BSD Now - Episodes Tagged with “Arc4random”

64: Rump Kernels Revisited

JT Pennington — Wed, 19 Nov 2014 08:00:00 -0500

This time on the show, we'll be talking with Justin Cormack about NetBSD rump kernels. We'll learn how to run them on other operating systems, what's planned for the future and a lot more. As always, answers to viewer-submitted questions and all the news for the week, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

EuroBSDCon 2014 talks and tutorials

The 2014 EuroBSDCon videos have been online for over a month, but unannounced - keep in mind these links may be temporary (but we'll mention their new location in a future show and fix the show notes if that's the case)
Arun Thomas, BSD ARM Kernel Internals
Ted Unangst, Developing Software in a Hostile Environment
Martin Pieuchot, Taming OpenBSD Network Stack Dragons
Henning Brauer, OpenBGPD turns 10 years
Claudio Jeker, vscsi and iscsid iSCSI initiator the OpenBSD way
Paul Irofti, Making OpenBSD Useful on the Octeon Network Gear
Baptiste Daroussin, Cross Building the FreeBSD ports tree
Boris Astardzhiev, Smartcom’s control plane software, a customized version of FreeBSD
Michał Dubiel, OpenStack and OpenContrail for FreeBSD platform
Martin Husemann & Joerg Sonnenberger, Tool-chaining the Hydra, the ongoing quest for modern toolchains in NetBSD
Taylor R Campbell, The entropic principle: /dev/u?random and NetBSD
Dag-Erling Smørgrav, Securing sensitive & restricted data
Peter Hansteen, Building The Network You Need With PF
Stefan Sperling, Subversion for FreeBSD developers
Peter Hansteen, Transition to OpenBSD 5.6
Ingo Schwarze, Let’s make manuals more useful
Francois Tigeot, Improving DragonFly’s performance with PostgreSQL
Justin Cormack, Running Applications on the NetBSD Rump Kernel
Pierre Pronchery, EdgeBSD, a year later
Peter Hessler, Using routing domains or tables in a production network
Sean Bruno, QEMU user mode on FreeBSD
Kristaps Dzonsons, Bugs Ex Ante
Yann Sionneau, Porting NetBSD to the LatticeMico32 open source CPU
Alexander Nasonov, JIT Code Generator for NetBSD
Masao Uebayashi, Porting Valgrind to NetBSD and OpenBSD
Marc Espie, parallel make, working with legacy code
Francois Tigeot, Porting the drm-kms graphic drivers to DragonFly
The following talks (from the Vitosha track room) are all currently missing:
Jordan Hubbard, FreeBSD, Looking forward to another 10 years (but we have another recording)
Theo de Raadt, Randomness, how arc4random has grown since 1998 (but we have another recording)
Kris Moore, Snapshots, Replication, and Boot-Environments
Kirk McKusick, An Introduction to the Implementation of ZFS
John-Mark Gurney, Optimizing GELI Performance
Emmanuel Dreyfus, FUSE and beyond, bridging filesystems
Lourival Vieira Neto, NPF scripting with Lua
Andy Tanenbaum, A Reimplementation of NetBSD Based on a Microkernel
Stefano Garzarella, Software segmentation offloading for FreeBSD
Ted Unangst, LibreSSL
Shawn Webb, Introducing ASLR In FreeBSD
Ed Maste, The LLDB Debugger in FreeBSD
Philip Guenther, Secure lazy binding ***

OpenBSD adopts SipHash

Even more DJB crypto somehow finds its way into OpenBSD's base system
This time it's SipHash, a family of pseudorandom functions that's resistant to hash bucket flooding attacks while still providing good performance
After an initial import and some clever early usage, a few developers agreed that it would be better to use it in a lot more places
It will now be used in the filesystem, and the plan is to utilize it to protect all kernel hash functions
Some other places that Bernstein's work can be found in OpenBSD include the ChaCha20-Poly1305 authenticated stream cipher and Curve25519 KEX used in SSH, ChaCha20 used in the RNG, and Ed25519 keys used in signify and SSH ***

