Introducing CFI

Control Flow Integrity, or CFI, is an exploit mitigation technique that helps prevent attackers from modifying the behavior of a program and jumping to undefined or arbitrary memory locations. Microsoft has implemented a variant of CFI, which they term Control Flow Guard, or CFG. The PaX team has spent the last few years perfecting their Reuse Attack Protector, RAP. CFI, CFG, and RAP all attempt to accomplish the same goal, with RAP being the most complete and effective implementation: Clang's CFI is stronger than Microsoft's CFG, and PaX Team's RAP is stronger than both CFI and CFG. RAP would be a great addition to HardenedBSD; however, it requires a GPLv3 toolchain and is patent-pending.

HardenedBSD is excited to announce the integration of Clang's CFI into base. CFI is enabled by default in HardenedBSD 12-CURRENT on amd64 and can be disabled by setting WITHOUT_CFI in src.conf. CFI is not applicable to architectures other than amd64, though Shawn is working on porting SafeStack to arm64.

Clang's CFI requires a linker that supports Link-Time Optimization (LTO). On 02 March 2017, version 4.0.0 of the lld linker from the LLVM project was imported into both FreeBSD and HardenedBSD. lld 4.0.0 is the first version of lld that is usable in base, and it provides HardenedBSD with a linker that supports LTO. We have been working hard over the past few months on developing and testing the integration of Clang's CFI in HardenedBSD's base. All CFI schemes have been enabled for all of base in HardenedBSD 12-CURRENT/amd64, with the exception of the cfi-icall scheme for a handful of applications. We may need to disable the cfi-icall scheme for more applications, and we will rely on our user base to identify edge cases. Any application that calls function pointers resolved via dlopen+dlsym will require the cfi-icall scheme to be disabled.

At this time, we have not applied CFI to shared libraries (that is, cross-DSO CFI). We are working on cross-DSO CFI support in base, though a few core modifications will need to be made. Upon initial investigation, we need to make llvm-ar and llvm-nm the default ar and nm, and we need to build the libclang_rt.cfi static library. Once we gain that support, we should be able to enable cfi-icall across the board. Just as with SafeStack, cross-DSO CFI requires both ASLR and W^X in order to be effective. If an attacker knows the memory layout of an application, the attacker might be able to craft a data-only attack, modifying the CFI control data.
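The following is an added example, not HardenedBSD or Clang code: a small C model of the check that cfi-icall places in front of an indirect call. It shows why a pointer of the wrong function type and a pointer to a function outside the linkage unit (the dlopen+dlsym case, without cross-DSO CFI) are both rejected. The function names, the type tags and the lookup table are assumptions made for illustration; a real CFI build traps instead of returning an error code.

```c
/* Model of a cfi-icall style check. Illustrative only: Clang derives the
 * type classes from function types at link time (LTO); nothing here is
 * Clang's actual mechanism or data layout. */
#include <stddef.h>
#include <stdio.h>

typedef void (*generic_fn)(void);
typedef int (*unary_fn)(int);

/* Hypothetical type tags, one per function signature. */
enum fn_type { TYPE_INT_INT, TYPE_INT_INT_INT };

static int square(int x) { return x * x; }
static int add(int a, int b) { return a + b; }

/* Stands in for a symbol that lives in another DSO and is resolved at run
 * time with dlopen()+dlsym(): the type is right, but the instrumented
 * linkage unit has no record of it. */
static int plugin_entry(int x) { return x + 1; }

/* Functions known to the instrumented linkage unit, grouped by type. */
static const struct { generic_fn addr; enum fn_type type; } known[] = {
    { (generic_fn)square, TYPE_INT_INT },
    { (generic_fn)add,    TYPE_INT_INT_INT },
};

/* Returns 1 only if target is a known function whose type matches the
 * static type used at the call site. */
int icall_allowed(generic_fn target, enum fn_type expected)
{
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (known[i].addr == target)
            return known[i].type == expected;
    return 0; /* unknown target: rejected when cross-DSO CFI is absent */
}

/* Guarded call site for the type int (*)(int). Returns 0 and stores the
 * result on success, or -1 without calling when the check fails. */
int checked_unary_call(generic_fn target, int arg, int *out)
{
    if (!icall_allowed(target, TYPE_INT_INT))
        return -1;
    *out = ((unary_fn)target)(arg);
    return 0;
}

int main(void)
{
    int r = 0;

    /* Matching type, known target: allowed. */
    printf("square: %d\n", checked_unary_call((generic_fn)square, 7, &r));
    /* Known target, but int(int,int) called as int(int): rejected. */
    printf("add:    %d\n", checked_unary_call((generic_fn)add, 7, &r));
    /* Right type, but not part of the linkage unit: rejected. */
    printf("plugin: %d\n", checked_unary_call((generic_fn)plugin_entry, 7, &r));
    return 0;
}
```

The third case is the reason the applications listed below are built without cfi-icall until cross-DSO CFI is available in base.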

As of this writing, the following applications have cfi-icall disabled:

  1. /sbin/md5
  2. /usr/bin/less
  3. /usr/bin/mail
  4. /usr/bin/top
  5. /usr/bin/tsort
  6. /usr/bin/vi
  7. /usr/sbin/bhyveload
  8. /usr/sbin/pwd_mkdb
  9. /usr/sbin/sendmail
  10. /usr/sbin/services

Stable release: HardenedBSD-stable 10-STABLE v46.24

HardenedBSD-10-STABLE-v46.24 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • kyua updates
  • libarchive update (d7477941dbaca1a8f2916a367c2926e5fd74c7e6) [FreeBSD-SA-candidate]
  • hbsd-update improvements (a999c2ec59793a37e6735fa71854287e5921be25)
  • uipc related backports in kernel
  • tmpfs improvements
  • force disable Intel SDBG on HardenedBSD (28e49bc844977cee7afdb388482216378595eb2f)
  • xz update to 5.2.3 (76a56147f47a4e614999c919abd680746d455bfb)
  • openssl security fix (a12ba8665d8c2f94852d5f819104a9a69bc4c8b7)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v46.14

HardenedBSD-11-STABLE-v46.14 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • update to OpenSSL 1.0.2k (4aed7e4ccd53660aa6e7f0b024a4ce55a3227abc) [FreeBSD-SA-candidate]
  • disable Intel's Silicon Debug capability at boot time (0ea6d983779e624ab8949a1f6dce9c8f5d69f620)
  • update to xz 5.2.3 (30cbb6108bcfbff283ed03041ab29062a73117aa)
  • Force -fPIC when building PIEs (c64a53fe268b34bc0dac7fccdb7e150e74afa524)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v46.13

HardenedBSD-11-STABLE-v46.13 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Fix multiple OpenSSH vulnerabilities. (6fd1410cc2d705293edb0ae5770cc28507893106) [https://security.freebsd.org/advisories/FreeBSD-SA-17:01.openssh.asc]
  • Changed settings for newsyslog (30d7a97741a4aa2e5059ce55bebac16fab)
  • Added the /var/log/pkg.log log to record the package lifecycle
  • Added support for SafeStack - disabled by default
  • Hyper-V updates
  • Clang 3.9.0
  • am-utils 6.2
  • hbsd-update-build cross-build support (b856ea99242c90b8c61879914f79fc6a19ec9fd4)
  • file 5.29
  • regression fix for SA-16:37.libc (6a7e18ff00902471666a295326db834bf51d175a)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 10-STABLE v46.23

HardenedBSD-10-STABLE-v46.23 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Fix multiple OpenSSH vulnerabilities. (01991d8d9a5ef8038fb70e3084e07d1eaeed4e0d) [https://security.freebsd.org/advisories/FreeBSD-SA-17:01.openssh.asc]
  • Skylake support for hwpmc
  • Changed settings for newsyslog (7043b7898cf46d234e9b718d477802ed7805377d)
  • Added the /var/log/pkg.log log to record the package lifecycle
  • Update to ACPICA 2016122 to fix Skylake issues
  • Hyper-V updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 10-STABLE v46.22

HardenedBSD-10-STABLE-v46.22 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • Updated amd from am-utils 6.1.5 to 6.2. (78047153f3f320f60a8264a8a33abb8636dbfc7c)
  • Updated hbsd-update-build to cross-build (99496b88337ff9bc63e69f8128011d3bf5ccfb31)
  • Updated segvguard
  • Updated libarchive [FreeBSD-SA-Candidate]
  • Updated file to 5.29 (884efc61f7391700d81bb717ea62d897524b2184)
  • Fixed integer truncation in uipc_accf (0be920e8edf4ba492677df6ab6f14d3b9b2b6245) [FreeBSD-SA-Candidate]
  • Many other MFCs; see the git log for details

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Binary Updates for aarch64

Our tool for building binary updates for base, hbsd-update-build, has now been taught how to cross-build. As of today, those who are experimenting with aarch64 devices like the Raspberry Pi 3 (RPI3) and Pine64 will be able to receive binary updates from HardenedBSD.

Since hbsd-update stages the binary update in /tmp, which is rather limited in size on most aarch64 dev boards, users will need to tell hbsd-update to use a different temporary directory:

# mkdir /root/tmp
# env TMPDIR=/root/tmp hbsd-update

Please note that aarch64 support is still a major work-in-progress both on FreeBSD's and HardenedBSD's side. Shawn Webb is working with both Ed Schouten and Ed Maste to resolve a few issues with lld 3.9.1. Once those issues are resolved, using aarch64 will become much easier for the average person.

Though this work is primarily targeted for aarch64 cross-building, it can be used with other architectures, like arm and i386 (i386 would need a follow-up commit). HardenedBSD plans only to provide binary updates for amd64 and aarch64 at this time.

New stable release: HardenedBSD-stable 10-STABLE v46.21

HardenedBSD-10-STABLE-v46.21 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • HBSD: fix for FreeBSD-SA-16:37.libc (CVE-2016-6559) improper boundary checking - b66bee517d74e7395ba293bc2f41cc8273f0acdf 54ef6264f7f041d711a6f2a6afeedd2f3646bdd9

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


New stable release: HardenedBSD-stable 11-STABLE v46.12

HardenedBSD-11-STABLE-v46.12 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • HBSD: fix for FreeBSD-SA-16:37.libc (CVE-2016-6559) improper boundary checking - b66bee517d74e7395ba293bc2f41cc8273f0acdf 54ef6264f7f041d711a6f2a6afeedd2f3646bdd9

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


New stable release: HardenedBSD-stable 10-STABLE v46.20

HardenedBSD-10-STABLE-v46.20 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

WARNING: this is a security update!

Highlights:

  • FreeBSD-SA-16:38.bhyve - integer overflow in bhyve - 02a6052b3f42f24b9015e26ef196c33cdaf56719
  • FreeBSD-SA-16:37.libc - buffer overflow in libc - 6eec5c0ac4990b2cf298afce48e0ea2529fa645c
  • FreeBSD-SA-16:36.telnetd - insufficient error checking in telnetd - d50c6c5b00e248bc0ebd39164e5b7d56af49d701
  • ACPICA update to fix issues with recent Skylake CPU based systems
  • SVN update to 1.9.5
  • bhyve: stability and performance improvement for dbgport

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:

