Verifying Build Artifacts

The HardenedBSD build artifacts are signed with an SSH key. SSH keys are used so that artifacts can be validated using only tools included in the base operating system.

First, download the SSH public key:

$ fetch https://installers.hardenedbsd.org/pub/keys/ssh.pub.txt

Then download the build artifact. For purposes of this documentation, the
compressed memstick installation image for HardenedBSD 14-STABLE will be used.

$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz $ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz.sig

Next, generate an `allowed_signers` file which contains the SSH public key:

$ echo "hbsd-os-build-01 $(cat ssh.pub.txt)" > allowed_signers

Now the signature file can be verified:

$ ssh-keygen -Y verify -f allowed_signers -I hbsd-os-build-01 -n file -s memstick.img.xz.sig < memstick.img.xz

HardenedBSD installers

15-CURRENT

git	git clone --single-branch --branch hardened/current/master https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git hardenedbsd-current
installers	https://installers.hardenedbsd.org/pub/current/

14-STABLE

git	git clone --single-branch --branch hardened/14-stable/master https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git hardenedbsd-14-stable
installers	https://installers.hardenedbsd.org/pub/14-stable/

PORTS

git	git clone --single-branch --branch hardenedbsd/main https://git.hardenedbsd.org/hardenedbsd/ports.git /usr/ports/
tar.gz	fetch -o hardenedbsd-ports.tar.gz 'https://git.hardenedbsd.org/hardenedbsd/ports/-/archive/hardenedbsd/main...'
zip	fetch -o hardenedbsd-ports.zip 'https://git.hardenedbsd.org/hardenedbsd/ports/-/archive/hardenedbsd/main...'

HardenedBSD April 2025 Status Report

April was a busy month! There's a lot to get into, so here we go.

In src:

The pkgbase UCL template for HardenedBSD-related packages was fixed.
xz CVE-2025-31115 vulnerability was patched.
0x1eef fixed `hbsdcontrol pax sysdef`.
0x1eef fixed hbsdcontrol verb detection issues.
0x1eef enhanced hbsdcontrol's help output.
FreeBSD recently introduced named attribute support for the open(2) syscall. HardenedBSD now rejects using named attribute file descriptors with fdlopen(3). I wrote a little proof-of-concept.
If hbsd-update fails to create the new ZFS boot environment due to the boot environment already existing, hbsd-update will no longer destroy the existing boot environment.

Nothing of note happened in the ports tree.

As discussed previously in the HardenedBSD Users mailing list, HardenedBSD will be slowing down the build cadence of OS builds (installers and hbsd-update) to once per quarter. This is primarily due to an issue with FreeBSD's latest release of the package manager, pkg. When building packages, pkg now takes a long time to calculate a given port's dependencies. This causes our 14-STABLE package build to now take longer than one month, up from just over two weeks.

Users who need a quicker cadence are encouraged to build src (and packages) themselves. We simply do not have the resources to speed up the build. The new installers/hbsd-update builds will take place on the first day of the following months: January, April, July, and October.

I plan on documenting a more formal release strategy, including the handling of security advisories, in the near future. I'm pondering whether we want to create quarterly branches in the src tree, and `git cherry-pick` security advisory fixes to those quarterly branches. That would prevent us from having to scrap an in-progress package build. But that comes at a cost of higher workload. So I'm weighing the pros/cons of various release strategies. I haven't made any firm decisions just yet. If anyone has any thoughts, please let me know.

I worked with the Radicle project to start testing HardenedBSD's src and ports trees. They've made a lot of progress on supporting larger repos. I worked on standing up a test Radicle network, to test importing src and ports and seeding them across a limited set of nodes. Each node is a separate HardenedBSD vnet jail. I came across some issues and need to report them more formally to the Radicle project. I'm grateful for their continued collaboration.

On the weekend of 25 April 2025, I attended a small FreeBSD hackathon focused on optional Rust toolchain support for userland applications. Attending were Alan Somers, Warner Losh, Brad Davis, Scott Long, and Reid Linnemann. I plan to tidy up a few things then announce a wider call-for-testing in May. You can follow along by watching the hardened/current/rust-in-base feature branch. I'd like to thank Alan Somers of the FreeBSD project for the opportunity to hack on this with him and the other FreeBSD developers in attendance--and for those who have provided valuable input.

One next step for the Rust-in-base work is to come up with a more formalized plan for vendor imports of third-party crates into the src tree. I imagine that to be a wider discussion point for figures upstream from us.

