/libgtop
    • sysutils/grub2-bhyve
    • devel/kronosnet
  2. PIE was disabled for editors/libreoffice
  3. devel/bsddialog build was fixed
  4. PaX MPROTECT was disabled for www/node22
  5. the devel/boost and related ports were fixed
  6. base ranlib version detection was fixed
  7. Default ports llvm version was bumped to 18
  8. hardenedbsd/sourcezap was bumped to 1.2.1
  9. hardenedbsd/portzap was bumped to 1.2.1

In other news, HardenedBSD 13-STABLE is in the process of being archived. Folks who want continued support for 13-STABLE are encouraged to create a free account on our self-hosted GitLab and submit patches. Otherwise, we encourage everyone to enjoy HardenedBSD 14-STABLE and 15-CURRENT.

We are grateful for those who contribute to the project--no matter the form in which the contribution comes. Continued advocacy, patch submissions, financial support, and other contributions are appreciated and needed.

HardenedBSD and Protectli Collaborates for a Censorship- and Surveillance-Resistant Mesh Network

The HardenedBSD Foundation is happy to announce a donation from the folks over at Protectli. Protectli is an open source firewall appliance company. This is their second donation to the HardenedBSD Foundation to date.

This donation is for a specific project: the development of a censorship- and surveillance-resistant mesh network. Protectli donated four FW4B devices. These devices will help us research and develop a prototype network, with the end goal being wider deployment once the initial proof-of-concept is developed and documented.

We--the HardenedBSD Foundation and the HardenedBSD Project--believe that Protectli offers a solid product line with which to base our reference implementation. We plan to start a concerted effort on the proof-of-concept implementation starting January through February 2025.

We are in talks with a Google Summer of Code contributor for FreeBSD in bringing their hard work to completion; or, at the very least, to a state that is usable for this project. The contributor, Aymeric Wibo, spoke at BSDCan 2024 about his efforts at porting BATMAN-adv to FreeBSD. We hope to bring his work into a special feature branch in HardenedBSD.

Special care must be taken so as not to introduce GPL code. Some bits of the BATMAN project are GPL. The bits that are BSD license compatible can land in the src tree, but GPL bits will land as ports entries.

Once we are satisfied with that work, we will begin work on a special version of HardenedBSD. This version will have all methods for capturing packets (eg, libpcap, tcpdump, BPF, etc.) removed. This would enable network operators to respond to law enforcement requests with a simple answer: "we have no customer data and lack the ability to capture customer data."

We envision networks akin to the NYC MESH project, with two key differences:

  1. inter-mesh node connections will be encrypted (IPSEC, Wireguard, or OpenVPN);
  2. Supernodes will route all outbound public Internet connections via Tor.

Node and Supernode operators will undergo a vetting process. Supernode operators must also run a public Tor relay to offset the bandwidth cost of users. Routing all traffic through Tor will place a large burden on the Tor network, so we must be kind citizens and try to offset that burden as much as possible.

Protectli plays a crucial role beyond this one donation. We are in talks with Protectli to establish a baseline set of equipment as gold standard. Network operators can supply their own equipment, but we will recommend Protectli as the "known working gold standard reference."

Node operators will be required to run hardened operating systems, with a strong recommendation of HardenedBSD.

We are grateful for Protectli's support of the HardenedBSD project and its goals. We dream of a decentralized digital world wherein safety of its participants is of utmost importance.

If you would like to play a part in this initial research and development, please reach out to the HardenedBSD Foundation at foundation@hardenedbsd.org.

Basic network architecture

HardenedBSD August 2024 Status Report

This month was focused on ${LIFE} for me. One of our two dogs, Darth Vader, had a planned surgery that ended up being more intensive than originally anticipated. Just today (03 Sep 2024), he got a good bill of health from the veterinarian. He still can't use our doggy door to the backyard, but is a healthy good boy otherwise. :-)

We launched our first Signal group for the HardenedBSD community.

FreeBSD implemented a mechnism to prohibit local connections to wildcard addresses (like 0.0.0.0 or ::0). With commit 8624aac8cefa38382a1ae3f40b604581bc4cf69f, we now enable the prohibition by default. Commit d2d91bf7ba3eaf7bda029f3004553c6b45b90fe4 causes certain syscalls to have in-kernel dynamic data structures zeroed by default.