FreeBSD 10.1-RELEASE

FreeBSD's release engineering team likes to troll us by uploading new versions just a few hours after we finish recording an episode
The first maintenance update for the 10.x branch is out, improving upon a lot of things found in 10.0-RELEASE
The vt driver was merged from -CURRENT and can now be enabled with a loader.conf switch (and can even be used on a PlayStation 3)
Bhyve has gotten quite a lot of fixes and improvements from its initial debut in 10.0, including boot support for ZFS
Lots of new ARM hardware is supported now, including SMP support for most of them
A new kernel selection menu was added to the loader, so you can switch between newer and older kernels at boot time
10.1 is the first to support UEFI booting on amd64, which also has serial console support now
Lots of third party software (OpenSSH, OpenSSL, Unbound..) and drivers have gotten updates to newer versions
It's a worthy update from 10.0, or a good time to try the 10.x branch if you were avoiding the first .0 release, so grab an ISO or upgrade today
Check the detailed release notes for more information on all the changes
Also take a look at some of the known problems to see if you'll be affected by any of them
PC-BSD was also updated accordingly with some of their own unique features and changes ***

arc4random - Randomization for All Occasions

Theo de Raadt gave an updated version of his EuroBSDCon presentation at Hackfest 2014 in Quebec
The presentation is mainly about OpenBSD's arc4random function, and outlines the overall poor state of randomization in the 90s and how it has evolved in OpenBSD over time
It begins with some interesting history on OpenBSD and how it became a security-focused OS - in 1996, their syslogd got broken into and "suddenly we became interested in security"
The talk also touches on how low-level changes can shake up the software ecosystem and third party packages that everyone uses
There's some funny history on the name of the function (being called arc4random despite not using RC4 anymore) and an overall status update on various platforms' usage of it
Very detailed and informative presentation, and the slides can be found here
A great quote from the beginning: "We consider ourselves a community of (probably rather strange) people who work on software specifically for the purpose of trying to make it better. We take a 'whole-systems' approach: trying to change everything in the ecosystem that's under our control, trying to see if we can make it better. We gain a lot of strength by being able to throw backwards compatibility out the window. So that means that we're able to do research and the minute that we decide that something isn't right, we'll design an alternative for it and push it in. And if it ends up breaking everybody's machines from the previous stage to the next stage, that's fine because we'll end up in a happier place." ***

Interview - Justin Cormack - justin@netbsd.org / @justincormack

NetBSD on Xen, rump kernels, various topics

News Roundup

The FreeBSD foundation's biggest donation

The FreeBSD foundation has a new blog post about the largest donation they've ever gotten
From the CEO of WhatsApp comes a whopping one million dollars in a single donation
It also has some comments from the donor about why they use BSD and why it's important to give back
Be sure to donate to the foundation of whatever BSD you use when you can - every little bit helps, especially for OpenBSD, NetBSD and DragonFly who don't have huge companies supporting them regularly like FreeBSD does ***

OpenZFS Dev Summit 2014 videos

Videos from the recent OpenZFS developer summit are being uploaded, with speakers from different represented platforms and companies
Matt Ahrens, opening keynote
Raphael Carvalho, Platform Overview: ZFS on OSv
Brian Behlendorf, Platform Overview: ZFS on Linux
Prakash Surya, Platform Overview: illumos
Xin Li, Platform Overview: FreeBSD
All platforms, Group Q&A Session
Dave Pacheco, Manta
Saso Kiselkov, Compression
George Wilson, Performance
Tim Feldman, Host-Aware SMR
Pavel Zakharov, Fast File Cloning
The audio is pretty poor on all of them unfortunately ***

BSDTalk 248

Our friend Will Backman is still busy getting BSD interviews as well
This time he sits down with Matthew Dillon, the lead developer of DragonFly BSD
We've never had Dillon on the show, so you'll definitely want to give this one a listen
They mainly discuss all the big changes coming in DragonFly's upcoming 4.0 release ***

MeetBSD 2014 videos

The presentations from this year's MeetBSD conference are starting to appear online as well
Kirk McKusick, A Narrative History of BSD
Jordan Hubbard, FreeBSD: The Next 10 Years
Brendan Gregg, Performance Analysis
The slides can be found here ***

Feedback/Questions

Mailing List Gold

63: A Man's man(1)

JT Pennington — Wed, 12 Nov 2014 08:00:00 -0500

This time on the show, we've got an interview with Kristaps Džonsons, the creator of mandoc. He tells us how the project got started and what its current status is across the various BSDs. We also have a mini-tutorial on using PF to throttle bandwidth. This week's news, answers to your emails and even some cheesy mailing list gold, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Updates to FreeBSD's random(4)

FreeBSD's random device, which presents itself as "/dev/random" to users, has gotten a fairly major overhaul in -CURRENT
The CSPRNG (cryptographically secure pseudo-random number generator) algorithm, Yarrow, now has a new alternative called Fortuna
Yarrow is still the default for now, but Fortuna can be used with a kernel option (and will likely be the new default in 11.0-RELEASE)
Pluggable modules can now be written to add more sources of entropy
These changes are expected to make it in 11.0-RELEASE, but there hasn't been any mention of MFCing them to 10 or 9 ***

OpenBSD Tor relays and network diversity

We've talked about getting more BSD-based Tor nodes a few times in previous episodes
The "tor-relays" mailing list has had some recent discussion about increasing diversity in the Tor network, specifically by adding more OpenBSD nodes
With the security features and attention to detail, it makes for an excellent dedicated Tor box
More and more adversaries are attacking Tor nodes, so having something that can withstand that will help the greater network at large
A few users are even saying they'll convert their Linux nodes to OpenBSD to help out
Check the archive for the full conversation, and maybe run a node yourself on any of the BSDs
The Tor wiki page on OpenBSD is pretty out of date (nine years old!?) and uses the old pf syntax, maybe one of our listeners can modernize it ***

SSP now default for FreeBSD ports

SSP, or Stack Smashing Protection, is an additional layer of protection against buffer overflows that the compiler can give to the binaries it produces
It's now enabled by default in FreeBSD's ports tree, and the pkgng packages will have it as well - but only for amd64 (all supported releases) and i386 (10.0-RELEASE or newer)
This will only apply to regular ports and binary packages, not the quarterly branch that only receives security updates
If you were using the temporary "new Xorg" or SSP package repositories instead of the default ones, you need to switch back over
NetBSD made this the default on i386 and amd64 two years ago and OpenBSD made this the default on all architectures twelve years ago
Next time you rebuild your ports, things should be automatically hardened without any extra steps or configuration needed ***

Building an OpenBSD firewall and router

While we've discussed the software and configuration of an OpenBSD router, this Reddit thread focuses more on the hardware side
The OP lists some of his potential choices, but was originally looking for something a bit cheaper than a Soekris
Most agree that, if it's for a business especially, it's worth the extra money to go with something that's well known in the BSD community
They also list a few other popular alternatives: ALIX or the APU series from PC Engines, some Supermicro boards, etc.
Through the comments, we also find out that QuakeCon runs OpenBSD on their network
Hopefully most of our listeners are running some kind of BSD as their gateway - try it out if you haven't already ***

Interview - Kristaps Džonsons - kristaps@bsd.lv

Mandoc, historical man pages, various topics

Tutorial

Throttling bandwidth with PF

News Roundup

NetBSD at Kansai Open Forum 2014

Japanese NetBSD users invade yet another conference, demonstrating that they can and will install NetBSD on everything
From a Raspberry Pi to SHARP Netwalkers to various luna68k devices, they had it all
As always, you can find lots of pictures in the trip report ***

Getting to know your portmgr lurkers

The lovable "getting to know your portmgr" series makes its triumphant return
This time around, they interview Alex, one of the portmgr lurkers that joined just this month
"How would you describe yourself?" "Too lazy."
Another post includes a short interview with Emanuel, another new lurker
We discussed the portmgr lurkers initiative with Steve Wills a while back ***

NetBSD's ARM port gets SMP

The ARM port of NetBSD now has SMP support, allowing more than one CPU to be used
This blog post on the website has a list of supported boards: Banana Pi, Cubieboard 2, Cubietruck, Merrii Hummingbird A31, CUBOX-I and NITROGEN6X
NetBSD's release team is working on getting these changes into the 7 branch before 7.0 is released
There are also a few nice pictures in the article ***

A high performance mid-range NAS

This blog post is about FreeNAS and optimizing iSCSI performance
It talks about using mid-range hardware with FreeNAS and different tunables you can change to affect performance
There are some nice graphs and lots of detail if you're interested in tweaking some of your own settings
They conclude "there is no optimal configuration; rather, FreeNAS can be configured to suit a particular workload" ***

Feedback/Questions

Mailing List Gold

48: Liberating SSL

JT Pennington — Wed, 30 Jul 2014 08:00:00 -0400

Coming up in this week's episode, we'll be talking with one of OpenBSD's newest developers - Brent Cook - about the portable version of LibreSSL and how it's developed. We've also got some information about the FreeBSD port of LibreSSL you might not know. The latest news and your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD quarterly status report

FreeBSD has gotten quite a lot done this quarter
Changes in the way release branches are supported - major releases will get at least five years over their lifespan
A new automounter is in the works, hoping to replace amd (which has some issues)
The CAM target layer and RPC stack have gotten some major optimization and speed boosts
Work on ZFSGuru continues, with a large status report specifically for that
The report also mentioned some new committers, both source and ports
It also covers GNATS being replaced with Bugzilla, the new core team, 9.3-RELEASE, GSoC updates, UEFI booting and lots of other things that we've already mentioned on the show
"Foundation-sponsored work resulted in 226 commits to FreeBSD over the April to June period" ***

A new OpenBSD HTTPD is born

Work has begun on a new HTTP daemon in the OpenBSD base system
A lot of people are asking "why?" since OpenBSD includes a chrooted nginx already - will it be removed? Will they co-exist?
Initial responses seem to indicate that nginx is getting bloated, and is a bit overkill for just serving content (this isn't trying to be a full-featured replacement)
It's partially based on the relayd codebase and also comes from the author of relayd, Reyk Floeter
This has the added benefit of the usual, easy-to-understand syntax and privilege separation
There's a very brief man page online already
It supports vhosts and can serve static files, but is still in very active development - there will probably be even more new features by the time this airs
Will it be named OpenHTTPD? Or perhaps... LibreHTTPD? (I hope not) ***

pkgng 1.3 announced

The newest version of FreeBSD's second generation package management system has been released, with lots of new features
It has a new "real" solver to automatically handle conflicts, and dynamically discover new ones (this means the annoying -o option is deprecated now, hooray!)
Lots of the code has been sandboxed for extra security
You'll probably notice some new changes to the UI too, making things more user friendly
A few days later 1.3.1 was released to fix a few small bugs, then 1.3.2 shortly thereafter and 1.3.3 yesterday ***

FreeBSD after-install security tasks

A number of people have written in to ask us "how do I secure my BSD box after I install it?"
With this blog post, hopefully most of their questions will finally be answered in detail
It goes through locking down SSH with keys, patching the base system for security, installing packages and keeping them updated, monitoring and closing any listening services and a few other small things
Not only does it just list things to do, but the post also does a good job of explaining why you should do them
Maybe we'll see some more posts in this series in the future ***

Interview - Brent Cook - bcook@openbsd.org / @busterbcook

LibreSSL's portable version and development

News Roundup

FreeBSD Mastery - Storage Essentials

MWL's new book about the FreeBSD storage subsystems now has an early draft available
Early buyers can get access to an in-progress draft of the book before the official release, but keep in mind that it may go through a lot of changes
Topics of the book will include GEOM, UFS, ZFS, the disk utilities, partition schemes, disk encryption and maximizing I/O performance
You'll get access to the completed (e)book when it's done if you buy the early draft
The suggested price is $8 ***

Why BSD and not Linux?

Yet another thread comes up asking why you should choose BSD over Linux or vice-versa
Lots of good responses from users of the various BSDs
Directly ripping a quote: "Features like Ports, Capsicum, CARP, ZFS and DTrace were stable on BSDs before their Linux versions, and some of those are far more usable on BSD. Features like pf are still BSD-only. FreeBSD has GELI and ipfw and is "GCC free". DragonflyBSD has HAMMER and kernel performance tuning. OpenBSD have upstream pf and their gamut of security features, as well as a general emphasis on simplicity."
And "Over the years, the BSDs have clearly shown their worth in the nix ecosystem by pioneering new features and driving adoption of others. The most recent on OpenBSD were 2038 support and LibreSSL. FreeBSD still arguably rules the FOSS storage space with ZFS."
Some other users share their switching experiences - worth a read ***

More g2k14 hackathon reports

Following up from last week's huge list of hackathon reports, we have a few more
Landry Breuil spent some time with Ansible testing his infrastructure, worked on the firefox port and tried to push some of their patches upstream
Andrew Fresh enjoyed his first hackathon, pushing OpenBSD's perl patches upstream and got tricked into rewriting the adduser utility in perl
Ted Unangst did his usual "teduing" (removing of) old code - say goodbye to asa, fpr, mkstr, xstr, oldrdist, fsplit, uyap and bluetooth
Luckily we didn't have to cover 20 new ones this time! ***

BSDTalk episode 243

The newest episode of BSDTalk is out, featuring an interview with Ingo Schwarze of the OpenBSD team
The main topic of discussion is mandoc, which some users might not be familiar with
mandoc is a utility for formatting manpages that OpenBSD and NetBSD use (DragonFlyBSD and FreeBSD include it in their source tree, but it's not built by default)
We'll catch up to you soon, Will! ***

Feedback/Questions

Thomas writes in
Stephen writes in
Sha'ul writes in
Florian writes in
Bob Beck writes in - and note the "Caution" section that was added to libressl.org ***