FreeBSD recently introduced limited pkgbase support in bsdinstall. Over the past few days, I've worked on updating our build scripts to support pkgbase. Our next build (in July) will include an experimental pkgbase repo for both 15-CURRENT/amd64 and 14-STABLE/amd64.

HardenedBSD March 2025 Status Report

March was a busy month for the project with regards to the infrastructure. We saw some commits to src and ports, but development was pretty quiet overall. On 12 March 2025, we drastically expanded power capacity in the server room, adding two new 20 amp circuits. The electrician also prepared for an eventual mini-split HVAC unit that we hope to requisition in the next year or two.

Due to the electrical work, we skipped performing package builds for March. We'll resume our regular package building schedule on 01 April 2025.

Years ago, we supported arm64 with HardenedBSD's hardened/current/master branch and provided regular builds and a package repo. We scaled down that support when I had switched employers. Back then, the infrastructure was hosted at my employer's mini-datacenter, whereas now it's hosted in my home. Now that we have the power capacity, I worked on powering on one of our two Cavium ThunderX1 servers. The NIC (an Intel NIC that uses the em(4) driver) seems not to be stable in this particular setup. Once we get stable networking, I plan to regain official support for HardenedBSD on arm64.

I worked with the Radicle team ( https://radicle.xyz/ ) to officially start research and development for larger code repositories. Currently, our src and ports repos are too large for Radicle to handle.

In the src tree:

0x1eef wrote a periodic(8) script that applies a stricter set of permissions to certain files and directories. Please refer to /etc/mtree/BSD.hardened.dist for which files and directories are applicable.
The retain option in jemalloc is disabled by default (see malloc.conf(5)) for more information about this option. Disabling the retain option increases the entropy applied to the heap and can help mitigate Use-After-Free (UAF) vulnerabilities.
The IP ID randomization period was increased from 8192 to 32768. This increases the window of the randomized IP ID value, making it slightly more difficult for an attacker.

In the ports tree:

Register zeroing (ZEROREG) was enabled for net/wireshark.

I'd like to finish this status report with a call for donations. The last major hurdle for us is cooling. A mini-split heat pump HVAC unit is going to be crucial for us this summer as we scale up our infrastructure. We currently use a portable A/C unit, and that seems to be sufficient for now since outdoor temperatures are manageable. However, when summer hits and it's 110F outside, we may have to power off some servers to keep indoor temperatures steady. I have not received any estimates or quotes, but I suspect it will be between $5,000 and $7,000 USD. Donations by those in the US are eligible for tax deduction.

I plan to get us fully supported on LiberaPay over the next month or two. I've set up a profile here: https://liberapay.com/hardenedbsd-finances/. I still have some work to do in order to get us fully set up on LiberaPay. I will reply to this status report when the account's setup is complete.

In April, I plan to continue work on the BATMAN port. I'm hoping to get it to a buildable state. Once it's buildable, then we can separate the GPL code out into various ports entries.

I'm also coordinating with two other FreeBSD developers about optionally supporting different compiler toolchains, starting with Rust, for base userland components.

HardenedBSD February 2025 Status Report

This status report includes January, since I missed publishing January's report. The last couple months have been busy, with progress being made on multiple fronts.

In the src tree:

PaX SEGVGUARD is now integrated with Capsicum. Capsicum violations now count against the process when the kern.trap_enotcap sysctl tunable is set. This feature was inspired by conversations with alip from Syd Linux.
A new sysctl tunable (hardening.elf_pie_only) was created to control whether non-PIE ELF executables are permitted to be executed. This feature was inspired by conversations with alip from Syd Linux.
_FORTIFY_SOURCE=2 was fixed for arm64.

In the ports tree:

Register zeroing (the new ZEROREG option) is now opt-in rather than opt-out. Several critical Python-related ports fail to build when ZEROREG is enabled by default for the entire ports tree.
Register zeroing was enabled for the following ports:
1. dns/unbound
2. irc/weechat
3. net/openntpd
4. net/rsync
5. ports-mgmt/pkg
6. security/openssh-portable
7. security/openvpn
8. security/tor
9. www/firefox
10. www/librewolf
11. www/lighttpd
12. www/nginx
13. x11-servers/xorg-server
The build was fixed for security/wazuh-agent
CFI was enabled for net/rsync
The build was fixed for net/libfabric

Additional research and development was done for the BATMAN port to freebsd/hardenedbsd. The code doesn't compile, yet, but we're working on it. The goal for having something ready by the end of February wasn't acheived, but work is still being done. R&D is continuing, though at a slower pace than originally anticipated.