FreeBSD recently made changes to the in-kernel heap implementation (see malloc(9)). Those changes are incompatible with our hardening.kmalloc_zero feature. I have not had ample time to address this incompatibility, but hope to soon. As such, users who run 15-CURRENT and have set hardening.kmalloc_zero=1 should temporarily disable the feature prior to upgrading to the 01 Sep 2024 build.

In ports:

  1. net-p2p/heartwood and related ports have been updated to 1.0.0-rc16.
  2. A fix for _FORTIFY_SOURCE support has been pulled in for devel/libudev-devd.
  3. 0x1eef updated hardenedbsd/sourcezap to v1.0.0.
  4. 0x1eef updated hardenedbsd/portzap to v1.0.0.

A new (currently untested) build of hbsdfw has been published and can be found here. As usual, your upgrade steps are:

  1. Backup your config
  2. Reinstall using the new image
  3. Restore your config

Default username: root
Default password: hbsdfw

$ sha256 hbsdfw_installer_vga_14.1-20240831-231050.iso.xz
SHA256 (hbsdfw_installer_vga_14.1-20240831-231050.iso.xz) = 124a1be571bc0b316fd9a070be8ed4c6950c7a40531240e6ade15e7c21598483
$ wc -c hbsdfw_installer_vga_14.1-20240831-231050.iso.xz
 1564133444 hbsdfw_installer_vga_14.1-20240831-231050.iso.xz

To conclude this status report, I would like to thank the community for the continued support of HardenedBSD. All contributions, no matter the form in which they take, are immensely appreciated. Patches, advocacy, funding, or otherwise--it's all important and helpful.

HardenedBSD July 2024 Status Report

It has been a busy month for me personally, so not too much was accomplished in HardenedBSD.

It got really hot here at home, and the server room's temperatures kept creeping higher than desired. So I spent some time trying to get temperature control more efficient and I made a lot of progress. At the beginning of the month, the server room got up to 76F. After installing foam panels in the window, and doing some more weatherproofing, the room now averages 69F at the hotest, and 60F at the coolest.

I taught our infrastructure monitoring daemon (hbsdmon) how to monitor CPU temperatures. I also taught it how to take action when a monitor transitions from nominal success to failure, and vice-versa. hbsdmon alerts me if the CPU temp hits 80C, and shuts down the server if the CPU temp hits 90C. So now I don't have to worry if I go on vacation, or if the A/C unit dies while I'm asleep. :-)

We received a new server donation. This server will allow us to centralize storage. We'll likely budget for ten 8TB drives (six hot, four spare).

In src:

  1. I fixed a kernel panic when a PaX MPROTECT error handling code path was chosen.
  2. I coordinated _FORTIFY_SOURCE changes and testing with FreeBSD's Kyle Evans.

In ports:

  1. Fabien Amelinck fixed a custom patch we have in ports-mgmt/poudriere-hbsd
  2. Shawn Webb fixed x11/station-tweak
  3. Shawn Webb enabled PIE and RELRO for textproc/unix2ascii
  4. Shawn Webb updated various net-p2p/heartwood* related ports
  5. Fabien Amelinck fixed emulators/virtualbox-ose
  6. Fabien Amelinck fixed an issue with secadm's manual page path
  7. 0x1eef updated the hardenedbsd/sourcezap port
  8. Shawn Webb marked math/pspp broken for all supported src branches
  9. Shawn Webb updated the hardenedbsd/hbsdmon port

I also published (and deployed locally) a new build of hbsdfw. hbsdfw is a HardenedBSD 14-STABLE based fork of OPNsense that we maintain as a hobby side-project.

As usual, your update process is:

  1. Backup your config
  2. Reinstall with the new image
  3. Restore your config

Default username: root
Default password: hbsdfw

You can find the install media here:
https://hardenedbsd.org/~shawn/hbsdfw/hbsdfw_installer_vga_14.1-20240801...

$ wc -c hbsdfw_installer_vga_14.1-20240801-154128.iso.xz
 1547783764 hbsdfw_installer_vga_14.1-20240801-154128.iso.xz
$ sha256 hbsdfw_installer_vga_14.1-20240801-154128.iso.xz
SHA256 (hbsdfw_installer_vga_14.1-20240801-154128.iso.xz) = 639e87b17fc999acd143c6c731e665f7299a3efe8d551674d0833a475b46cb8e

HardenedBSD June 2024 Status Report

This status report covers the last few days of May along with June. At the tail end of May, I spoke at BSDCan about HardenedBSD. The video recording has been posted. Note that some of the audio recording equipment experienced some issues during the presentation, so there's a few missing minutes at around the 17:05 mark. I'm grateful for the opportunity to speak and for everyone who worked behind-the-scenes to make that a possibility. The presentation slides can be found at in our GitLab.

