LibreSSL in HardenedBSD Base

A few months ago, we added Bernard Spil to the HardenedBSD team with a goal to bring in and maintain LibreSSL in base. Given the effort involved in maintaining such a complex piece of software, we at HardenedBSD have made the decision to keep it as a feature branch in the playground repo for now. Those who wish to check out Bernard's awesome, hard work can check out the repo here. We will soon start auto-syncing that feature branch on our normal six-hour cycle and we will produce periodic binary updates. As of today, the first binary update has been published. You can use this hbsd-update.conf file to tell hbsd-update to switch to the LibreSSL branch. If you wish to compile your own version of HardenedBSD with LibreSSL base, you will need to add WITH_LIBRESSL=yes to src.conf.

We would like to thank Bernard for volunteering. He has been a tremendous help. Here is a teaser screenshot.

New stable release: HardenedBSD-stable 10-STABLE v44.4

HardenedBSD-10-STABLE-v44.4 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a ntpd security update

More information will be in the FreeBSD's SA:
Security: CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550
Security: CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518
Security: CVE-2016-2519
Security: FreeBSD-SA-16:16.ntp

Introducing Full PIE Support

We at HardenedBSD have added support in 11-CURRENT for compiling nearly all of base as Position-Independent Executables (PIEs, for short). This work bumps hardening.version to 45. We've enabled PIE base for amd64 and i386 and hope to enable it for arm64 before or during BSDCan 2016. Compiling an application as a PIE enables it to take full advantage of ASLR. Without PIE support, the application itself is loaded at a fixed address, determined at compile time. As of this writing, only nine applications are not compiled as PIEs. At least two of them must stay that way (/sbin/init and /sbin/init.bak), so that leaves the outstanding list at seven. This is a huge leap forward for HardenedBSD. We have tested PIE base on several amd64 systems, both virtualized and bare metal. We have done multiple amd64 package builds with success. We would like to thank Bryan Drewery for his help.

An hbsd-update(8) update archive has been published for 11-CURRENT/amd64 with the "PIEified" base. Update at your leisure.

PIE base is enabled by default for amd64 and i386. We hope to enable it for ARM64 before or during BSDCan. Speaking of ARM64, we will be bringing ten Raspberry Pi 3 devices (which are ARM64) with us to BSDCan, eight of which will be given out to lucky individuals. We want the BSD community to hack on them and get ARM64/Aarch64 fully functional on them.

UPDATE 18 Apr 2016 05:03:00 EDT: PIEified base support has been enabled for ARM64.

Pages

Subscribe to HardenedBSD RSS