On the side of infrastructure, I got another server ready for deployment. We have a few servers waiting for deployment. On 12-13 March 2025, we will dramatically increase power capabilities in the server room in my home.

Since package builds take over two weeks to complete, I do NOT plan to start package builds until after the construction work is completed. It might be that the next package build will be 01 Apr 2025.

We will be able to deploy the two Cavium ThunderX1 arm64 servers and two amd64 servers. Cooling might become an issue, but at least we'll have the power capacity.

I deployed a new (well, new-to-us) NAS running HardenedBSD with 30TB usable capacity. I also deployed a little Protectli appliance for our internal DNS server and wrote a little script to update various DNS records when our IPv4 address changes.

All this infrastructure work would not be possible without donations from the community. We're able to expand due to the generosity of a few contributors. I would like to extend a heartful thank you to all who contribute to the project and the Foundation, no matter the form in which those contributions come--code, documentation, advocacy, funding, inspirational conversations, or otherwise.

HardenedBSD December 2024 Status Report

December was a delightfully relatively busy month for HardenedBSD. I started research on mitigating SROP due to a discussion with one of the Syd Linux developers. While I don't have an implementation just yet, I've started research on that.

I created a private fork of the HardenedBSD src tree meant for collaborating with Aymeric Wibo on completing the BATMAN-adv mesh networking support. The idea here is to use the private fork to first separate the GPL bits into ports entries. The bits of code that land in the public src tree will NOT be GPL.

Notable changes in the src tree:

There was a regression in how we apply ASLR to mmap(MAP_STACK) mappings. The delta was improperly computed but is now fixed.
Default to PIE on all architectures.
fusefs(4) is now compiled with -ftrivial-auto-var-init=zero.
syslogd will no longer accept remote connections by default. Please note that this could impact users' environments. Deployments that need to accept remote connections will need to be modified. Please reference commit 50ed55c154b79f41fadd4b77ede9c202b83435b5 for more information.
Enable use of -fzero-call-used-regs=used across (nearly) the entirety of base userland. The only component in base userland that has this feature disabled is in the bootloader.

Notable changes in the ports tree:

PaX PAGEEXEC is disabled for www/firefox.
Default LLVM version is bumped to 19, matching llvm in base.
_FORTIFY_SOURCE was disabled for:
1. x11-wm/sway
2. x11/swaybg
3. x11/swaylock
net-p2p/heartwood-httpd was bumped.
Ports built with llvm-from-ports version 17, 18, and 19 will have -ftrivial-auto-var-init=zero enabled by default.
The build of devel/electron32 was fixed by using the default llvm version.
net-p2p/heartwood was bumped to 1.1.0.
Fix ranlib version detection.
security/libhijack version was bumped.
Apply -fzero-call-used-regs=all by default across the entire ports tree (new hardening option: ZEROREG).
Disable register zeroing for:
1. archivers/libdeflate
2. databases/mongodb80
3. devel/highway
4. devel/qt6-base
5. devel/wasi-compiler-rt
6. devel/wasi-libcxx
7. editors/libreoffice
8. graphics/libjxl
9. graphics/openjph
10. lang/go-devel (applies to golang universally)
11. multimedia/svt-av1
12. multimedia/vmaf
13. security/libsodium
14. www/node20
15. www/node22
sysutils/vm-bhyve-hbsd version was bumped.

Please note that there likely is a lot of fallout to address regarding register zeroing in ports. The next few package builds for both 14-STABLE and 15-CURRENT will likely have a few packages missing. I plan to address those broken ports/packages as soon as I find out they're broken. Please be patient as we address the breakages.

I plan to apply updates across the entire HardenedBSD development infrastructure on Saturday, 04 Jan 2025. I will keep everyone informed as to when the maintenance period begins and ends. The package builds will commence immediately after the infrastructure is back online.

Happy New Years! I hope 2025 treats everyone well. I'm excited to see the mesh networking work progress. I believe we will see an every increasing need for the deployment of these types of networks.

The HardenedBSD Foundation and the community are immensly grateful for the contributions made in 2024. This project could not survive if not for the graceous contributions that come in all their forms: monetary, patch submissions, advocacy, documentation, and otherwise. We look forward to a bright and productive 2025.

HardenedBSD November 2024 Status Report

This month saw a few improvements in HardenedBSD's source tree.