While the source tree was relatively quiet this month, the ports tree saw a lot of work:

  1. New ports for the Radicle project. The ports use the codename of the core Radicle repo known as heartwood:
    • net-p2p/heartwood-cli
    • net-p2p/heartwood-httpd
    • net-p2p/heartwood-node
    • net-p2p/heartwood-remote-helper
    • net-p2p/heartwood-tools
    • net-p2p/heartwood (metaport that installs all the above).
  2. First-time patch submitter Fabien Amelinck of the VultureOS project fixed the build of the hardenedbsd/secadm port
  3. Fabien Amelinck fixed an ignore condition in the kmod framework (kmod.mk)
  4. Fabien Amelinck fixed the build of the OpenJDK-related ports
  5. A new port was introduced: sysutils/vm-bhyve-hbsd. This is a soft fork of the vm-bhyve project. The aim is to import a few pull requests/patches from the community, starting with p9fs support.
  6. The security/keepassxc port was taught the concept of flavors, with the lite flavor disabling certain features: AUTOTYPE, BROWSER, FDOSECRETS, KEESHARE, NETWORKING, and SSHAGENT. Of course, the default flavor keeps the default options enabld.
  7. 0x1eef added a new port: hardenedbsd/sourcezap, which can help manage a local copy of the HardenedBSD source tree.

The HardenedBSD Foundation has the following update:

The HardenedBSD Foundation is now available as a listed charity at Fidelity Charitable.

A new PO Box was established in Colorado. This is our new shipping/mailing address:

The HardenedBSD Foundation
PO Box 31063
Colorado Springs, CO 80931

If you decide to send anything to our PO Box, please let us know beforehand so we know to expect a delivery. The HardenedBSD Foundation's email address is: foundation@hardenedbsd.org.

HardenedBSD May 2024 Status Report

May 2024 was pretty quiet overall.

In FreeBSD land, The FreeBSD Foundation and Stormshield both sponsored a port of NetBSD's _FORTIFY_SOURCE implementation. Within twenty-four hours, we set _FORTIFY_SOURCE to 2 for the entirety of the base userland and the ports tree. June will see the first 15-CURRENT/amd64 package build with _FORTIFY_SOURCE=2 set by default. I'm sure there will be a lot of fallout to address in ports.

I'm making final preparations to give the HardenedBSD talk at BSDCan. That is the reason I'm writing this status report early. I will post my slides after the conclusion of my presentation.

In ports:

  1. 0x1eef updated hardenedbsd/portzap to v0.12.0
  2. Shawn disabled fortify source on a few select ports:
    • lang/gcc10
    • lang/gcc11
    • lang/gcc12
    • lang/gcc13
    • multimedia/libv4l
    • devel/libepoll-shim
  3. ports-mgmt/poudriere-hbsd was updated to 3.4.1.
  4. sysutils/cpu-microcode-intel build was fixed.
  5. ports-mgmt/pkg was updated to 1.21.3

HardenedBSD April 2024 Status Report

April was relatively quiet. In src, the only change was to mitigate the LESSOPEN vulnerability (CVE-2024-32487). I spent a little bit of time studying the dance between the CSU, libc, the RTLD, and libthr.

In ports:

  1. ports-mgmt/poudriere-hbsd build is fixed
  2. 0x1eef contributed a new port: hardenedbsd/portzap
  3. ports-mgmt/pkg was updated to 1.21.2
  4. graphics/waffle is now built as a PIE
  5. net/td-system-tools build is fixed

We collaborated with the Radicle project. I have some local patches that allow Radicle to compile on FreeBSD/HardenedBSD. I need to clean up those patches so they're upstream-worthy. We helped deploy a test seed node in my fully Tor-ified home network, exposing the node as a Tor Onion Service endpoint.

I'm hoping that in the long term, we will be able to switch from GitLab to Radicle for hosting our repositories. We made an attempt to provide src and ports over Radicle, but the repos are a little bit too large for Radicle to handle at the moment. We will continue working with the Radicle team to help support larger repositories.

Pages

Subscribe to HardenedBSD RSS