We can now boot to multi-user on the StarFive VisionFive2 riscv64 SBC dev boards. They use a 39-bit address space, so we had to tune down our ASLR deltas for this board as if we were operating on a 32-bit architecture. This is obviously far from optimal, but it's what we have.

Changes to the src tree:

Ensure libhbsdcontrol operates only on regular files.
Ensure hbsdcontrol does not follow symlinks by default. Provide an option to override.
Allow the RTLD ASLR delta to be overridden in the kernel config file.
Lower ASLR deltas for StarFive VisionFive2 SBC boards.
Drop TCP SYN+FIN packets by default.

In ports:

Do not override the default LLVM version in devel/electron32
Bring in the -ftrivial-var-auto-init=zero patch from HardenedBSD src for:
1. devel/llvm17
2. devel/llvm18
3. devel/llvm19
Bump net-p2p/heartwood-httpd to 0.17.1
Disable _FORTIFY_SOURCE for:
1. x11/swaylock
2. x11/swaybg
3. x11-wm/sway
Bump hardenedbsd/hbsdmon to 1.0_13
Disable PaX PAGEEXEC for www/firefox
Set default LLVM version to 19 for 15-CURRENT systems

We performed emergency maintenance on the 14-STABLE build server. We replaced three sticks of RAM. As of this writing, it appears we have to replace more sticks. Once the package build that's running right now finishes, we will do that.

We received a large donation specifically for the purchase of a new Framework laptop. That purchase has been made and we are awaiting shipping. The timing of this couldn't be better as the laptop I used to use for when I'm bed-bound is now too old to run modern HardenedBSD. (The problem being the video card is ancient and there are no supporte drivers for it.) Many of you know I have various random health issues (migraines, back injury, chronic fatigue), so having a more mobile system will help me be active where ever I am.

We will soon be ordering some new hard drives for our NAS server. Once ordered and installed, we will reconfigure how we are storing build artifacts. Right now, each build server has enough storage to store its own build artifacts. However, this means that when we perform maintnance on the build server, the build artifacts are temporarily unavailable. Centralizing artifact storage onto a NAS will enable us to be more efficient when performing maintanance. We plan to make that purchase in January 2025.

I have started a discussion with the FreeBSD Foundation, the HardenedBSD Foundation, the Colorado BSD User's Group, and the Google Summer of Code student Aymeric Wibo, to organize a hackathon in January or February 2025. This hackathon will be geared towards getting the BATMAN-adv mesh networking GSoC work to a state where it can be reviewed for merging into FreeBSD. I'm excited to see where this goes and its human rights impact as we design, build, and deploy surveillance- and censorship-resistant mesh networks.

HardenedBSD October 2024 Status Report

September was rather busy for me, so I didn't get the monthly status report out. So this status report covers both September and October 2024.

We received a donation of four devices from Protectli. These devices will help us research and develop a censorship- and surveillance-resistant mesh network. More information can be found here.

In the source tree:

Specifying a NULL environment variable in execve is now prohibited. This helps address ROP payloads that simply pass NULL as the envp.
The hardening.kmalloc_zero regression is fixed.
Use clang's C++ hardening integration. For more information, watch this presentation.

In ports:

FORTIFY_SOURCE has been disabled for the following ports:
- net/samba416
- devel/libgtop
- sysutils/grub2-bhyve
- devel/kronosnet
PIE was disabled for editors/libreoffice
devel/bsddialog build was fixed
PaX MPROTECT was disabled for www/node22
the devel/boost and related ports were fixed
base ranlib version detection was fixed
Default ports llvm version was bumped to 18
hardenedbsd/sourcezap was bumped to 1.2.1
hardenedbsd/portzap was bumped to 1.2.1

In other news, HardenedBSD 13-STABLE is in the process of being archived. Folks who want continued support for 13-STABLE are encouraged to create a free account on our self-hosted GitLab and submit patches. Otherwise, we encourage everyone to enjoy HardenedBSD 14-STABLE and 15-CURRENT.

We are grateful for those who contribute to the project--no matter the form in which the contribution comes. Continued advocacy, patch submissions, financial support, and other contributions are appreciated and needed.

HardenedBSD and Protectli Collaborates for a Censorship- and Surveillance-Resistant Mesh Network

The HardenedBSD Foundation is happy to announce a donation from the folks over at Protectli. Protectli is an open source firewall appliance company. This is their second donation to the HardenedBSD Foundation to date.

This donation is for a specific project: the development of a censorship- and surveillance-resistant mesh network. Protectli donated four FW4B devices. These devices will help us research and develop a prototype network, with the end goal being wider deployment once the initial proof-of-concept is developed and documented.

We--the HardenedBSD Foundation and the HardenedBSD Project--believe that Protectli offers a solid product line with which to base our reference implementation. We plan to start a concerted effort on the proof-of-concept implementation starting January through February 2025.

We are in talks with a Google Summer of Code contributor for FreeBSD in bringing their hard work to completion; or, at the very least, to a state that is usable for this project. The contributor, Aymeric Wibo, spoke at BSDCan 2024 about his efforts at porting BATMAN-adv to FreeBSD. We hope to bring his work into a special feature branch in HardenedBSD.

Special care must be taken so as not to introduce GPL code. Some bits of the BATMAN project are GPL. The bits that are BSD license compatible can land in the src tree, but GPL bits will land as ports entries.

Once we are satisfied with that work, we will begin work on a special version of HardenedBSD. This version will have all methods for capturing packets (eg, libpcap, tcpdump, BPF, etc.) removed. This would enable network operators to respond to law enforcement requests with a simple answer: "we have no customer data and lack the ability to capture customer data."

We envision networks akin to the NYC MESH project, with two key differences:

inter-mesh node connections will be encrypted (IPSEC, Wireguard, or OpenVPN);
Supernodes will route all outbound public Internet connections via Tor.

Node and Supernode operators will undergo a vetting process. Supernode operators must also run a public Tor relay to offset the bandwidth cost of users. Routing all traffic through Tor will place a large burden on the Tor network, so we must be kind citizens and try to offset that burden as much as possible.

Protectli plays a crucial role beyond this one donation. We are in talks with Protectli to establish a baseline set of equipment as gold standard. Network operators can supply their own equipment, but we will recommend Protectli as the "known working gold standard reference."

Node operators will be required to run hardened operating systems, with a strong recommendation of HardenedBSD.

We are grateful for Protectli's support of the HardenedBSD project and its goals. We dream of a decentralized digital world wherein safety of its participants is of utmost importance.

If you would like to play a part in this initial research and development, please reach out to the HardenedBSD Foundation at foundation@hardenedbsd.org.

Basic network architecture

HardenedBSD August 2024 Status Report

This month was focused on ${LIFE} for me. One of our two dogs, Darth Vader, had a planned surgery that ended up being more intensive than originally anticipated. Just today (03 Sep 2024), he got a good bill of health from the veterinarian. He still can't use our doggy door to the backyard, but is a healthy good boy otherwise. :-)

We launched our first Signal group for the HardenedBSD community.

FreeBSD implemented a mechnism to prohibit local connections to wildcard addresses (like 0.0.0.0 or ::0). With commit 8624aac8cefa38382a1ae3f40b604581bc4cf69f, we now enable the prohibition by default. Commit d2d91bf7ba3eaf7bda029f3004553c6b45b90fe4 causes certain syscalls to have in-kernel dynamic data structures zeroed by default.

FreeBSD recently made changes to the in-kernel heap implementation (see malloc(9)). Those changes are incompatible with our hardening.kmalloc_zero feature. I have not had ample time to address this incompatibility, but hope to soon. As such, users who run 15-CURRENT and have set hardening.kmalloc_zero=1 should temporarily disable the feature prior to upgrading to the 01 Sep 2024 build.

In ports:

net-p2p/heartwood and related ports have been updated to 1.0.0-rc16.
A fix for _FORTIFY_SOURCE support has been pulled in for devel/libudev-devd.
0x1eef updated hardenedbsd/sourcezap to v1.0.0.
0x1eef updated hardenedbsd/portzap to v1.0.0.

A new (currently untested) build of hbsdfw has been published and can be found here. As usual, your upgrade steps are:

Backup your config
Reinstall using the new image
Restore your config

Default username: root
Default password: hbsdfw

$ sha256 hbsdfw_installer_vga_14.1-20240831-231050.iso.xz
SHA256 (hbsdfw_installer_vga_14.1-20240831-231050.iso.xz) = 124a1be571bc0b316fd9a070be8ed4c6950c7a40531240e6ade15e7c21598483
$ wc -c hbsdfw_installer_vga_14.1-20240831-231050.iso.xz
 1564133444 hbsdfw_installer_vga_14.1-20240831-231050.iso.xz

To conclude this status report, I would like to thank the community for the continued support of HardenedBSD. All contributions, no matter the form in which they take, are immensely appreciated. Patches, advocacy, funding, or otherwise--it's all important and helpful.

HardenedBSD